ACE new rserver

Similar Messages

• Cisco ACE can rserver use it's own VIP address ?

  we've configured a serverfarm with a real server and a VIP.
  The serverfarm can be reached and is functioning well.
  Now we want the rserver to be able to reach it's own VIP address.
  This is needed because the rserver has multiple websites which need each other
  and we want to have load balancing.
  Is this a supported configuration ?
  regards,
  Sebastian

  you can simply add a new policy to match the servers ip addresses and then configure nat.
  ie:
  class-map match-all servers
  2 match source-address 192.168.30.48 255.255.255.255
  policy-map multi-match client-nat
  class servers
  nat dynamic 1 vlan 30
  interface vlan 20
  ip address 192.168.20.121 255.255.255.0
  alias 192.168.20.124 255.255.255.0
  peer ip address 192.168.20.123 255.255.255.0
  no normalization
  mac-sticky enable
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  service-policy input client-nat
  service-policy input SLB1
  no shutdown
  interface vlan 30
  bridge-group 30
  no normalization
  mac-sticky enable
  access-group input PERMIT-ANY
  nat-pool 1 10.10.20.1 10.10.20.100 netmask 255.255.255.0
  In this case I nat the to an address in 10.10.20.0/24 subnet and I have a static route on the servers pointing this subnet to ACE.
  You could also use a free ip from the same server subnet and no static route would be required.
  Also if ACE is already the default gateway for the servers, no specific static route is required.
  Also, in this example, I'm not really nating a server. But the idea is the same. The only difference is that in your case, the outgoing interface will be the same as the incoming interface. Me I have everything in vlan 20 and vlan 30. You will have everything in vlan X and only vlan X.
  Gilles.

• How the ACE handles rserver failures

  Hello
  I've got a question re: the ACE module.
  Lets say I have 2 web rservers and I have a probe interval for checking them from the ACE of 10 seconds.
  Lets say a probe just passed and it is 10 seconds before the next one. The ACE will think the rserver is ok. Then say the rserver httpd service is stopped at 3 seconds after the last successful probe, therefore leaving 7 seconds before the ACE is going to send another probe. The ACE will think it is still 'up' before the next probe is sent.
  Given the above, what happens to a) existing connections to the newly failed rserver and b) new connections if the failure occurs between probes?
  How does the ACE handle this situation?
  Are there any differences between how the ACE handles this between A1 and A2 versions of software?
  Thanks
  Cameron

  URL rewrite only comes into play when REAL Server (Rserver )sends a clear text redirect. Such as 302 for http://investor.nice360.com. If client recieves this 302 it will attempt the next request using HTTP.With Url rewrite feature we configure ACE to change these redirects from Http tp HTTPS.
  What you are looking for is a simple redirection of client request from port 80 to port 443. This can be achieved using redirect server farm and redirect rserver.
  You will need to create two sets of configs (class-maps, rserver, sfarm,policy map) for port 80 & port 443 traffic. Port 80 policy will simply redirect the port 80 request to port 443.
  Following example will give you some idea
  rserver redirect HTTP2HTTPS
  webhost-redirection https://%h%p 301
  inservice
  serverfarm redirect HTTP2HTTP-SF
  rserver HTTP2HTTPS
  inservice
  class-map match-all WEB-HTTP
  2 match virtual-address 172.25.250.245 tcp eq http
  class-map match-all WEB-HTTPS
  2 match virtual-address 172.25.250.245 tcp eq 443
  policy-map type loadbalance first-match HTTP2HTTPS-POLICY
  class class-default
  serverfarm HTTP2HTTPS-SF
  policy-map type loadbalance first-match L7-POLICY
  class class-default
  sticky-serverfarm STICKY_IP
  policy-map multi-match L4-POLICY
  class WEB-HTTP
  loadbalance vip inservice
  loadbalance policy HTTP2HTTPS-POLICY
  loadbalance vip icmp-reply
  class WEB-HTTPS
  loadbalance vip inservice
  loadbalance policy L7-POLICY
  loadbalance vip icmp-reply
  ssl-proxy server INVESTOR-CLIENT
  Syed

• ACE: new stiky cookie inserted for different URL?

