ACE VIP & ACL
Hi,
The ACE config contains more than 20 service-policies and many VIP addresses. The ACE works in L3 mode.
We have to restrict traffic to one of the VIPs to 6 nodes only from the public side.
How can I restrict the traffic with an ACL in the L3 class map?
Different policies use the servers on the server-side VLAN, so we would not like to use a general traffic ACL under the server VLAN configuration.
Unfortunately, only one entry is permitted in the L3 class map!
However, this one entry is the virtual-address row.
What is the smart solution in this case (VIP & ACL together)?
Regards,
Hi,
I think the easiest way you can do this is using an HTTP class-map (regardless of the load balanced protocol, weird eh?)
Instead of an ACL you would use the match source-address command to specify the sources allowed to make it to the servers.
Here is how it looks:
class-map type http loadbalance match-any Hosts
10 match source-address 192.168.10.20 255.255.255.255
11 match source-address 192.168.10.21 255.255.255.255
12 match source-address 192.168.10.22 255.255.255.255
class-map match-any Internet
2 match virtual-address 192.168.20.15 tcp eq www
policy-map type loadbalance first-match Internet-FMP
class Hosts
serverfarm Backend
policy-map multi-match CLIENT-VIPS
class Internet
loadbalance vip inservice
loadbalance policy Internet-FMP
loadbalance vip icmp-reply active
Hope this helps!
Pablo
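Pablo's approach scales badly to a config with 20+ service-policies unless you can see, per VIP, which sources can still reach it. The following Python is an added example, not part of the thread and not a Cisco tool: it parses Pablo's snippet (plus one constructed VIP named Open that only has class-default behind it) and reports each VIP's allowed source prefixes, or 'any' when some class in its loadbalance policy admits every source. The keyword-based block parsing (the post's config has no indentation) and the match-any/match-all handling are my assumptions about ACE semantics.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample: Pablo's snippet from the post, plus a constructed VIP "Open"
# whose loadbalance policy has only class-default and is reachable from any source.
SAMPLE_CONFIG = """\
class-map type http loadbalance match-any Hosts
  10 match source-address 192.168.10.20 255.255.255.255
  11 match source-address 192.168.10.21 255.255.255.255
  12 match source-address 192.168.10.22 255.255.255.255
class-map match-any Internet
  2 match virtual-address 192.168.20.15 tcp eq www
class-map match-any Open
  2 match virtual-address 192.168.20.16 tcp eq 8080
policy-map type loadbalance first-match Internet-FMP
  class Hosts
    serverfarm Backend
policy-map type loadbalance first-match Open-FMP
  class class-default
    serverfarm Backend
policy-map multi-match CLIENT-VIPS
  class Internet
    loadbalance vip inservice
    loadbalance policy Internet-FMP
    loadbalance vip icmp-reply active
  class Open
    loadbalance vip inservice
    loadbalance policy Open-FMP
"""

# Top-level block prefixes seen in the thread; "serverfarm X" / "rserver X port"
# inside a policy or serverfarm do not start a block, hence the two-word prefixes.
BLOCK_START = ("class-map", "policy-map", "serverfarm host", "serverfarm redirect",
               "rserver host", "rserver redirect", "interface vlan", "probe ")
SRC_RE = re.compile(r"\bmatch source-address (\S+) (\S+)")
VIP_RE = re.compile(r"\bmatch virtual-address (\S+)(.*)$")
ANY_MATCH_RE = re.compile(r"\bmatch ")


def parse_ace(config: str) -> dict:
    """Group lines by top-level block (keyword, not indentation); policy-maps are
    further split into their 'class' sub-blocks."""
    sections = defaultdict(dict)
    kind = name = cur_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(BLOCK_START):
            kind, name = line.split()[0], line.split()[-1]
            sections[kind][name] = {"header": line, "classes": defaultdict(list), "lines": []}
            cur_class = None
        elif kind == "policy-map" and line.startswith("class "):
            cur_class = line.split()[1]
        elif kind == "policy-map" and cur_class:
            sections[kind][name]["classes"][cur_class].append(line)
        elif kind:
            sections[kind][name]["lines"].append(line)
    return sections


def mask_to_prefix(mask: str) -> int:
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def class_sources(cm: Optional[dict]):
    """Source CIDRs a loadbalance class admits, or None if it admits every source:
    class-default (no class-map), no source-address entries, or a match-any class
    that also matches on something other than the source (assumed ACE semantics)."""
    if cm is None:
        return None
    srcs, other = set(), 0
    for line in cm["lines"]:
        m = SRC_RE.search(line)
        if m:
            srcs.add(f"{m.group(1)}/{mask_to_prefix(m.group(2))}")
        elif ANY_MATCH_RE.search(line):
            other += 1
    if not srcs or (other and "match-any" in cm["header"]):
        return None
    return srcs


def vip_source_exposure(config: str) -> dict:
    """Map each VIP bound in a multi-match policy to its sorted allowed source CIDRs,
    or ['any'] when some class in its loadbalance policy admits everyone."""
    cfg = parse_ace(config)
    exposure = {}
    for pm in cfg["policy-map"].values():
        if not pm["header"].startswith("policy-map multi-match"):
            continue
        for cname, lines in pm["classes"].items():
            cm = cfg["class-map"].get(cname)
            vip_matches = [VIP_RE.search(l) for l in cm["lines"]] if cm else []
            vips = [m.group(1) + m.group(2).rstrip() for m in vip_matches if m]
            lb_policies = [l.split()[-1] for l in lines if l.startswith("loadbalance policy ")]
            allowed, open_to_any = set(), not lb_policies
            for lb_name in lb_policies:
                lbp = cfg["policy-map"].get(lb_name)
                for lb_class in (lbp["classes"] if lbp else ["class-default"]):
                    srcs = class_sources(cfg["class-map"].get(lb_class))
                    if srcs is None:
                        open_to_any = True
                    else:
                        allowed |= srcs
            for vip in vips:
                exposure[vip] = ["any"] if open_to_any else sorted(allowed)
    return exposure
```

Run `vip_source_exposure(open("running-config").read())` over a full `show run` to list every VIP still open to any source.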
Similar Messages
ACE VIP not accessible from client
I have a client VLAN configured with VLAN 30
and a servers VLAN with VLAN 100.
I have 2 real servers in the server VLAN, 172.16.100.20 and 172.16.100.30.
The ACE VIP is active and the serverfarm is OPERATIONAL.
From the client and server I am able to ping the VIP,
but when I try to browse http://VIP from the client it's not working.
Could anyone help me identify why I am not able to access http://VIP or https://VIP from the client?
Hi ssivanan,
I need more information to answer your question. Can you please post your configuration?
Here are some points I like to check.
+ Are you able to browse the contents locally, specifying own ip address on the one of servers ?
+ Do those servers have a route to vlan 30 ?
+ How is the browsing not working? Can you elaborate?
+ What do you see in "show conn" when it fails ?
Great documents on CCO. Worth checking.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide%2C_Release_A2%28x%29_--_Troubleshooting_Connectivity
- Kim
HTTP/HTTPS on the same ACE VIP - best practice
I currently have a VIP representing one server farm that contains two http servers:-
class-map match-all VIP-HTTP-xxxxx.co.uk
2 match virtual-address 10.79.18.10 tcp eq www
class-map match-all VIP-SSL-xxxxx.co.uk
2 match virtual-address 10.79.18.10 tcp eq https
I have port 80 and 443 open on the VIP and SSL termination performed on the ACE (both http servers are the same and configured for default load balancing behaviour - I've also specified port 80 for ACE to server traffic). Having 80 and 443 on the same VIP (meaning the site can be accessed via one NAT'd external IP) came from a request from the business so the site can have one domain.
The majority of the http server(s) web content is standard http but there is a specific sub-directory of interactive forms that requires https termination.
I have a couple of queries with regards to URL re-writes:-
1) Is the SSL URL re-write functionality limited to just the host part of the URL or can the ACE enforce https for specific sub-directories, i.e. can the ACE intercept and re-write a URL if a user tries to go to a particular https page/directory using http (by just deleting the s from the URL within their browser)? A possible example being:-
ssl url rewrite location "www\.cisco\.com\secure-forms"
2) Can the ACE re-direct users back to a standard http page if they try to 'secure' their session by changing http to https within their browser (basically the opposite of the above).
Basically as I have 80 and 443 on the same VIP I'm interested in the best practice methods of enforcing http and https content segregation using just the ACE (as opposed to having Apache doing the re-writes, etc).
Web services functionality (in terms of SSL and URL re-writes) has traditionally fallen within the domain of a dedicated web development team (who use Apache, Tomcat, etc.) but the introduction of the ACE as a load balancing appliance that is primarily managed by the networks team but with functionality that crosses traditional team boundaries has resulted in lots of questions from web development around what functionality can be moved from Apache, etc. and onto the ACE?
Any advice or personal experiences would be gratefully received.
Thanks
Matthew
Back again!
Could someone possibly cast their eye over the following config?
The only bit I'm not sure on (syntactically and whether it can even be done on the ACE) is how to specify a DO NOT match regular expression, i.e. how to capture https URLs that do not match my secure pages so I can re-direct the request back to the normal http URL (class-map type http loadbalance Non-Secure_Pages). What I'd like to avoid is re-directing requests that don't need to be, i.e. re-directing all requests that don't match /secure back to http when the majority will be correctly going to a normal http URL :-
rserver host server1
description *** HTTP server 1 ***
ip address 10.100.194.2
inservice
rserver host server2
description *** HTTP server 2 ***
ip address 10.100.194.3
inservice
rserver redirect REDIRECT_TO_HTTPS
webhost-redirection https://www.website.co.uk/%p 302
inservice
rserver redirect REDIRECT_TO_HTTP
webhost-redirection http://www.website.co.uk/%p 302
inservice
class-map type http loadbalance Secure_Pages
match http url /secure.*
class-map type http loadbalance Non-Secure_Pages
*** DO NOT *** match http url /secure.*
class-map match-all VIP-HTTP-website.co.uk
2 match virtual-address 10.79.18.10 tcp eq www
class-map match-all VIP-SSL-website.co.uk
2 match virtual-address 10.79.18.10 tcp eq https
policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
class Secure_Pages
serverfarm REDIRECT_TO_HTTPS
class class-default
serverfarm serverfarm-website.co.uk
policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
class Non-Secure_Pages
serverfarm REDIRECT_TO_HTTP
class class-default
serverfarm serverfarm-website.co.uk
serverfarm host serverfarm-website.co.uk
failaction purge
rserver server1 80
probe PING_SERVER
probe http-website.co.uk
inservice
rserver server2 80
probe PING_SERVER
probe http-website.co.uk
inservice
serverfarm redirect REDIRECT_TO_HTTPS
rserver REDIRECT_TO_HTTPS
inservice
serverfarm redirect REDIRECT_TO_HTTP
rserver REDIRECT_TO_HTTP
inservice
many thanks
ACE VIP OK HTTP, NOK other TCP port
Hi,
we are having issues in configuring load balancing for a TCP port. For HTTP it's working without issues and we have the ACE also balancing for other TCP ports.
Here goes the relevant config:
probe http PROBE-HTTP
interval 5
passdetect interval 2
passdetect count 1
request method get url /idc/
expect status 200 200
probe tcp PROBE-TCP
port 4444
interval 5
passdetect interval 10
rserver host PRD1
ip address 10.10.10.1
inservice
rserver host PRD2
ip address 10.10.10.2
inservice
serverfarm host SF-HTTP
probe PROBE-HTTP
rserver PRD1 80
inservice
rserver PRD2 80
inservice
serverfarm host SF-TCP
probe PROBE-TCP
rserver PRD1 4444
inservice
rserver PRD2 4444
inservice
sticky ip-netmask 255.255.255.255 address source SC-IP-PRD-HTTP
timeout 10
serverfarm SF-HTTP
class-map match-all NAT-VIP-HTTP
2 match virtual-address 10.10.35.1 any
class-map match-all NAT-VIP-TCP
2 match virtual-address 10.10.35.1 tcp eq 4444
policy-map type loadbalance first-match LB-VIP-HTTP
class class-default
sticky-serverfarm SC-IP-PRD-HTTP
insert-http x-forward header-value "%is"
policy-map type loadbalance first-match LB-NAT-VIP-TCP
class class-default
serverfarm SF-TCP
policy-map multi-match POLICY-RSERVER-VIP
class NAT-VIP-TCP
loadbalance vip inservice
loadbalance policy LB-NAT-VIP-TCP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
class NAT-VIP-HTTP
loadbalance vip inservice
loadbalance policy LB-VIP-HTTP
loadbalance vip icmp-reply active
nat dynamic 1 vlan 200
interface vlan 200
description SERVER-SIDE
ip address 10.10.14.2 255.255.255.0
alias 10.10.14.1 255.255.255.0
peer ip address 10.10.14.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.4.6 10.10.4.6 netmask 255.255.255.255 pat
service-policy input AllowICMP
service-policy input POLICY-RSERVER-VIP
no shutdown
The probes are OK, but nothing seems to get to the VIP:
ACE/CTX# show probe PROBE-TCP
probe : PROBE-TCP
type : TCP
state : ACTIVE
port : 4444 address : 0.0.0.0 addr type : -
interval : 5 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : SF-TCP
real : PRD1[4444]
10.10.10.1 8853 1 8852 SUCCESS
real : PRD2[4444]
10.10.10.2 8853 1 8852 SUCCESS
ACE/CTX# show serverfarm SF-TCP detail
serverfarm : SF-TCP, type: HOST
total rservers : 2
active rservers: 2
description : -
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
Probe(s) :
PROBE-TCP, type = TCP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: PRD1
10.10.10.1:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: PRD2
10.10.10.2:4444 8 OPERATIONAL 0 0 0
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
ACE/CTX# show service-policy POLICY-RSERVER-VIP
Status : ACTIVE
Interface: vlan 1 200
service-policy: POLICY-RSERVER-VIP
class: NAT-VIP-TCP
nat:
nat dynamic 1 vlan 200
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: LB-NAT-VIP-TCP
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
I see a lot of these messages in the logging of the ACE:
show logging | i 4444
22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
The client request is going through an ASA; on the ASA side I see that the TCP connection is half-open with SAaB flags. It seems that the VIP never replies with SYN+ACK to the ASA...
Thank you.
Best regards
Hi Norberto,
The log messages you are getting are most probably the probe connections and not a failure. Looking at them you will see your ACE is establishing a TCP connection on 4444, then it tears down the connection with a FIN, which is expected since you are using TCP keepalives.
I would recommend going back and defining the problem exactly: what are you experiencing when you try to telnet on port 4444 toward the VIP from the client?
Running sniffing software on the client and the server, and enabling capture on the ACE and ASA, will give you an exact idea of what you are experiencing.
Note: The ASA and the ACE have a great capture feature which will show you exactly the packet flows.
Note: Since you are applying NAT on the client requests, you should see the NATed IP address in the server capture.
Note: With L4 load balancing the ACE is not spoofing the clients' request; it just forwards the SYN, SYN+ACK and ACK between the server and the client.
Let me know if you have any other questions.
Best regards,
Ahmad
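Ahmad's reading of the log (those are the ACE's own probe connections, not client traffic) can be checked mechanically before anyone starts a packet capture. The following Python is an added example, not part of the thread: it parses the %ACE-6-302022/302023 lines quoted above and separates flows sourced from the ACE's server-side addresses (10.10.14.2 and its alias/peer, taken from the config in the post) toward a configured rserver:port from everything else. The constructed client line and the exact field layout of a real client flow are assumptions.

```python
import re
from collections import Counter
from typing import Optional

# Taken from the config in the post: the ACE's server-side addresses (interface,
# alias, peer) and the rservers behind SF-TCP. A flow from one of these addresses to
# a configured rserver:port on the same VLAN is a health probe, not a client.
ACE_SELF_IPS = {"10.10.14.2", "10.10.14.1", "10.10.14.3"}
RSERVERS = {("10.10.10.1", 4444), ("10.10.10.2", 4444)}

# The six log lines quoted in the post (302022 = Built, 302023 = Teardown).
SAMPLE_LOG = [
    "22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs",
    "22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)",
    "22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs",
    "22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)",
    "22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs",
    "22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)",
]
# Constructed, not from the post: a flow whose source is not the ACE itself
# (192.0.2.10 is a documentation address; 10.10.4.6 is the NAT pool from the config).
CONSTRUCTED_CLIENT_LINE = (
    "22:03:05 : %ACE-6-302022: Built TCP connection 0x1a00 for vlan200:192.0.2.10/51000 "
    "(10.10.4.6/1025) to vlan200:10.10.10.1/4444 (10.10.35.1/4444)"
)

# Field layout as it appears in the quoted lines; the parenthesised mapped addresses
# are optional, and duration/bytes/reason only appear on Teardown messages.
ACE_CONN_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) : %ACE-\d-(?P<msgid>\d{6}): "
    r"(?P<event>Built|Teardown) TCP connection (?P<conn>0x[0-9a-fA-F]+) "
    r"for (?P<svlan>vlan\d+):(?P<sip>[\d.]+)/(?P<sport>\d+)(?: \([\d.]+/\d+\))? "
    r"to (?P<dvlan>vlan\d+):(?P<dip>[\d.]+)/(?P<dport>\d+)(?: \([\d.]+/\d+\))?"
    r"(?: duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?)?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one Built/Teardown message into fields; None for any other line."""
    m = ACE_CONN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"] else None
    return rec


def classify(rec: dict, ace_self_ips=ACE_SELF_IPS, rservers=RSERVERS) -> str:
    """'probe' when the ACE itself opened the flow to a configured rserver:port on the
    same VLAN (keepalive traffic); 'client' for everything else."""
    if (rec["sip"] in ace_self_ips and (rec["dip"], rec["dport"]) in rservers
            and rec["svlan"] == rec["dvlan"]):
        return "probe"
    return "client"


def summarize(lines, ace_self_ips=ACE_SELF_IPS, rservers=RSERVERS) -> dict:
    """Count probe vs client Built/Teardown events, total bytes moved by probe flows,
    and collect the connection ids of real client flows (the ones worth chasing)."""
    counts, probe_bytes, client_conns = Counter(), 0, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        kind = classify(rec, ace_self_ips, rservers)
        counts[f"{kind}_{rec['event'].lower()}"] += 1
        if kind == "probe" and rec["event"] == "Teardown":
            probe_bytes += rec["bytes"] or 0
            if rec["reason"] and "FIN" in rec["reason"]:
                counts["probe_fin_close"] += 1  # clean close: the probe succeeded
        elif kind == "client":
            client_conns.append(rec["conn"])
    return {"counts": dict(counts), "probe_bytes": probe_bytes, "client_conns": client_conns}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

An empty `client_conns` over a `show logging | i 4444` excerpt means no client flow reached the VIP at all, which points the investigation at the ASA-to-ACE path rather than at the rservers.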
ACE - VIP address on different subnet
Hello,
Is it possible to configure a VIP address that is different from the VLAN subnet where it is applied on?
For example:
VIP is 10.10.10.1/24 on VLAN 10
Interface of ACE in VLAN 10 is 192.168.1.1/24
On the upstream routers, a static route points to the VIP address (subnet) with next-hop the ACE address?
Thanks.
Unfortunately I don't have a test environment either to verify this.
I don't think you will see ARP entries as the address doesn't belong to an interface.
You should see the VIPs active (sh service-policy detail) for these non-interface VIPs.
If those are active then I think once the client request hits the ACE it should take care of it.
I have deployed such a solution with FWSM (no VIPs there, but NATed addresses not belonging to any attached interface) and as per that experience I think it should work.
But yes, you need actual clients to test this scenario.
Syed
ACE VIP not Responding to Ping and cant Connect
Hello All,
I recently deployed an ACE 4710 Appliance. The configs seem right but clients can't ping the VIP and can't connect to the VIP either. Also the VIP doesn't show in 'sh arp'.
Pls HELP!!!
See the configs!!
sh run
Generating configuration....
boot system image:c4710ace-mz.A4_2_0.bin
hostname STERLING-ACE
interface gigabitEthernet 1/1
channel-group 1
no shutdown
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
channel-group 1
no shutdown
interface gigabitEthernet 1/4
channel-group 1
no shutdown
interface port-channel 1
switchport trunk allowed vlan 10,200,205,210,215
no shutdown
access-list INBOUND line 10 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
access-list INBOUND line 24 extended permit icmp any any echo
probe http BANK-APP
interval 2
faildetect 2
passdetect interval 2
expect status 200 200
open 1
probe icmp PING
description ***simple ping monitor***
interval 10
passdetect interval 60
passdetect count 2
receive 1
probe tcp TCP80
interval 10
passdetect interval 10
passdetect count 2
receive 1
open 5
rserver host BANK-APP-SERVER1
description ***GUI SERVER 1***
ip address 172.20.1.50
probe PING
inservice
rserver host BANK-APP-SERVER2
description ***GUI SERVER 2***
ip address 172.20.1.51
probe PING
inservice
rserver host BANK-APP-SERVER3
description ***GUI SERVER 3***
ip address 172.20.1.52
probe PING
inservice
rserver host BANK-APP-SERVER4
description ***GUI SERVER 4***
ip address 172.20.1.53
probe PING
inservice
rserver host THIN-CLIENT1
description ***CLI SERVER 1***
ip address 172.20.1.34
probe PING
inservice
rserver host THIN-CLIENT2
description ***CLI SERVER 2***
ip address 172.20.1.35
probe PING
inservice
rserver host THIN-CLIENT3
description ***CLI SERVER 3***
ip address 172.20.1.36
probe PING
inservice
rserver host THIN-CLIENT4
description ***CLI SERVER 4***
ip address 172.20.1.37
probe PING
inservice
serverfarm host CLI-GROUP
predictor leastconns
probe TCP80
rserver THIN-CLIENT1
inservice
rserver THIN-CLIENT2
inservice
rserver THIN-CLIENT3
inservice
rserver THIN-CLIENT4
inservice
serverfarm host GUI-GROUP
predictor leastconns
probe TCP80
rserver BANK-APP-SERVER1
inservice
rserver BANK-APP-SERVER2
inservice
rserver BANK-APP-SERVER3
inservice
rserver BANK-APP-SERVER4
inservice
parameter-map type connection TCP-PARAM-MAP
set timeout inactivity 360000
class-map type management match-any REMOTEACCESS
description remote access traffic match
2 match protocol ssh any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol xml-https any
6 match protocol http any
7 match protocol https any
class-map match-all TCP-CLASS
description TCP CONNECTION TIMER
2 match any
class-map match-all VS_WEB1
2 match virtual-address 10.0.0.115 any
class-map match-all VS_WEB2
2 match virtual-address 10.0.0.113 any
policy-map type management first-match REMOTEPOLICY
class REMOTEACCESS
permit
policy-map type loadbalance first-match HTTP_LB1
class class-default
serverfarm CLI-GROUP
policy-map type loadbalance first-match HTTP_LB2
class class-default
serverfarm GUI-GROUP
policy-map multi-match HTTP_MULTI_MATCH1
class VS_WEB1
loadbalance vip inservice
loadbalance policy HTTP_LB1
loadbalance vip icmp-reply
policy-map multi-match HTTP_MULTI_MATCH2
class VS_WEB2
loadbalance vip inservice
loadbalance policy HTTP_LB2
loadbalance vip icmp-reply
policy-map multi-match TCPIP-POLICY
class TCP-CLASS
connection advanced-options TCP-PARAM-MAP
service-policy input REMOTEPOLICY
service-policy input TCPIP-POLICY
interface vlan 10
description ***LAN LEG***
ip address 10.0.0.66 255.255.255.0
no icmp-guard
access-group input INBOUND
no shutdown
interface vlan 200
description ***THIN CLIENT VLAN****
ip address 172.20.1.33 255.255.255.240
no icmp-guard
access-group input INBOUND
service-policy input HTTP_MULTI_MATCH1
no shutdown
interface vlan 210
description ***BANK APP SERVER VLAN****
ip address 172.20.1.49 255.255.255.240
no icmp-guard
access-group input INBOUND
service-policy input HTTP_MULTI_MATCH2
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.200
username admin password 5 $1$ouG5.Okh$jwBoWkMiWstoTPwb9K9ku1 role Admin domain default-domain
username www password 5 $1$M31zwdiF$iY8Y5e9nV2sMM2HxwrQI7/ role Admin domain default-domain
STERLING-ACE/Admin#
Thanks!!
Hi Joshua,
class-map match-all VS_WEB1
2 match virtual-address 10.0.0.115 any
class-map match-all VS_WEB2
2 match virtual-address 10.0.0.113 any
You have applied "service-policy input HTTP_MULTI_MATCH1" in VLAN 200 and 210, but as per the config I believe it should be applied to VLAN 10.
interface vlan 10
description ***LAN LEG***
ip address 10.0.0.66 255.255.255.0
no icmp-guard
access-group input INBOUND
no shutdown
Can you apply the service policy in VLAN 10 and let me know the result.
ACE: VIP Out of service, Still accepts TCP connections
Hi Guys. I am looking at an issue with an ACE. SW is 3.0(0)A3(2.6).
We have a setup where most of it appears fine. It detects the loss of rservers, probes fail, the VIP stops responding to pings, but it still accepts TCP connections, even though there is nothing behind to accept them.
The question is, is this correct behaviour? And if so, is there any reference I can look at to confirm?
While this behaviour is inconvenient for us, I can see why it may actually be correct.
Thanks,
Paul.
Hello Paul,
This is expected behaviour for L7 LB connections:
The 'down' VIP will reply to SYN requests, but will then send a RST packet.
This is because the ACE doesn't know what to do with the L7 connection until it has been built up. Only when the L7 connection is 'open' do we notice that all the vservers which could serve this request are down.
So it is correct and expected, but not exactly desired. It's just a side effect of the design. So far I do not know of any plans to change this behaviour. However, similar limitations have been addressed in the past, like CSCsq17137.
Hope this helps, Peter
ACE VIPs not advertising or visible
Hi,
The VIPs on my ACE configuration are not advertising themselves. They don't show up in the ARP table in the upstream router/firewall.
The VIPs are configured to be "Inservice". I have probes that are successful. I can access the real servers behind the ACE successfully via pings, ssh, http, etc.
Here's part of my config:
policy-map multi-match int204-n2
class SMTP_Inbound_LB
loadbalance vip inservice
loadbalance policy SMTP_Inbound_LB-l7slb
loadbalance vip icmp-reply active
Is there anything else I need to add? The VIPs aren't responding to pings. The VIPs aren't showing up in the arp table of the upstream router/firewall.
I know there used to be a "loadbalance vip advertise" command, but that command is no longer valid or available.
I am running code version A1.8(0) on the ACE 4710 appliance.
I have this ACE also configured as a bridge. Is there something special I need to add to make the VIPs advertise themselves, respond to pings, etc.?
Any help would be appreciated.
Thank you.
Hi Gilles,
Yes, the policy is assigned to both VLAN interfaces of the bridge-group.
Yes, all VIPs show INSERVICE when I run the command "show service-policy int204-n2"
None of the VIPs are responding to pings or showing up in arp table of the upstream router/firewall.
The VIPs are part of the local subnet. I can't ping the local interface (BVI interface) of the bridge-group from the upstream firewall/router.
Yes, the ACE has an arp entry for the upstream router/firewall. The upstream firewall is also the ACE's default-gateway for this context.
Thanks,
Herman
Hopefully an easy one to solve, I'm new to ACE appliances.
I have two ACE appliances in bridged mode and configured as redundant pairs, they are connected to two separate 6500 switches. What I am seeing in the switch logs is the following error:
%SPANTREE-SP-2-LOOPGUARD_BLOCK: Loop guard blocking port Port-channel1 on VLAN066
The bridged vlans are 66 & 76.
I have "access-list bpduallow ethertype permit any" in my config and it is assigned to both of the bridged VLANs, on both ACE appliances, with "access-group input bpduallow".
Is this correct or do I need a specific "access-list bpduallow ethertype permit bpdu" entry in the ACL? I would have thought the "permit any" included it.
And if this is correct and allowing BPDU packets through, why would I be getting the error on the switch?
Thanks
Mel
It's the switch IOS version that is at fault, not the ACE
https://supportforums.cisco.com/message/614359
VIP from servers on port 8888 is visible with telnet and the other way around but HTTP://VIP(IP address):8888 is not working for webportal servers,
Your server is probably sending a redirect or using hard links with its port referenced in the url.
Fix the server.
Gilles.
Should ACE VIPs be Nated By a Firewall?
I cannot seem to find the answer to this question as to what the best practice is or would be. Should the VIP private IP be NATed at the firewall for internet access? I.e., Internet firewall NAT ------> Private WEB server farm VIP.
thanks
Thank you. However, will this not affect incoming sticky using source IP? The firewall will be seen as the source, not the public IPs accessing the WEB site?
Having a public DMZ using all public IPs, protected by a firewall but not performing "NAT", just for a layer of security, seems the way to go.
thank you
Cisco ACE VIP not responding to Pings
I've searched..... I cannot figure out why my VIPs do not ping. I have two VLANs that both reply to a ping on the interface IPs. And I'm new at this, thanks in advance.
GKEL2-ACE1/35568059-Axia# show run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging timestamp
logging trap 5
logging host 10.85.242.100 udp/514
login timeout 60
crypto chaingroup walnut-wcrt100
cert .dom.cer
cert wcrt100.pem
crypto chaingroup .dom-wcrt100
cert .dom.cer
cert wcrt100.pem
crypto csr-params .dom
country CA
state AB
organization-unit IT
common-name .dom
serial-number 1000
email support
crypto csr-params .dom
country CA
state AB
organization-unit IT
common-name .dom
serial-number 1001
email support
access-list ANYONE line 10 extended permit ip any any
access-list ANYONE line 20 extended permit icmp any any
access-list All line 1 extended permit ip any any
probe http HTTP1025
port 1025
interval 2
faildetect 2
passdetect interval 2
request method get url /Login.css
open 1
probe icmp PING
interval 2
faildetect 2
passdetect interval 60
probe tcp PROBE-TCP
interval 2
faildetect 2
passdetect interval 10
passdetect count 2
open 1
rserver redirect REDIRECT-HTTPS
webhost-redirection https://%h%p 302
inservice
rserver host WL1
ip address 10.205.70.100
inservice
rserver host WL2
ip address 10.205.70.101
inservice
rserver host WLDev1
ip address 10.205.71.202
inservice
rserver host WLDev2
ip address 10.205.71.203
inservice
rserver host WLTest1
ip address 10.205.71.150
inservice
rserver host WLTest2
ip address 10.205.71.151
inservice
serverfarm redirect REDIRECT-SERVERFARM
rserver REDIRECT-HTTPS
inservice
serverfarm host WEBLOGIC-7433
predictor leastconns
probe PING
rserver WL1 7433
inservice
rserver WL2 7433
inservice
serverfarm host WEBLOGIC-PROD
predictor leastconns
probe PING
rserver WL1 1025
inservice
rserver WL2 1026
inservice
serverfarm host WEBLOGIC-TEST-SSH
predictor leastconns
rserver WLTest1 22
inservice
rserver WLTest2 22
inservice
sticky http-cookie acecookie STICKY-INSERT-COOKIE
cookie insert
serverfarm WEBLOGIC-PROD
action-list type modify http REWRITE
header insert response Via header-value "1.1 web:%ps (ace10-8/a2)value"
header insert request Via header-value "1.1 web:%ps (ace10-8/a2)value"
header insert request X-Forwarded-Proto header-value "%pd"
ssl url rewrite location "*.*"
ssl header-insert session Id
ssl-proxy service ssl-client
ssl-proxy service ssl-proxy
key netcracker.cal.dom.key
cert netcracker.cal.dom.cer
chaingroup netcracker.cal.dom-wcrt100
class-map match-any L4VIPCLASS
2 match virtual-address 10.205.70.80 any
class-map type http loadbalance match-any L7-URL
2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
2 match protocol telnet any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol http any
7 match protocol https any
class-map match-any SSH_Test
2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-https
2 match virtual-address 10.205.70.80 tcp eq https
policy-map type management first-match REMOTE-MANAGEMENT
class REMOTE-MANAGEMENT
permit
policy-map type loadbalance first-match L7SLBPOLICY
class L7SLBCLASS
ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
class class-default
serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-policy
class class-default
serverfarm WEBLOGIC-7433
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE
class class-default
serverfarm WEBLOGIC-PROD
action REWRITE
ssl-proxy client ssl-proxy
policy-map multi-match L4LSBPOLICY
class L4VIPCLASS
loadbalance policy L7SLBPOLICY
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
class weblogic-https
loadbalance vip inservice
loadbalance policy weblogic-https-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
class weblogic-7433
loadbalance vip inservice
loadbalance policy weblogic-7433-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Test
class SSH_Test
loadbalance vip inservice
loadbalance policy SSH_Test_Policy
loadbalance vip icmp-reply
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
service-policy input L4LSBPOLICY
no shutdown
interface vlan 3516
description Internal Test/Dev
ip address 10.205.71.250 255.255.255.0
access-group input All
access-group output All
nat-pool 2 10.205.71.249 10.205.71.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP-Test
no shutdown
interface vlan 3520
description LB
ip address 10.205.72.1 255.255.255.0
access-group input All
access-group output All
no shutdown
ip route 0.0.0.0 0.0.0.0 10.205.70.253
username admin password 5 $1$r2r0NmEH$z8S0RxYdhwOE4RGXQ41 role Admin domain default-domain
username cust_admin password 5 $1$/tOIIfUK$yigE519cqLq1IFgX. role Admin domain default-domain
I have removed that service policy completely. It was from some knowledgebase article when I was trying to get http redirection working.
There is no more L4LSBPOLICY nor L4VIPCLASS, Thanks a lot for looking at this...
GKEL2-ACE1/35568059-Axia# show service-policy summary
service-policy: LB-VIP
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http 10.205.70.80 tcp eq 80 1,3440 IN-SRVC 0 50773 53
weblogic-https 10.205.70.80 tcp eq 443 1,3440 IN-SRVC 0 7406 112
weblogic-7433 10.205.70.80 tcp eq 7433 1,3440 IN-SRVC 0 145321 30
service-policy: LB-VIP-Dev
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
weblogic-http-dev 10.205.71.90 tcp eq 80 1,3516 IN-SRVC 0 0 0
weblogic-https-dev 10.205.71.90 tcp eq 443 1,3516 IN-SRVC 0 0 0
weblogic-7433-dev 10.205.71.90 tcp eq 7433 1,3516 IN-SRVC 0 0 0
service-policy: LB-VIP-Test
Class VIP Prot Port VLAN State Curr Conns Hit Count Conns Drop
SSH_Test 10.205.71.80 tcp eq 22 1,3516 IN-SRVC 0 29 24
weblogic-http-test 10.205.71.80 tcp eq 80 1,3516 IN-SRVC 0 117 40
weblogic-https-test 10.205.71.80 tcp eq 443 1,3516 IN-SRVC 0 161 61
weblogic-7433-test 10.205.71.80 tcp eq 7433 1,3516 IN-SRVC 0 27 11
class-map type http loadbalance match-any L7-URL
2 match http url /*.*
class-map type http loadbalance match-all L7SLBCLASS
2 match http url /*
class-map type management match-any REMOTE-MANAGEMENT
2 match protocol telnet any
3 match protocol icmp any
4 match protocol ssh any
5 match protocol snmp any
6 match protocol http any
7 match protocol https any
class-map match-any SSH_Test
2 match virtual-address 10.205.71.80 tcp eq 22
class-map match-any weblogic-7433
2 match virtual-address 10.205.70.80 tcp eq 7433
class-map match-any weblogic-7433-dev
2 match virtual-address 10.205.71.90 tcp eq 7433
class-map match-any weblogic-7433-test
2 match virtual-address 10.205.71.80 tcp eq 7433
class-map match-any weblogic-http
2 match virtual-address 10.205.70.80 tcp eq www
class-map match-any weblogic-http-dev
2 match virtual-address 10.205.71.90 tcp eq www
class-map match-any weblogic-http-test
2 match virtual-address 10.205.71.80 tcp eq www
class-map match-any weblogic-https
2 match virtual-address 10.205.70.80 tcp eq https
class-map match-any weblogic-https-dev
2 match virtual-address 10.205.71.90 tcp eq https
class-map match-any weblogic-https-test
2 match virtual-address 10.205.71.80 tcp eq https
policy-map type management first-match REMOTE-MANAGEMENT
class REMOTE-MANAGEMENT
permit
policy-map type loadbalance first-match L7SLBPOLICY
class L7SLBCLASS
ssl-proxy client ssl-client
policy-map type loadbalance first-match SSH_Test_Policy
class class-default
serverfarm WEBLOGIC-TEST-SSH
policy-map type loadbalance first-match weblogic-7433-dev-policy
class class-default
serverfarm WEBLOGIC-7433-Dev
policy-map type loadbalance first-match weblogic-7433-policy
class class-default
serverfarm WEBLOGIC-7433
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-7433-test-policy
class class-default
serverfarm WEBLOGIC-7433-Test
ssl-proxy client ssl-client
policy-map type loadbalance first-match weblogic-http-dev-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-http-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-http-test-policy
class class-default
serverfarm REDIRECT-SERVERFARM
policy-map type loadbalance first-match weblogic-https-dev-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE-DEV
class class-default
serverfarm WEBLOGIC-DEV
action REWRITE
policy-map type loadbalance first-match weblogic-https-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE
class class-default
serverfarm WEBLOGIC-PROD
action REWRITE
ssl-proxy client ssl-proxy
policy-map type loadbalance first-match weblogic-https-test-policy
class L7-URL
sticky-serverfarm STICKY-INSERT-COOKIE-TEST
class class-default
serverfarm WEBLOGIC-TEST
action REWRITE
ssl-proxy client ssl-proxy-nctest
policy-map multi-match LB-VIP
class weblogic-http
loadbalance vip inservice
loadbalance policy weblogic-http-policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 3440
class weblogic-https
loadbalance vip inservice
loadbalance policy weblogic-https-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
class weblogic-7433
loadbalance vip inservice
loadbalance policy weblogic-7433-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3440
ssl-proxy server ssl-proxy
policy-map multi-match LB-VIP-Dev
class weblogic-http-dev
loadbalance vip inservice
loadbalance policy weblogic-http-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-https-dev
loadbalance vip inservice
loadbalance policy weblogic-https-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-7433-dev
loadbalance vip inservice
loadbalance policy weblogic-7433-dev-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
policy-map multi-match LB-VIP-Test
class SSH_Test
loadbalance vip inservice
loadbalance policy SSH_Test_Policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-http-test
loadbalance vip inservice
loadbalance policy weblogic-http-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
class weblogic-https-test
loadbalance vip inservice
loadbalance policy weblogic-https-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
ssl-proxy server ssl-proxy-nctest
class weblogic-7433-test
loadbalance vip inservice
loadbalance policy weblogic-7433-test-policy
loadbalance vip icmp-reply
nat dynamic 1 vlan 3516
ssl-proxy server ssl-proxy-nctest
interface vlan 3440
description Internal Production
ip address 10.205.70.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP
no shutdown
interface vlan 3516
description Internal Test/Dev
ip address 10.205.71.250 255.255.255.0
mac-sticky enable
access-group input All
access-group output All
nat-pool 1 10.205.71.240 10.205.71.249 netmask 255.255.255.0 pat
service-policy input REMOTE-MANAGEMENT
service-policy input LB-VIP-Test
service-policy input LB-VIP-Dev
no shutdown
interface vlan 3520
description LB
ip address 10.205.72.1 255.255.255.0
access-group input All
access-group output All
no shutdown
ip route 0.0.0.0 0.0.0.0 10.205.70.253
-
Real Servers not connected to ACE VLAN and Real Servers are clients accessing the VIP
Hi,
I have a very strange set up and need some help to get my config working
I have a ASA firewall with three VLANs
VLAN 1 = Internet
VLAN 2 = DMZ
VLAN 3 = Goes to ACE
On the ACE I have four VLANs
VLAN 3 = Goes to ASA
VLAN 4 = Web Server Tier
VLAN 5 = DB Tier
VLAN 6 = VIPs
Our Application team have asked us to create a new VIP on the ACE with real servers in the DMZ (Server A and Server B).
And they have told us that the clients accessing the VIP will be Server A and Server B.
I have always created VIPs with real servers directly connected to the ACE, but not connected elsewhere.
I believe I have a big challenge of opening ports on the firewall etc. to get this setup working. Also, should I use some sort of NAT / SNAT?
Could anyone guide me on this setup please?
Raj
Hi Raj,
First of all, it is possible to add servers in ACE which are a hop away from the ACE interfaces. Here the servers are a hop away but their VIP is part of an ACE interface subnet. The only need is that the servers' return traffic towards the client should pass through the ACE (so that the ACE can maintain states and change the source IP of the reply packet from the server IP to the VIP on which the client has requested the connection).
When servers are a hop away and the ACE does not come in the path between server and client, then we have to do SNAT for the initial client request. This configuration will force the return traffic from the server to the ACE (as the server will see the NAT IP as the client IP).
In your case the DMZ-VIP which is created for the two real servers A and B will be accessed by these servers only. So it is a situation of servers accessing their own VIP. For this scenario to work we have to have SNAT (no matter whether the servers are directly connected or a hop away). So the best solution here is VIP in VLAN 3, rservers for this VIP in the DMZ, and SNAT the client request using a free IP in VLAN 3.
Also you have to open ports on the firewall for both "real server probes" and the actual application ports; moreover, policy modification on the firewall for allowing traffic from DMZ to ACE VIP, DMZ to NAT IP, and the reverse traffic.
-
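The setup Kanwal describes above (VIP in VLAN 3, real servers one hop away in the DMZ, source NAT from a free VLAN 3 address so the servers' replies come back through the ACE), written out as an added ACE configuration example. This is not Raj's configuration or anything from the thread; every address, name and port in it is constructed: VLAN 3 is 10.3.0.0/24 with the ASA at 10.3.0.1 and the ACE at 10.3.0.2, the VIP is 10.3.0.100, the NAT address is 10.3.0.200, the DMZ is 10.2.0.0/24 with Server A at 10.2.0.10 and Server B at 10.2.0.11, and the application listens on tcp/8080. The access-list restricts the VIP to the two servers instead of the permit-all access group seen earlier on this page, which also answers the original question of tying an ACL to a single VIP without touching the server-side VLAN.

```text
access-list DMZ-TO-VIP line 10 extended permit tcp host 10.2.0.10 host 10.3.0.100 eq 8080
access-list DMZ-TO-VIP line 20 extended permit tcp host 10.2.0.11 host 10.3.0.100 eq 8080
access-list DMZ-TO-VIP line 30 extended permit icmp host 10.2.0.10 host 10.3.0.100
access-list DMZ-TO-VIP line 40 extended permit icmp host 10.2.0.11 host 10.3.0.100

probe tcp APP-8080
  description Health check sourced from 10.3.0.2, ASA must permit it to the DMZ on tcp/8080
  port 8080
  interval 10
  passdetect interval 5

rserver host SERVER-A
  description DMZ server, one hop away behind the ASA
  ip address 10.2.0.10
  inservice
rserver host SERVER-B
  description DMZ server, one hop away behind the ASA
  ip address 10.2.0.11
  inservice

serverfarm host DMZ-FARM
  probe APP-8080
  rserver SERVER-A 8080
    inservice
  rserver SERVER-B 8080
    inservice

class-map match-any DMZ-VIP
  description Only the virtual-address entry goes here, the source restriction is in the ACL
  2 match virtual-address 10.3.0.100 tcp eq 8080

policy-map type loadbalance first-match DMZ-VIP-LB
  class class-default
    serverfarm DMZ-FARM

policy-map multi-match LB-VLAN3
  class DMZ-VIP
    loadbalance vip inservice
    loadbalance policy DMZ-VIP-LB
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3

interface vlan 3
  description Towards the ASA, VIP and SNAT address both live in this subnet
  ip address 10.3.0.2 255.255.255.0
  nat-pool 1 10.3.0.200 10.3.0.200 netmask 255.255.255.255 pat
  access-group input DMZ-TO-VIP
  service-policy input LB-VLAN3
  no shutdown

ip route 10.2.0.0 255.255.255.0 10.3.0.1
```

The `nat dynamic 1 vlan 3` line under the VIP class is what makes the servers' replies return to the ACE: a request from 10.2.0.10 to the VIP leaves the ACE towards the DMZ with source 10.3.0.200, so Server B answers the ACE rather than Server A directly, and the ACE rewrites the reply back to the VIP. On the ASA that means three flows to permit, each of which Kanwal's reply mentions in general terms: DMZ hosts to 10.3.0.100 tcp/8080 (client side), 10.3.0.200 to the DMZ on tcp/8080 (load-balanced requests) and 10.3.0.2 to the DMZ on tcp/8080 (probes). The ACE applies an input ACL when a connection is created and matches established flows by state, so the return packets of probes and SNATted requests do not need extra permit lines; any other VIP or management traffic arriving on VLAN 3 does, and would have to be added to DMZ-TO-VIP.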
VIP is not responding When pinging from ace
Hey, I have a very strange type of error. Everything was working fine until it just stopped. I have two VIPs; both were mounted and working fine, and then one of the VIPs just stopped working. You can ping it and get a reply from my PC but not from the ACE. They are connected directly with a Nexus 5K and it was working fine. Now you get a reply from the other VIPs and servers and everything else, but not from that single VIP. When you ping it on the Nexus you get DUP! packets, which I do not understand. All the commands like no ip redirects have been given, but I don't know what's wrong.
Does someone have any idea and can help?
Hi Usman,
Not sure about the DUP packets that you see on the Nexus, but from the ACE's perspective we need to see what is wrong, and for that I would need to look at your configuration and other outputs. Do you see that your client's request is reaching the ACE VIP? You can check using "show conn address" and see whether you see a corresponding backend connection or not. Do you see any handshake failures or any other counters increasing under the "show stats crypto server" command? We need more information to look at to tell you what is going on, at least from the ACE's viewpoint.
Regards,
Kanwal
-
Trying to change the ACL of a domain user
I am using the Set-Acl cmdlet to add a user to another user's domain account so that the second user will be able to read the permissions available to the first user. I get an error on the very last line: "this security id may not be assigned as the owner of this object". I suspect that perhaps the error is caused because I am not permitted to change the owner of the account and the code is trying to do a wholesale rewrite of the ACL. I am allowed to add the entry to the account through the UI and that is all I want to do via PowerShell. Any ideas?
Import-Module ActiveDirectory
$name1 = "someuser"       # this is the user whose ACL I want to edit
$name2 = "someotheruser"  # this is the user that I want to add to the first user's ACL
$objUser = Get-ADUser -LDAPFilter "(sAMAccountName=$name1)"
$objDelegate = New-Object System.Security.Principal.NTAccount("$name2")
# Work inside the AD: drive so Get-Acl/Set-Acl operate on directory objects
Set-Location AD:
$dn = $objUser.DistinguishedName
$Acl = (Get-Acl $dn)
# Overload: (identity, rights, access type, object-type GUID)
$Ar = New-Object System.DirectoryServices.ActiveDirectoryAccessRule ($objDelegate, "GenericRead", "Allow", $objUser.ObjectGUID)
$Acl.AddAccessRule($Ar)
Set-Acl -Path $dn -AclObject $Acl
Hi Jay,
To change the AD user permission with powershell, the script below is for your reference:
Import-Module ActiveDirectory
# Figure out our domain
$root = (Get-ADRootDSE).defaultNamingContext
# Get or create the System Management container
$ou = $null
try {
    $ou = Get-ADObject "CN=System Management,CN=System,$root"
}
catch {
    Write-Verbose "System Management container does not currently exist."
}
if ($ou -eq $null) {
    $ou = New-ADObject -Type Container -Name "System Management" -Path "CN=System,$root" -PassThru
}
# Get the current ACL for the OU
$acl = Get-Acl "ad:CN=System Management,CN=System,$root"
# Get the computer's SID
$computer = Get-ADComputer $env:ComputerName
$sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
# Create a new access control entry to allow access to the OU (inherited by all child objects)
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow", "All"
# Add the ACE to the ACL, then set the ACL to save the changes
$acl.AddAccessRule($ace)
Set-Acl -AclObject $acl "ad:CN=System Management,CN=System,$root"
I think you need to add the line to get user2's SID "$sid".
Refer to:
http://blogs.technet.com/b/mniehaus/archive/2012/01/05/creating-the-configmgr-system-management-container-with-powershell.aspx
If there is anything else regarding this matter, please feel free to let me know.
Best Regards,
Anna Wang