ACE new rserver
Hi All
I am trying to move two real servers from the current configuration and add them to a new VIP; does anyone know what changes I would need to make?
I am trying to move the 2 proxies BCPROXY1 and BCPROXY2.
Any help much appreciated
Regards MJ
Hi Jorge
Thanks for the response, please see the configuration.
access-list ALL line 1 extended permit ip any any
probe icmp icmp_probe
  interval 5
  passdetect interval 60
rserver host BCPROXY1
  description NEW HBC WEB PROXY 1
  ip address 10.100.102.22
  probe icmp_probe
  inservice
rserver host BCPROXY2
  description NEW HBC WEB PROXY 2
  ip address 10.100.102.23
  probe icmp_probe
  inservice
rserver host PROXY1
  description WEB PROXY 1
  ip address 10.100.102.20
  probe icmp_probe
  inservice
rserver host PROXY2
  description WEB PROXY 2
  ip address 10.100.102.21
  probe icmp_probe
  inservice
serverfarm host PROXY-PRODUCTION
  description PRODUCTION WEB PROXY
  predictor response app-req-to-resp
  rserver BCPROXY1
    inservice
  rserver BCPROXY2
    inservice
  rserver PROXY1
    inservice
  rserver PROXY2
    inservice
class-map match-all CLASSIFY-INCOMING-TRAFFIC
  2 match virtual-address 10.100.101.10 tcp eq 8080
policy-map type loadbalance first-match WEB-POLICY-L7
  class class-default
    serverfarm PROXY-PRODUCTION
policy-map multi-match INCOMING-WEB-TRAFFIC
  class CLASSIFY-INCOMING-TRAFFIC
    loadbalance vip inservice
    loadbalance policy WEB-POLICY-L7
    loadbalance vip icmp-reply
interface vlan 1111
  description ACE-VIPS-MAIL - Incoming Traffic
  ip address 10.100.101.253 255.255.255.0
  alias 10.100.101.254 255.255.255.0
  peer ip address 10.100.101.252 255.255.255.0
  access-group input ALL
  service-policy input remote_management_access
  service-policy input INCOMING-WEB-TRAFFIC
  no shutdown
interface vlan 1112
  description ACE-SERVER-VLAN
  ip address 10.100.102.3 255.255.255.0
  alias 10.100.102.1 255.255.255.0
  peer ip address 10.100.102.2 255.255.255.0
  access-group input ALL
  service-policy input remote_management_access
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.100.101.1
All I am wanting to do is move the two test proxy servers to a new VIP (for testing before putting them back into production).
Will I need a new service policy, or can I use the existing one (INCOMING-WEB-TRAFFIC)?
Regards MJ
Similar Messages
-
Cisco ACE: can an rserver use its own VIP address?
we've configured a serverfarm with a real server and a VIP.
The serverfarm can be reached and is functioning well.
Now we want the rserver to be able to reach its own VIP address.
This is needed because the rserver has multiple websites which need each other
and we want to have load balancing.
Is this a supported configuration?
regards,
Sebastian
You can simply add a new policy to match the servers' IP addresses and then configure NAT.
i.e.:
class-map match-all servers
  2 match source-address 192.168.30.48 255.255.255.255
policy-map multi-match client-nat
  class servers
    nat dynamic 1 vlan 30
interface vlan 20
  ip address 192.168.20.121 255.255.255.0
  alias 192.168.20.124 255.255.255.0
  peer ip address 192.168.20.123 255.255.255.0
  no normalization
  mac-sticky enable
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  service-policy input client-nat
  service-policy input SLB1
  no shutdown
interface vlan 30
  bridge-group 30
  no normalization
  mac-sticky enable
  access-group input PERMIT-ANY
  nat-pool 1 10.10.20.1 10.10.20.100 netmask 255.255.255.0
In this case I NAT them to an address in the 10.10.20.0/24 subnet and I have a static route on the servers pointing this subnet to the ACE.
You could also use a free IP from the same server subnet and no static route would be required.
Also, if the ACE is already the default gateway for the servers, no specific static route is required.
Also, in this example I'm not really NATting a server, but the idea is the same. The only difference is that in your case the outgoing interface will be the same as the incoming interface. I have everything in vlan 20 and vlan 30; you will have everything in vlan X and only vlan X.
Gilles. -
How the ACE handles rserver failures
Hello
I've got a question re: the ACE module.
Let's say I have 2 web rservers and I have a probe interval for checking them from the ACE of 10 seconds.
Let's say a probe just passed and it is 10 seconds before the next one. The ACE will think the rserver is OK. Then say the rserver httpd service is stopped 3 seconds after the last successful probe, leaving 7 seconds before the ACE is going to send another probe. The ACE will think it is still 'up' before the next probe is sent.
Given the above, what happens to a) existing connections to the newly failed rserver and b) new connections if the failure occurs between probes?
How does the ACE handle this situation?
Are there any differences between how the ACE handles this between A1 and A2 versions of software?
Thanks
Cameron
URL rewrite only comes into play when the real server (rserver) sends a clear-text redirect, such as a 302 for http://investor.nice360.com. If the client receives this 302 it will attempt the next request using HTTP. With the URL rewrite feature we configure the ACE to change these redirects from HTTP to HTTPS.
What you are looking for is a simple redirection of the client request from port 80 to port 443. This can be achieved using a redirect serverfarm and a redirect rserver.
You will need to create two sets of configs (class-maps, rserver, sfarm, policy-map) for port 80 & port 443 traffic. The port 80 policy will simply redirect the port 80 request to port 443.
The following example will give you some idea:
rserver redirect HTTP2HTTPS
  webhost-redirection https://%h%p 301
  inservice
serverfarm redirect HTTP2HTTPS-SF
  rserver HTTP2HTTPS
    inservice
class-map match-all WEB-HTTP
  2 match virtual-address 172.25.250.245 tcp eq http
class-map match-all WEB-HTTPS
  2 match virtual-address 172.25.250.245 tcp eq 443
policy-map type loadbalance first-match HTTP2HTTPS-POLICY
  class class-default
    serverfarm HTTP2HTTPS-SF
policy-map type loadbalance first-match L7-POLICY
  class class-default
    sticky-serverfarm STICKY_IP
policy-map multi-match L4-POLICY
  class WEB-HTTP
    loadbalance vip inservice
    loadbalance policy HTTP2HTTPS-POLICY
    loadbalance vip icmp-reply
  class WEB-HTTPS
    loadbalance vip inservice
    loadbalance policy L7-POLICY
    loadbalance vip icmp-reply
    ssl-proxy server INVESTOR-CLIENT
Syed -
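The two mechanisms Syed describes, a redirect rserver template such as https://%h%p and the ssl url rewrite of a server's clear-text Location header, modelled in Python as an added example (not code from the thread or from Cisco). It assumes %h expands to the request Host header and %p to the request path, and that the rewrite pattern is a regular expression matched against the host in the Location header; the URLs are constructed from the hostnames quoted in the thread.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def redirect_target(template, host, path):
    """Expand a webhost-redirection template (assumption: %h = request Host header,
    %p = request path), i.e. what a redirect rserver sends back as Location."""
    return template.replace("%h", host).replace("%p", path)


def rewrite_location(location, host_pattern, clearport=80, sslport=443):
    """Model of `ssl url rewrite location <pattern>` (assumption: pattern is a regex
    matched against the host).  A redirect to http://<matching host>[:clearport] is
    rewritten to https://<host>[:sslport] so the client does not fall back to clear
    text; anything else is returned unchanged."""
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location
    host = parts.hostname or ""
    port = parts.port if parts.port is not None else 80
    if port != clearport or re.fullmatch(host_pattern, host) is None:
        return location
    netloc = host if sslport == 443 else f"{host}:{sslport}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def fix_redirect_response(status_line, headers, host_pattern):
    """Apply rewrite_location to the Location header of a 3xx response.
    headers is a list of (name, value) pairs; non-3xx responses pass through."""
    if not status_line.split()[1].startswith("3"):
        return headers
    return [(n, rewrite_location(v, host_pattern) if n.lower() == "location" else v)
            for n, v in headers]


if __name__ == "__main__":
    # Port-80 request answered by the redirect rserver
    print(redirect_target("https://%h%p", "investor.nice360.com", "/index.html"))
    # Server-side clear-text redirect (constructed) passing through the rewrite
    print(fix_redirect_response("HTTP/1.1 302 Found",
                                [("Location", "http://www.myservice.com/content/")],
                                r"www\.myservice\.com"))
```

The pattern is matched against the host only, so a redirect to a different host is left alone; the clearport/sslport pair is what ACE's optional clearport/sslport arguments would supply.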
ACE: new sticky cookie inserted for different URL?
I have sticky cookies set (cookie insert) and http persistence rebalance on. The virtual server is made of a group of three real http servers.
The DNS name of the virtual server is for example "vhost.domain.com".
If I browse (from the internal network) to "http://vhost/" my session is stuck to a real server using cookie stickiness. My question is, when I click a link which is fully qualified, e.g. "http://vhost.domain.com/newpage.html", is stickiness maintained, or as the HTTP header has changed is it seen as a new session, potentially sending me to a different real server?
ACE doesn't care about the URL.
It will simply look for the presence of the cookie.
If the cookie is there, you will stick to the same rserver.
If not, this is considered a new connection and the request is loadbalanced.
So it all depends on whether your browser considers vhost and vhost.domain.com to be the same, because the cookie is associated with a domain.
Normally it should consider them the same.
Gilles. -
ACE logging - rserver and probes
On the CSS I get a message if a server fails the keepalive and goes into state "down, up or suspended". This is logged in the traplog file on the CSS.
Is there any possibility on an ACE to have logs for rserver state changes like "PROBE-FAILED, OPERATIONAL and OUT-OF-SERVICE"?
Thx in advance
Hi Gilles,
1. Looks fine, but I miss the rserver name in the log; only the IP address of the server appears.
So it looks like the "ip address log" is implemented :-(
b-sllb2001-09/db_bku-nK2# show rserver sthon
rserver : sthon, type: HOST
state   : PROBE-FAILED
                                               ----------connections-----------
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   serverfarm: test.db.de
       172.24.100.98:0       8      PROBE-FAILED 0          0
b-sllb2001-09/db_bku-nK2# show logging | i ACE-3
Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:20:23 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:20:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:21:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
2. I can find nothing in the log when the probe gets to the "operational" or "out-of-service" state.
Is this correct?
b-sllb2001-09/db_bku-nK2# show rserver sthon
rserver : sthon, type: HOST
state   : OPERATIONAL
                                               ----------connections-----------
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   serverfarm: test.db.de
       172.24.100.98:0       8      OPERATIONAL  0          0
-
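The two gaps the poster hits, the %ACE-3-251011 message naming only the IP and nothing at all being logged for the OPERATIONAL or OUT-OF-SERVICE transitions, can be closed from the outside by correlating the syslog with polled `show rserver` output. The following is an added Python example (not from the thread, not a Cisco tool): it parses the `show rserver` layout quoted above to build an IP-to-rserver map, annotates the probe-failure log lines with the name, and diffs two snapshots to produce the state-change events the ACE does not log. The snapshots and log lines are constructed in the same format as the thread's; the second server 172.24.100.99 is made up to show an unmapped IP.

```python
import re
from collections import Counter

# Constructed: two `show rserver` snapshots in the layout quoted in the thread,
# one taken while the probe is failing and one after the server recovered.
SNAPSHOT_FAILED = """\
rserver : sthon, type: HOST
state   : PROBE-FAILED
                                               ----------connections-----------
       real                  weight state        current    total
   ---+---------------------+------+------------+----------+--------------------
   serverfarm: test.db.de
       172.24.100.98:0       8      PROBE-FAILED 0          0
"""
SNAPSHOT_OK = SNAPSHOT_FAILED.replace("PROBE-FAILED", "OPERATIONAL")

# Constructed syslog lines in the %ACE-3-251011 format; the last one is for an IP
# that is not in the snapshot, to show how an unmapped server is reported.
SYSLOG = """\
Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:20:23 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:20:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:21:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:22:10 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.99, server reply timeout
"""

RSERVER_HDR = re.compile(r"^rserver\s*:\s*(?P<name>[^,]+),\s*type:\s*(?P<type>\S+)")
FARM_LINE = re.compile(r"^\s*serverfarm:\s*(?P<farm>\S+)")
REAL_ROW = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<state>[A-Z-]+)\s+(?P<current>\d+)\s+(?P<total>\d+)")
PROBE_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) : %ACE-3-251011: "
    r"(?P<probe>\S+) health probe failed for server (?P<ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<reason>.*)$")


def parse_show_rserver(text):
    """One dict per real-server row: rserver name, serverfarm, ip, port, state."""
    rows, name, farm = [], None, None
    for line in text.splitlines():
        m = RSERVER_HDR.match(line)
        if m:
            name, farm = m.group("name").strip(), None
            continue
        m = FARM_LINE.match(line)
        if m:
            farm = m.group("farm")
            continue
        m = REAL_ROW.match(line)
        if m and name:
            rows.append({"rserver": name, "farm": farm, "ip": m.group("ip"),
                         "port": int(m.group("port")), "state": m.group("state")})
    return rows


def ip_to_rserver(rows):
    """The lookup the syslog lacks: server IP -> configured rserver name."""
    return {r["ip"]: r["rserver"] for r in rows}


def state_changes(before, after):
    """Diff two snapshots; returns (rserver, farm, ip, old_state, new_state) per change.
    This yields the OPERATIONAL / OUT-OF-SERVICE transitions that are never logged."""
    key = lambda r: (r["rserver"], r["farm"], r["ip"], r["port"])
    old = {key(r): r["state"] for r in before}
    return [(r["rserver"], r["farm"], r["ip"], old[key(r)], r["state"])
            for r in after if key(r) in old and old[key(r)] != r["state"]]


def annotate_probe_failures(syslog, names):
    """Parse %ACE-3-251011 lines and attach the rserver name the message omits."""
    events = []
    for line in syslog.splitlines():
        m = PROBE_FAILED.match(line)
        if not m:
            continue
        ip = m.group("ip")
        events.append({"ts": m.group("ts"), "probe": m.group("probe"), "ip": ip,
                       "rserver": names.get(ip, "<unknown rserver>"),
                       "reason": m.group("reason")})
    return events


def failures_per_rserver(events):
    """Count probe failures by rserver name (unmapped IPs are grouped together)."""
    return Counter(e["rserver"] for e in events)


if __name__ == "__main__":
    names = ip_to_rserver(parse_show_rserver(SNAPSHOT_FAILED))
    for e in annotate_probe_failures(SYSLOG, names):
        print(f'{e["ts"]}  {e["rserver"]:<18} {e["ip"]:<15} {e["probe"]} probe failed: {e["reason"]}')
    for change in state_changes(parse_show_rserver(SNAPSHOT_FAILED), parse_show_rserver(SNAPSHOT_OK)):
        print("state change:", change)
```

Polling `show rserver` on a schedule and feeding consecutive outputs to state_changes gives the "operational" and "out-of-service" events the poster misses; annotate_probe_failures makes the existing syslog lines readable by name when they are forwarded to a collector.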
With Ajay Kumar and Telmo Pereira
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco experts Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module:
- Helps ensure business continuity by increasing application availability
- Improves business productivity by accelerating application and server performance
- Reduces data center power, space, and cooling needs through a virtualized architecture
- Helps lower operational costs associated with application provisioning and scaling
Ajay Kumar is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications.
Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP.
Remember to use the rating system to let Ajay know if you have received an adequate response.
Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
Hello Krzysztof,
Another set of good/interesting questions posted. Thanks!
I will try to clarify your doubts.
In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
ACE/Context# show resource usage
                                                   Allocation
        Resource                     Current       Peak        Min        Max       Denied
-- outputs omitted for brevity --
  proxy-connections                        0      16358      16358      16358      17872
  ssl-connections rate                     0        626        626        626      23204
Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource.
For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
This might sound like a great idea, but resource planning on the ACE should be done carefully to avoid any sort of oversubscription, especially if you have business-critical contexts.
We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
To give more context, seeing resets with SSL connections is not necessarily synonymous with drops, as it is usual to see them during normal transactions.
For instance Microsoft servers are usually ungracefully terminating SSL connections with RESET. Also when there is renegotiation during an SSL transaction you may see RESETS, but this will pass unnoticed for end users.
2) The ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Existing connections will continue there.
As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
3) If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
I hope this makes things clearer! Uff...
Regards,
Telmo -
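Telmo's rules for reading `show resource usage` (Denied > 0 means the limit was hit, Peak reaching Max shows the context ran out of headroom, Min equal to Max means it cannot borrow unused capacity) as an added Python example that is not from the thread: it parses the row layout quoted above and grades each resource. The sample output is constructed; the first two rows repeat the thread's numbers and the conc-connections row is made up to show a resource within its limits.

```python
import re

# Constructed sample in the `show resource usage` layout quoted in the thread.
SHOW_RESOURCE_USAGE = """\
ACE/Context# show resource usage
                                                   Allocation
        Resource                     Current       Peak        Min        Max       Denied
  proxy-connections                        0      16358      16358      16358      17872
  ssl-connections rate                     0        626        626        626      23204
  conc-connections                      1200      45000      65536      65536          0
"""

# A resource name is one or more lowercase words, followed by the five counters.
RESOURCE_ROW = re.compile(
    r"^\s*(?P<name>[a-z][a-z0-9-]*(?: [a-z][a-z0-9-]*)*)\s+"
    r"(?P<current>\d+)\s+(?P<peak>\d+)\s+(?P<min>\d+)\s+(?P<max>\d+)\s+(?P<denied>\d+)\s*$")


def parse_resource_usage(text):
    """Return {resource name: {current, peak, min, max, denied}} for every data row."""
    usage = {}
    for line in text.splitlines():
        m = RESOURCE_ROW.match(line)
        if m:
            usage[m.group("name")] = {k: int(m.group(k))
                                      for k in ("current", "peak", "min", "max", "denied")}
    return usage


def assess(usage):
    """Grade each resource the way the reply reads the columns:
    exceeded  - Denied > 0, the limit was hit and requests were dropped
    at-limit  - nothing denied yet, but Peak already reached Max
    ok        - headroom remains
    can_burst is False when Max == Min, i.e. the context is capped at its guarantee."""
    findings = []
    for name, r in sorted(usage.items()):
        if r["denied"] > 0:
            status = "exceeded"
        elif r["peak"] >= r["max"]:
            status = "at-limit"
        else:
            status = "ok"
        findings.append({"resource": name, "status": status,
                         "headroom": r["max"] - r["peak"],
                         "can_burst": r["max"] > r["min"], "denied": r["denied"]})
    return findings


if __name__ == "__main__":
    for f in assess(parse_resource_usage(SHOW_RESOURCE_USAGE)):
        print(f'{f["resource"]:<24} {f["status"]:<9} headroom={f["headroom"]:<6} '
              f'denied={f["denied"]:<6} burst={"yes" if f["can_burst"] else "no"}')
```

Run against the real command output, the "exceeded" rows are the ones whose allocation has to grow (or whose Max has to be raised above Min) before the denies stop, exactly the conclusion drawn for proxy-connections above.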
Hi,
I am designing a data centre with VSS, FWSM & ACE. I am using the design guide below as a start point, using the red service chain.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html
my topology will be routed access with transparent contexts, so;
client -> MSFC -> Trans FWSM -> Trans ACE -> VRF -> Rserver subnets A & B.
I will be using RHI to advertise the VIPs to the MSFC. The VRF and MSFC will use OSPF to propagate reachability.
my questions are:
1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?
2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?
3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?
4) likewise for LB traffic that hits the VIP, how is it forwarded?
5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, eg is this a supported config?
Thanks in advance!
Lee.
Hi Lee,
Let me reply to you inline:
1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?
Yes, you can use any subnet; of course you must have a route to reach the rservers.
2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?
It will be either the alias IP defined in the interface VLAN of the ACE if it exists, or its IP address if no alias is available.
3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?
Either static routes or a gateway.
4) likewise for LB traffic that hits the VIP, how is it forwarded?
Normally it uses the client IP as source and the destination IP of the rserver if you are not NATting. Not sure if this answers your question.
5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, eg is this a supported config?
Yes it is.
Hope this helps,
/dom -
ACE module dropping asymmetric layer 2 connections
Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server. The server in question was using Transmit Load Balancing with Fault Tolerance.
The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1. The ace module is in transparent mode. When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port. Does it share some kind of layer 2 RPF check with the 6500 ?
Please note there is no routing involved here. The destination server is just on another vlan on the same subnet, on the other side of the ace.
-
Connections through ACE module
When a client makes a connection to a VIP which is in the client-side VLAN, and the ACE sends the load-balanced request to the rserver, and the rserver replies, does the rserver always get NAT'd to the VIP in the reply if no NAT is configured? Because if the client sends a SYN to the VIP and receives a SYN,ACK from a different IP, it'll just send a reset, correct?
How about in this example using NAT? Does the rserver's reply get PATed to 172.19.192.26, then get NATed again to the VIP? Or do they go straight to the client?
vlan 195 is the client side
vlan 719 is the server side
access-list acl_NAT_VIP line 40 extended permit ip 172.19.254.0 255.255.254.0 172.19.192.0 255.255.252.0
class-map match-any NAT_CLASS_VIP
  2 match access-list acl_NAT_VIP
policy-map multi-match NAT_POLICY
  class NAT_CLASS_VIP
    nat dynamic 5 vlan 719
interface vlan 195
  ip address 172.19.192.19 255.255.252.0
  alias 172.19.192.18 255.255.252.0
  peer ip address 172.19.192.20 255.255.252.0
  access-group input allowall
  access-group output allowall
  nat-pool 2 172.19.195.37 172.19.195.37 netmask 255.255.255.255 pat
  nat-pool 3 172.19.195.39 172.19.195.39 netmask 255.255.255.255 pat
  nat-pool 4 172.19.195.40 172.19.195.40 netmask 255.255.255.255 pat
  nat-pool 1 172.19.195.46 172.19.195.46 netmask 255.255.255.255 pat
  nat-pool 6 172.19.195.36 172.19.195.36 netmask 255.255.255.255 pat
  service-policy input LB_POLICY
  no shutdown
interface vlan 719
  ip address 10.1.9.66 255.255.255.240
  alias 10.1.9.65 255.255.255.240
  peer ip address 10.1.9.67 255.255.255.240
  access-group input allowall
  access-group output allowall
  nat-pool 5 172.19.192.26 172.19.192.26 netmask 255.255.255.255 pat
  service-policy input LB_POLICY
  service-policy input NAT_POLICY
  no shutdown
Bryan,
As long as the server replies back to the ACE the client should only be communicating with the VIP address in either of your two examples.
In your first example the flow will look like this.
client > VIP after the ACE client > rserver
the reply would be
rserver > client after the ACE VIP > rserver
In your second example using client nat it will look like this
Client > VIP After ACE Natpool > rserver.
the reply would be
rserver > Nat-pool after ACE VIP > client.
The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
Regards
Jim -
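Jim's two flows (default destination NAT to the rserver, and client NAT through a nat-pool) plus the transparent-serverfarm case, modelled as an added Python example that is not from the thread: a minimal connection table that rewrites the inbound 4-tuple the way Jim describes and, on the reply, uses the stored entry to put the VIP back as the source the client sees. The VIP and rserver addresses are constructed; 172.19.192.26 is the nat-pool 5 address from Bryan's configuration. Source ports are kept unchanged here, although a pool configured with `pat` may also rewrite them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP connection: (source, destination)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class AceConnection:
    """Address rewriting the ACE applies to one load-balanced connection.

    Default mode: destination VIP -> rserver IP/port; source kept, or replaced by a
    nat-pool address when a client NAT policy matches.  Transparent serverfarm: the
    destination IP stays the VIP (only the destination MAC changes), so the rserver must
    own the VIP on a loopback.  Reply packets are matched against the stored entry and
    rewritten back, which is why the client never sees the rserver's own address.
    """

    def __init__(self, vip, vip_port, rserver_ip, rserver_port,
                 nat_pool_ip=None, transparent=False):
        self.vip, self.vip_port = vip, vip_port
        self.rserver_ip, self.rserver_port = rserver_ip, rserver_port
        self.nat_pool_ip = nat_pool_ip
        self.transparent = transparent
        self.table = {}  # server-side reply flow -> original client flow

    def inbound(self, client_flow):
        """Client -> VIP packet; returns the flow as the rserver sees it."""
        if (client_flow.dst_ip, client_flow.dst_port) != (self.vip, self.vip_port):
            raise ValueError("packet is not addressed to the VIP")
        src_ip = self.nat_pool_ip or client_flow.src_ip
        if self.transparent:
            dst_ip, dst_port = self.vip, self.vip_port
        else:
            dst_ip, dst_port = self.rserver_ip, self.rserver_port
        server_flow = Flow(src_ip, client_flow.src_port, dst_ip, dst_port)
        self.table[server_flow.reverse()] = client_flow
        return server_flow

    def outbound(self, reply_flow):
        """Rserver -> client reply; returns the flow as the client sees it (source = VIP)."""
        try:
            client_flow = self.table[reply_flow]
        except KeyError:
            raise ValueError("reply does not match any connection the ACE created") from None
        return client_flow.reverse()


if __name__ == "__main__":
    client = Flow("172.19.254.10", 5000, "172.19.195.37", 80)   # constructed client and VIP
    for label, conn in [
        ("no client NAT", AceConnection("172.19.195.37", 80, "10.1.9.70", 80)),
        ("client NAT", AceConnection("172.19.195.37", 80, "10.1.9.70", 80, nat_pool_ip="172.19.192.26")),
        ("transparent", AceConnection("172.19.195.37", 80, "10.1.9.70", 80, transparent=True)),
    ]:
        to_server = conn.inbound(client)
        print(f"{label:<14} client sends {client} -> rserver sees {to_server}")
        print(f"{'':<14} rserver replies {to_server.reverse()} -> client sees {conn.outbound(to_server.reverse())}")
```

A reply that does not pass through the ACE (the asymmetric case in the other thread) never matches an entry in the table, which is the model's way of saying the client would receive a SYN/ACK from an address it never talked to.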
New folder and modify access rights
I have played around with a script.
My script looks like this:
#Variables
$GroupNameTIA = "F_KSMCommon-common-ScanTIA_m"
$Directory = Read-Host "Folder name: "
$DirectoryPath = "z:\$Directory"
#Mount directory
net use Z: \\stg-w75\ksmcommon\common\ScanTIA
#Create new folder
New-Item -Type directory -Path $DirectoryPath
takeown.exe /F $DirectoryPath
#Read and modify ACL
$ACL = Get-Acl $DirectoryPath
$ACL.SetAccessRuleProtection($True, $True)
Set-Acl $DirectoryPath $ACL
$user_Account = $GroupNameTIA
$Acl = (Get-Item $DirectoryPath).GetAccessControl("Access")
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule($user_Account,
    "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$Acl.SetAccessRule($Ar)
Set-Acl $DirectoryPath $Acl
$Ace = New-Object System.Security.AccessControl.FileSystemAccessRule (
    $GroupNameTIA,
    "Delete",
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$SD = Get-Acl $DirectoryPath
$SD.RemoveAccessRule($Ace)
(Get-Item $DirectoryPath).SetAccessControl($SD)
#delete mounted directory
net use /d z:
If I run this script I get an error:
Set-Acl : Attempted to perform an unauthorized operation.
At C:\PSScripts\NeuerScanOrdner.ps1:187 char:12
+ Set-Acl <<<< $DirectoryPath $ACL
    + CategoryInfo          : PermissionDenied: (Z:\tia-test5:String) [Set-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
Set-Acl : Attempted to perform an unauthorized operation.
At C:\PSScripts\NeuerScanOrdner.ps1:193 char:12
+ Set-Acl <<<< $DirectoryPath $Acl
    + CategoryInfo          : PermissionDenied: (Z:\tia-test5:String) [Set-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
It makes no difference whether I let the script run with an administrator account or "run as administrator".
Although I am the owner of the folder, I get this error message.
I do not know why this happened. What's wrong?
Set-Acl is a flawed cmdlet. It often tries to call the API to write the security descriptor with the flags to change the owner and SACL, both of which require privilege activation (it doesn't matter if your account has the privileges, they need to be enabled, too). There are a few bugs about this on the Connect site.
I get a more descriptive error than you did when I try to run your script, but maybe those differences are due to different PowerShell versions. Anyway, I almost never use Set-Acl, and instead use the .SetAccessControl() method of the file object (which you already did at least once in your script).
The following worked for me, so let me know if it doesn't work for you (make sure you put back in the part where the $DirectoryPath and $GroupNameTIA variables are defined):
$ACL = Get-Acl $DirectoryPath
$ACL.SetAccessRuleProtection($True, $True)
# Apply rule protection and get the SD again:
(Get-Item $DirectoryPath).SetAccessControl($ACL)
$ACL = Get-Acl $DirectoryPath
# Give group full control:
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule (
    $GroupNameTIA,
    "FullControl",
    "ContainerInherit, ObjectInherit",
    "None",
    "Allow"
)
$ACL.SetAccessRule($Ar)
# Now remove delete rights from folder
$Ace = New-Object System.Security.AccessControl.FileSystemAccessRule (
    $GroupNameTIA,
    "Delete",
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$null = $ACL.RemoveAccessRule($Ace)
# Apply the changes:
(Get-Item $DirectoryPath).SetAccessControl($ACL)
The PowerShellAccessControl module has a function called Set-SecurityDescriptor that works like Set-Acl, except it won't try to set the owner or SACL unless needed. -
Hi all,
I have an issue with an ACE configuration which terminates HTTPS traffic and load balances the client requests to the real servers.
All is working fine, with one exception. If the client requests the URL "https://www.myservice.com/content/", the connection works perfectly.
If the request is "https://www.myservice.com/content" (missing slash at the end), the real servers send a redirect back to the client.
The redirect is "http://www.myservice.com/content/".
How can I handle the request so that the client gets HTTPS and not HTTP?
Any suggestions are welcome.
Regards,
Rene
Hi Kanwal,
I have tried your solution today without any success.
The configuration is simple, but the result is always the same.
client browser---------https--------ACE-------http---------rserver
If the client uses the URL https://this.is.a.request.com/dir/
all works fine. But if the user uses the URL https://this.is.a.request.com/dir <-- missing slash
the server response back to the client is http://this.is.a.request.com/dir/ <-- responds via http not https
But the ACE is not configured to respond to http.
I also used your recommendation, but without any success.
I have tried the "ssl url rewrite" function, but this solution did not work.
Maybe I am absolutely wrong with my approach, but you will find below the configuration I have configured. Probably you have a solution for me.
Regards,
Rene
probe http PROBE-GENERIC-HTTP
  description HTTP Probe for GEVER-UVEK-PR Servers
  port 80
  interval 20
  faildetect 2
  passdetect interval 25
  passdetect count 2
  receive 3
  request method get url /iisstart.htm
  expect status 200 200
rserver host SERVER-1
  description uvek-s6201-235 (GEVER-UVEK-PR)
  ip address 10.135.13.235
  inservice
rserver host SERVER-2
  description uvek-s6201-28 (GEVER-UVEK-PR)
  ip address 10.135.14.28
  inservice
rserver host SERVER-3
  description uvek-s6202-116 (GEVER-UVEK-PR)
  ip address 10.135.13.116
  inservice
serverfarm host GEVER-UVEK-PR-FARM
  predictor leastconns
  probe PROBE-GENERIC-HTTP
  rserver SERVER-1 80
    inservice
  rserver SERVER-2 80
    inservice
  rserver SERVER-3 80
parameter-map type generic GEVER-UVEK-SSLID-PARAMETER
  set max-parse-length 70
parameter-map type ssl SSL_CIPHERS
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
sticky http-cookie ACE-UVEK-COOKIE GEVER-UVEK-PR-COOKIE
  cookie insert browser-expire
  serverfarm GEVER-UVEK-PR-FARM
action-list type modify http HTTP2HTTPS_REWRITE
  ssl url rewrite location "this\..*"
ssl-proxy service SSL-GEVER-UVEK-FRONTEND
  key gever.key
  cert gever.crt
  ssl advanced-options SSL_CIPHERS
class-map match-all VIP-GEVER-UVEK-PR
  2 match virtual-address a.b.c.67 tcp eq https
policy-map type loadbalance http first-match GEVER-UVEK-PR-HTTP-POLICY
  class ANY-CONTENT
    sticky-serverfarm GEVER-UVEK-PR-COOKIE
    action HTTP2HTTPS_REWRITE
policy-map multi-match CLIENT-VIPs
  class VIP-GEVER-UVEK-PR
    loadbalance vip inservice
    loadbalance policy GEVER-UVEK-PR-HTTP-POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1583
    appl-parameter generic advanced-options GEVER-UVEK-SSLID-PARAMETER
    ssl-proxy server SSL-GEVER-UVEK-FRONTEND
interface vlan 1583
  description VLAN EVD-Prod (inside Produktion neues Segment)
  ip address 10.135.14.11 255.255.254.0
  alias 10.135.14.10 255.255.254.0
  peer ip address 10.135.14.12 255.255.254.0
  access-group input EVERYONE
  nat-pool 1 10.135.15.240 10.135.15.240 netmask 255.255.255.255 pat
  service-policy input REMOTE-MGMT
  no shutdown
interface vlan 1584
  description VLAN EVD-LB (outside)
  ip address a.b.c.74 255.255.255.0
  alias a.b.c.73 255.255.255.0
  peer ip address a.b.c.75 255.255.255.0
  access-group input EVERYONE
  service-policy input CLIENT-VIPs
  no shutdown
ip route 0.0.0.0 0.0.0.0 a.b.c.1
-
Ace fail over / synchronization question
Hey all,
I have a customer who has an ACE HA pair; the primary ACE is shut down, and they've been making changes to the standby ACE, which has been working OK.
They want to bring up the primary ACE again, but I just want to confirm the process so I don't overwrite the configuration of the current standby ACE when the primary ACE is brought back online.
I don't have any experience with these boxes yet, but I was thinking about turning preemption off and increasing the standby priority to make it the primary?
Thoughts?
Many thanks.
Sent from Cisco Technical Support iPad App
Hi,
If you want to sync the config then you don't have to use the following commands:
no ft auto-sync running-config
no ft auto-sync startup-config
Start as follows:
(1) Configure an FT VLAN interface & FT PEER on the "new replacement ACE".
Configure all FT groups BUT DO NOT configure them "inservice".
Make sure you have IP connectivity OVER the FT VLAN to the "currently ACTIVE ACE".
Make sure there is a TCP connection set up OVER the FT VLAN (show conn should provide you that information).
(2) Please make sure "preemption" is NOT enabled for the FT group. If enabled please do remove it and re-add after the module is successfully replaced.
Example:
ft group 1
  peer 1
  no preempt <=====================
  peer priority 150
  associate-context test
(3) Once you have IP connectivity over the FT VLAN to the "primary ACE", now mark the FT GROUP "inservice".
Example:
ft group 1
  peer 1
  no preempt
  peer priority 150
  associate-context test
  inservice <===============================
(4) At this time I expect the “auto-sync” to “sync” configs between “currently ACTIVE ACE” & “new standby ACE”.
show ft group detail
show ft peer detail
These “show commands” should help you with verifying the state of FT configuration.
(5) Repeat the above procedure for all contexts one by one (bring the Admin context FT "inservice" at the end).
In case you are using SSL offloading in any context, refer to the following thread:
https://supportforums.cisco.com/thread/2156101?tstart=0&viewcondensed
Hope that helps.
regards,
Ajay Kumar -
Bug in oracle.security.jazn.spi.LoginConfigProvider?
I recently wrote my own LoginModule to handle X.509 cert authentication. I instantiate a LoginContext (and pass a Subject or CallbackHandler etc.) and call login(). The issue is that only one instance of the LoginModule is ever instantiated; therefore it always authenticates the original Subject that was passed in.
Through logging, I have verified that the LoginModule's constructor and initialize() method are called only once.
I checked sun's java forum for information and found the following:
http://forum.java.sun.com/thread.jsp?forum=60&thread=209219&start=0&range=15#1417789
That thread indicates that the issue is with the Configuration subclass (in this case, Oracle's LoginConfigProvider). I was able to verify this - I wrote my own Configuration subclass, pointed to in the java.security file, and my code works properly now. A new LoginModule is instantiated each time.
Does anyone have any additional information/comments on this? Is it something that I am doing incorrectly? If this is indeed a bug, is it fixed in newer versions of the app server? I don't suppose Oracle is interested in posting their code for LoginConfigProvider so that I can make the necessary change and maintain the rest of the functionality?
ah, yes. the 1k limit again. fantastic...
code (note: this is hardcoded and terribly unpolished...but it works...):
import javax.security.auth.login.Configuration;
import javax.security.auth.login.AppConfigurationEntry;
import java.util.ArrayList;
import java.util.StringTokenizer;
import java.util.HashMap;
import java.util.Map;

public class CITestAuthenticationConfiguration extends Configuration {
    private static ArrayList appConfigurationList = new ArrayList();

    public CITestAuthenticationConfiguration() {}

    // Return a fresh entry on every call so the LoginContext constructs a new
    // LoginModule instance for each login (the behaviour LoginConfigProvider
    // is missing in this report).
    public AppConfigurationEntry[] getAppConfigurationEntry(String applicationName) {
        Map map = new HashMap();
        AppConfigurationEntry ace = new AppConfigurationEntry(
            "CITestLoginModule",
            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
            map);
        AppConfigurationEntry[] aceArray = new AppConfigurationEntry[1];
        aceArray[0] = ace;
        return aceArray;
    }

    public void refresh() {
        // Right now this is a load once scheme and we will not implement the
        // refresh method
    }

    public static boolean addAppConfigurationEntry(String flag, String module, String options) {
        // Body removed for brevity in the original post (the forum truncated it at ~1 kB)
        return false;
    }
}
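As an added example (not the poster's code and not Oracle's LoginConfigProvider), the following self-contained program shows the behaviour the poster expects from a correct JAAS Configuration: a module whose constructor counts instances, a Configuration that returns an entry on every lookup, and two logins with different names. All class names, the application name "demo" and the toy name-only authentication are assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Shows that a Configuration which hands back an AppConfigurationEntry on
 * every call makes LoginContext build a fresh LoginModule per login, so each
 * Subject is authenticated on its own. Names here are made up for the demo.
 */
public class PerLoginModuleDemo {
    /** How many module instances LoginContext has constructed so far. */
    static final AtomicInteger INSTANCES = new AtomicInteger();

    /** Minimal principal carrying just a name. */
    public static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    /** Toy module: trusts the name the CallbackHandler supplies. The
     *  constructor counts instances, as the poster did with logging. */
    public static class CountingLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String name;
        public CountingLoginModule() { INSTANCES.incrementAndGet(); }
        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("name: ");
            try {
                handler.handle(new Callback[] { nc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            name = nc.getName();
            if (name == null || name.isEmpty()) throw new LoginException("no name supplied");
            return true;
        }
        @Override public boolean commit() {
            subject.getPrincipals().add(new NamePrincipal(name));
            return true;
        }
        @Override public boolean abort() { name = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Programmatic Configuration: a new REQUIRED entry on every lookup. */
    public static class PerLoginConfiguration extends Configuration {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    CountingLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    new HashMap<String, Object>())
            };
        }
        @Override public void refresh() { }
    }

    /** CallbackHandler that answers a NameCallback with a fixed name. */
    static CallbackHandler nameHandler(String name) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Runs one login for the given name against a fresh Subject. */
    static Subject login(String name) throws LoginException {
        Subject subject = new Subject();
        LoginContext ctx = new LoginContext("demo", subject, nameHandler(name),
                                            new PerLoginConfiguration());
        ctx.login();
        return subject;
    }

    public static void main(String[] args) throws LoginException {
        Subject alice = login("alice");
        Subject bob = login("bob");
        // Two logins give two module instances and each Subject holds only its
        // own principal; a Configuration that recycled the module would show a
        // single instance and the first name on both Subjects.
        System.out.println("module instances: " + INSTANCES.get());
        System.out.println("alice principals: " + alice.getPrincipals());
        System.out.println("bob principals:   " + bob.getPrincipals());
    }
}
```

Passing the Configuration straight into the LoginContext constructor sidesteps the java.security lookup entirely, which is a convenient way to confirm whether the symptom is in your module or in the container's Configuration provider before touching the global file.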
Bug in Oracle XSchema Processor for Java v1 (recently released)
Running the sample file is giving the following error. Is this a bug?
Thanks
Exception in thread "main" java.lang.NoSuchMethodError
at oracle.xml.parser.schema.XSDBuilder.initParser(XSDBuilder.java:260)
at oracle.xml.parser.schema.XSDBuilder.build(XSDBuilder.java:179)
at XSDSetSchema.main(XSDSetSchema.java:24)
Load Balance https based on url
I am trying to configure ACE 4710 to load balance based on the URL. If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456, else the traffic will be sent to server farm 123.
I attached an image of the topology.
Ace Config:
rserver host SRV01_123
ip address 192.168.1.101
inservice
rserver host SRV02_123
ip address 192.168.1.102
inservice
rserver host SRV01_456
ip address 192.168.1.111
inservice
serverfarm host farm_123
rserver SRV01_123
inservice
rserver SRV02_123
inservice
serverfarm host farm_456
rserver SRV01_456
inservice
class-map match-all VIP_Application
2 match virtual-address 192.168.1.10 tcp eq https
class-map type http loadbalance match-all L7_server_456
2 match http url /456/
policy-map type loadbalance http first-match LB_Application
class L7_server_456
serverfarm farm_456
class class-default
serverfarm farm_123
policy-map multi-match ServerGroup1_PM
class VIP_Application
loadbalance vip inservice
loadbalance policy LB_Application
loadbalance vip icmp-reply
interface vlan 70
bridge-group 1
no shutdown
interface vlan 700
bridge-group 1
service-policy input ServerGroup1_PM
no shutdown
Thanks
Hi John,
If you want to do the offload in the ACE also called SSL termination, it is a two step process:
1- You need to upload your certificate and key to the ACE using FTP or one of the available methods.
2- Create the SSL proxy service where you add these two files and finally add this service under the policy-multimatch for the VIP in question.
You also need to decide whether you want to keep your server listening on the encrypted port (that would be a two way encryption process called End-to-End SSL) or you can change the port to 80 and leave all the decryption process to the ACE (this would be transparent to the client, the site will show up as HTTPS all the time).
Here you can take a look at the SSL termination process (using clear text port in the backend servers).
Official Configuration Example
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html
Cisco Wiki Example
http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example
HTH
Pablo
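The two steps Pablo describes, applied to the VIP and serverfarms from John's config, as an added example (not from either post): the key and certificate file names site.key and site.crt are assumed and must already have been imported into the context, the lines starting with ! are annotations, not CLI input, and the back-end servers are assumed to have been switched to clear-text port 80 as in the "leave the decryption to the ACE" variant.

```text
! Step 2: SSL proxy service referencing the files uploaded in step 1.
ssl-proxy service SSL_TERM
  key site.key
  cert site.crt

! Servers now listen on 80, so the serverfarm entries translate the VIP's
! 443 to 80 on the way to the real servers.
serverfarm host farm_123
  rserver SRV01_123 80
    inservice
  rserver SRV02_123 80
    inservice

serverfarm host farm_456
  rserver SRV01_456 80
    inservice

! Terminate TLS on the VIP; the L7 policy then sees the decrypted request,
! which is the only way "match http url /456/" can ever match.
policy-map multi-match ServerGroup1_PM
  class VIP_Application
    loadbalance vip inservice
    loadbalance policy LB_Application
    loadbalance vip icmp-reply
    ssl-proxy server SSL_TERM
```

Without the `ssl-proxy server` line the class-map L7_server_456 is inspecting ciphertext and every connection falls through to class-default and farm_123, which matches the symptom in the question. Keep in mind that in this variant the ACE-to-server leg is plaintext, so the server VLAN should be one you trust.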