  I have sticky cookies set (cookie insert) and http persistence rebalance on. The virtual server is made of a group of three real http servers.
  The DNS name of the virtual server is for example "vhost.domain.com".
  If I browse (from the internal network) to "http://vhost/" my session is stuck to a real server using cookie stickiness. My question is, when I click a link which is fully qualified e.g. "http://vhost.domain.com/newpage.html" is a stickiness maintained or as the http header has changed is it seen as a new session and potentially sending me to a different real server?

  ACE doesn't care about the url.
  It will simply look for the presence of the cookie.
  If the cookie is there, you will stick to the same rserver.
  If not, this is considered a new connection and the request is loadbalanced.
  So, it all depends if your browser consider that vhost and vhost.domain.com are the same because the cookie is associated to a domain.
  Normally it should consider them the same.
  Gilles.

• ACE logging - rserver and probes

  on CSS I get an info if a server fails the keepalive and get in state "down, up or suspended". This is logged in the traplog file on the CSS.
  Is there any possibility on an ACE to have logs for rserver state changes like "PROBE-FAILED, OPERATIONAL and OUT-OF-SERVICE"
  thx in advance

  Hi Gilles,
  1. looks fine, but I miss the rserver Name in the log. it only appears the ip address of the server.
  So it looks like that the "ip address log" is implemented :-(
  b-sllb2001-09/db_bku-nK2# show rserver sthon
  rserver : sthon, type: HOST
  state : PROBE-FAILED
  ----------connections-----------
  real weight state current total
  ---+---------------------+------+------------+----------+--------------------
  serverfarm: test.db.de
  172.24.100.98:0 8 PROBE-FAILED 0 0
  b-sllb2001-09/db_bku-nK2# show logging | i ACE-3
  Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
  Jun 25 2008 09:20:23 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
  Jun 25 2008 09:20:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
  Jun 25 2008 09:21:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
  2. I can find nothing in the log when the probe gets "operational" or "out-of-service state".
  Is thos correct ?
  b-sllb2001-09/db_bku-nK2# show rserver sthon
  rserver : sthon, type: HOST
  state : OPERATIONAL
  ----------connections-----------
  real weight state current total
  ---+---------------------+------+------------+----------+--------------------
  serverfarm: test.db.de
  172.24.100.98:0 8 OPERATIONAL 0 0

• Ask the Expert: Configuration and Troubleshooting the Cisco Application Control Engine (ACE) load balancer

  With Ajay Kumar and Telmo Pereira 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco expert Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module: Helps ensure business continuity by increasing application availability Improves business productivity by accelerating application and server performance Reduces data center power, space, and cooling needs through a virtualized architecture Helps lower operational costs associated with application provisioning and scaling
  Ajay Kumar  is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications. 
  Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP
  Remember to use the rating system to let Ajay know if you have received an adequate response.
  Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
  This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hello Krzysztof,
  Another set of good/interesting questions posted. Thanks! 
  I will try to clarify your doubts.
  In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
  ACE/Context# show resource usage
                                                       Allocation
          Resource         Current       Peak        Min        Max       Denied
  -- outputs omitted for brevity --
    proxy-connections             0      16358      16358      16358      17872
    ssl-connections rate          0        626        626        626      23204
  Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
  On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
  So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
  ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource. 
  For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
  If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
  This might sound a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, specially if you have business critical contexts.
  We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
  1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE  should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
  To give more context, seeing resets with SSL connections is not necessarily synonym of drops. As it is usual to see them during normal transactions.
  For instance Microsoft servers are usually ungracefully terminating SSL connections with RESET. Also when there is renegotiation during an SSL transaction you may see RESETS, but this will pass unnoticed for end users. 
  2)  ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Exisiting connections will continue there.
  As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
  To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
  As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
  3)  If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
  The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
  I hope this makes things clearer! Uff...
  Regards,
  Telmo

• Transparent ACE Design

  Hi,
  I am designing a data centre with VSS, FWSM & ACE. I am using the design guide below as a start point, using the red service chain.
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html
  my topology will be routed access with transparent contexts, so;
  client -> MSFC -> Trans FWSM -> Trans ACE -> VRF - > Rservers subnets A & B.
  I will be using RHI to advertise the VIPs to the MSFC. The VRF and MSFC will use OSPF to propagate reach-ability.
  my questions are:
  1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?
  2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?
  3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?
  4) likewise for LB traffic that hits the VIP, how is it forwarded?
  5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, eg is this a supported config?
  Thanks in advance!
  Lee.

