ACE Probes for authentication to imaps, smtps or pop3s servers

Dear all,
we have the demand to do health checks using authentication for servers running SSL-encrypted services like imaps, smtps or pop3s. Has someone implemented TCL scripts for that? Unfortunately the "SSL_PROBE_SCRIPT" provided by Cisco only does a "Client Hello". Maybe it is possible to enhance that script in order to test authentication?
Thank you very much in advance.
Bernd

Dear Gilles,
thank you very much for your reply. This answers my question.
But ... I would like to turn this into a feature request, because I believe this demand is not that much out of common. There already is a https probe which works in a similar way, so it should be easy for Cisco to add probes for common ssl-encrypting protocols or - even better - add a generic ssl probe.
Best regards,
Bernd

Similar Messages

  • ACE probe for LDAP

    Is there a way to configure a probe to check the health of LDAP and how? I can't find any reference in the docs for how to do this.

    You can use the scripted LDAP probe (LDAP_PROBE) available with ACE. It sends an anonymous bind request and checks for bind success.
    Syed

  • ACE ; probe for host header-value

    Hi,
    we have the following probe setup. Sometimes this probe fails because the server resets the connection, but the server team claims there aren't any issues with the server.
    probe https probe1.abc.com:10456
      port 10456
      interval 34
      passdetect interval 17
      ssl version all
      expect status 200 200
      header Host header-value "probe1.abc.com"
      open 1
    Is there a way to validate the above probe using Unix/Linux servers? I.e., using a Unix/Linux server, is there a way to send that Host header value to the servers and see if the servers respond with a 200 OK status? If not from Unix/Linux servers, is there any other way to validate it apart from validating it from the ACE?
    Thanks...

    Or can we do it using Windows? Maybe using Firefox on a Windows machine?
    Please advise.

  • ACE probe for rserver

    Hi, I have the following requirement to do a health check for a server.
    I need to add the three ports below in a probe with an OR condition, so if any of these 3 ports is up along with 10292, the connection should go to that server:
    10721
    10722
    10723
    How to do this? Can we set up such a health check using a script?

    Hi,
    You will need a custom script. The supplied CHECKPORT_STD_SCRIPT should provide a reasonable starting point. You just need to implement the logic behind setting the return code.
    HTH
    Cathy

  • Setup ACE probe for HTTP host headers for multiple sites on rservers

    We have multiple sites on each server. Is there a way to have the probe only stop traffic to a specific site or header and not take the complete rserver offline?
    Thanks
    Greg

    If you are running multiple web servers on the same server using the same IP address on the server, then the Host header field differentiates these web instances on the same physical machine.
    Use the header command under the http probe definition to send the appropriate Host value with the probe request,
    e.g.
    probe http site1
    interval 2
    faildetect 1000
    passdetect interval 2
    passdetect count 1
    header Host header-value "www.site1.com"
    expect status 200 200
    probe http site2
    interval 2
    faildetect 1000
    passdetect interval 2
    passdetect count 1
    header Host header-value "www.site2.com"
    expect status 200 200
    HTH
    Syed iftekhar Ahmed

  • Cisco ace mibs for concurrent connection on real and virtual servers

    I have loaded the Cisco-provided MIBs for Cisco ACE into the NMS, but I am not able to fetch the details from the ACE appliance 4710. Where can I find the OIDs for this?
    Would really appreciate it if anyone can help me regarding this.

    Hi Manohar,
    you need two MIBs:
    ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SLB-MIB.my
    ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENHANCED-SLB-MIB.my
    The current connection you will find in the section:
    slbVServerInfoTableEntry .1.3.6.1.4.1.9.9.161.1.4.2.1
    Example:
    slbVServerNumberOfConnections  .1.3.6.1.4.1.9.9.161.1.4.2.1.6.1.44
    Use a MIB-Browser to find out the OID for each server.
    Best Regards,
    Achim

  • SMTP and IMAP ACE Probe configuration Example

    Hi,
    Could someone share the SMTPS and IMAPS probe configuration settings in Cisco ACE 4710 for my reference?
    I have two servers, 10.1.1.58 and 10.1.1.59, which are supposed to be load balanced for the services 993 and 465.
    Regards
    BR

    Hello There,
    The ACE has built-in scripted probes in order to check connectivity beyond layer 4 with these kinds of mail servers, but only for the unencrypted versions, SMTP/IMAP.
    In your case, since you're working with these protocols over SSL/TLS, you'll need to configure regular TCP probes for each serverfarm, so reachability will be tested based on the TCP port.
    probe tcp IMAPS-993
      port 993
      interval 5
      faildetect 2
      passdetect interval 3
      passdetect count 1
      open 1
    probe tcp SMTPS-464
      port 465
      interval 5
      faildetect 2
      passdetect interval 3
      passdetect count 1
      open 1
    HTH
    Pablo
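Neither the opening thread nor this one gets an authenticating probe out of the ACE itself: the supplied SSL probe script stops at the Client Hello and the TCP probes above only confirm that port 993 or 465 answers, which says nothing about whether the mail service can still log a user in. The script below is an added example written for this page, not an ACE script or any Cisco code, of what such a check looks like when run from an external monitoring host: a verified TLS handshake to the IMAPS port, an IMAP LOGIN with a dedicated least-privilege monitoring account, and a check of the tagged reply. The host name, port and the `monitor` account are assumptions, and the server transcripts used for the offline self-test are constructed.

```python
# Added example (not ACE/Cisco code): IMAPS health check that verifies the TLS
# handshake and an IMAP LOGIN for a dedicated, least-privilege monitoring account,
# run from an external monitoring host.
import io
import socket
import ssl

class ProbeFailure(Exception):
    """Raised when the server's answer does not match a healthy IMAP login."""

def _read_line(rfile, limit=4096):
    line = rfile.readline(limit)  # bounded read: a misbehaving server cannot exhaust memory
    if not line:
        raise ProbeFailure("connection closed by server")
    return line.decode("ascii", "replace").rstrip("\r\n")

def _quote(value):
    # RFC 3501 quoted string: only backslash and double quote need escaping.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def imap_login_exchange(rfile, wfile, user, password):
    """Greeting -> LOGIN -> tagged reply over file-like objects. Returns the tagged
    completion line; raises ProbeFailure on a bad greeting, rejected LOGIN or drop."""
    greeting = _read_line(rfile)
    if not greeting.startswith("* OK"):
        raise ProbeFailure("unexpected greeting: " + greeting)
    wfile.write(("A001 LOGIN %s %s\r\n" % (_quote(user), _quote(password))).encode("ascii"))
    wfile.flush()
    while True:  # untagged lines ("* CAPABILITY ...") may precede the tagged reply
        line = _read_line(rfile)
        if not line.startswith("* "):
            break
    if not line.startswith("A001 OK"):
        raise ProbeFailure("LOGIN rejected: " + line)
    wfile.write(b"A002 LOGOUT\r\n")  # release the session; the reply is not needed
    wfile.flush()
    return line

def imaps_probe(host, user, password, port=993, timeout=5.0, cafile=None):
    """Probe a live server; certificate and host name are verified against the
    system trust store (or `cafile` for a private CA). Returns (passed, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            detail = imap_login_exchange(tls.makefile("rb"), tls.makefile("wb"), user, password)
        return True, detail
    except (OSError, ValueError, ProbeFailure) as exc:  # OSError: timeouts and TLS errors
        return False, "%s: %s" % (type(exc).__name__, exc)

def run_against_transcript(server_bytes, user, password):
    """Offline harness: replay a constructed server transcript through the exchange
    and return (passed, detail, bytes_sent_by_probe)."""
    rfile, wfile = io.BytesIO(server_bytes), io.BytesIO()
    try:
        return True, imap_login_exchange(rfile, wfile, user, password), wfile.getvalue()
    except ProbeFailure as exc:
        return False, str(exc), wfile.getvalue()

# Constructed transcripts (not captured from any real server) for the self-test.
TRANSCRIPT_OK = (b"* OK probe-test IMAP4rev1 server ready\r\n"
                 b"* CAPABILITY IMAP4rev1 IDLE\r\n"
                 b"A001 OK [CAPABILITY IMAP4rev1 IDLE] Logged in\r\n")
TRANSCRIPT_BAD = (b"* OK probe-test IMAP4rev1 server ready\r\n"
                  b"A001 NO [AUTHENTICATIONFAILED] Authentication failed.\r\n"
                  b"* BYE Logging out\r\n")

if __name__ == "__main__":
    print(run_against_transcript(TRANSCRIPT_OK, "monitor", "s3cret")[:2])
    print(run_against_transcript(TRANSCRIPT_BAD, "monitor", "wrong")[:2])
    # Live use (host name and account are placeholders):
    # print(imaps_probe("mail.example.com", "monitor", "s3cret"))
```

The same exchange logic applies to SMTPS (EHLO/AUTH) or POP3S (USER/PASS) with the corresponding greeting and reply formats; a failed LOGIN for the monitoring account, a dropped connection or a certificate that fails verification all report as a failed probe rather than an exception.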

  • ACE probe dilemma

    Hi, I have a requirement to use the ACE to provide Active/Standby service for 2 services located on 2 physical servers. Server A is active for one port and backup for another, Server B vice versa.
    As well as this, I am doing port translation - incoming requests to one port are being translated to one of two ports - see config below
    rserver host TEST-FE01
    ip address 10.100.100.1
    inservice
    rserver host TEST-FE02
    ip address 10.100.100.2
    inservice
    serverfarm host test-farm
    predictor leastconns
    rserver TEST-FE01 20902
    backup-rserver TEST-FE02 20902
    inservice
    rserver TEST-FE01 20903
    inservice standby
    rserver TEST-FE02 20902
    inservice standby
    rserver TEST-FE02 20903
    backup-rserver TEST-FE01 20903
    inservice
    My problem is that I want to configure probes for each ip/port combination, but I can't seem to achieve this as my server farm contains servers that listen on more than one port and a probe can only be configured with one TCP port and can only be applied to either the rserver or the whole serverfarm.
    Can anyone see how I can achieve this?
    Many thanks in advance

    You will need to define the probe under the serverfarm's rserver config:
    probe tcp port-20902
    port 20902
    probe tcp port-20903
    port 20903
    rserver host TEST-FE01
    ip address 10.100.100.1
    inservice
    rserver host TEST-FE02
    ip address 10.100.100.2
    inservice
    serverfarm host test-farm
    predictor leastconns
    rserver TEST-FE01 20902
    probe port-20902
    inservice
    rserver TEST-FE01 20903
    probe port-20903
    inservice
    Syed

  • Cisco ACE probe setup

    Configured a probe to check the health of the server web page, but getting a status code of 400.
    probe http PROBE_80
      interval 10
      faildetect 2
      passdetect interval 10
      passdetect count 2
      receive 5
      request method get url http://<host>:<port>/eml/HealthCheckServlet
      expect status 200 202
      open 10
    Getting the status code below. Would like to know the correct format for the request method of the above URL.
         real      : app02p[0]
                             192.168.10.6  80 VIP     161    161    0      FAILED
       Socket state        : CLOSED
       No. Passed states   : 0         No. Failed states : 1
       No. Probes skipped  : 0         Last status code  : 400
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err : Received invalid status code
       Last probe time     : Tue Mar 17 02:53:58 2015
       Last fail time      : Tue Mar 17 02:27:15 2015
       Last active time    : Never

    Hi Hari,
    Does this URL return status 200 when you send the request directly from your browser?
    You should use the exact URL here. If the URL is fine, then check with your server team why the server is responding with 400. The syntax looks fine. You can also take a pcap on the server and see what the ACE is sending for the probe.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • ACE: probe timers

    Hi,
    I have a general question about ACE probe timers. I have the following probe setup:
    probe https probe:1061
      port 1061
      interval 34
      passdetect interval 17
      open 1
    ACE# sh probe probe:1061detail
    probe       : probe:1061
    type        : HTTPS
    state       : ACTIVE
    description :
       port      : 1061   address     : 0.0.0.0         addr type  : -
       interval  : 34      pass intvl  : 17              pass count : 3
       fail count: 3       recv timeout: 10
    ===
    For the above probe: when will the ACE declare the server as down? Will it declare it down after (17*3+34) 85 seconds, or will it declare it down after 115 seconds (adding recv timeout = 10 secs 3 times = 30 seconds)?
    please help.
    ========
    We did a test and brought down the server manually. The ACE declared the server down after 91 seconds (from the time when the server was brought down).

    Hi Gavin, Krishna,
    The explanation for all these parameters can be found in the health monitoring section of the configuration guide (
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/probe.html#wp1031040)
    Below are the definitions quoted from the guide:
    Interval:
    The time interval between probes is the frequency that the ACE sends probes to a server marked as passed. You can change the time interval between probes by using the interval command.
    Faildetect:
    Before the ACE marks a server as failed, it must detect that probes have failed a consecutive number of times. By default, when three consecutive probes have failed, the ACE marks the server as failed. You can configure this number of failed probes by using the faildetect command.
    Passdetect interval/count:
    To configure the time interval after which the ACE sends a probe to a failed server and the number of consecutive successful probes required to mark the server as passed, use the passdetect command.
    So, to summarize, taking Gavin's configuration as an example: a server failure would be detected in a time between 78 seconds (2x34 +10) and 112 (3x34 +10). Once it's down, it will become operational between 34 (2x17) and 51 (3x17) seconds after it comes back up.
    I hope this helps
    Daniel

  • Printing to a Windows shared printer, keep getting "Hold for Authentication" when I'm on the Windows shared network and can browse the computers.

    I have had two MacBook Pros now, and this has been an issue in Mountain Lion and Mavericks. I've got a shared printer on the local Windows network (it's a USB printer shared via the network and the computer), and the other Windows computers in the house can print to it no problem. The Mac sees it no problem, yet whenever I try to print to it, I just get "Hold for Authentication."
    Like I said, persists over Mountain Lion and Mavericks. No other computer in the house has any issues printing to it. I've installed the drivers for the printer as well (Brother HL-2240).
    I've tried to follow the instructions here: https://discussions.apple.com/message/23268762#23268762 but the printer isn't listed in Keychain Access.
    Any thoughts?
    Thanks in advance!
    Patrick Campanale

    Well, that isn't too useful. Try this instead: Adding a printer shared by a Windows computer via SMB/CIFS.
    You may find more by selecting Mac Help from the Finder's Help menu and searching for articles by keyword.

  • SSL: how to use Multiple Private key/Certificate pair for authentication.

    Hi all,
    I am implementing SSL in Java using an X509 certificate/private key combination.
    I have two sets of private key/certificate pairs.
    One is the factory default and another is generated at run time.
    My problem is to try the SSL connection with both pairs on the same TCP/IP connection.
    E.g. on the server side: first try the SSL connection with the factory default certificate; if it fails, try connecting with the generated certificate on the same TCP/IP connection.
    On the client side: if the generated certificate (this certificate was generated at the server side) is present, first perform server authentication using this certificate, otherwise authenticate the server with the factory default certificate.
    Can someone please help and let me know how I need to configure both ends (client and server) for achieving the same?
    Thanks In Advance
    Saurabh Ahuja

    "Client code does not contain any default truststore and needs a certificate for authentication." Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
    It's like this. The idea of PKI with SSL is as follows:
    - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
    - the client has a truststore that trusts the server, one way or the other, see above.
    - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
    - the server sends its cert to the client along with a digital signature signed by its private key.
    - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
    At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
    If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
    You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.

  • One username for two tunnel in IPSec remote access vpn + ACS for authentication

    Hi all,
    I want to set up a username which can be used for two different IPSec tunnels (i.e. username USER1 can be used in tunnel TUN1 and TUN2). Can anyone help me with how to do this? My current configuration is that I tied the username to the tunnel group using group-lock (RADIUS property), so a username can only be used for a particular remote access VPN tunnel (USER1 can only be used for TUN1). I have already tried to enable multiple entries for group lock in ACS (by manipulating the dictionary setting in ACS), but it seems that authentication still takes the first group and cannot take the second group.

    You'd have to create a new AAA server group pointing to servers in the new domain for authentication.
    Then make a new connection profile that uses that AAA server group.
    Your users would have to choose the connection profile (absent some more advanced tricks like issuing them user certificates that can be checked for attributes which map to one profile or another).
    This could also be done with ISE 1.3 which can act as the RADIUS server and join to multiple AD domains on the backend as identity stores. (or even with ISE 1.2 if you use one of the AD directories as an LDAP store vs. native AD).

  • Using Hyper-V 2012 r2, connecting to the console results in: A certification authority could not be contacted for authentication.

    I'm having some trouble with authentication to guests from my Hyper-V console.
    If I try to connect from the Hyper-V Manager to the console of any guest, I get the error:
    "A certification authority could not be contacted for authentication. If you are using a Remote Desktop Gateway with a smart card, try connecting to the remote computer using a password. For assistance, contact your system administrator or technical support."
    I'm not using an RDG and smart card.
    I have 2 virtual networks. The first is Production, the second is Isolated. Production has 2 NICs attached to the Production LAN, the second has 2 NICs in our DMZ. The host is a member server of the production domain. I can use MSTSC from the LAN or the DMZ to gain access to each Guest and the Host.
    The issues start if I try "Connect" from Hyper-V Manager in an attempt to use the console of any Guest. Each attempt fails with the above error. If I use an incorrect password, I get a different error: "The credentials that were used to connect to {Server FQDN} did not work. Please enter new credentials."
    Taking a look at the event logs, I can see the session successfully authenticating to the Guest (4776 Credential validation and 4624 Logon), and the fact I get a different error if I enter an incorrect password shows I get some way along the line. However, if I take a look at the logs on the Host, I get:
    An account failed to log on.
        Subject:
            Security ID:        NULL SID
            Account Name:        -
            Account Domain:        -
            Logon ID:        0x0    
        Logon Type:            3
        Account For Which Logon Failed:
            Security ID:        NULL SID
            Account Name:        
            Account Domain:        
        Failure Information:
            Failure Reason:        An Error occured during Logon.
            Status:            0xC000006D
            Sub Status:        0xC000005E
        Process Information:
            Caller Process ID:    0x0
            Caller Process Name:    -
        Network Information:
            Workstation Name:    -
            Source Network Address:    -
            Source Port:        -
        Detailed Authentication Information:
            Logon Process:        Kerberos
            Authentication Package:    Kerberos
            Transited Services:    -
            Package Name (NTLM only):    -
            Key Length:        0
        This event is generated when a logon request fails. It is generated on the computer where access was attempted.
        The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
        The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
        The Process Information fields indicate which account and process on the system requested the logon.
        The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
        The authentication information fields provide detailed information about this specific logon request.
            - Transited services indicate which intermediate services have participated in this logon request.
            - Package name indicates which sub-protocol was used among the NTLM protocols.
            - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Which looks to me like a blank authentication request is being sent? (I've not deleted any machine/domain names, they're just not present)
    Any suggestions? Do you think I'm barking up the wrong tree?
    Thoughts and comments gratefully received

    Hi,
    What's your guest system platform? Based on my experience, that must be the unsupported guest system issue; the generation 2 VM only supports the Windows 8 or 8.1 platform.
    The related KB:
    Generation 2 Virtual Machine Overview
    http://technet.microsoft.com/en-us/library/dn282285.aspx
    Hope this helps.

  • Printing: Stuck on 'Hold for authentication'

    Hello. I'm trying to print from my Mac mini through a Windows 7 PC. I haven't ever gotten this to work. I can see the printer by choosing 'guest' when logging into the print server. I don't know what my username and password would be. When I save the printer and go to print something, the print status window comes up and says "Hold for authentication". I tried clearing keychains related to the printer in Keychain Access. Anyone know of a solution?

    Launch the Keychain Access application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad and start typing the name.
    Use the search box in the toolbar of the Keychain Access to search for the name of the shared printer. Double-click one of the items and check the box marked Show password in the inspector window. You'll be prompted for your keychain password to confirm. Make a note of the user name and password. Then delete every "Network Password" item in the search results. Quit Keychain Access.
    The next time you send a job to the printer, you'll be prompted for the user name and password. Enter the information you noted earlier and check the box to save it in the Keychain.
