ACE TLS1.0 Enforcement Behavior

ACE 30 module running A4(2.3) code. I want to turn off SSLv3 support, but I'm seeing some different behavior when doing so. Perhaps someone can explain the ACE behavior.
When ACE is set to all versions (SSLv3 and TLS1.0), if a TLS1.2 Client Hello is received, it is accepted and the ACE responds with a Server Hello with Version: TLS1.0 (0x0301) and the communications continues without issue.
When "version tls1" is configured in the same SSL parameter map and the same TLS1.2 Client Hello is received, the ACE sends an SSL Fatal Alert packet back to the client for Protocol Version, with Version: SSL 3.0 (0x0300) as the version.
I understand that the ACE doesn't support TLS1.1 and 1.2 in this version of code, but why does it accept the TLS1.2 Client Hello when version is all, but rejects it when version is set for tls1?
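The version negotiation the question is about, as an added example (my code, not Cisco's and not anything posted in this thread): it builds a ClientHello whose client_version field says TLS 1.2, applies the RFC 5246 rule (the server answers with the highest version it supports that is not above the client's offer, and sends a fatal protocol_version alert only when no common version exists), and decodes the 7-byte alert record. The ClientHello bytes and the server's supported sets are constructed. With {SSLv3, TLS1.0} the result is a ServerHello at TLS 1.0, which matches the "version all" behaviour described above; per the RFC a TLS1.0-only server should answer the same way, so the alert seen with "version tls1" is a deviation on the server side rather than something the client did wrong. The last case shows what a client offering only SSL 3.0 receives once SSLv3 is disabled, which is the outcome you actually want when turning SSLv3 off.

```python
import struct

# Protocol version numbers as they appear on the wire (major, minor)
SSL3_0, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3_0: "SSL 3.0", TLS1_0: "TLS 1.0", TLS1_1: "TLS 1.1", TLS1_2: "TLS 1.2"}

HANDSHAKE, ALERT = 0x16, 0x15                 # record-layer content types
CLIENT_HELLO = 0x01                           # handshake message type
ALERT_FATAL, PROTOCOL_VERSION = 0x02, 0x46    # alert level and description (RFC 5246)


def build_client_hello(client_version, record_version=TLS1_0):
    """Constructed sample ClientHello record. The record-layer version is kept at
    TLS 1.0 for compatibility (common client behaviour); the version the client
    really offers is the client_version field inside the handshake body."""
    body = struct.pack("!H", client_version)
    body += bytes(32)                            # client random (all zero: sample only)
    body += b"\x00"                              # empty session id
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                          # compression methods: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", record_version, len(handshake)) + handshake


def parse_client_hello_version(record):
    """Return the client_version offered inside a ClientHello record."""
    content_type, _rec_version, _rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE or record[5] != CLIENT_HELLO:
        raise ValueError("not a ClientHello record")
    return struct.unpack("!H", record[9:11])[0]


def choose_version(client_version, supported):
    """RFC 5246 Appendix E.1: answer with the highest supported version that is
    <= the client's offer; if even the lowest supported version is newer than
    the offer, there is no common version."""
    candidates = [v for v in supported if v <= client_version]
    return max(candidates) if candidates else None


def build_alert(version, level, description):
    """Alert record: content type 0x15, version, 2-byte length, level, description."""
    return bytes([ALERT]) + struct.pack("!HH", version, 2) + bytes([level, description])


def parse_alert(record):
    """Return (record version, level, description) from an alert record."""
    content_type, version, length, level, description = struct.unpack("!BHHBB", record[:7])
    if content_type != ALERT or length != 2:
        raise ValueError("not an alert record")
    return version, level, description


def respond(client_hello, supported):
    """Server side of the negotiation: ('server_hello', version) on success,
    otherwise ('alert', record) carrying a fatal protocol_version alert."""
    offered = parse_client_hello_version(client_hello)
    chosen = choose_version(offered, supported)
    if chosen is None:
        return "alert", build_alert(min(supported), ALERT_FATAL, PROTOCOL_VERSION)
    return "server_hello", chosen


if __name__ == "__main__":
    hello12 = build_client_hello(TLS1_2)
    for supported in ({SSL3_0, TLS1_0}, {TLS1_0}):
        kind, value = respond(hello12, supported)
        print(sorted(NAMES[v] for v in supported), "->", kind, NAMES.get(value, value))
    # An SSLv3-only client against a server with SSLv3 disabled gets the alert
    kind, record = respond(build_client_hello(SSL3_0, record_version=SSL3_0), {TLS1_0})
    print(kind, record.hex(), parse_alert(record))
```

The alert record for the SSLv3-only client comes out as `15 0301 0002 02 46`: fatal level, description 70 (protocol_version). Comparing that against the capture in the question is a quick way to confirm which side closed the handshake and why.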

Hi Dave,
The SSLv3 version is not supported anymore by ACE and that was the recommended fix.
The following resolved caveats apply to software version A5(3.1b):
    CSCur02195—The ACE 4710 and ACE30 include a version of bash that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:
1. CVE-2014-6271
2. CVE-2014-6277
3. CVE-2014-6278
4. CVE-2014-7169
5. CVE-2014-7186
6. CVE-2014-7187
    CSCur23683—ACE30 : evaluation of SSLv3 POODLE vulnerability.
Note: ACE will no longer support the SSLv3 version of SSL. ACE will support the following SSL versions: TLS1.0, TLS1.1, and TLS1.2. A performance degradation of 9% may be observed while using TLS1.0 compared to SSLv3.
Regards,
Kanwal
Note: Please mark answers if they are helpful.

Similar Messages

  • Application control Enforcement Behavior on Running Processes

    Hi
    I have a policy that prevents Spotify from launching.
    The first time the user tries to start Spotify, the user is informed that Spotify
    is not allowed and why.
    The following times the user tries to start Spotify, no enforcement
    message is displayed, only informing the user that Spotify could not
    start and not why.
    Is this the correct/expected behavior?
    /mats

    Mats,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • ACE 4710 icmp/routing behavior

    Hello,
    I'm using an ACE4710 as a load balancer.
    I have 3 interfaces:
    INTERNET 10.47.100.249 255.255.255.0
    INTRANET 10.47.99.240 255.255.255.0
    PROXY 10.47.98.240 255.255.255.0
    Traffic coming from INTRANET is balanced on interface PROXY if it is HTTP.
    The routing table is:
    0.0.0.0 10.47.100.190
    10.44.0.0/14 10.47.99.254
    When I issue a tracert to, e.g., www.cisco.com:
    tracert www.cisco.com
    www.cisco.com [198.133.219.25]
    my.router.com [10.47.2.234]
    www.cisco.com [198.133.219.25]
    www.cisco.com [198.133.219.25]
    www.cisco.com [198.133.219.25]
    www.cisco.com [198.133.219.25]
    etc ...
    It seems that once the ICMP TTL Exceeded reply passes through the ACE, instead of sending the TTL Exceeded with its original source IP, the ACE is sending back the source IP of the requested destination, in this case www.cisco.com. Is that correct?

    I tried that but it is not working:
    access-list icmp_traffic line 10 extended permit icmp any any
    class-map match-any ICMP_traffic
    description ip inspect ICMP
    2 match access-list icmp_traffic
    policy-map multi-match L4_SLB_POLICY
    class L4_WEB_TRAFFIC
    loadbalance vip inservice
    loadbalance policy HTTP_SLB_POLICY
    class ICMP_traffic
    inspect icmp error
    and I also did
    interface vlan 950
    no normalization
    no icmp-guard
    interface vlan 953
    no normalization
    no icmp-guard
    interface vlan 954
    no normalization
    no icmp-guard
    The ACE seems to always replace the IP header address of the error packet.

  • Slow connection in one server if accessing through Cisco ACE

    Hi,
    Good day. Can someone help me with my problem? I have 3 servers: server1, server2 and server3. When one PC accesses the server 3 application via the Cisco ACE, it experiences a slow connection, but with direct access without the Cisco ACE it's fast. Connections from this PC through the Cisco ACE and via direct access have no issue.
    What do I need to do in my configuration? Below is my configuration:
    logging enable
    logging timestamp
    logging trap 7
    logging buffered 7
    logging monitor 7
    logging host 167.81.126.5 udp/514
    logging host 137.55.152.147 udp/514
    resource-class SG_01
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 10.00 maximum equal-to-min
    boot system image:c4710ace-mz.A3_2_0.bin
    login timeout 30
    peer hostname singapore-ace2
    hostname singapore-ace1
    interface gigabitEthernet 1/1
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 14
      no shutdown
    interface port-channel 14
      description ISOLAN-ACE-TRUNK
      ft-port vlan 99
      switchport trunk native vlan 1
      switchport trunk allowed vlan 12,14,112
      no shutdown
    clock timezone SGT 8 0
    ntp server 137.55.152.1
    context Admin
      member SG_01
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 9 extended permit icmp any any
    ip domain-name ysn.psg.philips.com
    probe http singapore_01
      description This probe used to monitor application url-app-script
      interval 5
      passdetect interval 5
      request method get url /insiteserverstatus/insiteserverstatus.aspx
      expect status 200 200
      open 1
    probe http singapore_02
      description This probe used to monitor IIS-login-page
      interval 5
      passdetect interval 5
      request method get url /InSiteLumiledsApplication/
      expect status 200 200
      open 1
    probe icmp uplink
      description This probe used in conjunction with ft track host
      interval 2
      faildetect 2
      passdetect interval 3
    parameter-map type connection PARAM_L4STICKY-IP
      exceed-mss allow
    rserver host sggysnysn1ms013
      ip address 137.55.152.135
      inservice
    rserver host sggysnysn1ms014
      ip address 137.55.152.136
      inservice
    rserver host sggysnysn1ms018
      ip address 137.55.152.145
      inservice
    serverfarm host PLI9058
      probe singapore_01
      probe singapore_02
      rserver sggysnysn1ms013
        inservice
      rserver sggysnysn1ms014
        inservice
      rserver sggysnysn1ms018
        inservice
    sticky ip-netmask 255.255.255.255 address both SG_GROUP_01
      timeout 720
      replicate sticky
      serverfarm PLI9058
    class-map type management match-any HTTPS-ALLOW_CLASS
    class-map match-all L4STICKY-IP_141:ANY_CLASS
      2 match virtual-address 137.55.152.141 any
    class-map type http loadbalance match-any NO_MS018
      50 match source-address 137.55.155.31 255.255.254.0
    class-map type management match-any SSH-ALLOW_CLASS
      2 match protocol ssh source-address 167.81.124.0 255.255.255.192
      3 match protocol ssh source-address 167.81.126.0 255.255.255.192
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
      class class-default
        sticky-serverfarm SG_GROUP_01
        insert-http X-Forwarded-For header-value "%is"
    policy-map multi-match PLI9058-VIPs_POLICY
      class L4STICKY-IP_141:ANY_CLASS
        loadbalance vip inservice
        loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
        loadbalance vip icmp-reply
        connection advanced-options PARAM_L4STICKY-IP
    interface vlan 12
      description Client-side vlan
      bridge-group 1
      no normalization
      mac-sticky enable
      access-group input ALL
      access-group output ALL
      service-policy input PLI9058-VIPs_POLICY
      no shutdown
    interface vlan 14
      ip address 137.55.152.236 255.255.255.248
      peer ip address 137.55.152.237 255.255.255.248
      service-policy input remote_mgmt_allow_policy
      no shutdown
    interface vlan 112
      description Server-side vlan
      bridge-group 1
      no normalization
      access-group input ALL
      access-group output ALL
      nat-pool 1 137.55.152.141 137.55.152.141 netmask 255.255.255.192 pat
      no shutdown
    interface bvi 1
      ip address 137.55.152.189 255.255.255.192
      alias 137.55.152.188 255.255.255.192
      peer ip address 137.55.152.190 255.255.255.192
      description Bridge-Group 1 Virtual Interface
      no shutdown
    ft interface vlan 99
      ip address 192.168.1.1 255.255.255.252
      peer ip address 192.168.1.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 100
      heartbeat count 10
      ft-interface vlan 99
    ft group 1
      peer 1
      priority 150
      peer priority 50
      associate-context Admin
      inservice
    ft track host test1
      track-host 137.55.152.234
      peer track-host 137.55.152.235
      peer probe uplink priority 50
      probe uplink priority 50
    ip route 0.0.0.0 0.0.0.0 137.55.152.233

    Hi Earsdale,
    All three servers are using the same configuration, so I'm afraid it's not possible to give you a simple answer. You will need more troubleshooting.
    I would recommend you start by checking the differences between the servers, because one of those differences is certainly causing the failure.
    Also, it would be helpful to get traffic captures on the TenGig interface of the ACE to compare the behavior of the connection when going to the different servers, as well as the differences when being load-balanced vs. accessing the server directly.
    If you need help with this troubleshooting, you can always open a TAC service request.
    Regards
    Daniel

  • Any obvious errors here?

    // From JAVA PROGRAMMING: FROM THE BEGINNING, by K. N. King
    // Copyright (c) 2000 W. W. Norton & Company, Inc.
    import jpb.*;
    import java.io.*;
    import java.lang.Thread;

    public class bjack {
        public static int playerCount = 0;
        public static int dealerCount = 0;
        public static int computerCount = 0;
        // public static int cCard1 = 0;
        // public static int cCard2 = 0;
        public static int newCard = 0;
        int ep, pl;
        // BJStates, bjothers, BStrategy etc. are the poster's own classes and are not shown here
        BJStates bjstates;

        public bjack(BJStates parent, int episodes, int plays) {
            // Remember the requested episode/play counts; the learning thread
            // itself is created by startLearning()
            ep = episodes;
            pl = plays;
        }

        public static void main(String[] args) {
            int playerWins = 0;
            int dealerWins = 0;
            int computerWins = 0;
            SimpleIO.prompt("Learn or Play? ");
            String userInput1 = SimpleIO.readLine();
            if (userInput1.equalsIgnoreCase("P")) {
                while (true) {
                    // Choose two cards for player, dealer and computer
                    Card playerCard1 = Card.pickRandom();
                    Card playerCard2 = Card.pickRandom();
                    Card dealerCard1 = Card.pickRandom();
                    Card dealerCard2 = Card.pickRandom();
                    Card computerCard1 = Card.pickRandom();
                    Card computerCard2 = Card.pickRandom();
                    Card nCard = Card.pickRandom();

                    // Display all hands
                    System.out.println("Your cards: " + playerCard1 + " " + playerCard2);
                    System.out.println("Computer cards: " + computerCard1 + " " + computerCard2);
                    System.out.println("Dealer cards: " + dealerCard1 + " " + dealerCard2);

                    // Compute initial counts for player, dealer and computer
                    int playerCount = getCount(playerCard1) + getCount(playerCard2);
                    int dealerCount = getCount(dealerCard1) + getCount(dealerCard2);
                    int computerCount = getCount(computerCard1) + getCount(computerCard2);
                    // int cCard1 = getCount(computerCard1);
                    // int cCard2 = getCount(computerCard2);
                    int newCard = getCount(nCard);

                    // Check whether player's count is 21. If so, dealer
                    // must have 21 or lose automatically.
                    if (playerCount == 21) {
                        if (dealerCount != 21 && computerCount != 21) {
                            dealerCount = 0;
                            computerCount = 0;
                        }
                    } else {
                        // Player's count was not 21. Ask player to draw
                        // additional cards and determine new value of
                        // player's hand.
                        playerCount = getPlayerCards(playerCard1, playerCard2);
                        // Player loses if new count exceeds 21
                        if (playerCount > 21) {
                            playerCount = 0;
                        } else {
                            // Player's count does not exceed 21. Draw additional
                            // cards for dealer and determine new value of dealer's hand.
                            // System.out.println("Dealer's cards: " + dealerCard1 + " " + dealerCard2);
                            dealerCount = getDealerCards(dealerCard1, dealerCard2);
                            // Dealer loses if new count exceeds 21
                            if (dealerCount > 21)
                                dealerCount = 0;
                        }
                    }

                    // Compare the counts to determine the winner; display the
                    // outcome and update the win counts
                    if (playerCount > dealerCount && playerCount > computerCount) {
                        System.out.println("You win!");
                        playerWins++;
                    } else if (playerCount < dealerCount && computerCount < dealerCount) {
                        System.out.println("Dealer wins");
                        dealerWins++;
                    } else if (playerCount < computerCount && dealerCount < computerCount) {
                        System.out.println("Computer wins");
                        computerWins++;
                    } else {
                        System.out.println("Tie");
                    }

                    // Display the win counts
                    System.out.println("Dealer: " + dealerWins + " Player: " + playerWins
                                       + " Computer: " + computerWins);

                    // See if user wants to play again; exit from loop if answer is no
                    SimpleIO.prompt("Play again (Y/N)? ");
                    String userInput = SimpleIO.readLine();
                    if (!userInput.equalsIgnoreCase("Y"))
                        break;
                    System.out.println();
                }
            } else if (userInput1.equalsIgnoreCase("L")) {
                // main() is static, so an instance is needed before the learner can run
                // (calling "new BJStates(this, ep, pl)" directly from main does not compile)
                bjack game = new bjack(null, 1000, 100);
                // Earlier attempts, kept commented out:
                // Buffer sharedLocation = new UnsychronizedBuffer();
                // bjothers Bjothers = new bjothers(sharedLocation);
                // Bjothers.start();
                // class X implements Runnable {
                //     X() { Thread t = new Thread(this); t.start(); }
                //     public void run() { bjothers Bjothers = new bjothers(); }
                // }
                // public void Work() { while (true) System.out.println("+|+"); }
                // parent.initbjothersVariables();
                // BJStates.curEpisode = 0;
                // BJStates.curPlay = 0;
                // running = true;
                // thisThread.start();
                // Q.setName("Current");
                // BPlayers.player[0].setCurrentStrategy(Q);
                // BPlayers.player[1].setCurrentStrategy(Q);
                game.startLearning(game.ep, game.pl);
                // Wait until the user asks to stop
                while (true) {
                    SimpleIO.prompt("Stop ");
                    String userInput2 = SimpleIO.readLine();
                    if (userInput2.equalsIgnoreCase("S"))
                        break;
                }
            }
        }

        // NAME: getDealerCards
        // BEHAVIOR: Adds cards to the dealer's hand until the
        //           value reaches 17 or more
        // PARAMETERS: card1 - One of dealer's original two cards
        //             card2 - The other original card
        // RETURNS: Value of the dealer's hand, including
        //          original cards and new cards
        private static int getDealerCards(Card card1, Card card2) {
            int dealerCount = getCount(card1) + getCount(card2);
            int aceCount = 0;
            // Determine number of aces among original pair of cards
            if (card1.getRank() == Card.ACE)
                aceCount++;
            if (card2.getRank() == Card.ACE)
                aceCount++;
            while (true) {
                // If the dealer's count exceeds 21 and the hand
                // contains aces still valued at 11, then reduce the
                // number of aces by 1 and reduce the count by 10
                if (aceCount > 0 && dealerCount > 21) {
                    aceCount--;
                    dealerCount -= 10;
                }
                // Return if dealer's count is at least 17
                if (dealerCount >= 17)
                    return dealerCount;
                // Pick a new card and update the dealer's count
                Card newCard = Card.pickRandom();
                System.out.println("Dealer drew: " + newCard);
                dealerCount += getCount(newCard);
                // Check whether the new card is an ace
                if (newCard.getRank() == Card.ACE)
                    aceCount++;
            }
        }

        // NAME: getPlayerCards
        // BEHAVIOR: Adds cards to the player's hand until the
        //           value exceeds 21 or the player decides to stand
        // PARAMETERS: card1 - One of player's original two cards
        //             card2 - The other original card
        // RETURNS: Value of the player's hand, including
        //          original cards and new cards
        private static int getPlayerCards(Card card1, Card card2) {
            int playerCount = getCount(card1) + getCount(card2);
            int aceCount = 0;
            // Determine number of aces among original pair of cards
            if (card1.getRank() == Card.ACE)
                aceCount++;
            if (card2.getRank() == Card.ACE)
                aceCount++;
            while (true) {
                // If the player's count exceeds 21 and the hand
                // contains aces still valued at 11, then reduce the
                // number of aces by 1 and reduce the count by 10
                if (aceCount > 0 && playerCount > 21) {
                    aceCount--;
                    playerCount -= 10;
                }
                // Return if player's count exceeds 21
                if (playerCount > 21)
                    return playerCount;
                // Ask user whether to stand or hit
                SimpleIO.prompt("(S)tand or (H)it? ");
                String userInput = SimpleIO.readLine();
                if (!userInput.equalsIgnoreCase("H"))
                    return playerCount;
                // Pick a new card and update the player's count
                Card newCard = Card.pickRandom();
                System.out.println("You drew: " + newCard);
                playerCount += getCount(newCard);
                // Check whether the new card is an ace
                if (newCard.getRank() == Card.ACE)
                    aceCount++;
            }
        }

        // Computer cards (unfinished; kept as a comment)
        /*
        public void run() {
            int s;
            while (true) {
                try {
                    Thread.currentThread().sleep(10);
                } catch (Exception e) {
                    System.out.println("Exception on sleep");
                }
                // Sarsa strategy
                s = bjothers.calcState(card);
                // select the best action associated with s
                curAction = strat[strategy].selectAction(s);
                // take the chosen action
                switch (curAction) {
                    case BStrategy.HIT: {
                        addCard(Cards.next());
                        drawCards();
                        points = calcPoints();
                        if (points <= 21) {
                            setCanPlay(true);
                        } else {
                            setCanPlay(false);
                        }
                        break;
                    }
                    case BStrategy.STAND: {
                        setCanPlay(false);
                        break;
                    }
                    default: { setCanPlay(false); }
                }
            }
        }
        */

        // NAME: getCount
        // BEHAVIOR: Returns the Blackjack value of a particular card
        // PARAMETERS: c - a Card object
        // RETURNS: The Blackjack value of the card c. The value
        //          of a card is the same as its rank, except
        //          that face cards have a value of 10 and aces
        //          have a value of 11.
        private static int getCount(Card c) {
            switch (c.getRank()) {
                case Card.TWO:   return 2;
                case Card.THREE: return 3;
                case Card.FOUR:  return 4;
                case Card.FIVE:  return 5;
                case Card.SIX:   return 6;
                case Card.SEVEN: return 7;
                case Card.EIGHT: return 8;
                case Card.NINE:  return 9;
                case Card.ACE:   return 11;
                default:         return 10; // TEN, JACK, QUEEN, KING
            }
        }

        public void startLearning(int ep, int pl) {
            bjstates = new BJStates(this, ep, pl);
            bjstates.setEpisodes(ep);
            bjstates.setPlays(pl);
            bjstates.start();
        }
    }

    "Any obvious errors here?" Yup:
    No code tags
    No indentation
    Too long to read
    All cluttered up

  • How to name implementation of an interface

    Hi there
    Is there any standard for naming concrete implementations of interfaces?
    So if I have an interface
    A
    in package "interfaces"
    is it sensible to call the concrete implementation of the interface interfaces.A "A", too?
    class A implements interfaces.A{
    }? Or should it be called ConcreteA, or or or....?
    Thx for your tips.
    Sincerely
    Karlheinz Toni

    JebeDiAH, here's a very interesting read.
    Class and Interface Names
    Class names are always nouns, not verbs. Avoid making a noun out of a verb, example DividerClass. If you are having difficulty naming a class then perhaps it is a bad class.
    Interface names should always be an adjective (wherever possible) describing the enforced behaviors of the class (noun). Preferably, said adjective should end in "able" following an emerging preference in Java. i.e. Clonable, Versionable, Taggable, etc.
    Class and interface names begin with an uppercase letter, and should not be pluralized unless it is a collection class (see below).
        Acceptable:
            class FoodItem
            interface Digestable
        UnAcceptable:
            class fooditem
            class Crackers
            interface Eat
    Naming collection classes (in the generic sense of collection) can be tricky with respect to pluralization. In general each collection should be identified as a plural item, but not redundantly so. If you are using a collection type as part of the class name (List, Map, etc.) it is not necessary to use the plural form in the class name. If you are not using the collection type in the name it is necessary to pluralize the name. If you are extending one of the Java collection classes (Map, HashMap, List, ArrayList, Collection, etc.) it is good practice to use the name of the collection type in the class name.
        Acceptable:
            class FoodItems extends Object
            class FoodItemList extends ArrayList
            class FoodItemMap extends HashMap
        UnAcceptable:
            class FoodItem extends ArrayList
            class FoodItemsList extends ArrayList
    Class names should be descriptive in nature without implying implementation. The internal implementation of an object should be encapsulated and not visible outside the object. Since implementation can change, to imply implementation in the name forces the class name and all references to it to change or else the code can become misleading.
        Acceptable:
            AbstractManagedPanel
            LayeredPanel
        UnAcceptable:
            PanelLayerArray
    When using multiple words in a class name, the words should be concatenated with no separating characters between them. The first letter of each word should be capitalized.
        Acceptable:
            InventoryItem
        UnAcceptable:
            Inventory_item
            Inventoryitem
    Other than prefixes, no abbreviations should be used unless it is a well known abbreviation.
        Acceptable:
            CD=Compact Disc
            US=United States
        UnAcceptable:
            Cust=Customer
            DLR=Dealer
    I found it at http://www.iwombat.com/standards/JavaStyleGuide.html

  • Force implemention of constructors ?

    Hi,
    Suppose I want an abstract class ... and suppose I would like to force
    all my children to implement some constructors.
    How can it be enforced?
    Not like this:
    abstract class Ja {
      public /* abstract */ Ja(int k){ } // abstract not allowed here.
    }
    Although this approach will force the implementor to implement one class,
    it does not enforce all constructors being implemented.
    So ... can we use an interface? No.
    How to achieve this? Or is it just not possible (I think so, but I also think
    it would be useful).

    whether it's an interface or an abstract superclass
    or a concrete superclass, subclasses will have
    to implement the specified constructors. You still
    might not want them to do that, and for the same reasons.
    huh? Lost me here.
    Just like in my example with interfaces--if you require a subclass to support a particular constructor, you may be preventing it from fully initializing its state.
    And again, constructors are mainly about state, but methods
    specified in an abstract class [...] are about behavior.
    I don't see your point ... so it's okay to force (and
    hence guarantee)
    some methods to be implemented (and "behaviour") but
    not okay
    to do so with ctors? Why? Because they set the
    "state" of your
    object?
    The point of my state vs. behavior comment was to try to find a justification for why constructors might be different from methods. I realize it begs the question "why should we be able to enforce behavior, but not state?" but I was just trying to show that you can make the argument that constructors are fundamentally different from methods in at least one respect, and therefore it makes sense that the two wouldn't necessarily be symmetric with regard to their applicability in inheritance.
    As for "why is it okay to enforce behavior but not state?" I don't really have a good answer. One thing that pops to mind is that sure, in theory maybe there's nothing wrong with wanting to enforce state, but the problem with actually implementing that enforcement is, as I pointed out, you may be cheating your subclasses out of some state that they need.
    I guess if you go back to the purpose of inheritance--the is-a relationship (oh, god, please, not again!) that lets you substitute a subclass wherever a superclass (or interface) is expected, then constructors don't really fit into that. You have a method that requires a certain type as an arg, or an assignment expression that's expecting a certain type. Your class implements the interface or extends the class so you can use it in that context, not so that you can construct it a certain way.
    I realize the above paragraph is pretty mushy. I can't offer anything more concrete than that, but I think it makes sense.

  • Bizarre ACE module behavior

    Hi,
    I configured a new serverfarm with the leastconns predictor for two servers on our ACE module, version A2(2.3). Probes (show probes XX detail) to the servers are successful and both servers are operational (show serverfarm APPLI detail), but connections are directed only to one server.
    When I deactivated the server which is receiving the connections (no inservice), the ACE started to direct connections to the second server.
    There are several serverfarms, configured the same way, that are load balancing traffic correctly.
    Here is a sample of my config:
    serverfarm host TEST_443
    predictor leastconns
      probe TEST_443_PROBE01
      rserver TEST_RS01 443
        inservice
      rserver TEST_RS02 443
        inservice
    sticky http-cookie TEST_HTTPS TEST_443_STKY
      cookie insert
      timeout 720
      replicate sticky
      serverfarm TEST_443
    probe http TEST_443_PROBE01
      port 443
      interval 20
      passdetect interval 60
      passdetect count 5
      request method get url /test
      expect status 302 302
      connection term forced
    policy-map type loadbalance first-match TEST_L7PLB_HTTPS
      class class-default
        sticky-serverfarm TEST_443_STKY_SF
        insert-http X-Forwarded-Proto header-value "https"
        insert-http X-Forwarded-For header-value "%is"
    policy-map multi-match SLB-HTTP-POLICY
    class TEST_L4VIP_HTTPS
        loadbalance vip inservice
        loadbalance policy TEST_L7PLB_HTTPS
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        nat dynamic 1 vlan 202
        appl-parameter http advanced-options PERSIST
        ssl-proxy server TEST_SSL_PROXY_SERVER
    PS: ACE uptime is 291 days, could that impact ACE behavior?
    Thanks for any troubleshooting hints.

    Looking at this on my phone, but it looks like your L7 policy is referencing a sticky serverfarm that does not exist.
    i.e. TEST_443_STKY_SF is an incorrect name for the sticky group.
    If that's not it, then check that the first server actually has a number of conns on it when a new connection is established. Sometimes when both servers have 0 conns, new incoming conns will always go to the first server.
    Regards
    Stephen
    ===============================
    Free network configuration management software at www.rconfig.com
    Sent from Cisco Technical Support iPhone App

  • ACE - Radius Auth - Server Deadtime strange behavior... bug?

    Following issue...
    Two ACE Contexts -> Admin and Test
    Both are configured to authenticate via AAA and Radius. Everything works as intended, roles get submitted by Radius, etc.
    If you configure a deadtime > 0 and, for example, you stop the Radius service, the current ACE context detects the unavailable Radius server and marks it as dead after the retransmit and timeout values have expired. If you activate the Radius service again, the ACE context never clears the "Radius Server=Dead" flag.
    If you don't log in while doing maintenance on your Radius service everything is fine, but once the deadtimer kicks in it's over.
    I verified this behavior using context Admin and context Test at the same time. I ended up with one context working perfectly with the same server and one still having it marked as dead.
    I got some debug output and the config for both contexts.
    Ahmed or Gilles can you reproduce this behavior?
    EDIT: Reloading the module and setting the "deadtime 0" fixes the behavior.
    --- CONTEXT -> ADMIN ---
    2006 Aug 24 16:08:06.875245 radius: (ctx:0)get_radius_server_info_from_group:
    2006 Aug 24 16:08:06.875830 radius: (ctx:0)Skipping DEAD RADIUS server 10.10.10.1
    2006 Aug 24 16:08:06.875888 radius: (ctx:0)radius_request_process_next_server:
    All RADIUS servers failed to respond after retries.
    --- CONTEXT -> TEST ---
    2006 Aug 24 16:08:20.676439 radius: (ctx:0)get_radius_server_info_from_group:
    2006 Aug 24 16:08:20.677049 radius: (ctx:0)radius_request_process_next_server:
    found a server server index in group 0
    2006 Aug 24 16:08:23.085763 radius: (ctx:0)get_radius_server_info_from_group:
    2006 Aug 24 16:08:23.086024 radius: (ctx:0)radius_request_process_next_server:
    found a server server index in group 0
    2006 Aug 24 16:08:23.090753 radius: (ctx:0)Got context name Test
    --- Configuration -> CONTEXT ADMIN ---
    ace-module-01/Admin# sh run
    Generating configuration....
    radius-server host 10.10.10.1 key 7 "<secret>" auth-port 1645 acct-port 1646 authentication accounting
    aaa group server radius RADIUS_VTY
    server 10.10.10.1
    deadtime 1
    aaa authentication login default group RADIUS_VTY local
    --- Configuration -> CONTEXT TEST ---
    ace-module-01/Test#
    Generating configuration....
    radius-server host 10.10.10.1 key 7 "<secret>" auth-port 1645 acct-port 1646 authentication accounting
    aaa group server radius RADIUS_VTY
    server 10.10.10.1
    deadtime 1
    aaa authentication login default group RADIUS_VTY local
    Software
    loader: Version 12.2[118]
    system: Version 3.0(0)A1(2) [build 3.0(0)A1(2)
    jwilley_23:41:53-2006/06/11_/auto/adbu-rel/ws/REL_3_0_0_A1_2]
    system image file: [LCP] disk0:c6ace-t1k9-mz.3.0.0_A1_2.bin

    I see the same issue even with A1(3).
    I have submitted a new ddts for this - CSCsf19177.
    If you activate the 'debug radius server-monitor' command, you should see the ACE module trying to authenticate user test with password test.
    However, this request never makes it to the radius server.
    The bug has been logged and we will investigate.
    Thanks for reporting this problem to us.
    Gilles.

  • ACE Cookie insert behavior

    Hi ,
    My requirement is as follows
    i have following url
    http://x.x.x.x/abc
    http://x.x.x./dce
    http://x.x.x.x/fgh
    Only http://x.x.x.x/abc should use stickiness based on HTTP cookie insert; all the rest should use IP-based stickiness.
    The problem I am facing is:
    If I access http://x.x.x.x/dce, it does not show any COOKIE in the header (which is as expected), and when I access http://x.x.x./abc it shows the inserted COOKIE (again expected), but when I access the URL http://x.x.x.x/dce or fgh again, it is still showing the INSERTED COOKIE. Is this a known behaviour?
    As far as I understand, before the session request, ACE maintains the insert cookie values in the cookie database and thus it is less processing intensive.
    However, why is it inserting into all requests, even though I have not configured it as such?
    Following is my configuration. Is it a known behaviour or is it the way it should work?
    serverfarm host SF-FOR-DCE
      probe TCP_8032
      rserver MYSERVER1 8032
        inservice
      rserver MYSERVER2 8032
        inservice
    serverfarm host SF-FOR-FGH
      probe TCP_8083
      rserver MYSERVER1 8083
        inservice
      rserver MYSERVER2  8083
        inservice
    serverfarm host SF-FOR-ABC
      probe TCP_8081
      rserver MYSERVER1 8081
        inservice
      rserver MYSERVER1 8081
        inservice
    sticky http-cookie COOKIE-SKYCHAIN STICKY-ABC
      cookie insert browser-expire
      timeout 720
      replicate sticky
      serverfarm SF-FOR-ABC
    sticky ip-netmask 255.255.255.0 address source STICKY-DCE
      timeout 720
      replicate sticky
      serverfarm SF-FOR-DCE
    sticky ip-netmask 255.255.255.0 address source STICKY-EFG
      timeout 720
      replicate sticky
      serverfarm SF-FOR-FGH
    class-map type http loadbalance match-all CM7-1
      2 match http url /dce/*.*
    class-map type http loadbalance match-all CM7-2
      2 match http url /fgh/*.*
    class-map type http loadbalance match-all CM7-3
      2 match http url /abc*.*
    policy-map type loadbalance first-match PM7-1
      class CM7-1
        sticky-serverfarm STICKY-DCE
      class CM7-2
        sticky-serverfarm STICKY-EFG
      class CM7-3
        sticky-serverfarm STICKY-ABC
    class-map match-any CM3-VIP
      3 match virtual-address x.x.x.x tcp eq www
    policy-map multi-match PM34-VIP
    class CM3-VIP
        loadbalance vip inservice
        loadbalance policy PM7-1
        loadbalance vip icmp-reply
    Assistance appreciated.
    thanks
    -PMD

    Are you seeing the client still send the cookie when going to the other locations /DCE or /FGH, or are you seeing the ACE insert the cookie? If you are only seeing the client still sending the cookie this is expected behavior. The cookie is issued for the path / so if the client learned the cookie from the domain x.x.x.x it will send the cookie any time it goes to that domain regardless of the path that is being used.
    Regards
    Jim
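    To illustrate Jim's point about cookie path scope, here is an added example (not part of the original thread and not ACE code) that drives Python's browser-style http.cookiejar with a constructed Set-Cookie header. It assumes the inserted cookie is the COOKIE-SKYCHAIN cookie from the config above, uses a constructed hostname lb.example.test in place of x.x.x.x, and contrasts the Path=/ scope Jim describes with a hypothetical Path=/abc scope.

```python
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed stand-in for the VIP the thread writes as x.x.x.x.
VIP = "http://lb.example.test"


class _StubResponse:
    """Just enough of an HTTP response for http.cookiejar: it only calls .info()."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message keeps repeated headers

    def info(self):
        return self._headers


def learn_cookie(jar, url, set_cookie):
    """Store a server-issued Set-Cookie in the jar as a browser would after fetching url."""
    request = urllib.request.Request(url)
    jar.extract_cookies(_StubResponse([set_cookie]), request)


def cookies_sent(jar, url):
    """Names of the cookies the jar would attach to a later request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return [item.split("=", 1)[0].strip() for item in header.split(";")]


def simulate(set_cookie, learned_at, later_paths):
    """Learn one cookie at learned_at, then report which cookies go to each later path."""
    jar = http.cookiejar.CookieJar()
    learn_cookie(jar, VIP + learned_at, set_cookie)
    return {path: cookies_sent(jar, VIP + path) for path in later_paths}


if __name__ == "__main__":
    paths = ["/abc/index.html", "/dce/index.html", "/fgh/index.html"]
    # Path=/ (the scope Jim describes; R1234 is a constructed cookie value):
    # the browser replays the cookie to /dce and /fgh too, which is what PMD saw.
    print(simulate("COOKIE-SKYCHAIN=R1234; Path=/", "/abc/index.html", paths))
    # Hypothetical Path=/abc scope: only /abc requests would carry the cookie.
    print(simulate("COOKIE-SKYCHAIN=R1234; Path=/abc", "/abc/index.html", paths))
```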

  • Policy Enforcement issues in AM 7.1 with multiple user repositories

    Hello,
    We have a scenario where we need to authenticate and authorize both ADAM and Sun Directory Server users into a web application through the same realm. The realm is set up with 2 identity repositories - one for ADAM and one for DS - both of type LDAP v3 Repo. Authentication into the AM console through the ?realm=name parameter works fine in this setup for users from both repositories.
    However, when we try to authenticate users into the protected web application as an AD/DS user, policy enforcement is not deterministic. Policy Agent starts allowing URL access to DENIED users also. Is this a known issue/bug with Sun Access Manager 7.1?
    The policy agents in our setup are Apache, Tomcat and IIS 6.
    Thanks,
    Srinivas

    Please provide more information. If I understand you correctly, you have a realm with 2 LDAP Auth modules configured. Are these part of an Auth Chain? What does that Chain look like? Both Required? Sufficient?
    What does your URL policy look like?
    Have you made sure AM Agent is not set to SSO_ONLY?
    What do you mean by "Policy Agent starts allowing URL access to DENIED users also"? You see "DENIED" in a log file but the user gets through, or you are just reporting the behavior?
    Thanks,
    Eric

  • A problem with ACL in the class-map on the ACE module

    Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or normal behaviour? Because the customer uses object-groups in ACLs and he has to configure an ACL without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • Editable ALV Grid column behavior under ITS standalone

    Hello experts,
    I have a straight forward implementation of an ALV Grid with 3 columns. Two columns are display only and the third is editable. My question only involves the editable column and its behavior in a web browser served by a standalone ITS server. The underlying data type is CURR. The enterable amounts are restricted to a format of 9.99. Even so, a web user can accidentally enter a non-numeric value such as 1.x0 .  We have coded a data changed event handler to check the input value for expected amounts. The event handler logic readily identifies the non-numeric value and handles the exception. Although we have full control of the internal table value, there are two problems encountered within the web browser interface:
    1) We cannot return the cursor to the problem cell to prevent the user from continuing before correcting the problem.
    2) We cannot reset/change to displayed value to the original internal table value (it will only refresh after a save or refresh action). So the user has no visual cue that they've entered a bad value unless they pay close attention.
    Running the transaction in SAPGUI, we can force the cursor back to the erroneous cell using "CALL METHOD alv_grid->set_scroll_info_via_id". This technique does not appear to affect the cursor within the web browser.
    After searching SDN forums and SAP documentation it appears that there is no way to programmatically control the ALV Grid active cell within the web browser interface. I'm wondering if the experts can confirm this issue? If that is the way it works within the browser interface, could members please suggest "user friendly" approaches to notifying the user of a data entry problem? For example, is POPUP_TO_INFORM the only option? Perhaps there is a JavaScript routine that can enforce the edit format? Please keep in mind that the standard ALV Grid techniques that work in SAPGUI don't necessarily behave the same way in the web browser. I'm most interested in advice regarding the web browser using standalone ITS as it will be another year before we can leverage WebDynpro in this scenario.
    Thanks and best regards,
    Gary

    Hi Gary,
    can you please create a short report which recreates the issue and post the ABAP here. The goal is that webgui and SAPGUI behave the same way. If they don't we will try to fix it.
    Best regards,
    Klaus

  • FF 9.0.1 has bizarre behavior, server not found, sites look wrong, left tab back, failed sign ons, etc.

    '''Moderator edit: Locked, duplicate of [https://support.mozilla.org/en-US/questions/910533 910533]'''
    '''Anyone else having problems with FF 9.0.1? I mean multiple, strange problems! Ever since I upgraded to this latest version of Firefox 9.0.1, I have frequent "server not found" on common web sites like www.google.com, www.amazon.com, www.tvguide.com, etc.
    All these problems are frequent but inconsistent. It happens most, but not all, of the time. Repeated attempts to execute a site URL will eventually (usually) get a good response.
    Further, when pages are found, they open up looking wrong - unformatted text, no graphics, missing HTML commands, etc.
    Also, on several sites, I am unable to sign on or exchange information/data. Logons are not accepted, fail or are repeated over and over, responses are not recognized, etc. This seems to be especially true for Yahoo and ATT web sites.
    Lastly, just to add insult to injury, that damnable left side tab on my Google home page (igoogle) is BACK!!
    Switching to Chrome and/or IE eliminates these problems, but I still prefer FF!
    '''I have reviewed the articles here and tried several alterations on the config page, but nothing has helped.'''
    I have flushed my cache, cookies, history with no benefit! I have also, as I am now, started FF in safe mode and EVEN in SAFE MODE, with EVERYTHING disabled, I still get the bizarre responses and the left tab is still back.
    Is there a way to reload FF completely with everything set as it was BEFORE the last upgrade or to go back to an earlier version? What is it about 9.0.1 that is causing all these problems?
    BTW, incidentally, about the same time as upgrading FF, I also switched from Comcast cable ISP to ATT DSL ISP at an even higher speed - 18.0 Mbps. Not sure if that matters; I think the behavior was evident BEFORE the switch over.
    Any ideas or suggestions? Are the settings in my config under "useragent" correct? The IPv6 settings?
    Your help would be greatly appreciated!
    Bob Woolf'''

    '''Cor-el,
    I think it's time to bring some of those kryptonian super powers of yours in to play! :)
    Yes, I am still having problems. I tried to load in the online site for my bank, Navy Federal Credit Union. I got the old "server not found" BS. I did as you suggested and executed a SHIFTED Reload and that worked, at least in the sense that I was able to get the opening page.
    However, when I went to sign on, the trouble appeared. Similar to the failed logons and recycling sign ons that I had seen on Yahoo and a few other sites, WHEN I logged onto NFCU's page (they have an unusual three part logon), as soon as I sign on I am IMMEDIATELY told I have "timed out" on the session and am kicked off. Repeated attempts to access my account yield the same thing over and over. I tried to sign on using Internet Explorer and there was NO PROBLEM AT ALL, so the issue is specific to FF.
    I then flushed the cache and retried; no luck. I tried SAFE MODE and again no luck. I then went in and flushed the cache, again, and deleted all associated cookies. Again no luck.
    Then I flushed the cache, reset ALL the preferences and tried again, still no luck.
    As it stands now, I have reset the USERAGENT entries, flushed the cache, reset the preferences and removed the cookies and still, EVEN in SAFE mode, Firefox and NFCU can't get along. Neither can Yahoo.com!
    So, after all that, I am at my wit's end. Suggestions? Should I send you a refreshed copy of my troubleshooting dump?
    Keep in mind that I have, up until 9.0.1 came out, been using FF to access all these sites without any problems. So I guess the question has to be: Exactly what was changed in 9.0.1 from the previous version that has made it act this way?
    Ideas? Suggestions? Fixing this has become a full time job!
    Bob W'''