  Hi Lee,
  Let me reply you in line:
  1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?
  Yes, you can use any subnet, of course you must have a route to reach the rservers.
  2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?
  It will be either the alias IP defined in the interface VLAN of the ACE if it exists, or its IP address if no alias is available.
  3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?
  either static routes or a gateway.
  4) likewise for LB traffic that hits the VIP, how is it forwarded?
  normally it uses the client IP as source and the destination IP of the rserver if you are not natting. Not sure if this answers your question.
  5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, eg is this a supported config?
  yes it is.
  Hope this helps,
  /dom

• Ace module dropping assymetric layer 2 connections

  Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server.  The server in question was using Transmit Load Balancing with Fault Tolerance.
  The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
  I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1.  The ace module is in transparent mode.  When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port.  Does it share some kind of layer 2 RPF check with the 6500 ?
  Please note there is no routing involved here.  The destination server is just on another vlan on the same subnet, on the other side of the ace.

  Bryan,
  As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.
  In your first example the flow will look like this.
  client > VIP after the ACE  client > rserver
  the reply would be
  rserver > client after the ACE VIP > rserver
  In your second example using client nat it will look like this
  Client > VIP   After ACE  Natpool > rserver.
  the reply would be
  rserver > Nat-pool  after ACE VIP > client.
  The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
  Regards
  Jim

• Connections through ACE module

  when a client makes a connection to a vip which is in the client side vlan, and the ace sends the load balanced request to the rserver, and the rserver replies  - does the rserver always get nat'd to the vip in the reply - if no nat is configured? Because if teh client sends a syn to the vip and receives a syn,ack from a different ip, it'll just send a reset correct?
  how about in this example using nat~? Does teh rserver's reply get patted to 172.19.192.26, then get nated again to the vip? Or do they go straight to the client?
  vlan 195 is teh client side
  vlan 719 is the server side
  access-list acl_NAT_VIP line 40 extended permit ip 172.19.254.0 255.255.254.0 172.19.192.0 255.255.252.0
  class-map match-any NAT_CLASS_VIP
    2 match access-list acl_NAT_VIP
  policy-map multi-match NAT_POLICY
    class NAT_CLASS_VIP
      nat dynamic 5 vlan 719
  interface vlan 195
    ip address 172.19.192.19 255.255.252.0
    alias 172.19.192.18 255.255.252.0
    peer ip address 172.19.192.20 255.255.252.0
    access-group input allowall
    access-group output allowall
    nat-pool 2 172.19.195.37 172.19.195.37 netmask 255.255.255.255 pat
    nat-pool 3 172.19.195.39 172.19.195.39 netmask 255.255.255.255 pat
    nat-pool 4 172.19.195.40 172.19.195.40 netmask 255.255.255.255 pat
    nat-pool 1 172.19.195.46 172.19.195.46 netmask 255.255.255.255 pat
    nat-pool 6 172.19.195.36 172.19.195.36 netmask 255.255.255.255 pat
    service-policy input LB_POLICY
    no shutdown
  interface vlan 719
    ip address 10.1.9.66 255.255.255.240
    alias 10.1.9.65 255.255.255.240
    peer ip address 10.1.9.67 255.255.255.240
    access-group input allowall
    access-group output allowall
    nat-pool 5 172.19.192.26 172.19.192.26 netmask 255.255.255.255 pat
    service-policy input LB_POLICY
    service-policy input NAT_POLICY
    no shutdown

  Bryan,
  As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.
  In your first example the flow will look like this.
  client > VIP after the ACE  client > rserver
  the reply would be
  rserver > client after the ACE VIP > rserver
  In your second example using client nat it will look like this
  Client > VIP   After ACE  Natpool > rserver.
  the reply would be
  rserver > Nat-pool  after ACE VIP > client.
  The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
  Regards
  Jim

