Ace - rtcp
Hi all,
I am looking for an RTSP solution, and currently I can't find an answer.
The problem we have:
We are using an ACE to load balance streaming traffic, which uses RTSP/RTCP.
RTSP is not a problem: a simple VIP on port 554 forwarding to the servers.
But when it gets to RTCP it gets complicated.
I configured a VIP for UDP high ports, which works fine for messages from the client to the streamer.
But the streaming data, which is sent from the server to the client, needs to use the same source IP as the VIP.
For that I created a NAT pool with the same IP as the VIP.
So the ACE takes all packets from the servers and creates a PAT.
The thing is that the clients get a problem with that.
Within the RTSP setup there is a negotiation of the ports to use.
If the source/ports, which are changed through the PAT, are different from the negotiation, some clients won't work.
So the question is:
Is there a way to do a PAT with "fixed" ports, like a port range for server A, the next range for server B and so on?
Or is there a better solution for RTCP on the ACE?
Thanks a lot.
ACE supports RTSP over TCP load balancing only.
You can use RTSP headers.
RTSP stickiness is based on information in the RTSP session header. With RTSP header stickiness, you can specify a header offset to provide stickiness based on a unique portion of the RTSP header.
*Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used to establish and control media sessions between end points.
(config) sticky rtsp-header
To create an RTSP header sticky group to enable the ACE to stick client connections to the same real server based on the RTSP Session header field, use the sticky rtsp-header command. The prompt changes to the sticky header configuration mode prompt (config-sticky-header). Use the no form of this command to remove the sticky group from the configuration.
sticky rtsp-header name1 name2
no sticky rtsp-header name1 name2
Syntax Description
name1
RTSP header field. The ACE supports only the RTSP Session header field for stickiness. Enter Session.
name2
Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release    Modification
A3(1.0)    This command was introduced.
Usage Guidelines
This command requires the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness. Otherwise, the feature will not work. For more information about allocating resources, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The ACE supports only the RTSP Session header field for stickiness.
For information about the commands in RTSP sticky header configuration mode, see the "Sticky RTSP Header Configuration Mode Commands" section.
Examples
To create a group for RTSP header stickiness, enter:
host1/Admin(config)# sticky rtsp-header Session RTSP_GROUP
host1/Admin(config-sticky-header)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky rtsp-header Session RTSP_GROUP
Example of an RTSP Load-Balancing Configuration
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Configuration_Examples_--_Server_Load-Balancing_Configuration_Examples#Example_of_an_RTSP_Load-Balancing_Configuration
As per Cisco:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1165238
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1114235
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1114691
Similarly, for RTSP inspection it's clearly stated at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/appinsp.html#wp1318637
For RTSP inspection:
The ACE supports TCP only in conformity with RFC 2326.
More on ACE configs:
http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_configuration_examples_list.html
http://docwiki.cisco.com/wiki/Category:Configuration_Examples
Please Rate
HTH
Sachin Garg
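To make the two points of this thread concrete, here is an added Python example (not from the thread, Cisco, or any ACE code): it parses a constructed RTSP SETUP exchange, extracts the bare Session id that a sticky rtsp-header Session group keys on, and checks a server-to-client UDP media packet against the client_port/server_port pairs negotiated in the Transport header, which is exactly what the PAT in the question breaks. The VIP address 192.0.2.10 and all messages are constructed placeholders.

```python
"""Added example (not from the thread): parse an RTSP SETUP exchange and
check a server-to-client UDP media packet against the negotiated ports.

The ACE 'sticky rtsp-header Session' group keys on the Session header
value; the Transport header carries the client_port/server_port pairs
that a PAT rewrite would break.  All messages below are constructed."""
import re

# Constructed SETUP request/response, roughly as an RTSP client and a
# streaming server would exchange them through the VIP (not a capture).
SETUP_REQUEST = (
    "SETUP rtsp://vip.example.test/stream/trackID=1 RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589\r\n"
    "\r\n"
)
SETUP_RESPONSE = (
    "RTSP/1.0 200 OK\r\n"
    "CSeq: 3\r\n"
    "Session: 12345678;timeout=60\r\n"
    "Transport: RTP/AVP;unicast;client_port=4588-4589;server_port=6970-6971\r\n"
    "\r\n"
)

# client_port=4588-4589 or server_port=6970 (single port, no range)
PORT_PAIR = re.compile(r"(client_port|server_port)=(\d+)(?:-(\d+))?")


def parse_headers(message):
    """Split an RTSP message into its start line and a lowercase-keyed
    header dict (a body, if present, is ignored)."""
    start_line, _, rest = message.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line:          # the empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers


def session_id(headers):
    """Return the bare session identifier, dropping ';timeout=...'.
    This is the value a sticky rtsp-header Session group keys on."""
    value = headers.get("session")
    return None if value is None else value.split(";", 1)[0].strip()


def transport_ports(headers):
    """Return {'client_port': (lo, hi), 'server_port': (lo, hi)} from the
    Transport header; a single port is returned as (p, p)."""
    ports = {}
    for name, lo, hi in PORT_PAIR.findall(headers.get("transport", "")):
        low = int(lo)
        ports[name] = (low, int(hi) if hi else low)
    return ports


def check_media_packet(negotiated, vip, src_ip, src_port, dst_port):
    """Check one server->client UDP packet seen on the client side against
    the negotiated Transport ports.  Returns a list of mismatch reasons;
    an empty list means the packet is what the client expects."""
    problems = []
    if src_ip != vip:
        problems.append(f"source {src_ip} is not the VIP {vip}")
    lo, hi = negotiated["server_port"]
    if not lo <= src_port <= hi:
        problems.append(
            f"source port {src_port} outside negotiated server_port {lo}-{hi}"
            " (rewritten by PAT?)")
    lo, hi = negotiated["client_port"]
    if not lo <= dst_port <= hi:
        problems.append(
            f"destination port {dst_port} outside negotiated client_port {lo}-{hi}")
    return problems


def demo():
    """Walk the constructed exchange: one packet that matches the
    negotiation and one whose source port was rewritten by a PAT."""
    _, resp = parse_headers(SETUP_RESPONSE)
    ports = transport_ports(resp)
    good = check_media_packet(ports, "192.0.2.10", "192.0.2.10", 6970, 4588)
    patted = check_media_packet(ports, "192.0.2.10", "192.0.2.10", 40123, 4588)
    return session_id(resp), ports, good, patted


if __name__ == "__main__":
    sid, ports, good, patted = demo()
    print("session:", sid, "ports:", ports)
    print("matching packet:", good or "OK")
    print("PAT'd packet:", patted)
```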
Similar Messages
-
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm a newbie to Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got the chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two application servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and then finally found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide is totally fine with my required deployment model. I have the same deployment environment as this guide describes, with an ACE cluster that connects to two Cisco 3750X (stack) switches. But I have some confusing places in this guide.
This guide follows the "one-armed mode" as the deployment method. But when I go through it further I have noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client-side VIP also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool also).
My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the client side where client requests come in and hit the VIP and then a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and then tell me what is wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
Thanks....!
-Amal-
Dear Kanwal,
I need quick help from you. Following are the application LB requirements which I received from my client side.
The following details are required for configuring the Oracle EBS Apps tier on HA:
LBR IP and Name required to configure the EBS APPS Tier (i.e., ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on the same 172.25.45 subnet as the ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must resolve and respond on the DNS network
Server Farm detail for LBR Setup
The following details will be used for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on the same 172.25.45 subnet as the ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must resolve and respond on the DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, the actual hostname will be used]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, the actual hostname will be used]
Protocol: http
Port: 8000
Since my client needs to access the URL ebiz.xxxx.lk, which should be resolved to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and tried to access http://172.25.45.21; it was working fine and gave me the index.html page. Now that my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. My testing web servers are still there on both servers: when I type http://172.25.45.21 I get the index.html page, but not my client's web login page. What can I do about this?
Following is my latest config:
probe http Get-Method
  description Check to url access /OA_HTML/OAInfo.jsp
  interval 10
  faildetect 2
  passdetect interval 30
  request method get url /OA_HTML/OAInfo.jsp
  expect status 200 200
probe udp http-8000-iRDMI
  description IRDMI (HTTP - 8000)
  port 8000
probe http http-probe
  description HTTP Probes
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  request method get url /index.html
  expect status 200 200
probe https https-probe
  description HTTPS traffic
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  ssl version all
  request method get url /index.html
probe icmp icmp-probe
  description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
  description ebsapp1.xxxx.lk
  ip address 172.25.45.19
  conn-limit max 4000000 min 4000000
  probe icmp-probe
  probe http-probe
  inservice
rserver host ebsapp2
  description ebsapp2.xxxx.lk
  ip address 172.25.45.20
  conn-limit max 4000000 min 4000000
  probe icmp-probe
  probe http-probe
  inservice
serverfarm host ebsppsvrfarm
  description ebsapp server farm
  failaction purge
  predictor response app-req-to-resp samples 4
  probe http-probe
  probe icmp-probe
  inband-health check log 5 reset 500
  retcode 404 404 check log 1 reset 3
  rserver ebsapp1 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver ebsapp2 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
sticky http-cookie jsessionid HTTP-COOKIE
  cookie insert browser-expire
  replicate sticky
  serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
  description DM generated classmap for default LB compression exclusion mime types.
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*jpg
  16 match http url .*jpeg
  17 match http url .*jpe
  18 match http url .*png
class-map match-all ebsapp-vip
  2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
  class default-compression-exclusion-mime-type
    serverfarm ebsppsvrfarm
  class class-default
    compress default-method deflate
    sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
  class ebsapp-vip
    loadbalance vip inservice
    loadbalance policy ebsapp-vip-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 455
interface vlan 455
  ip address 172.25.45.36 255.255.255.0
  peer ip address 172.25.45.35 255.255.255.0
  access-group input ALL
  nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input int455
  no shutdown
ft interface vlan 999
  ip address 10.1.1.1 255.255.255.0
  peer ip address 10.1.1.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 999
ft group 1
  peer 1
  no preempt
  priority 110
  associate-context Admin
  inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply to me soon.
Thanks....!
-Amal-
-
Cisco ACE - Firewall load balancing
I am using two sets of ACE load balancers for load balancing traffic across two firewalls (firewall load balancing).
The solution works fine. I have a virtual address of 0.0.0.0 in either direction to match traffic going from the internal users to the internet and vice versa.
The problem is that when I try to manage the load-balanced firewalls (either using SSH or HTTPS) from outside, that connection also gets load balanced, and when I try to connect to FW1 then sometimes this connection ends up on FW2 and vice versa and the connection gets dropped. I have a workaround in place where I am using a virtual address per firewall to connect to the real IP address of the firewall.
Is there any other way of managing firewalls (which are defined as real servers) in a FWLB setup?
Attached is the configuration of the external ACE which has the two firewalls defined as the real servers.
access-list ALL line 8 extended permit ip any any
probe icmp ICMP-Probe
  interval 15
  passdetect interval 60
rserver host FW1-ASA
  ip address 10.11.71.10
  inservice
rserver host FW2
  ip address 10.11.71.11
  inservice
serverfarm host Firewalls
  transparent
  predictor leastconns
  rserver FW1-ASA
    inservice
  rserver FW2
    inservice
serverfarm host Firewalls-NO-LB
  rserver FW1-ASA
    inservice
serverfarm host Firewalls-NO-LB1
  rserver FW2
    inservice
sticky ip-netmask 255.255.255.255 address source new-sticky
  timeout activeconns
  serverfarm Firewalls
This is my workaround for connecting to the IP address of the firewalls (for management):
class-map match-any FW-Real
  2 match virtual-address 10.11.71.254 any
class-map match-any FW-Real2
  2 match virtual-address 10.11.71.253 any
class-map type management match-any Remote-Access
  201 match protocol telnet any
  202 match protocol http any
  203 match protocol https any
  204 match protocol ssh any
  205 match protocol snmp any
  206 match protocol icmp any
class-map match-any fwlb
  2 match virtual-address 0.0.0.0 0.0.0.0 any
policy-map type management first-match Remote-Management-Policy
  class Remote-Access
    permit
policy-map type loadbalance first-match FWLB-No-LB
  class class-default
    serverfarm Firewalls-NO-LB
policy-map type loadbalance first-match FWLB-No-LB1
  class class-default
    serverfarm Firewalls-NO-LB1
policy-map type loadbalance first-match FWLB-l7slb
  class class-default
    serverfarm Firewalls
policy-map multi-match Firewall-No-LB
  class FW-Real
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB
policy-map multi-match Firewall-No-LB1
  class FW-Real2
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB1
policy-map multi-match int70
  class fwlb
    loadbalance vip inservice
    loadbalance policy FWLB-l7slb
interface vlan 70
  description "Client side"
  ip address 10.11.70.2 255.255.255.0
  no icmp-guard
  access-group input ALL
  access-group output ALL
  service-policy input Remote-Management-Policy
  service-policy input Firewall-No-LB --> connect to the real IP address of the firewall for management
  service-policy input Firewall-No-LB1 --> connect to the real IP address of the firewall for management
  service-policy input int70
  no shutdown
interface vlan 71
  description "Firewall side"
  ip address 10.11.71.2 255.255.255.0
  mac-sticky enable
  no icmp-guard
  access-group input ALL
  access-group output ALL
  service-policy input Remote-Management-Policy
  no shutdown
Hello,
As far as I know, there are no other ways.
You can only reduce your configuration by putting all your classes under the same policy-map:
policy-map multi-match int70
  class FW-Real
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB
  class FW-Real2
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB1
  class fwlb
    loadbalance vip inservice
    loadbalance policy FWLB-l7slb
interface vlan 70
  description "Client side"
  ip address 10.11.70.2 255.255.255.0
  no icmp-guard
  access-group input ALL
  access-group output ALL
  service-policy input Remote-Management-Policy
  service-policy input int70
  no shutdown
-
Problem with ACE and Internet Explorer 8
I have a problem with ACE (system A2(1.1)) and Internet Explorer 8.
Exactly:
ACE is configured as end-to-end SSL with 2 rservers and with sticky source address. When a user opens the virtual address from IEv7, the web portal (on Microsoft IIS) works fine.
If the user opens the same web portal using IEv8, the session is suspended after 60 seconds.
I think that the reason is the HTTP keep-alive, which is sent every 60 seconds from the user's internet browser.
Here is some information about this: http://en.wikipedia.org/wiki/HTTP_persistent_connection
Do you have any idea how to resolve this problem: upgrade ACE, change the configuration on IIS or ACE??
Please help.
Hi Kazik,
Using a persistent connection or HTTP keepalives should not have any negative effect on the ACE, so, giving you a straight-forward answer to fix it is not going to be easy.
I would recommend you to open a TAC case to have this investigated further. When you do, please, provide the following data:
A showtech from the Admin context of the ACE
A traffic capture taken on the TenGig interface connecting the switch with the ACE backplane while doing a test connection (preferably one with IE7 and one with IE8 to compare)
If possible, a copy of the SSL private key. Being able to decrypt the traffic capture to look inside the HTTP flow would really make troubleshooting much easier.
Regards
Daniel
-
A problem with ACL in the class-map on the ACE module
Hi all,
I configured the following on the ACE module:
object-group network test
host 192.168.1.21
host 192.168.1.22
host 192.168.1.23
object-group service port
tcp eq www
tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACLs without object-groups for the traffic classification. It is horrible.
Thank you
Roman
Hi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel
-
Cannot Telnet to ACE 4710 after upgrade to A4(2.3)
I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). Yesterday I upgraded one of them to A4(2.3);
now I cannot telnet to the Admin context. Pings OK. I can telnet to other contexts on the box and everything seems to be working OK.
When I do a "sh telnet"
it comes back with
No Session Information is available
sh telnet maxsessions
telnet maxsessions 16
Can anybody help?
Further to this post, it was not a resource problem as I had allocated 5% for the Admin context.
I upgraded the IOS Saturday evening, could not Telnet in, tried again on Sunday, same result,
though this morning (Monday) I can now telnet in OK. Very strange.
I was connecting via the AUX line of a 2851 router to the console port.
When I disconnected this morning I saw the following message:
INIT: id "T0" respawning too fast : disabled for 5 minutes
Not sure if this is a 2851 message or an ACE message, but after getting that message is when I was able to Telnet in.
Was it a coincidence?
Anybody any ideas?
-
How can I use multiple client side vlans in ACE?
In CSM we have a default gateway per client VLAN; in ACE there is no equivalent command! How does the ACE handle routing in this situation?
Hi,
Talk about déjà vu. I was faced with the exact same challenge about a year ago.
Basically, I think you're looking at two options:
1) Firewall consolidation - Consolidate your four firewalls into one, having one dedicated interface towards the ACE, and route all your VIPs using the ACE as next hop. It looks like your firewalls are virtual (but I don't know), so it's doable. But I don't know if this is even an option for you.
2) Per-client-VLAN context - Context A for vlan1001, Context B for vlan1002 and so on. Each context handles client traffic for the respective VLAN, and since each context handles its own routing table, simply use the firewall address as your default route. But from your drawing, it looks like your server VLANs are all connected to the same ACE, so you will need to split that up. Assign each server VLAN to an ACE context as you do with the client-side VLANs.
Well, a third option would be NAT in your firewall. Unless you have a specific need for the original client IP to reach the ACE, you could NAT incoming client sessions in each of the firewalls to an interface address on that firewall; hence the ACE will see the client request as originating from the firewall, and since the ACE has connected routes to each of the firewalls, it will return traffic to the respective firewall and leave it to that firewall to return the traffic to the client.
Since each firewall will present the packets with a unique NATed address, you can apply different policies, parameters etc. for that NAT address, if this is required.
hth
/Ulrich
-
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user set up with the Network-Monitor role, which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!
Hello Brandon-
Network-Monitor only lets you browse outputs; it is not a role that allows a user to make any changes, including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conf t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule; within that, create/debug/modify/monitor each feature separately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into one, then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins
-
ACE - Inspection per VIP and other Questions
I have my ACE up and running with SLB for HTTP, terminating SSL and inspection for the traffic flowing through the ACE.
One thing I haven't figured out yet is how to let the ACE distinguish between inspecting only the VIP traffic versus inspecting all the traffic flowing through the routed VLAN.
My service-policy is currently bound on the xfer net VLAN which also services the VIP.
I made a "match url" rule with action reset for the regex "admin". If I try to access the link "slb.foo.local/admin" via the VIP it works, but unfortunately it also works if I access the real servers in the VLAN behind the ACE directly.
A: Any idea how to solve that with best practice?
B: I haven't found a way to create a self-signed certificate so far. Is it not implemented or did I just miss it?
C: Is an ACL mandatory to get traffic flowing via the VIP to the real servers? I have the feeling that without an ACL permitting the traffic explicitly there won't be a flow at all.
D: The commands "loadbalance vip icmp-reply active" and "loadbalance vip advertise active" for RHI are now in my config twice. Do I only need them once in my policy or does it make sense to keep them per HTTP and HTTPS class?
The corresponding config:
class-map match-all HTTP-INSPECT-L4CLASS
  description HTTP protocol deep packet inspection
  2 match port tcp eq www
class-map type http inspect match-any HTTP-INSPECT-L7CLASS
  description HTTP - Deep packet Inspection - Definition
  2 match content length range 0 256
  3 match url [/]admin
  4 match url .asp
class-map match-all L4-VIP-CLASS
  2 match virtual-address 10.10.10.85 tcp eq www
class-map match-all L4-VIP-CLASS-SSL
  2 match virtual-address 10.10.10.85 tcp eq https
class-map type http loadbalance match-any L7-SLB-CLASS-1
  3 match http header Host header-value "10.10.10.85*"
  4 match http header Host header-value "slb.foo.local*"
class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol icmp any
policy-map type management first-match REMOTE_MGM_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match L7-SLB-Policy
  class L7-SLB-CLASS-1
    serverfarm LB-Testfarm
policy-map type inspect http all-match HTTP-INSPECT-L7POLICY
  class HTTP-INSPECT-L7CLASS
    reset
policy-map multi-match L4-SLB-POLICY
  class L4-VIP-CLASS
    loadbalance vip inservice
    loadbalance policy L7-SLB-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  class L4-VIP-CLASS-SSL
    loadbalance vip inservice
    loadbalance policy L7-SLB-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server SSL-PSERVICE-Server
  class HTTP-INSPECT-L4CLASS
    inspect http policy HTTP-INSPECT-L7POLICY
interface vlan 444
  description XFER-ACE
  ip address 10.10.10.83 255.255.255.240
  access-group input All
  access-group output All
  service-policy input L4-SLB-POLICY
  service-policy input REMOTE_MGM_ALLOW_POLICY
  no shutdown
interface vlan 555
  description ACE-Server
  ip address 10.10.10.97 255.255.255.240
  access-group input All
  access-group output All
  no shutdown
Thanks for reading...
Roble
Gilles, hope you still read this thread :)
In another post you mentioned that the ACE features URL rewriting. I am desperately looking for this feature but can't find it anywhere in the docs.
Since I am terminating SSL on the front and speaking plain HTTP on the back end I have some problems with the portal application and links to non-secure documents.
I don't think I can make the application admins fix the problem or make the company behind the portal rewrite the code. (3 letters NOT starting with an I)
From the SCA docs I found the following description which matches my problem.
[quote]
When you have configured the urlrewrite command, the SCA can inspect the full HTML answer to replace all links to a nonsecure document with a link to the same document via HTTPS
[/quote]
EDIT:
Another thing...
I currently redirect all my HTTP traffic to a certain HTTPS URL with a redirect rserver. Works fine.
I am still thinking about how to solve the same problem with the SSL/HTTPS portion of my VIP.
vip:443 -> redirect to vip:443/url/foo/bar/
I tried something like...
vip:443 -> redirect to vip:444/url/foo/bar/
But somehow that didn't work out. Do you have a valid "conceptual" approach to this issue?
Roble
-
I am getting up to speed on the ACE and was wondering if someone could please clarify a couple of things for me, as the docs I am using are pretty confusing.
We have the ACE module in a Cisco 65XX switch, along with a FWSM.
1) Do I need to create a Layer 3 interface on the switch for the VLANs that I have assigned to the ACE?
2) I have created Layer 3 client-side and server-side VLANs on the ACE. Do I need to create a default gateway for each of these VLANs or create just one DG and point it to the switch?
3) Do I need to create a class map, a policy map and a service policy for the client and server VLAN L3 interfaces on the ACE?
Thanks much.
Have you had a chance to read through the config guide?
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/rtbrgdgd.html
In general,
1) yes for client-side VLANs,
no for server-side VLANs
2) just one default route to an SVI on the MSFC
3) yes
-
We have just switched our local server from a 32-bit to a 64-bit machine and now we have Windows Server 2008 R2 Service Pack 1 with MS Office 2007. On the server we are running an application in ASP.NET 3.5 using Visual Studio 2008. All users have 32-bit Windows 7 and MS Office 2007.
When a user tries to import data from Excel to the database (SQL Server 2005), the error comes as
"microsoft.ace.oledb.12.0 provider is not registered on local machine".
I have tried a solution by installing the Access Database Engine 2007 Office System Driver on the server, but the error was the same. Now what should I do to resolve this problem??? Should we install Office 2010 64-bit on the server or is there any other solution???
Hi,
Thanks for your posting.
The file can be made in Excel 2007; try to install: 2007 Office System Driver: Data Connectivity Components
http://www.microsoft.com/en-us/download/details.aspx?id=23734
Regards.
Vivian Wang
TechNet Community Support
-
Not able to run a reconciliation from IDM on a the securID/ACE server UNIX
I have configured a SecurID/ACE adapter in IDM 7.1 so that it can provision updates of user accounts. The RSA 6.1.2 server is running on Linux RHEL 2.6.9. I am able to connect to RSA from IDM, but when I run a reconciliation I get the following error:
Error iterating accounts for resource RES-User-RSA-Projects:
com.waveset.util.WavesetException: Trouble constructing User 'null'
Below is the stack trace that I extracted from IDM (debug). The stack below tells me that IDM is not able to establish a connection to the RSA server. I have made sure that the login account that I am using in the RSA adapter parameters belongs to the same group that owns /opt/ace/utils/tcl/bin/tcl-sd.
Is there anything else I need to do? Has anybody out there faced a similar issue and found a resolution?
SecurIdUnixResourceAdapter#getFeatures() Entryno args
SecurIdUnixResourceAdapter#getFeatures() Exit void
SecurIdUnixResourceAdapter#getFeatures() Entry no args
SecurIdUnixResourceAdapter#getFeatures() Exit void
SecurIdUnixResourceAdapter#getFeatures() Entry no args
SecurIdUnixResourceAdapter#getFeatures() Exit void
SecurIdUnixResourceAdapter#getLoginScript() Entry no args
SecurIdUnixResourceAdapter#getTclshPath() Entry no args
SecurIdUnixResourceAdapter#getTclshPath() Exit returned= /opt/ace/utils/tcl/bin/tcl-sd
SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 24
SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 2
SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 6
SecurIdUnixResourceAdapter#getUserExtensionMapNames() Entry no args
SecurIdUnixResourceAdapter#getUserExtensionMapNames() Exit void
SecurIdUnixResourceAdapter#getLoginScript() Exit void
SecurIdUnixResourceAdapter#getAccountIteratorscript() Entry no args
SecurIdUnixResourceAdapter#procSetup() Entry no args
SecurIdUnixResourceAdapter#procSetup() Exit void
SecurIdUnixResourceAdapter#procTearDown() Entry no args
SecurIdUnixResourceAdapter#procTearDown() Exit void
SecurIdUnixResourceAdapter#getAccountIteratorscript() Exit void
SecurIdUnixResourceAdapter#getAccountIteratorResult() Entry no args
SecurIdUnixResourceAdapter#getAccountIteratorResult() Exit void
SecurIdUnixResourceAdapter#constructUser() Entry no args
SecurIdUnixResourceAdapter#constructUser() Info Database connection is not established!
SecurIdUnixResourceAdapter#getFeatures() Entry no args
SecurIdUnixResourceAdapter#getFeatures() Exit void
Anybody out there who has configured Sun IDM to provision into RSA SecurID ACE/Server UNIX? Any help on this is greatly appreciated!
-
IOS XR deny ace not supported in access list
Hi everybody,
We've a 10G interface; this is an MPLS trunk between one ASR 9010 and a 7613, and the first thing we do is, through a policy-map TK-MPLS_TG, shape the interface output to 2G:
interface TenGigE0/3/0/0
 cdp
 mtu 1568
 service-policy output TK-MPLS_TG
 ipv4 address 172.16.19.134 255.255.255.252
 mpls
  mtu 1568
policy-map TK-MPLS_TG
 class class-default
  service-policy TK-MPLS_EDGE-WAN
  shape average 2000000000 bps
  bandwidth 2000000 kbps
And we've the policy TK-MPLS_EDGE-WAN as a service-policy inside; this new policy helps us assign a bandwidth percent to 5 class-maps, which in turn match the experimental values classified when the packets came into the router:
class-map match-any W_RTP
 match mpls experimental topmost 5
 match dscp ef
 end-class-map
class-map match-any W_EMAIL
 match mpls experimental topmost 1
 match dscp cs1
 end-class-map
class-map match-any W_VIDEO
 match mpls experimental topmost 4 3
 match dscp cs3 cs4
 end-class-map
class-map match-any W_DATOS-CR
 match mpls experimental topmost 2
 match dscp cs2
 end-class-map
class-map match-any W_AVAIL
 match mpls experimental topmost 0
 match dscp default
 end-class-map
policy-map TK-MPLS_EDGE-WAN
 class W_RTP
  bandwidth percent 5
 class W_VIDEO
  bandwidth percent 5
 class W_DATOS-CR
  bandwidth percent 30
 class W_EMAIL
  bandwidth percent 15
 class W_AVAIL
  bandwidth percent 2
 class class-default
 end-policy-map
What we want to do is assign a specific bandwidth to the proxy on the output using the class W_AVAIL; the proxy is 150.2.1.100. We have an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
ipv4 access-list PROXY-GIT-MEX
 10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
 20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
 30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
 40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
 50 permit tcp host 150.2.1.100 any
 60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
 class C_PXY-GIT-MEX3
  police rate 300 mbps
 class class-default
 end-policy-map
class-map match-any C_PXY-GIT-MEX3
 match access-group ipv4 PROXY-GIT-MEX
 end-class-map
We assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY, and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN:
policy-map TK-MPLS_EDGE-WAN
 class W_RTP
  bandwidth percent 5
 class W_VIDEO
  bandwidth percent 5
 class W_DATOS-CR
  bandwidth percent 30
 class W_EMAIL
  bandwidth percent 15
 class W_AVAIL
  service-policy EDGE-MEX3-PXY
 class class-default
 end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very appreciated.
That is correct: due to the way class matching is implemented in the TCAM, only permit statements in an ACL can be used for QoS class matching based on an ACL.
Unfortunately, you'll need to redefine the policy class match in such a way that it takes the permits only.
If you have some traffic that you want to exclude you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-me
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<dont do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
Even though the permit and deny may be overlapping in terms of match, only the first class is matched here, DENY-ME.
cheers!
xander -
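As an added pre-commit check for the IOS XR thread above (example code, not from the thread or from Cisco): it parses a small constructed XR snippet, reports every deny ACE in an ACL that a class-map matches on (the condition XR rejected at commit time), and rewrites the ACL into the permit-only exclude/keep pair Xander describes. The block parser is a simplification that assumes the sample's top-level keywords.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's config (not the poster's full config).
SAMPLE_CONFIG = """\
ipv4 access-list PROXY-GIT-MEX
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
class-map match-any C_PXY-GIT-MEX3
 match access-group ipv4 PROXY-GIT-MEX
 end-class-map
"""

BLOCK_START = re.compile(r"^(ipv4 access-list|class-map|policy-map|interface) ")

def parse_blocks(cfg):
    """Return {(kind, name): [body lines]} for each top-level XR block in cfg."""
    blocks, key = defaultdict(list), None
    for line in cfg.splitlines():
        m = BLOCK_START.match(line)
        if m:  # new top-level block; the name is the last token of its header line
            key = (m.group(1), line.split()[-1])
        elif key:
            blocks[key].append(line.strip())
    return blocks

def acl_entries(cfg, name):
    """[(seq, action, rest)] for the named ACL, seq as int."""
    body = parse_blocks(cfg).get(("ipv4 access-list", name), [])
    found = (re.match(r"(\d+) (permit|deny) (.+)", l) for l in body)
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in found if m]

def deny_aces_in_qos_classes(cfg):
    """(class_map, acl, seq) for every deny ACE in an ACL that a class-map matches on.
    XR rejects these at commit time ('Deny ace not supported in access-list')."""
    hits = []
    for (kind, cm), body in parse_blocks(cfg).items():
        for line in body if kind == "class-map" else []:
            m = re.match(r"match access-group ipv4 (\S+)", line)
            if m:
                acl = m.group(1)
                hits += [(cm, acl, s) for s, act, _ in acl_entries(cfg, acl) if act == "deny"]
    return hits

def split_for_qos(entries):
    """Xander's workaround: former denies become a permit-only exclude list, permits stay."""
    exclude = [(s, "permit", rest) for s, act, rest in entries if act == "deny"]
    return exclude, [e for e in entries if e[1] == "permit"]
```

The exclude list is what goes into the first class of the policy-map (the one that does nothing), the keep list into the second class that carries the police rate.
-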
ACE load balancing servers on different subnets...
Hello,
I have the following issue: I need to load balance traffic between two servers already working in two different subnets (VLANs), and at this point it is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE? Routed or bridged mode? Is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
Thanks in advance for your support.
Hi,
You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
The following extract from a configuration shows the basic principle:
rserver host master
  ip address 10.199.95.2
  inservice
rserver host slave
  ip address 10.199.38.68
  inservice
serverfarm host FARM-web2-Master
  description Serverfarm Master
  probe PROBE-web2
  rserver master
    inservice
serverfarm host FARM-web2-Slave
  description Serverfarm Slave
  probe PROBE-web2
  rserver slave
    inservice
class-map match-any L4VIPCLASS
  2 match virtual-address 10.199.80.12 tcp eq www
  3 match virtual-address 10.199.80.12 tcp eq https
policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
  class REMOTE-ACCESS
    permit
policy-map type loadbalance first-match LB-POLICY
  class class-default
    serverfarm FARM-web2-Master backup FARM-web2-Slave
policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    nat dynamic 1 vlan 384
service-policy input L4POLICY
interface vlan 383
  description ACE-web2-Clientside
  ip address 10.199.80.13 255.255.255.248
  alias 10.199.80.12 255.255.255.248
  peer ip address 10.199.80.14 255.255.255.248
  access-group input ACL-IN
  access-group output PERMIT-ALL
  no shutdown
interface vlan 384
  description ACE-web2-Serverside
  ip address 10.199.80.18 255.255.255.240
  alias 10.199.80.17 255.255.255.240
  peer ip address 10.199.80.19 255.255.255.240
  access-group input PERMIT-ALL
  access-group output PERMIT-ALL
  nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
HTH
Cathy -
ACE- From one real server to another VIP
Hi,
I have a problem with ACE;
We have multiple serverfarms configured in the ACE module based on the application, and different VIPs related to them. We are running the ACE in bridging mode. Now the requirement is that a real server from one serverfarm wants to communicate with the VIP of the second serverfarm. Is this possible? Will some NATing help in this situation? Below is the configuration.
======================
access-list LAN_Traffic remark For all IP Traffic
access-list LAN_Traffic line 10 extended permit ip any any
access-list LAN_Traffic line 20 extended permit icmp any any
probe http PORTAL_HTTP
  passdetect interval 20
  passdetect count 2
  request method get url http://portal
  expect status 0 600
probe http RMS_HTTP
  request method get url /_wmcs
  expect status 0 600
rserver host PORTAL1
  ip address 172.22.11.241
  inservice
rserver host PORTAL2
  ip address 172.22.11.243
rserver host QGLRSPW1
  inservice
rserver host RMS01
  ip address 172.22.10.12
  inservice
rserver host RMS02
  ip address 172.22.10.8
  inservice
serverfarm host PORTAL
  failaction purge
  probe PORTAL_HTTP
  rserver PORTAL1
    inservice
  rserver PORTAL2
    inservice
serverfarm host RMS
  failaction purge
  probe RMS_HTTP
  rserver RMS01
    inservice
  rserver RMS02
    inservice
class-map match-any PORTAL
  2 match virtual-address 172.22.10.166 tcp any
class-map match-any RMS
  2 match virtual-address 172.22.10.52 tcp eq www
  3 match virtual-address 172.22.10.52 tcp eq https
policy-map type loadbalance first-match RMS-POLICY
  class class-default
    serverfarm RMS
policy-map type loadbalance first-match PORTAL-POLICY
  class class-default
    serverfarm PORTAL
policy-map multi-match SFARM-LB-POLICY
  class RMS
    loadbalance vip inservice
    loadbalance policy RMS-POLICY
    loadbalance vip icmp-reply active
  class PORTAL
    loadbalance vip inservice
    loadbalance policy PORTAL-POLICY
    loadbalance vip icmp-reply active
interface vlan 800
  description ACE Client Interface
  bridge-group 1
  mac-sticky enable
  service-policy input SFARM-LB-POLICY
  no shutdown
interface vlan 898
  description ACE Server Interface
  bridge-group 1
  mac-sticky enable
  no shutdown
interface bvi 1
  ip address 172.22.11.151 255.255.252.0
  alias 172.22.11.153 255.255.252.0
  peer ip address 172.22.11.152 255.255.252.0
  description Bridge Group for 800 and 898 Interfaces
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.22.8.17
===================================
Please help. Thanks in advance.
Hello!
Well, yes, it would work. BUT... you have to change your config a bit. First you need to apply your access list to both interfaces, or the ACE will reject it, because it is acting as a firewall by default. And second you have to apply the policy map to both interfaces as well, or you put the policy map globally on the ACE.
Maybe you are looking for