ACE probe for LDAP

Is there a way to configure a probe to check the health of LDAP and how? I can't find any reference in the docs for how to do this.

You can use the scripted LDAP probe (LDAP_PROBE) available with ACE. It sends an
anonymous bind request and checks for bind success.
Syed

Similar Messages

  • ACE Probes for authentication to imaps, smtps or pop3s servers

    Dear all,
    we have the demand to do health checks using authentication for servers running SSL-encrypted services like imaps, smtps or pop3s. Has someone implemented TCL scripts for that? Unfortunately the "SSL_PROBE_SCRIPT" provided by Cisco only does a "Client Hello". Maybe it is possible to enhance that script in order to test authentication?
    Thank you very much in advance.
    Bernd

    Dear Gilles,
    thank you very much for your reply. This answers my question.
    But ... I would like to turn this into a feature request, because I believe this demand is not that uncommon. There already is an https probe which works in a similar way, so it should be easy for Cisco to add probes for common SSL-encrypted protocols or, even better, add a generic SSL probe.
    Best regards,
    Bernd

  • Issue with Scripted Probe for LDAP

    I have the script LDAP_PROBE loaded into memory on my ACE 4710 (A4(2.0)) and the probe name is configured for the LDAP port the servers are listening on. So here is the configuration.
    probe scripted LDAP_PROBE_3389
      port 3389
      interval 5
      passdetect interval 5
      passdetect count 2
      receive 5
      script LDAP_PROBE 3389
    I have tried removing the argument of 3389 at the bottom as well, but I continue to get the result:
    real      : LDAP02[3389]
                    10.220.31.81    3389  PROBE    2491     2491     0        FAILED
       Socket state        : RESET
       No. Passed states   : 0         No. Failed states : 1
       No. Probes skipped  : 0         Last status code  : 30002
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err : Probe error: Server did not respond as expected
       Last probe time     : Thu Jul 12 16:24:41 2012
       Last fail time      : Thu Jul 12 12:56:59 2012
       Last active time    : Never
    The server log states this was successful however...
    Admin Acct Status: Not Locked
    AuditV3--2012-07-11-14:18:21.428+00:00DST--V3 anonymous Bind--bindDN: <*CN=NULLDN*>--client: 10.220.31.217:56908--connectionID: 8--received: 2012-07-11-14:18:21.428+00:00DST--Success
    name: <*CN=NULLDN*>
    authenticationChoice: simple
    Admin Acct Status: Not Locked
    Am I missing an argument? I have run debug on LDAP but really don't know what I am looking at...

    To update the script
    ==============
    Extract the Cisco-supplied LDAP script from the tar.gz or zip file. Rename it to something unique. Update it to use the
    new length and offset.
    Import the script into the LDAP contexts on both ACEs. Remember, scripts are not replicated and having mismatched scripts will cause replication to fail.
    ACE1/ldap# copy tftp: disk0:
    Enter source filename[]? UoN-LDAP_PROBE-iLDAP2
    Enter the destination filename[]? [UoN-LDAP_PROBE-iLDAP2]
    Address of remote host[]? [redacted]
    Trying to connect to tftp server......
    TFTP get operation was successful
    ACE2/ldap# copy tftp: disk0:
    Enter source filename[]? UoN-LDAP_PROBE-iLDAP2
    Enter the destination filename[]? [UoN-LDAP_PROBE-iLDAP2]
    Address of remote host[]? [redacted]
    Trying to connect to tftp server......
    TFTP get operation was successful
    script file 13 UoN-LDAP_PROBE-iLDAP2
    If you look at (for example) packet 651 in the capture in wireshark you'll see a
    successful bind response. You will need to tell wireshark to decode the packet as LDAP.
    The payload is:
    30 84 00 00 00 10 02 01 01 61 84 00 00 00 07 0a 01 00 04 00 04 00
    You need to have a basic understanding of ASN.1 and something called Basic Encoding Rules (BER), which comes down to TLV format structures.
    The key to understanding this output is that there are three ways of specifying a length in ASN.1. The first way we have already seen in the Cisco script is to use a single byte. This is known as the "definite" form and can be used for lengths of 127 bytes or less. Otherwise, if the high bit is set to one, the low seven bits define the length of the length. The length is then encoded in that many bytes. This is the "length of the length field" form. It looks like Microsoft Active Directory uses the indefinite form for all length encoding. The third form (for completeness) is "indefinite", where the length is coded as x'80' and the end of the content is marked by x'0000'. Deconstructing the data:
    0x30    The start of a universal constructed sequence
    0x84    The length of the sequence in "length of the length" format. The next 4 bytes give the length.
    0x00000010    sequence length of 16 bytes
    0x02    Integer
    0x01    The length of the next field (1 byte)
    0x01    Value (this is the message ID which agrees with the ID in the BIND Request)
    0x61    Application, number 0, use RFC2251 to decode. This is a Bind Response
    0x84    The length of the sequence in "length of the length" format. The next 4 bytes give the length.
    0x00000007    bind response length of 7 bytes   
    0x0a    Enumeration
    0x01    Length 1
    0x03    0 - Success
    0x04    String
    0x00    Length 0 (null string)
    0x04    String
    0x00    Length 0 (null string)
    The patch given takes in 20 bytes from the bitstream, converts it into a hexadecimal string and finds the 6 hexadecimal characters from the 16th byte onwards (Tcl uses zero-based arrays). This is the response code.
    Kind Regards
    Cathy

  • ACE ; probe for host header-value

    Hi,
    we have the following probe setup. Sometimes this probe fails because the server resets the connection, but the server team claims there aren't any issues with the server.
    probe https probe1.abc.com:10456
      port 10456
      interval 34
      passdetect interval 17
      ssl version all
      expect status 200 200
      header Host header-value "probe1.abc.com"
      open 1
    is there a way to validate the above probe using unix/linux servers? i.e. using a unix/linux server, is there a way to send that host header-value to the servers and see if the servers respond with a 200 OK status? If not from Unix/Linux servers, then is there any other way to validate it apart from validating it from the ACE?
    Thanks...

    or can we do it using Windows? maybe using Firefox on a Windows machine?
    please advise.

  • ACE probe for rserver

    Hi, I have the following requirement to do a health check for a server.
    I need to add the below three ports in a probe with an OR condition, so if any of these 3 ports is up along with 10292, the connection should go to that server:
    10721
    10722
    10723
    How do I do this? Can we set up such a health check using a script?

    Hi,
    You will need a custom script. The supplied CHECKPORT_STD_SCRIPT should provide a reasonable starting point. You just need to implement the logic behind setting the return code.
    HTH
    Cathy
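The rule asked for above (port 10292 must answer AND at least one of 10721/10722/10723 must answer) is the logic a custom script has to implement. The following is an added example, not CHECKPORT_STD_SCRIPT and not code from any poster: it does the per-port TCP connect check in Python, applies the AND/OR rule, and maps the result to the 30001/30002 exit codes ACE scripted probes use. The local listeners in `demo()` are constructed stand-ins so the rule can be exercised offline; the port numbers in `probe_exit_code` are the ones from the question.

```python
import socket

PROBE_PASS, PROBE_FAIL = 30001, 30002   # ACE scripted-probe exit codes


def port_open(ip, port, timeout=2.0):
    """TCP connect check, the same per-port test a CHECKPORT-style probe performs."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def server_healthy(ip, required_ports, any_of_ports, timeout=2.0):
    """The rule from the question: every port in required_ports must accept a
    connection AND at least one port in any_of_ports must."""
    if not all(port_open(ip, p, timeout) for p in required_ports):
        return False
    return any(port_open(ip, p, timeout) for p in any_of_ports)


def probe_exit_code(ip, required_ports=(10292,), any_of_ports=(10721, 10722, 10723)):
    """What a scripted probe would exit with for the ports named in the question."""
    return PROBE_PASS if server_healthy(ip, required_ports, any_of_ports) else PROBE_FAIL


# --- constructed local listeners so the rule can be exercised offline -----------
def _listener():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))       # OS-assigned free port
    s.listen(5)
    return s


def demo():
    """Returns (healthy, alt_ports_all_down, required_port_down)."""
    required, alt = _listener(), _listener()
    closed = _listener()
    closed_port = closed.getsockname()[1]
    closed.close()                 # this port now refuses connections
    try:
        ip = "127.0.0.1"
        req_port, alt_port = required.getsockname()[1], alt.getsockname()[1]
        return (
            server_healthy(ip, [req_port], [closed_port, alt_port]),   # True
            server_healthy(ip, [req_port], [closed_port]),             # False
            server_healthy(ip, [closed_port], [alt_port]),             # False
        )
    finally:
        required.close()
        alt.close()


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Against a real server you would call `probe_exit_code("10.x.x.x")`; the short connect timeout matters, because a filtered port (no RST, no SYN-ACK) otherwise stalls the whole probe for the full TCP timeout.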

  • Setup ACE probe for HTTP host headers for multiple sites on rservers

    We have multiple sites on each server. Is there a way to have the probe only stop traffic to a specific site or header and not take the complete rserver offline?
    Thanks
    Greg

    If you are running multiple web servers on the same server using the same IP address on the server, then the Host header field differentiates these web instances on the same physical machine.
    Use the header command under the http probe definition to send the appropriate Host value with the probe request
    e.g
    probe http site1
    interval 2
    faildetect 1000
    passdetect interval 2
    passdetect count 1
    header Host header-value "www.site1.com"
    expect status 200 200
    probe http site2
    interval 2
    faildetect 1000
    passdetect interval 2
    passdetect count 1
    header Host header-value "www.site2.com"
    expect status 200 200
    HTH
    Syed iftekhar Ahmed
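Both the question above about validating a Host-header probe from a Unix box and the two per-site probes in Syed's answer come down to the same request: a GET to the rserver's IP that carries a specific Host header, judged only by its status code. The following is an added example, not code from any poster or from Cisco: `probe_http` sends that request (with TLS optional, certificate checks off, as an https probe that talks to an IP does), and `demo()` runs it against a constructed local stand-in for a server that hosts several sites on one IP, where site2 has been taken down while the server itself is up. The site names and the 503 for site2 are assumptions made for the example.

```python
import http.client
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_http(ip, port, host_header, path="/", use_tls=False, timeout=5.0):
    """Send what the ACE http/https probes on this page send: GET <path> to the
    rserver's IP with an explicit Host header, and return the status code.
    use_tls=True is the https-probe case; certificate checks are disabled because
    the probe connects to an IP address, not the name in the certificate."""
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(ip, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        # Passing Host explicitly stops http.client from generating "Host: <ip>".
        conn.request("GET", path, headers={"Host": host_header, "Connection": "close"})
        return conn.getresponse().status
    finally:
        conn.close()


def per_site_status(ip, port, hosts, **kw):
    """One request per Host value, i.e. the 'probe http site1' / 'site2' pair above
    run from a Unix box; the returned map is what 'expect status 200 200' judges."""
    return {host: probe_http(ip, port, host, **kw) for host in hosts}


# --- constructed stand-in for a server hosting several sites on one IP --------
SITES = {"www.site1.com": 200, "www.site2.com": 503}   # site2 down, server up


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        name = self.headers.get("Host", "").split(":")[0]
        self.send_response(SITES.get(name, 404))   # unknown Host: no such site
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass                                       # keep the example quiet


def demo():
    """Start the stand-in on a free port, probe three Host values, stop it."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        ip, port = srv.server_address
        return per_site_status(ip, port, ["www.site1.com", "www.site2.com", "probe1.abc.com"])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())   # {'www.site1.com': 200, 'www.site2.com': 503, 'probe1.abc.com': 404}
```

The point of the stand-in is that a single TCP or Host-less HTTP probe would mark this server healthy, while the per-site probe with `Host: www.site2.com` sees the 503 and takes only that site's serverfarm entry out of rotation. For the https case in the earlier question, `probe_http("10.x.x.x", 10456, "probe1.abc.com", use_tls=True)` is the equivalent of running the probe by hand.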

  • Looking for ACE Probe TCL script specific for LDAPS

    Hello Everyone,
    I have searched the forum, and I am having difficulty finding an example of how to modify the LDAP TCL probe from port 389 to the secure LDAP port 636.
    Could someone kindly point me to, or provide me with, the modified TCL script if you happen to have it.
    During my search I also found a config that someone had provided, which contained the following probe:
    probe tcp LDAPS_Probe
      port 636
    probe tcp LDAP_Probe
      port 389
    I was trying to figure out if this is a modified TCL script for LDAP or a modified TCP TCL script specific for port 636.
    This is how I applied the script for LDAP port 389.
    script file 1 LDAP_PROBE
    probe scripted LDAP_PROBE_389
    interval 5
    passdetect interval 30
    receive 5
    script LDAP_PROBE
    serverfarm host SF-LDAP-389
    description SF LDAP Port 389
    predictor leastconns
    probe LDAP_PROBE_389
    rserver LDAP-RS1-389
    inservice
    I will be more than glad to provide you any additional information that you need.
    As always thanks for your input.
    Raman Azizian
    SAIC/NISN Network services

    Normally you would engage a TCL developer or Cisco Advanced Services to develop a custom script for anything other than what Cisco provides in canned scripts. If you are comfortable with TCL you can do it yourself. Here is an example of the LDAP script modified to include initiation via SSL. The default port is 389; when you implement it you would specify 636.
    #!name = LDAP_PROBE
    # Description:
    #    LDAP_PROBE opens a TCP connection to an LDAP server, sends a bind request, and
    #    determines whether the bind request succeeds.  LDAP_PROBE then closes the
    #    connection with a TCP RST.
    #    If a port is specified in the "probe scripted" configuration, the script probes
    #    each suspect on that port. If no port is specified, the default LDAP port 389
    #    is used.
    # Success:
    #   The script succeeds if the server returns a bind response indicating success
    #    (status code 0x0a0100) to the bind request.
    #   The script closes the TCP connection with a RST following a successful attempt.
    # Failure:
    #   The script fails due to timeout if the response is not returned.  This
    #    includes a failure to receive ARP resolution, a failure to create a TCP connection
    #    to the port, or a failure to return a response to the LDAP bind request.
    #   The script also fails if the server bind response does not indicate success.
    #    This specific error returns the 30002 error code.
    #   The script closes any attempted TCP connection, successful or not, with a RST.
    #  PLEASE NOTE:  This script expects the server LDAP bind response to specify length
    #   in ASN.1 short definite form.  Responses using other length forms (e.g., long
    #   definite length form) will require script modification to achieve success.
    # SCRIPT version: 1.0       April 1, 2008
    # Parameters:
    #   [DEBUG]
    #      username - user login name
    #      password - password
    #      DEBUG        - optional key word 'DEBUG'. default is off
    #         Do not enable this flag while multiple probe suspects are configured for this
    #         script.
    # Example config :
    #   probe scripted USE_LDAP_PROBE
    #         script LDAP_PROBE
    #   Values configured in the "probe scripted" configuration populate the
    #   scriptprobe_env array.  These may be accessed or manipulated if desired.
    # Documentation:
    #    A detailed discussion of the use of scripts on the ACE is included in
    #       "Using Toolkit Command Language (TCL) Scripts with the ACE"
    #    in the "Load-Balancing Configuration Guide" section of the ACE documentation set.
    # Copyright (c) 2005-2008 by Cisco Systems, Inc.
    # debug procedure
    # set the EXIT_MSG environment variable to help debug
    # also print the debug message when debug flag is on
    proc ace_debug { msg } {
        global debug ip port EXIT_MSG
        set EXIT_MSG $msg
        if { [ info exists ip ] && [ info exists port ] } {
            set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
        }
        if { [ info exists debug ] && $debug } {
            puts $EXIT_MSG
        }
    }
    # main
    # parse cmd line args and initialize variables
    ## set debug value
    set debug 0
    if { [ regsub -nocase "DEBUG" $argv "" argv] } {
        set debug 1
    }
    ace_debug "initializing variable"
    set EXIT_MSG "Error config:  script LDAP_PROBE \[DEBUG\]"
    set ip $scriptprobe_env(realIP)
    set port $scriptprobe_env(realPort)
    # if port is zero then use the well known ldap port 389
    if { $port == 0 } {
        set port 389
    }
    # PROBE START
    # open connection
    # -sslversion / -sslcipher are not standard Tcl socket options; they are what the
    # ACE interpreter offers to turn this into an LDAPS probe. RSA_WITH_RC4_128_MD5 is
    # a legacy cipher the server must still offer, otherwise the handshake (and with
    # it the probe) fails before any LDAP traffic is sent.
    ace_debug "opening socket"
    set sock [  socket -sslversion all -sslcipher RSA_WITH_RC4_128_MD5 $ip $port ]
    fconfigure $sock -buffering line -translation binary
    # send a standard anonymous bind request
    ace_debug "sending ldap bind request"
    puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
    flush $sock
    #  read string back from server
    ace_debug "receiving ldap bind result"
    set line [read $sock 14]
    binary scan $line H* res
    # the result code sits at byte offset 7 only when the server uses short definite
    # lengths (see PLEASE NOTE above); long-form responses put it further in
    binary scan $line @7H6 code
    ace_debug "received $res with code $code"
    #  close connection
    ace_debug "closing socket"
    close $sock
    #  make probe fail by exit with 30002 if ldap reply code != success code  0x0a0100
    if {  $code != "0a0100" } {
        ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
        exit 30002
    }
    ## make probe success by exit with 30001
    ace_debug "probe success"
    exit 30001
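Syed's opening answer (anonymous bind, check for success), Cathy's byte-by-byte decode of the Active Directory response, and the `read $sock 14` / `binary scan @7H6` check in the script above all turn on the same detail: where the resultCode sits depends on which BER length form the server uses. The following is an added example, not the Cisco LDAP_PROBE script and not code from any poster: a Python decoder that walks the BindResponse by tag and length, so it gives the right verdict for both the short form the script expects and the long form in Cathy's capture. `LONG_FORM_OK` is the payload Cathy posted; `SHORT_FORM_OK` and the resultCode-49 (invalidCredentials) variant are constructed for the example. `ldap_bind_check` is a live probe and is not exercised offline; its `use_tls` path mirrors the script's SSL variant and, like it, does not verify the server certificate.

```python
import socket
import ssl

# The anonymous bind request the probe sends (messageID 1, LDAP v3, empty name
# and password), as on this page.
ANON_BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")
LDAP_SUCCESS = 0
PROBE_PASS, PROBE_FAIL = 30001, 30002   # ACE scripted-probe exit codes

# Sample responses.  LONG_FORM_OK is the payload Cathy posted; the other two are
# constructed for this example (messageID 1, matchedDN and diagnostic empty).
SHORT_FORM_OK = bytes.fromhex("300c02010161070a010004000400")
LONG_FORM_OK = bytes.fromhex("3084000000100201016184000000070a010004000400")
LONG_FORM_INVALID_CREDENTIALS = bytes.fromhex("3084000000100201016184000000070a013104000400")


def read_tlv(buf, pos):
    """Decode the BER tag and length at buf[pos]; return (tag, value_start, value_end).
    Short definite form: one byte < 0x80.  Long definite form: 0x80|n, then n length
    bytes (0x84 00 00 00 10 is how Active Directory writes 16).  The indefinite form
    (0x80 ... 00 00) is not permitted in LDAP and is rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    else:
        n = first & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated element body")
    return tag, pos, pos + length


def parse_bind_response(buf):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, BindResponse [APPLICATION 1] {
    resultCode ENUMERATED, matchedDN OCTET STRING, diagnosticMessage OCTET STRING } }.
    Returns (message_id, result_code, diagnostic_message)."""
    tag, pos, _ = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("LDAPMessage must be a SEQUENCE (0x30), got 0x%02x" % tag)
    tag, s, e = read_tlv(buf, pos)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER (0x02)")
    message_id = int.from_bytes(buf[s:e], "big")
    tag, pos, _ = read_tlv(buf, e)
    if tag != 0x61:
        raise ValueError("expected BindResponse (0x61), got 0x%02x" % tag)
    tag, s, e = read_tlv(buf, pos)
    if tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED (0x0a)")
    result_code = int.from_bytes(buf[s:e], "big")
    _, s, e = read_tlv(buf, e)            # matchedDN, not needed for the verdict
    _, s, e = read_tlv(buf, e)            # diagnosticMessage
    return message_id, result_code, buf[s:e].decode("utf-8", "replace")


def probe_verdict(buf, expected_id=1):
    """Turn a raw response into the exit code a scripted probe would use."""
    try:
        message_id, code, diag = parse_bind_response(buf)
    except ValueError as exc:
        return PROBE_FAIL, "undecodable bind response: %s" % exc
    if message_id != expected_id:
        return PROBE_FAIL, "messageID %d does not match the request" % message_id
    if code != LDAP_SUCCESS:
        return PROBE_FAIL, "bind rejected, resultCode=%d %s" % (code, diag)
    return PROBE_PASS, "anonymous bind accepted"


def fixed_offset_code(buf):
    """What the 'read 14 bytes, scan @7H6' check sees: the three bytes at offset 7.
    Correct only when the server uses short definite lengths."""
    return buf[7:10].hex()


def ldap_bind_check(ip, port=389, use_tls=False, timeout=5.0):
    """Live probe (not run offline): send the bind, read until the outer SEQUENCE
    is complete, judge it.  use_tls wraps for LDAPS without certificate checks."""
    sock = socket.create_connection((ip, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock)
    with sock:
        sock.sendall(ANON_BIND_REQUEST)
        buf = b""
        while True:
            chunk = sock.recv(512)
            if not chunk:
                return PROBE_FAIL, "connection closed before a bind response"
            buf += chunk
            try:
                read_tlv(buf, 0)
            except ValueError as exc:
                if str(exc).startswith("truncated"):
                    continue              # wait for the rest of the message
                return PROBE_FAIL, "undecodable bind response: %s" % exc
            return probe_verdict(buf)
```

Run `fixed_offset_code(LONG_FORM_OK)` and you get `010161` (the messageID and BindResponse tag), which is exactly why the unmodified script exits 30002 with "Server did not respond as expected" against a server whose log shows the bind succeeding. Checking the messageID as well as the resultCode is cheap and catches a stray unsolicited notification being mistaken for the bind reply.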

  • ACE probe dilemma

    Hi, I have a requirement to use the ACE to provide Active/Standby service for 2 services located on 2 physical servers. Server A is active for one port and backup for another, Server B vice versa.
    As well as this, I am doing port translation - incoming requests to one port are being translated to one of two ports - see config below
    rserver host TEST-FE01
    ip address 10.100.100.1
    inservice
    rserver host TEST-FE02
    ip address 10.100.100.2
    inservice
    serverfarm host test-farm
    predictor leastconns
    rserver TEST-FE01 20902
    backup-rserver TEST-FE02 20902
    inservice
    rserver TEST-FE01 20903
    inservice standby
    rserver TEST-FE02 20902
    inservice standby
    rserver TEST-FE02 20903
    backup-rserver TEST-FE01 20903
    inservice
    My problem is that I want to configure probes for each ip/port combination, but I can't seem to achieve this, as my server farm contains servers that listen on more than one port, and a probe can only be configured with one TCP port and can only be applied to either the rserver or the whole serverfarm.
    Can anyone see how I can achieve this?
    Many Thanks in advance

    You will need to define the probe under the serverfarm's rserver config
    probe tcp port-20902
    port 20902
    probe tcp port-20903
    port 20903
    rserver host TEST-FE01
    ip address 10.100.100.1
    inservice
    rserver host TEST-FE02
    ip address 10.100.100.2
    inservice
    serverfarm host test-farm
    predictor leastconns
    rserver TEST-FE01 20902
    probe port-20902
    inservice
    rserver TEST-FE01 20903
    probe port-20903
    inservice
    Syed

  • SMTP and IMAP ACE Probe configuration Example

    Hi,
    Could someone share the SMTPS and IMAPS probe configuration settings in Cisco ACE 4710 for my reference.
    I have two servers, 10.1.1.58 and 10.1.1.59, which are supposed to be load balanced for the services 993 and 465.
    Regards
    BR

    Hello There,
    The ACE has built-in scripted probes to check connectivity beyond layer 4 with these kinds of mail servers, but only for the unencrypted versions SMTP/IMAP.
    In your case, since you're working with these protocols over SSL/TLS, you'll need to configure regular TCP probes for each serverfarm, so reachability will be tested based on the TCP port.
    probe tcp IMAPS-993
      port 993
      interval 5
      faildetect 2
      passdetect interval 3
      passdetect count 1
      open 1
    probe tcp SMTPS-464
      port 465
      interval 5
      faildetect 2
      passdetect interval 3
      passdetect count 1
      open 1
    HTH
    Pablo

  • Cisco ACE probe setup

    Configured a probe to check the health of a server webpage, but getting a status code of 400.
    probe http PROBE_80
      interval 10
      faildetect 2
      passdetect interval 10
      passdetect count 2
      receive 5
      request method get url http://<host>:<port>/eml/HealthCheckServlet
      expect status 200 202
      open 10
    getting the below status code. Would like to know the correct format for the request method of the above url
         real      : app02p[0]
                             192.168.10.6  80 VIP     161    161    0      FAILED
       Socket state        : CLOSED
       No. Passed states   : 0         No. Failed states : 1
       No. Probes skipped  : 0         Last status code  : 400
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err : Received invalid status code
       Last probe time     : Tue Mar 17 02:53:58 2015
       Last fail time      : Tue Mar 17 02:27:15 2015
       Last active time    : Never

    Hi Hari,
    Does this URL return status 200 when you send the request directly from your browser?
    You should use the exact URL here. If the URL is fine, then check with your server team why the server is responding with 400. The syntax looks fine. You can also take a pcap on the server and see what the ACE is sending for the probe.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • ACE: probe timers

    Hi,
    I've a general question about ACE probe timers. I've the following probe setup:
    probe https probe:1061
      port 1061
      interval 34
      passdetect interval 17
      open 1
    ACE# sh probe probe:1061 detail
    probe       : probe:1061
    type        : HTTPS
    state       : ACTIVE
    description :
       port      : 1061   address     : 0.0.0.0         addr type  : -
       interval  : 34      pass intvl  : 17              pass count : 3
       fail count: 3       recv timeout: 10
    ===
    for the above probe: when will the ACE declare the server down? Will it declare it down after (17*3+34) 85 seconds, or after 115 seconds (adding the recv timeout 3 times = 30 seconds)?
    please help.
    ========
    we did a test and brought down the server manually. The ACE declared the server down after 91 seconds (from the time the server was brought down).

    Hi Gavin, Krishna,
    The explanation for all these parameters can be found in the health monitoring section of the configuration guide (
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/probe.html#wp1031040)
    Below are the definitions quoted from the guide:
    Interval:
    The time interval between probes is the frequency that the ACE sends probes to a server marked as passed. You can change the time interval between probes by using the interval command
    Faildetect:
    Before the ACE marks a server as failed, it must detect that probes have failed a consecutive number of times. By default, when three consecutive probes have failed, the ACE marks the server as failed. You can configure this number of failed probes by using the faildetect command
    Passdetect interval/count:
    To configure the time interval after which the ACE sends a probe to a failed server and the number of consecutive successful probes required to mark the server as passed, use the passdetect command.
    So, to summarize, taking Gavin's configuration as example. A server failure would be detected in a time between 78 seconds (2x34 +10) and 112 (3x34 +10). Once it's down, it will become operational between 34 (2x17) and 51 (3x17) seconds after it comes back up.
    I hope this helps
    Daniel

  • How to disable SSLv3 and keep only TLS for LDAP connection.

    Hi,
    I'm planning to keep only TLSv1.2 for LDAP connections.
    I tried to set LDAP_OPT_SSL_INFO in LDAP Session Options using a SecPkgContext_ConnectionInfo Structure with dwProtocol SP_PROT_TLS1_2_CLIENT(as described here -  https://social.msdn.microsoft.com/Forums/en-US/7544226d-97e1-4dae-a377-e382c2281e91/how-to-set-up-tls-in-ldap-connection?forum=vcgeneral),
    but it returns LDAP_PARAM_ERROR.
    I tried to call this function directly after ldap_sslinit/ldap_init and before ldap_connect() - without success, I tried to use other parameters with default values, I tried to initialize them by 0/other possible values - and also no success.
    How I can do this?
    Thanks for your advices.

    LDAP_PARAM_ERROR
    https://msdn.microsoft.com/en-us/library/aa367026(v=vs.85).aspx

  • DTrace probes for oracle database 10g in solaris 10

    Hi guys, for a month I've been learning about Solaris DTrace and its D scripts and have tried to look for probes for administering Oracle database, but until now, nothing! So my question: are there DTrace probes for Oracle applications? I really need it now, that's my project: tracing Oracle with DTrace on Solaris 10 SPARC! Can anyone help me, pleaaase!!!

    Hey!! Of course that's a great site, but you know, I've already visited it and it doesn't talk about probes for Oracle!! However, I thought about another option: what do you think about exploiting the Oracle instance... I mean, do you think it's possible to monitor Oracle processes (LGWR, PMON, DBWR, SMON, ...) with DTrace by using providers like fbt or io? I don't know much!! Remember, the aim is monitoring Oracle database performance!!
    Regards!

  • Cannot find the Novell Connection Manager for LDAP

    Novell Connection Manger for Java/LDAP
    Cannot find the Novell Connection Manager for LDAP in download
    I am trying to connect through a Java client to the Apache Directory Studio LDAP server.... I have downloaded the classes from the download page (see link below), but I can't see the NovellConnectionManager class anywhere in this download when I use the Open Freely application to view the jar details.
    LDAP Classes for Java
    Environment: Windows 7

    Hi MentalSuplex, and a warm welcome to the forums!
    Don't know about Airport cards for it, but other options...
    http://eshop.macsales.com/item/Sonnet%20Technology/N80211PCI/
    Maybe this one, ask them...
    http://eshop.macsales.com/item/Newer%20Technology/MXP802NPCI/
    I use these...
    http://eshop.macsales.com/item/Newer%20Technology/MXP2802NU2C/
    http://eshop.macsales.com/item/Edimax/EW7711UMN/

  • IBM Netcool/OMNIbus probe for SCOM

    My SCOM 2012 environment feeds SCOM alerts to two IBM Netcool/OMNIbus probes. In the probe property file the connector names are different and they show correctly in the Internal Connector tab.
    However, when I try to forward any alert directly from the monitoring console, it doesn't show me the connector names but only "IBM Netcool/OMNIbus probe" for both connectors. How and where can I change this name?
    Thanks, Harry :-)

    Hi Harry,
    If we check the properties of both connectors, where we can see "IBM Netcool/OMNIbus probe for SCOM", there should be a property that indicates that for both of them.
    And from what I am thinking, this seems to be designed by the connector; if we cannot change the above setting for both of the connectors, then we may not be able to achieve the goal.
    Regards,
    Yan Li