• New folder and modify access rights

  I have played around with a script.
  My script looks like this:
  #Variables
  $GroupNameTIA="F_KSMCommon-common-ScanTIA_m"
  $Directory = Read-Host "Folder name: "
  $DirectoryPath = "z:\$Directory"
      #Mount directory
      Net use Z: \\stg-w75\ksmcommon\common\ScanTIA
      #Create new folder
      New-Item -Type directory -path $DirectoryPath
      takeown.exe /F $DirectoryPath
      #Read and modify ACL
      $ACL = Get-Acl $DirectoryPath
      $ACL.SetAccessRuleProtection($True, $True)
      Set-Acl
  $DirectoryPath $ACL
      $user_Account = $GroupNameTIA
      $Acl = (Get-Item $DirectoryPath).GetAccessControl(“Access”)
      $Ar = New-Object system.Security.AccessControl.FileSystemAccessRule($user_account,
  “FullControl”, “ContainerInherit, ObjectInherit”, “None”, “Allow”)
      $Acl.Setaccessrule($Ar)
      Set-Acl
  $DirectoryPath $Acl
      $Ace = New-Object System.Security.AccessControl.FileSystemAccessRule (
      $GroupNameTIA,
  "Delete", 
          [System.Security.AccessControl.InheritanceFlags]::None, 
          [System.Security.AccessControl.PropagationFlags]::None, 
          [System.Security.AccessControl.AccessControlType]::Allow
      $SD = Get-Acl $DirectoryPath
      $SD.RemoveAccessRule($Ace)
      (Get-Item
  $DirectoryPath).SetAccessControl($SD) 
      #delete mounted directory
      net use /d z:
  If I run this script I got an error:
  Set-Acl : Attempted to perform an unauthorized operation.
  At C:\PSScripts\NeuerScanOrdner.ps1:187 char:12
  +     Set-Acl <<<<  $DirectoryPath $ACL
      + CategoryInfo          : PermissionDenied: (Z:\tia-test5:String)
  [Set-Acl], UnauthorizedAccessException
      + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
  Set-Acl : Attempted to perform an unauthorized operation.
  At C:\PSScripts\NeuerScanOrdner.ps1:193 char:12
  +     Set-Acl <<<<  $DirectoryPath $Acl
      + CategoryInfo          : PermissionDenied: (Z:\tia-test5:String)
  [Set-Acl], UnauthorizedAccessException
      + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
  It makes no difference whether I let
  the script run with an administator
  account or "run as administrator".
  Although I am the owner of the folder, I get this
  error message.
  I do not know why this happend. Whats wrong?

  Set-Acl is a flawed cmdlet. It often tries to call the API to write the security descriptor with the flags to change the owner and SACL, both of which require privilege activation (doesn't matter if your account has the privileges, they need to be enabled,
  too). There are a few bugs about this on the Connect site.
  I get a more descriptive error than you did when I try to run your script, but maybe those differences are due to different PowerShell versions. Anyway, I almost never use Set-Acl, and instead use the .SetAccessControl() method of the file object (which
  you already did at least once in your script).
  The following worked for me, so let me know if it doesn't work for you (make sure you put back in the part where the $DirectoryPath and $GroupNameTIA variables are defined):
  $ACL = Get-Acl $DirectoryPath
  $ACL.SetAccessRuleProtection($True, $True)
  # Apply rule protection and get the SD again:
  (Get-Item $DirectoryPath).SetAccessControl($ACL)
  $ACL = Get-Acl $DirectoryPath
  # Give group full control:
  $Ar = New-Object system.Security.AccessControl.FileSystemAccessRule (
  $GroupNameTIA,
  "FullControl",
  "ContainerInherit, ObjectInherit",
  "None",
  "Allow"
  $ACL.SetAccessRule($Ar)
  # Now remove delete rights from folder
  $Ace = New-Object System.Security.AccessControl.FileSystemAccessRule (
  $GroupNameTIA,
  "Delete",
  [System.Security.AccessControl.InheritanceFlags]::None,
  [System.Security.AccessControl.PropagationFlags]::None,
  [System.Security.AccessControl.AccessControlType]::Allow
  $null = $ACL.RemoveAccessRule($Ace)
  # Apply the changes:
  (Get-Item $DirectoryPath).SetAccessControl($ACL)
  The
  PowerShellAccessControl module has a function called Set-SecurityDescriptor that works like Set-Acl, except it won't try to set the owner or SACL unless needed.

