ACE Probe Config for Blue Coat Proxy TCP Port 74 NETRJS-4
We are running 4710's with A5(2.2). We use Blue Coat proxies for our internet connections, specifically TCP port 74. So when we open up a browser connection to www.cisco.com, the HTTP GET is actually encapsulated in TCP port 74 netrjs-4. We want to load-balance these proxies with ACE and I'm trying to set up health probes, but the only ones that work are the TCP probes PROXY_BCC_PROBE and PROXY_PROBE. I'd like to have health probes that hit external websites, but I'm confused whether the "ip address" probe sub-command is all I need, and whether netrjs is a simple encapsulation of the HTTP request (which is what it looks like on a sniffer). Does anyone have Blue Coat proxies/ACE working? If so, how are your probes configured?
Thanks,
probe tcp PROXY_BCC_PROBE
  port 8084
  interval 3
  passdetect interval 3
probe http PROXY_HTTP1_PROBE
  ip address 198.133.219.25
  port 74
  interval 3
  passdetect interval 3
  request method head url /index.html
  expect status 200 299
probe http PROXY_HTTP2_PROBE
  ip address 198.133.219.25
  port 74
  interval 3
  request method get url /
  expect status 200 299
probe tcp PROXY_PROBE
  port 74
  interval 3
  passdetect interval 3
Hi,
I have seen this working for one of the customers.
probe http HTTPGET
  description Tests that www.gmail.com returns 302 redirect
  interval 10
  request method get url http://www.gmail.com
  expect status 302 302
If I modify your probe:
probe http PROXY_HTTP1_PROBE
  ip address 198.133.219.25
  port 74
  interval 3
  passdetect interval 3
  request method get url http://www.gmail.com
  expect status 302 302
Give it a try and see if that helps.
regards,
Ajay Kumar
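The difference between the original probes and the suggested one is the request-target: a forward proxy can only serve a request whose URL is absolute ("GET http://www.gmail.com HTTP/1.1"), whereas "/index.html" gives the proxy no destination. The following is an added example, not code from the thread or from Cisco, that reproduces what the ACE HTTP probe does when pointed at a proxy: build the absolute-form request, read the status line, and apply the inclusive "expect status low high" check. The sample response bytes are constructed; the function names and the proxy address/port parameters are assumptions.

```python
import socket
from typing import Optional, Tuple
from urllib.parse import urlsplit


def build_proxy_request(method: str, url: str) -> bytes:
    """Build the probe request.

    A forward proxy needs the request-target in absolute form
    ("GET http://host/path HTTP/1.1"); a path-only target such as
    "/index.html" gives the proxy nothing to connect to.
    """
    if url.startswith(("http://", "https://")):
        host = urlsplit(url).netloc
        target = url
    else:
        host = ""          # origin-form: only meaningful when talking to the origin server itself
        target = url
    lines = [f"{method.upper()} {target} HTTP/1.1"]
    if host:
        lines.append(f"Host: {host}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status(response: bytes) -> Optional[int]:
    """Return the status code from the status line, or None if the reply is not HTTP."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    return int(parts[1]) if parts[1].isdigit() else None


def status_expected(code: Optional[int], low: int, high: int) -> bool:
    """Same semantics as ACE 'expect status <low> <high>': inclusive range, no code = fail."""
    return code is not None and low <= code <= high


def evaluate(response: bytes, low: int, high: int) -> Tuple[bool, Optional[int]]:
    """Decide pass/fail for a raw response, returning (passed, status_code)."""
    code = parse_status(response)
    return status_expected(code, low, high), code


def probe_via_proxy(proxy_ip: str, proxy_port: int, method: str, url: str,
                    low: int, high: int, timeout: float = 3.0) -> Tuple[bool, Optional[int]]:
    """Send one probe through the proxy and evaluate it. Connection errors and
    timeouts are reported as a failed probe rather than raised."""
    try:
        with socket.create_connection((proxy_ip, proxy_port), timeout=timeout) as s:
            s.sendall(build_proxy_request(method, url))
            data = b""
            while b"\r\n" not in data and len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return False, None
    return evaluate(data, low, high)


# Constructed sample: the kind of reply a proxy returns for the gmail redirect probe.
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://mail.google.com/\r\n"
                   b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(build_proxy_request("get", "http://www.gmail.com").decode())
    print(evaluate(SAMPLE_REDIRECT, 302, 302))
```

A probe that succeeds against the proxy only tells you the proxy answered; whether the upstream site was actually reachable shows up in the status code, which is why the suggested probe pins the expected range to the redirect the site is known to return rather than accepting any 2xx.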
Similar Messages
-
Looking for local VRU-PIM TCP port
Hi Team,
I am setting up a VRU-PG to connect to an external IVR; however, I couldn't find anywhere what TCP port number is used by the vrupim.exe process, in order to open our firewall port accordingly.
Is the VRU port dynamic? The "Port Utilization Guide for Cisco Unified Intelligent Contact Management Enterprise & Hosted Release 8.0" document mentions that for GED-125 the server Protocol/Port is TCP 5000–5001.
However, in my case the local TCP port of vrupim.exe keeps changing. Whenever I cycle the PG it changes to 1102, or 3352, 3407, 3443, etc.
Thanks & Regards
Nick
Hi Sentil,
Thank you for your answer. The "VRUTcpServiceName" setting is indeed set to 3000. This is my remote port for the VRUIpHostName 10.173.33.143. However, this is not what I am looking for.
I am looking for the local port range used by the VRUPIM.EXE process, which is at the moment 2481 (see below). This is because there is a firewall on the remote site, where the VRU server is located, and they need to know which ports to open.
C:\icm\pft\PG1A>netstat -bn
Active Connections
Proto Local Address Foreign Address State PID
TCP 10.157.124.37:1802 10.157.124.33:40002 ESTABLISHED 4964
[pgagent.exe]
TCP 10.157.124.37:1803 10.157.124.50:40017 ESTABLISHED 4964
[pgagent.exe]
TCP 10.157.124.37:1804 10.157.125.50:41003 ESTABLISHED 4964
[pgagent.exe]
TCP 10.157.124.37:1805 10.157.125.50:41017 ESTABLISHED 4964
[pgagent.exe]
TCP 10.157.124.37:1806 10.157.125.33:41002 ESTABLISHED 4964
[pgagent.exe]
TCP 10.157.124.37:1807 10.157.124.50:40003 ESTABLISHED 4964
[pgagent.exe]
TCP 10.157.124.37:2481 10.173.33.143:3000 ESTABLISHED 4560
[vrupim.exe]
TCP 10.157.124.37:3389 10.159.29.60:52247 ESTABLISHED 3340
TermService
[svchost.exe]
TCP 127.0.0.1:1069 127.0.0.1:7161 ESTABLISHED 3388
[msnsaagt.exe]
TCP 127.0.0.1:1076 127.0.0.1:7161 ESTABLISHED 3420
[cccaAgent.exe]
TCP 127.0.0.1:1077 127.0.0.1:7161 ESTABLISHED 3396
[hostagt.exe]
TCP 127.0.0.1:1138 127.0.0.1:7161 ESTABLISHED 3408
[sappagt.exe]
TCP 127.0.0.1:7161 127.0.0.1:1069 ESTABLISHED 3380
[snmpdm.exe]
TCP 127.0.0.1:7161 127.0.0.1:1077 ESTABLISHED 3380
[snmpdm.exe]
TCP 127.0.0.1:7161 127.0.0.1:1076 ESTABLISHED 3380
[snmpdm.exe]
TCP 127.0.0.1:7161 127.0.0.1:1138 ESTABLISHED 3380
[snmpdm.exe]
TCP 10.157.124.37:1062 10.157.124.42:389 CLOSE_WAIT 3048
[DiagFwSvc.exe]
C:\icm\pft\PG1A>
Regards
Nick -
Cache config for distributed cache and TCP*Extend
Hi,
I want to use distributed cache with TCP*Extend. We have defined "remote-cache-scheme" as the default cache scheme. I want to use a distributed cache along with a cache-store. The configuration I used for my scheme was
<distributed-scheme>
  <scheme-name>MyScheme</scheme-name>
  <backing-map-scheme>
    <read-write-backing-map-scheme>
      <internal-cache-scheme>
        <class-scheme>
          <class-name>com.tangosol.util.ObservableHashMap</class-name>
        </class-scheme>
      </internal-cache-scheme>
      <cachestore-scheme>
        <class-scheme>
          <class-name>MyCacheStore</class-name>
        </class-scheme>
        <remote-cache-scheme>
          <scheme-ref>default-scheme</scheme-ref>
        </remote-cache-scheme>
      </cachestore-scheme>
      <rollback-cachestore-failures>true</rollback-cachestore-failures>
    </read-write-backing-map-scheme>
  </backing-map-scheme>
</distributed-scheme>
<remote-cache-scheme>
  <scheme-name>default-scheme</scheme-name>
  <initiator-config>
    <tcp-initiator>
      <remote-addresses>
        <socket-address>
          <address>XYZ</address>
          <port>9909</port>
        </socket-address>
      </remote-addresses>
    </tcp-initiator>
  </initiator-config>
</remote-cache-scheme>
I know that the configuration defined for "MyScheme" is wrong, but I do not know how to configure "MyScheme" correctly to make my distributed cache part of the same cluster to which all other caches, which use the default scheme, are joined. Currently, this ain't happening.
Thanks.
RG
Message was edited by: user602943
Hi,
Is it that I need to define my distributed scheme with the CacheStore in the server-coherence-cache-config.xml and then on the client side use remote cache scheme to connect to get my distributed cache?
Thanks, -
ACE - Probe suggestion for CheckPoint Firewall ?
Hi to all,
Assume that the cable on the inbound interface of FW1 is unplugged. In this scenario the probes are still up. The probes cannot detect this situation and failover doesn't take place. As you can see, it is impossible to detect the cable being pulled unless we have an IP address from a different VLAN. I have an idea about how to solve this issue: I need to create a new VLAN (for instance VLAN 200) on the ACE_INSIDE. We will insert a static route on ACE_OUTSIDE. That static route will try to reach VLAN 200 via the FW1 outside interface. Then we will be sure when FW1 fails. Of course, vice versa will be valid. We can use a similar configuration for FW0 too. According to the configuration that I have attached and my solution, can you give me a configuration example, or do you have a better way to accomplish this task? I will be waiting for your suggestion or solution as soon as possible. I have little time to solve this. Thanks in advance.
Best Regards.
Note: Topology and all necessary configs are attached.
First of all, this is the FIRST time I've heard someone is running Secureplatform NGx R65 in Active/Active WITHOUT ClusterXL. I could be wrong, though unlikely, but that is not possible. Take a look at the pair of Checkpoint firewall NGx R65 Secureplatform in Active/Active Unicast mode:
[Expert@NGx-lab2]# cphaprob state
Cluster Mode: Load Sharing (Unicast/SDF)
Number Unique Address Assigned Load State
1 10.0.0.1 30% Active (pivot)
2 (local) 10.0.0.2 70% Active
[Expert@NGx-lab2]# cphaprob -a if
Required interfaces: 4
Required secured interfaces: 1
eth0 UP non sync(non secured), broadcast
eth1 UP non sync(non secured), broadcast
eth7 UP non sync(non secured), broadcast
eth13 UP sync(secured), broadcast
Virtual cluster interfaces: 3
eth0 65.129.75.1
eth1 129.174.1.1
eth7 192.168.128.1
[Expert@NGx-lab2]#
Again, I think it is NOT possible to run Checkpoint in Active/Active mode without ClusterXL. You may want to check the configuration again. You can NOT have active/active without VIP IPs. -
Cisco 4507R WCCP with blue coat SG 8000 as proxy server integration
Dear All,
I installed the Blue Coat on one of the VLANs, with users in different VLANs. The core 4507R is used with L3 VLANs as the gateway for the respective VLAN users. Now I need to configure both the core switch and the Blue Coat as proxy server so that all the users in the different VLANs access internet websites without configuring the Blue Coat proxy address; the core switch would redirect the users' requests to the Blue Coat proxy server. I tried the latest IOS upgrade on the switch; even then I could not get the commands related to WCCP that the Blue Coat documents suggest using in the core switch to configure the proxy server of the SG8000.
Could anyone help me to solve this issue?
Thanks
swamy
The following link may help you:
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a008062cfc6.html -
BEFW11S4 UDP AND TCP PORT opening
How do I open UDP and TCP ports, specifically TCP ports: 80, 6667, 28910, 29900, 29920
UDP ports: 4321, 27900? It's for a networkable game; I need to open these ports to play it.
Ok, but when I try disabling the numbers in the forwarding field I run out of spaces in the field to be able to disable them. Is there an advanced firewall setting that I don't know about? I put in all of the range forwarding and put the range forwarding start, for example 80 originally (TCP ports: 80, 6667, 28910, 29900, 29920
UDP ports: 4321, 27900). The ones I try to disable, I run out of fields to disable them in the forwarding; for example there are 10 slots for disabling and I'm trying to disable them on two numbers, 192.168.1.101 and 192.168.1.100. So I need to disable them for both IP numbers. I got 10 fields to enter them into, and 10 x 2 is more than the numbers..... You get me?? And on top of that I don't know if what I did was enough. Linksys doesn't want to help me without paying 30 dollars, so I'm just thinking I should buy a new router....... I mean they charge 39 dollars for a new router and they want me to pay 39 dollars for tech support; it just doesn't make any sense........ -
Maximum # of UDP and TCP port Mappings
Does anyone know for sure the total number of port mappings you can create on the airport extreme?
Thanks -
Looking for ACE Probe TCL script specific for LDAPS
Hello Everyone,
I have searched the forum, and I am having difficulty finding an example of how to modify the LDAP TCL probe from port 389 to the secure LDAP port 636.
Could someone kindly point me to, or provide me with, the modified TCL script if you happen to have it?
During my search I also found a config that someone had provided, which contained the following probe:
probe tcp LDAPS_Probe
  port 636
probe tcp LDAP_Probe
  port 389
I was trying to figure out if this is a modified TCL script for LDAP or a modified TCP TCL script specific for port 636.
This is how I applied the script for LDAP port 389.
script file 1 LDAP_PROBE
probe scripted LDAP_PROBE_389
  interval 5
  passdetect interval 30
  receive 5
  script LDAP_PROBE
serverfarm host SF-LDAP-389
  description SF LDAP Port 389
  predictor leastconns
  probe LDAP_PROBE_389
  rserver LDAP-RS1-389
    inservice
I will be more than glad to provide you any additional information that you need.
As always thanks for your input.
Raman Azizian
SAIC/NISN Network services
Normally you would engage a TCL developer or Cisco Advanced Services to develop a custom script for anything other than what Cisco provides in canned scripts. If you are comfortable with TCL you can do it yourself. Here is an example of the LDAP script modified to include initiation via SSL. The default port is 389; when you implement it you would specify 636.
#!name = LDAP_PROBE
# Description:
# LDAP_PROBE opens a TCP connection to an LDAP server, sends a bind request, and
# determines whether the bind request succeeds. LDAP_PROBE then closes the
# connection with a TCP RST.
# If a port is specified in the "probe scripted" configuration, the script probes
# each suspect on that port. If no port is specified, the default LDAP port 389
# is used.
# Success:
# The script succeeds if the server returns a bind response indicating success
# (status code 0x0a0100) to the bind request.
# The script closes the TCP connection with a RST following a successful attempt.
# Failure:
# The script fails due to timeout if the response is not returned. This
# includes a failure to receive ARP resolution, a failure to create a TCP connection
# to the port, or a failure to return a response to the LDAP bind request.
# The script also fails if the server bind response does not indicate success.
# This specific error returns the 30002 error code.
# The script closes any attempted TCP connection, successful or not, with a RST.
# PLEASE NOTE: This script expects the server LDAP bind response to specify length
# in ASN.1 short definite form. Responses using other length forms (e.g., long
# definite length form) will require script modification to achieve success.
# SCRIPT version: 1.0 April 1, 2008
# Parameters:
# [DEBUG]
# username - user login name
# password - password
# DEBUG - optional key word 'DEBUG'. default is off
# Do not enable this flag while multiple probe suspects are configured for this
# script.
# Example config :
# probe scripted USE_LDAP_PROBE
# script LDAP_PROBE
# Values configured in the "probe scripted" configuration populate the
# scriptprobe_env array. These may be accessed or manipulated if desired.
# Documentation:
# A detailed discussion of the use of scripts on the ACE is included in
# "Using Toolkit Command Language (TCL) Scripts with the ACE"
# in the "Load-Balancing Configuration Guide" section of the ACE documentation set.
# Copyright (c) 2005-2008 by Cisco Systems, Inc.

# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
proc ace_debug { msg } {
    global debug ip port EXIT_MSG
    set EXIT_MSG $msg
    if { [ info exists ip ] && [ info exists port ] } {
        set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
    }
    if { [ info exists debug ] && $debug } {
        puts $EXIT_MSG
    }
}

# main
# parse cmd line args and initialize variables
## set debug value
set debug 0
if { [ regsub -nocase "DEBUG" $argv "" argv] } {
    set debug 1
}
ace_debug "initializing variable"
set EXIT_MSG "Error config: script LDAP_PROBE \[DEBUG\]"
set ip $scriptprobe_env(realIP)
set port $scriptprobe_env(realPort)
# if port is zero then use the well-known ldap port 389
if { $port == 0 } {
    set port 389
}

# PROBE START
# open connection; the socket is SSL-initiated so the same script works against LDAPS (port 636)
ace_debug "opening socket"
set sock [ socket -sslversion all -sslcipher RSA_WITH_RC4_128_MD5 $ip $port ]
fconfigure $sock -buffering line -translation binary
# send a standard anonymous bind request
ace_debug "sending ldap bind request"
puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
flush $sock
# read string back from server
ace_debug "receiving ldap bind result"
set line [read $sock 14]
binary scan $line H* res
binary scan $line @7H6 code
ace_debug "received $res with code $code"
# close connection
ace_debug "closing socket"
close $sock
# make probe fail by exit with 30002 if ldap reply code != success code 0x0a0100
if { $code != "0a0100" } {
    ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
    exit 30002
}
## make probe success by exit with 30001
ace_debug "probe success"
exit 30001 -
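The LDAP_PROBE script above reads exactly 14 bytes and takes the result code from a fixed offset (`@7H6`), which is why its header warns that a bind response using the ASN.1 long definite length form will fail the probe even when the bind succeeded. The block below is an added example, not code from the thread or from Cisco, that performs the same anonymous-bind health check in Python but walks the BER structure properly, so both length forms decode to the same resultCode; `tcl_style_code` shows what the fixed-offset read sees in each case. The sample BindResponse byte strings are constructed, and the function names and parameters are assumptions.

```python
import socket
import ssl
from typing import Optional, Tuple

# The anonymous simple bind the TCL script sends (14 bytes):
# LDAPMessage SEQUENCE { messageID INTEGER 1,
#   BindRequest [APPLICATION 0] { version INTEGER 3, name "", authentication simple "" } }
ANON_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

# Constructed sample BindResponses (not captured from a real server):
SHORT_OK  = bytes.fromhex("300c02010161070a010004000400")    # resultCode 0, short-form lengths
LONG_OK   = bytes.fromhex("30810c02010161070a010004000400")  # same, outer length in long form (0x81 0x0c)
BAD_CREDS = bytes.fromhex("300c02010161070a013104000400")    # resultCode 49 = invalidCredentials


def ber_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER length at buf[pos]; return (length, index after the length field)."""
    first = buf[pos]
    if first < 0x80:            # short definite form: one byte, the only form the TCL script handles
        return first, pos + 1
    n = first & 0x7F            # long definite form: the next n bytes hold the length, big-endian
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("indefinite, oversized or truncated BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ber_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value bytes, index after the element) for the element at buf[pos]."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated BER element")
    tag = buf[pos]
    length, start = ber_length(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[start:end], end


def message_complete(data: bytes) -> bool:
    """True once the outer LDAPMessage SEQUENCE is fully present in the buffer."""
    try:
        ber_tlv(data, 0)
        return True
    except ValueError:
        return False


def bind_result_code(response: bytes) -> int:
    """Walk LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode ENUMERATED, ... } }
    and return resultCode (0 = success) regardless of which length form the server used."""
    tag, msg, _ = ber_tlv(response, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, _msg_id, pos = ber_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind_resp, _ = ber_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse tag 0x61, got 0x{tag:02x}")
    tag, rc, _ = ber_tlv(bind_resp, 0)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(rc, "big")


def tcl_style_code(response: bytes) -> str:
    """What `read $sock 14` followed by `binary scan $line @7H6 code` yields in the TCL script:
    three bytes at a fixed offset, which only lands on the resultCode for short-form lengths."""
    return response[:14][7:10].hex()


def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0,
                ctx: Optional[ssl.SSLContext] = None) -> bool:
    """Health probe: TLS connect, anonymous bind, True only on resultCode 0.
    Network errors and malformed replies are reported as a failed probe, never raised."""
    ctx = ctx or ssl.create_default_context()   # verifies the server certificate by default
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(ANON_BIND_REQUEST)
                data = b""
                while len(data) < 4096:
                    chunk = tls.recv(1024)
                    if not chunk:
                        break
                    data += chunk
                    if message_complete(data):
                        return bind_result_code(data) == 0
    except (OSError, ValueError):
        return False
    return False
```

Two details worth keeping in mind when adapting the TCL script itself: the fixed 14-byte read and `@7` offset are only valid for the short-form response layout, so a server that emits long-form lengths needs the offset derived from the decoded length instead; and the script pins the `RSA_WITH_RC4_128_MD5` cipher, which current TLS stacks have generally removed, so a live LDAPS probe has to negotiate a cipher the directory server still offers.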
Hello,
Can we select which source IP the ACE will use for any kind of probe (ICMP, TCP, ...),
or does it just use the nearest interface?
Maurice
Hi Maurice,
I do not believe that the IP can be changed. By default the source IP will be the physical interface of the module/appliance. On a bridged deployment, it will use the BVI IP.
Any specific reason why you want to change this?
regards,
Chris -
Hello,
Can Cisco LMS monitor and report on ACE module probes?
Thanks.
Yes, as imported MIBs.
ACE appliance 3.x currently supports more SNMP OIDs for the probes than does ACE module 2.x, but with ACE module 2.3, due by Q4CY09, they will both have the same capabilities for probe monitoring.
See:
Table Name: cslbxProbeCfgTable
cslbxProbeState
INDEX: slbEntity, cslbxProbeName
For Probe State per Probe Name.
cslbxProbeState can have two values: ACTIVE and INACTIVE.
As part of reporting probe statistics per RServer, the following OIDs will be added in the cesRServerProbeTable in CISCO-ENHANCED-SLB-MIB
Table Name: cesRserverProbeTable
cesRserverProbesPassed
cesRserverProbesFailed
cesRserverProbeHealthMonState
INDEX: Probe Name, RServer
Probe Statistics per RServer (configured probe).
This will display stats based on Probe Name per Rserver (Rservers are physical devices not associated with any server farm). Stats generated when probe is associated to a rserver.
Table Name: cesRealServerProbeTable
cesRealServerProbeName
cesRealServerProbeStorageType
cesRealServerProbeRowStatus
INDEX: Probe Name, Server Farm Name,Real Server Name, Real Server Port
Represents a probe associated with a real server directly. For example the following configuration adds an entry to the table.
As part of reporting probe statistics for probes that are assigned to real server/server farm the following table with the OIDs will be added in CISCO-SLB-HEALTH-MON-MIB
cshMonServerfarmRealProbeStatsTable: (New Table)
cshMonServerfarmRealPassedProbes
cshMonServerfarmRealFailedProbes
cshMonServerfarmRealProbeHealthMonState
INDEX:Probe Name, Server Farm Name,Real Server Name, Real Server Port ,Inherited Port
Statistics for probes assigned to real server/serverfarm -
ACE VIP OK HTTP, NOK other TCP port
Hi,
we are having issues configuring load balancing for a TCP port. For HTTP it's working without issues, and we have the ACE also balancing other TCP ports.
Here goes the relevant config:
probe http PROBE-HTTP
  interval 5
  passdetect interval 2
  passdetect count 1
  request method get url /idc/
  expect status 200 200
probe tcp PROBE-TCP
  port 4444
  interval 5
  passdetect interval 10
rserver host PRD1
  ip address 10.10.10.1
  inservice
rserver host PRD2
  ip address 10.10.10.2
  inservice
serverfarm host SF-HTTP
  probe PROBE-HTTP
  rserver PRD1 80
    inservice
  rserver PRD2 80
    inservice
serverfarm host SF-TCP
  probe PROBE-TCP
  rserver PRD1 4444
    inservice
  rserver PRD2 4444
    inservice
sticky ip-netmask 255.255.255.255 address source SC-IP-PRD-HTTP
  timeout 10
  serverfarm SF-HTTP
class-map match-all NAT-VIP-HTTP
  2 match virtual-address 10.10.35.1 any
class-map match-all NAT-VIP-TCP
  2 match virtual-address 10.10.35.1 tcp eq 4444
policy-map type loadbalance first-match LB-VIP-HTTP
  class class-default
    sticky-serverfarm SC-IP-PRD-HTTP
    insert-http x-forward header-value "%is"
policy-map type loadbalance first-match LB-NAT-VIP-TCP
  class class-default
    serverfarm SF-TCP
policy-map multi-match POLICY-RSERVER-VIP
  class NAT-VIP-TCP
    loadbalance vip inservice
    loadbalance policy LB-NAT-VIP-TCP
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 200
  class NAT-VIP-HTTP
    loadbalance vip inservice
    loadbalance policy LB-VIP-HTTP
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 200
interface vlan 200
  description SERVER-SIDE
  ip address 10.10.14.2 255.255.255.0
  alias 10.10.14.1 255.255.255.0
  peer ip address 10.10.14.3 255.255.255.0
  access-group input EVERYONE
  nat-pool 1 10.10.4.6 10.10.4.6 netmask 255.255.255.255 pat
  service-policy input AllowICMP
  service-policy input POLICY-RSERVER-VIP
  no shutdown
The probes are OK, but nothing seems to get to the VIP:
ACE/CTX# show probe PROBE-TCP
probe : PROBE-TCP
type : TCP
state : ACTIVE
port : 4444 address : 0.0.0.0 addr type : -
interval : 5 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : SF-TCP
real : PRD1[4444]
10.10.10.1 8853 1 8852 SUCCESS
real : PRD2[4444]
10.10.10.2 8853 1 8852 SUCCESS
ACE/CTX# show serverfarm SF-TCP detail
serverfarm : SF-TCP, type: HOST
total rservers : 2
active rservers: 2
description : -
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
PROBE-TCP, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: PRD1
10.10.10.1:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: PRD2
10.10.10.2:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
ACE/CTX# show service-policy POLICY-RSERVER-VIP
Status : ACTIVE
Interface: vlan 1 200
service-policy: POLICY-RSERVER-VIP
class: NAT-VIP-TCP
nat:
nat dynamic 1 vlan 200
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: LB-NAT-VIP-TCP
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
I see a lot of these messages in the logging of the ACE:
show logging | i 4444
22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
The client request is going through an ASA; on the ASA side I see that the TCP connection is half-open with SAaB flags. It seems that the VIP never replies with SYN+ACK to the ASA...
Thank you.
Best regards
Hi Norberto,
The log messages you are getting are most probably the probe connections and not a failure. Looking at them, you will see your ACE is establishing a TCP connection on 4444, then it tears the connection down with a FIN, which is expected since you are using TCP keepalives.
I would recommend going back and defining the problem exactly: what are you experiencing when you try to telnet on port 4444 toward the VIP from the client?
Running sniffing software on the client and the server, and enabling capture on the ACE and ASA, will give you an exact idea of what you are experiencing.
Note: The ASA and the ACE have a great capture feature which will show you exactly the packet flows.
Note: Since you are applying NAT on the client requests, you should see the NATed IP address on the server capture.
Note: With L4 load balancing the ACE is not spoofing the clients' requests; it just forwards the SYN, SYN+ACK and ACK between the server and the client.
Let me know if you have any other questions.
Best regards,
Ahmad -
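The reply's point about the 302022/302023 messages can be checked mechanically: every Built line in the thread is sourced from the ACE's own vlan 200 interface address (10.10.14.2), not from a NATed client address, and every Teardown has a zero-second duration and ends with TCP FINs, which is the signature of the TCP probe rather than of a client connection. The following is an added example, not code from the thread or from Cisco, that parses those two message formats, pairs them by connection id, and classifies connections that the ACE originates toward a probed rserver:port as probe traffic. The six log lines are the thread's own; the seventh (connection 0x1a2b) is a constructed client-side line, and the set of ACE-owned addresses is taken from the interface config above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Message formats as they appear in the thread's "show logging" output.
BUILT_RE = re.compile(
    r"%ACE-6-302022: Built TCP connection (?P<cid>0x[0-9a-f]+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)"
)
TEARDOWN_RE = re.compile(
    r"%ACE-6-302023: Teardown TCP connection (?P<cid>0x[0-9a-f]+) for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"duration (?P<duration>\d+:\d+:\d+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)

# Addresses the ACE itself owns on vlan 200 per the thread's interface config
# (ip address, alias, peer): probes are sourced from the interface address.
ACE_ADDRESSES: Set[str] = {"10.10.14.2", "10.10.14.1", "10.10.14.3"}
# rserver:port pairs that PROBE-TCP reaches through serverfarm SF-TCP.
PROBE_TARGETS: Set[Tuple[str, int]] = {("10.10.10.1", 4444), ("10.10.10.2", 4444)}

# Six lines from the thread plus one constructed client-side Built line (0x1a2b).
SAMPLE_LOG = """
22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:03:05 : %ACE-6-302022: Built TCP connection 0x1a2b for vlan1:198.51.100.7/51200 (198.51.100.7/51200) to vlan1:10.10.35.1/4444 (10.10.10.1/4444)
""".strip().splitlines()


@dataclass
class Conn:
    cid: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    kind: str = "client"
    duration: Optional[str] = None   # filled in by the Teardown message, if seen
    nbytes: Optional[int] = None
    reason: Optional[str] = None


def classify(src_ip: str, dst_ip: str, dst_port: int,
             ace_addresses: Set[str], probe_targets: Set[Tuple[str, int]]) -> str:
    """A connection the ACE originates from its own interface address toward a probed
    rserver:port is health-check traffic; everything else is treated as client traffic."""
    if src_ip in ace_addresses and (dst_ip, dst_port) in probe_targets:
        return "probe"
    return "client"


def parse_ace_log(lines: Iterable[str],
                  ace_addresses: Set[str] = ACE_ADDRESSES,
                  probe_targets: Set[Tuple[str, int]] = PROBE_TARGETS) -> Dict[str, Conn]:
    """Pair Built/Teardown messages by connection id and classify each connection."""
    conns: Dict[str, Conn] = {}
    for line in lines:
        line = line.strip()
        m = BUILT_RE.search(line) or TEARDOWN_RE.search(line)
        if not m:
            continue
        c = conns.get(m["cid"])
        if c is None:   # first sighting; a lone Teardown means the Built line predates the capture
            c = Conn(m["cid"], m["src_ip"], int(m["src_port"]), m["dst_ip"], int(m["dst_port"]))
            c.kind = classify(c.src_ip, c.dst_ip, c.dst_port, ace_addresses, probe_targets)
            conns[c.cid] = c
        if "duration" in m.groupdict():   # only the Teardown message carries these fields
            c.duration, c.nbytes, c.reason = m["duration"], int(m["bytes"]), m["reason"]
    return conns


def summarize(conns: Dict[str, Conn]) -> Dict[str, int]:
    """Count connections per kind, e.g. {'probe': 4, 'client': 1}."""
    counts: Dict[str, int] = {}
    for c in conns.values():
        counts[c.kind] = counts.get(c.kind, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_ace_log(SAMPLE_LOG)
    for conn in parsed.values():
        print(conn)
    print(summarize(parsed))
```

Filtering the probe connections out this way leaves the lines that actually matter for the poster's problem: if no Built message ever appears for the client-side flow toward the VIP, the SYN is not reaching the load-balancing policy at all, which is consistent with the half-open state seen on the ASA.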
ACE: design/config question: trans.slb + slb + mngt
Hi,
Could this ACE setup/design work?
I want PROXIED sessions (to VIP proxy 10.0.0.10) to be load balanced.
All other sessions (e.g. some public IPs) will have to be transparently load balanced to the proxy servers, thus no destination NAT.
ACE is inline between firewalls and proxy servers.
Vip definitions:
class-map match-all P_PXYVIP_VS_LB
  2 match virtual-address 10.0.0.10 255.255.255.255 tcp 8080
class-map match-all P_PXYTRANS_VS_LB
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp any
Question in this case: would it still be possible to have management sessions towards the proxy servers (the physical IP addresses of the proxies) routed by the ACE?
Probably the class map PXYTRANS is catching those sessions also.
Are there other design/config solutions to solve this one?
Thank you!
Wim
Let me repose the question:
How could one still be able to access the real server IP (which is directly connected to the ACE) for management, knowing that there is 1 VIP which (normal) load balances to the real servers, and there is 1 VIP 0.0.0.0 tcp any which is configured to catch all other traffic to be transparently load balanced?
The VIP 0.0.0.0 is always catching the sessions which need only to be routed to the real servers' IP. -
Hi, I have a requirement to use the ACE to provide Active/Standby service for 2 services located on 2 physical servers. Server A is active for one port and backup for another, Server B vice versa.
As well as this, I am doing port translation - incoming requests to one port are being translated to one of two ports - see config below
rserver host TEST-FE01
  ip address 10.100.100.1
  inservice
rserver host TEST-FE02
  ip address 10.100.100.2
  inservice
serverfarm host test-farm
  predictor leastconns
  rserver TEST-FE01 20902
    backup-rserver TEST-FE02 20902
    inservice
  rserver TEST-FE01 20903
    inservice standby
  rserver TEST-FE02 20902
    inservice standby
  rserver TEST-FE02 20903
    backup-rserver TEST-FE01 20903
    inservice
My problem is that I want to configure probes for each IP/port combination, but I can't seem to achieve this, as my server farm contains servers that listen on more than one port, and a probe can only be configured with one TCP port and can only be applied to either the rserver or the whole serverfarm.
Can anyone see how I can achieve this?
Many thanks in advance
You will need to define the probe under the serverfarm's rserver config:
probe tcp port-20902
  port 20902
probe tcp port-20903
  port 20903
rserver host TEST-FE01
  ip address 10.100.100.1
  inservice
rserver host TEST-FE02
  ip address 10.100.100.2
  inservice
serverfarm host test-farm
  predictor leastconns
  rserver TEST-FE01 20902
    probe port-20902
    inservice
  rserver TEST-FE01 20903
    probe port-20903
    inservice
Syed -
ACE session persistence "sticky" TCP port
Hey guys,
I am trying to work up some configurations on the ACE for performing session persistence "sticky" based on source TCP port. All flows are SSL based; therefore, I thought the only option was SSL-ID, but I've been running into quirky behavior due to clients using IE7. Evidently there are several cases where IE7 causes the SSL-ID to be regenerated, causing this weird behavior.
Anybody have example configs of the layer4-payload offset, length, etc. to perform sticky based on TCP source port?
Thanks in advance.
Paul
Since source port is not part of the layer 4 payload you cannot use it for sticky. IE changing the SSL ID is a known problem (it does it every 2 minutes).
So you are left with:
terminating SSL on the ace and using cookie sticky (you can always re-encrypt on back end if security demands it)
or
source IP sticky (practical only if clients are not behind a proxy device) -
Ace probe failure after IIS app pool recycle?
Windows Server 2003 SP2
ACE Module A2(1.6a)
I suspect this is caused by an IIS6 setting, but I'm posting here in case anyone has seen this. For this one particular site, we have 4 servers in the farm. 2 of those servers are fine. The other 2 (new) servers will generate a probe failure after the site's app pool recycles. I then remove the 2 servers from service and re-activate them (no inservice, then inservice) and the probe comes back as operational. It appears that the app pool recycle somehow is resetting the hash on the default page, though I'm not sure how. Any ideas are very much appreciated.
Yeah, the hash is inside the probe. Here's the config for the serverfarm and the probe. PUBLIC-007 and PUBLIC-008 are new servers... the other 6 have been in the farm for the last 2.5 years and they don't have this issue. It's only the 2 new boxes where the probe fails when the app pool is recycled.
serverfarm host PUBLIC
  probe URL-DEFAULT-ASPX
  rserver PUBLIC-001
    inservice
  rserver PUBLIC-002
    inservice
  rserver PUBLIC-003
    inservice
  rserver PUBLIC-004
    inservice
  rserver PUBLIC-005
    inservice
  rserver PUBLIC-006
    inservice
  rserver PUBLIC-007
    inservice
  rserver PUBLIC-008
    inservice
probe http URL-DEFAULT-ASPX
  interval 2
  faildetect 2
  passdetect interval 2
  passdetect count 2
  request method get url /default.aspx
  expect status 200 200
  hash