• ACE server response issue

  Hi all,
  I have a issue with a ACE configuration which terminate https traffic and load balance the client request to the real servers.
  All working fine, with one exception. If the client requests for the URL "https://www.myservice.com/content/" the connection working perfect.
  If the request are "https://www.myservice.com/content" (missing slash on the end), the real servers sending a redirect back to the client.
  The redirect is "http://www.myservice.com/content/".
  How can I absorb the request to get not http but https.
  Any suggestions are welcome.
  Regards,
  Rene

  Hi Kanwal,
  I have tried your solution today without any success.
  The configuration are simple, but the result are always the same.
  client browser---------https--------ACE-------http---------rserver
  If the client use the URL: https://this.is.a.request.com/dir/
  All will working fine. But if the user us the URL: https://this.is.a.request.com/dir <-- missing slash
  The server response back to the client are: http://this.is.a.request.com/dir/ <-- respond via http not https
  But the ACE are not configured to response to http.
  I used also your recommendation, but without any success.
  I have tried the function with “ssl url rewrite” but this solution did not work.
  My I am absolutely wrong with my way, but you will find the configuration below, which I have configured. Probably you have a solution for me.
  Regards,
  Rene
  probe http PROBE-GENERIC-HTTP
    description HTTP Probe for GEVER-UVEK-PR Servers
    port 80
    interval 20
    faildetect 2
    passdetect interval 25
    passdetect count 2
    receive 3
    request method get url /iisstart.htm
    expect status 200 200
  rserver host SERVER-1
    description uvek-s6201-235 (GEVER-UVEK-PR)
    ip address 10.135.13.235
    inservice
  rserver host SERVER-2
    description uvek-s6201-28 (GEVER-UVEK-PR)
    ip address 10.135.14.28
    inservice
  rserver host SERVER-3
    description uvek-s6202-116 (GEVER-UVEK-PR)
    ip address 10.135.13.116
    inservice
  serverfarm host GEVER-UVEK-PR-FARM
    predictor leastconns
    probe PROBE-GENERIC-HTTP
    rserver SERVER-1 80
      inservice
    rserver SERVER-2 80
      inservice
    rserver SERVER-3 80
  parameter-map type generic GEVER-UVEK-SSLID-PARAMETER
    set max-parse-length 70
  parameter-map type ssl SSL_CIPHERS
    cipher RSA_WITH_RC4_128_MD5
    cipher RSA_WITH_RC4_128_SHA
    cipher RSA_WITH_DES_CBC_SHA
    cipher RSA_WITH_AES_128_CBC_SHA
    cipher RSA_WITH_AES_256_CBC_SHA
  sticky http-cookie ACE-UVEK-COOKIE GEVER-UVEK-PR-COOKIE
    cookie insert browser-expire
    serverfarm GEVER-UVEK-PR-FARM
  action-list type modify http HTTP2HTTPS_REWRITE
    ssl url rewrite location "this\..*"
  ssl-proxy service SSL-GEVER-UVEK-FRONTEND
    key gever.key
    cert gever.crt
    ssl advanced-options SSL_CIPHERS
  class-map match-all VIP-GEVER-UVEK-PR
    2 match virtual-address a.b.c.67 tcp eq https
  policy-map type loadbalance http first-match GEVER-UVEK-PR-HTTP-POLICY
    class ANY-CONTENT
      sticky-serverfarm GEVER-UVEK-PR-COOKIE
      action HTTP2HTTPS_REWRITE
  policy-map multi-match CLIENT-VIPs
    class VIP-GEVER-UVEK-PR
      loadbalance vip inservice
      loadbalance policy GEVER-UVEK-PR-HTTP-POLICY
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 1583
      appl-parameter generic advanced-options GEVER-UVEK-SSLID-PARAMETER
      ssl-proxy server SSL-GEVER-UVEK-FRONTEND
  interface vlan 1583
    description VLAN EVD-Prod (inside Produktion neues Segment)
    ip address 10.135.14.11 255.255.254.0
    alias 10.135.14.10 255.255.254.0
    peer ip address 10.135.14.12 255.255.254.0
    access-group input EVERYONE
    nat-pool 1 10.135.15.240 10.135.15.240 netmask 255.255.255.255 pat
    service-policy input REMOTE-MGMT
    no shutdown
  interface vlan 1584
    description VLAN EVD-LB (outside)
    ip address a.b.c.74 255.255.255.0
    alias a.b.c.73 255.255.255.0
    peer ip address a.b.c.75 255.255.255.0
    access-group input EVERYONE
    service-policy input CLIENT-VIPs
    no shutdown
  ip route 0.0.0.0 0.0.0.0 a.b.c.1

• Ace fail over / synchronization question

  Hey all,
  I have a customer who has a ace HA pair, the primary ace is shut down, and they've been making changes to the standby ace which has been working ok.
  They want to bring up the primary ace again, but I just want to confirm the process so I don't overwrite the configuration of the current standby ace when the primary ace is brought back online.
  I don't have any experience with these boxes yet. But I was thinking about turning preemption off and increases the standby priority to make it the primary?
  Thoughts?
  Many thanks.
  Sent from Cisco Technical Support iPad App

  Hi,
  If you want to sync the config then you dont have to use the following command.
  no ft auto-sync running-config
  no ft auto-sync startup-config
  Start as follows:
  (1) Configure a FT VLAN interface & FT PEER on “new replacement ACE”.
  Configure all FT groups BUT DO NOT “configure them “inservice”.      
  Make sure you have IP connectivity OVER FT VLAN to “currently ACTIVE ACE”.
  Make sure there is a TCP connection setup OVER FT VLAN (show conn should provide you that information).
  (2)  Please make sure “preemption” is NOT enabled for the FT group.  If  enabled please do remove it and re-add after the module is  successfully  replaced.
  Example:
  Example:
                 ft group 1
                                      peer 1
                                      no preempt  <=====================
                                      peer priority 150
                                      associate-context test
  (3)  Once you have IP connectivity over FT VLAN to “primary ACE”, now mark the FT GROUP “inservice”.
  Example:
                 ft group 1
                                      peer 1
                                      no preempt
                                      peer priority 150
                                      associate-context test
                            inservice <===============================
  (4)   At this time I expect the “auto-sync” to “sync” configs between “currently ACTIVE ACE” & “new standby ACE”.
  show ft group detail
  show ft peer detail
  These “show commands” should help you with verifying the state of FT configuration.
  (5) Repeat the above procedure for all context one by one ( Bring Admin context FT "inservice" at the end )
  In case if you have are using SSL offloading in any context refer the following thread:
  https://supportforums.cisco.com/thread/2156101?tstart=0&viewcondensed
  Hope that helps.
  regards,
  Ajay Kumar

• Bug in oracle.security.jazn.spi.LoginConfigProvider?

  I recently wrote my own LoginModule to handle x509 cert authentication. I instantiate a LoginContext (and pass Subject or CallbackHandler etc) and call login(). This issue is that only one instance of the LoginModule is ever instantiated - therefore it always authenticates the original subject that was passed in.
  Through logging, I have verified that the LoginModule's constructor and initialize() method are called only once.
  I checked sun's java forum for information and found the following:
  http://forum.java.sun.com/thread.jsp?forum=60&thread=209219&start=0&range=15#1417789
  That thread indicates that the issue is with the Configuration subclass (in this case, Oracle's LoginConfigProvider). I was able to verify this - I wrote my own Configuration subclass, pointed to in (in the java.security file) and my code works properly now. A new LoginModule is instantiated each time.
  Does anyone have any additional information/comments on this? Is it something that I am doing incorrectly? If this is indeed a bug, is it fixed in newer versions of the app server? I don't suppose Oracle is interested in posting their code for LoginConfigProvider so that I can make the necessary change maintain the rest of the functionality?
  no[i]Long postings are being truncated to ~1 kB at this time.

  ah, yes. the 1k limit again. fantastic...
  code (note: this is hardcoded and terribly unpolished...but it works...):
  import javax.security.auth.login.Configuration;
  import javax.security.auth.login.AppConfigurationEntry;
  import java.util.ArrayList;
  import java.util.StringTokenizer;
  import java.util.HashMap;
  import java.util.Map;
  public class CITestAuthenticationConfiguration extends Configuration { 
  private static ArrayList appConfigurationList = new ArrayList();
  public CITestAuthenticationConfiguration(){}
  public AppConfigurationEntry[] getAppConfigurationEntry(String applicationName){
  Map map = new HashMap();
  AppConfigurationEntry ace = new AppConfigurationEntry(
  "CITestLoginModule",
  AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
  map
  AppConfigurationEntry[] aceArray = new AppConfigurationEntry[1];
  aceArray[0] = ace;
  return aceArray;
  public void refresh()
  // Right now this is a load once scheme and we will not implement the
  // refresh method
  public static boolean addAppConfigurationEntry ( String flag, String module, String options )
  // REMOVED FOR BREV[i]Long postings are being truncated to ~1 kB at this time.

• Bug in Oracle XSchema Processor for Java v1 (recently released)

  Running the sample file is giving the following error. Is this a bug
  Thanks
  Exception in thread "main" java.lang.NoSuchMethodError
  at oracle.xml.parser.schema.XSDBuilder.initParser(XSDBuilder.java:260)
  at oracle.xml.parser.schema.XSDBuilder.build(XSDBuilder.java:179)
  at XSDSetSchema.main(XSDSetSchema.java:24)
  null

  ah, yes. the 1k limit again. fantastic...
  code (note: this is hardcoded and terribly unpolished...but it works...):
  import javax.security.auth.login.Configuration;
  import javax.security.auth.login.AppConfigurationEntry;
  import java.util.ArrayList;
  import java.util.StringTokenizer;
  import java.util.HashMap;
  import java.util.Map;
  public class CITestAuthenticationConfiguration extends Configuration { 
  private static ArrayList appConfigurationList = new ArrayList();
  public CITestAuthenticationConfiguration(){}
  public AppConfigurationEntry[] getAppConfigurationEntry(String applicationName){
  Map map = new HashMap();
  AppConfigurationEntry ace = new AppConfigurationEntry(
  "CITestLoginModule",
  AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
  map
  AppConfigurationEntry[] aceArray = new AppConfigurationEntry[1];
  aceArray[0] = ace;
  return aceArray;
  public void refresh()
  // Right now this is a load once scheme and we will not implement the
  // refresh method
  public static boolean addAppConfigurationEntry ( String flag, String module, String options )
  // REMOVED FOR BREV[i]Long postings are being truncated to ~1 kB at this time.

• Load Balance https based on url

  I am trying to configure ACE 4710 to load balance base on the URL, If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456 else the traffic will be sent to server farm 123.
  I attached an image of the topology.
  Ace Config:
  rserver host SRV01_123
    ip address 192.168.1.101
    inservice
  rserver host SRV02_123
    ip address 192.168.1.102
    inservice
  rserver host SRV01_456
    ip address 192.168.1.111
    inservice
  serverfarm host farm_123
    rserver SRV01_123
      inservice
    rserver SRV02_123
      inservice
  serverfarm host farm_456
    rserver SRV01_456
      inservice
  class-map match-all VIP_Application
    2 match virtual-address 192.168.1.10 tcp eq https
  class-map type http loadbalance match-all L7_server_456
    2 match http url /456/
  policy-map type loadbalance http first-match LB_Application
    class L7_server_456
      serverfarm farm_456
    class class-default
      serverfarm farm_123
  policy-map multi-match ServerGroup1_PM
    class VIP_Application
      loadbalance vip inservice
      loadbalance policy LB_Application
      loadbalance vip icmp-reply
  interface vlan 70
    bridge-group 1
    no shutdown
  interface vlan 700
    bridge-group 1
    service-policy input ServerGroup1_PM
    no shutdown
  Thanks

  Hi John,
  If you want to do the offload in the ACE also called SSL termination, it is a two step process:
  1- You need to upload your certificate and key to the ACE using FTP or one of the available methods.
  2- Create the the SSL proxy service where you add these two files and finally add this service under the policy-multimatch for the VIP in question.
  You also need to decide whether you want to keep your server listening in the encrypted port (that would be a two way encryption process called End-to-End SSL) or you can change the port to 80 and leave all the decyption process to the ACE (this would be transparent to the client, the site will show up as HTTPS all the time).
  Here you can take a look at the SSL termination process (using clear text port in the backend servers).
  Oficial Configuration Example
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/terminat.html
  Cisco Wiki Example
  http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Without_an_Existing_Chained_Certificate_and_Key_in_Routed_Mode_Configuration_Example
  HTH
  Pablo