ACE VIP & ACL

Hi,
The ACE config contains more than 20 service-policies and many VIP addresses. The ACE works in L3 mode.
We have to restrict the traffic of one VIP to 6 nodes only from the public side.
How can I restrict the traffic with an ACL in the L3 class map?
Different policies use the servers on the server-side VLAN, thus we would not like to use a general traffic ACL under the server VLAN configuration.
Unfortunately, only one entry is permitted in the L3 class map!
However, this one entry is the virtual-address row.
What is the smart solution in this case? (VIP & ACL together)
Regards,

Hi,
I think the easiest way you can do this is using an HTTP class-map (regardless of the load-balanced protocol, weird eh?)
Instead of an ACL you would use the match source-address command to specify the sources allowed to make it to the servers.
Here is how it looks:
class-map type http loadbalance match-any Hosts
  10 match source-address 192.168.10.20 255.255.255.255
  11 match source-address 192.168.10.21 255.255.255.255
  12 match source-address 192.168.10.22 255.255.255.255
class-map match-any Internet
  2 match virtual-address 192.168.20.15 tcp eq www
policy-map type loadbalance first-match Internet-FMP
  class Hosts
    serverfarm Backend
policy-map multi-match CLIENT-VIPS
  class Internet
    loadbalance vip inservice
    loadbalance policy Internet-FMP
    loadbalance vip icmp-reply active
Hope this helps!
Pablo
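The whitelist in Pablo's configuration only holds because Internet-FMP contains nothing but the Hosts class: a client outside the listed sources matches no class and is not load balanced. A class-default that forwards to a serverfarm in the same first-match policy would hand every other source to the servers anyway. The following Python script, an added example rather than anything from the thread or from Cisco, audits a configuration in the "show run" style used above for exactly that: it finds each VIP's load-balance policy and reports whether the VIP is open, restricted by match source-address, or bypassable. SAMPLE_CONFIG is constructed for the example; the Admin VIP and the Admin-FMP policy are hypothetical.

```python
"""Audit a Cisco ACE config: for each VIP, does its L7 load-balance policy
whitelist client sources (match source-address), and can an unrestricted
class such as class-default still forward traffic and bypass the whitelist?
Added example, not Cisco tooling. SAMPLE_CONFIG is constructed; the Admin
VIP and the *-FMP policy names are hypothetical."""
import re

SAMPLE_CONFIG = """\
class-map type http loadbalance match-any Hosts
  10 match source-address 192.168.10.20 255.255.255.255
  11 match source-address 192.168.10.21 255.255.255.255
class-map match-any Internet
  2 match virtual-address 192.168.20.15 tcp eq www
class-map match-any Admin
  2 match virtual-address 192.168.20.16 tcp eq https
policy-map type loadbalance first-match Internet-FMP
  class Hosts
    serverfarm Backend
policy-map type loadbalance first-match Admin-FMP
  class Hosts
    serverfarm Backend
  class class-default
    serverfarm Backend
policy-map multi-match CLIENT-VIPS
  class Internet
    loadbalance policy Internet-FMP
  class Admin
    loadbalance policy Admin-FMP
"""


def parse_blocks(config):
    """Split 'show run' text into {top-level header: [stripped child lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.strip() and not raw.startswith(" "):
            current = raw.strip()
            blocks[current] = []
        elif raw.strip() and current is not None:
            blocks[current].append(raw.strip())
    return blocks


def source_restricted_classes(blocks):
    """L7 class maps carrying 'match source-address' -> [(ip, mask), ...]."""
    out = {}
    for hdr, body in blocks.items():
        m = re.match(r"class-map type http loadbalance match-(?:any|all) (\S+)$", hdr)
        if m:
            addrs = [tuple(l.split()[-2:]) for l in body if "match source-address" in l]
            if addrs:
                out[m.group(1)] = addrs
    return out


def lb_policies(blocks):
    """first-match L7 policies -> ordered [(class, forwards_to_serverfarm)]."""
    out = {}
    for hdr, body in blocks.items():
        m = re.match(r"policy-map type loadbalance first-match (\S+)$", hdr)
        classes = []
        for l in (body if m else []):
            if l.startswith("class "):
                classes.append([l.split()[1], False])
            elif classes and l.split()[0] in ("serverfarm", "sticky-serverfarm"):
                classes[-1][1] = True
        if m:
            out[m.group(1)] = [tuple(c) for c in classes]
    return out


def vip_classes(blocks):
    """L3/L4 class maps -> the virtual-address (with protocol/port) they match."""
    out = {}
    for hdr, body in blocks.items():
        m = re.match(r"class-map match-(?:any|all) (\S+)$", hdr)
        for l in (body if m else []):
            vm = re.search(r"match virtual-address (.+)$", l)
            if vm:
                out[m.group(1)] = vm.group(1)
    return out


def classify(policy, restricted):
    """'open': nothing whitelists the source; 'restricted': only whitelisted
    classes forward; 'bypassable': a whitelisted class exists but an
    unrestricted class (typically class-default) still forwards."""
    has_restricted = any(c in restricted and fwd for c, fwd in policy)
    has_open = any(c not in restricted and fwd for c, fwd in policy)
    if not has_restricted:
        return "open"
    return "bypassable" if has_open else "restricted"


def audit(config):
    """Map each VIP (its virtual-address line) to open/restricted/bypassable."""
    blocks = parse_blocks(config)
    restricted = source_restricted_classes(blocks)
    policies = lb_policies(blocks)
    vips = vip_classes(blocks)
    findings, current = {}, None
    for hdr, body in blocks.items():
        if not hdr.startswith("policy-map multi-match "):
            continue
        for l in body:
            if l.startswith("class "):
                current = l.split()[1]
            elif l.startswith("loadbalance policy ") and current in vips:
                findings[vips[current]] = classify(policies.get(l.split()[2], []), restricted)
    return findings
```

Feed audit() the text of "show running-config"; the verdict is keyed by the virtual-address line, so a VIP that listens on several ports is reported once per class map. On the sample, the Internet VIP comes back "restricted" and the Admin VIP "bypassable", because its class-default forwards whatever the Hosts class did not match.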

Similar Messages

  • ACE VIP not accessible from client

    I have the client VLAN configured as VLAN 30
    and the servers VLAN as VLAN 100.
    I have 2 real servers in the server VLAN, 172.16.100.20 and 172.16.100.30.
    The ACE VIP is active and the serverfarm is OPERATIONAL.
    From the client and the server I am able to ping the VIP,
    but when I try to browse http://VIP from the client it's not working.
    Could anyone help me identify why I am not able to access http://VIP or https://VIP from the client?

    Hi ssivanan,
    I need more information to answer your question. Can you please post your configuration?
    Here are some points I would like to check.
    + Are you able to browse the content locally, specifying the server's own IP address on one of the servers?
    + Do those servers have a route to VLAN 30?
    + How is the browsing not working? Can you elaborate?
    + What do you see in "show conn" when it fails?
    Great documents on CCO. Worth checking.
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide%2C_Release_A2%28x%29_--_Troubleshooting_Connectivity
    - Kim

  • HTTP/HTTPS on the same ACE VIP - best practice

    I currently have a VIP representing one server farm that contains two http servers:-
    class-map match-all VIP-HTTP-xxxxx.co.uk
      2 match virtual-address 10.79.18.10 tcp eq www
    class-map match-all VIP-SSL-xxxxx.co.uk
      2 match virtual-address 10.79.18.10 tcp eq https
    I have port 80 and 443 open on the VIP and SSL termination performed on the ACE (both http servers are the same and configured for default load balancing behaviour - I've also specified port 80 for ACE to server traffic). Having 80 and 443 on the same VIP (meaning the site can be accessed via one NAT'd external IP) came from a request from the business so the site can have one domain.
    The majority of the http server(s) web content is standard http but there is a specific sub-directory of interactive forms that requires https termination.
    I have a couple of queries with regards to URL re-writes:-
    1) Is the SSL URL re-write functionality limited to just the host part of the URL or can the ACE enforce https for specific sub-directories, i.e. can the ACE intercept and re-write a URL if a user tries to go to a particular https page/directory using http (by just deleting the s from the URL within their browser)? A possible example being:-
    ssl url rewrite location "www\.cisco\.com\secure-forms"
    2) Can the ACE re-direct users back to a standard http page if they try to 'secure' their session by changing http to https within their browser (basically the opposite of the above).
    Basically as I have 80 and 443 on the same VIP I'm interested in the best practice methods of enforcing http and https content segregation using just the ACE (as opposed to having Apache doing the re-writes, etc).
    Web services functionality (in terms of SSL and URL re-writes) has traditionally fallen within the domain of a dedicated web development team (who use Apache, Tomcat, etc.) but the introduction of the ACE as a load balancing appliance that is primarily managed by the networks team but with functionality that crosses traditional team boundaries has resulted in lots of questions from web development around what functionality can be moved from Apache, etc. and onto the ACE?
    Any advice or personal experiences would be gratefully received.
    Thanks
    Matthew

    Back again!
    Could someone possibly cast their eye over the following config?
    The only bit I'm not sure on (syntactically and whether it can even be done on the ACE) is how to specify a DO NOT match regular expression, i.e. how to capture https URLs that do not match my secure pages so I can re-direct the request back to the normal http URL (class-map type http loadbalance Non-Secure_Pages). What I'd like to avoid is re-directing requests that don't need to be, i.e. re-directing all requests that don't match /secure back to http when the majority will be correctly going to a normal http URL :-
    rserver host server1
      description *** HTTP server 1 ***
      ip address 10.100.194.2
      inservice
    rserver host server2
      description *** HTTP server 2 ***
      ip address 10.100.194.3
      inservice
    rserver redirect REDIRECT_TO_HTTPS
      webhost-redirection https://www.website.co.uk/%p 302
      inservice
    rserver redirect REDIRECT_TO_HTTP
      webhost-redirection http://www.website.co.uk/%p 302
      inservice
    class-map type http loadbalance Secure_Pages
      match http url /secure.*
    class-map type http loadbalance Non-Secure_Pages
      *** DO NOT *** match http url /secure.*
    class-map match-all VIP-HTTP-website.co.uk
      2 match virtual-address 10.79.18.10 tcp eq www
    class-map match-all VIP-SSL-website.co.uk
      2 match virtual-address 10.79.18.10 tcp eq https
    policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
      class Secure_Pages
        serverfarm REDIRECT_TO_HTTPS
      class class-default
        serverfarm serverfarm-website.co.uk
    policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
      class Non-Secure_Pages
        serverfarm REDIRECT_TO_HTTP
      class class-default
        serverfarm serverfarm-website.co.uk
    serverfarm host serverfarm-website.co.uk
      failaction purge
      rserver server1 80
        probe PING_SERVER
        probe http-website.co.uk
        inservice
      rserver server2 80
        probe PING_SERVER
        probe http-website.co.uk
        inservice
    serverfarm redirect REDIRECT_TO_HTTPS
      rserver REDIRECT_TO_HTTPS
        inservice
    serverfarm redirect REDIRECT_TO_HTTP
      rserver REDIRECT_TO_HTTP
        inservice
    many thanks

  • ACE VIP OK HTTP, NOK other TCP port

    Hi,
    we are having issues in configuring load balancing for a TCP port. For HTTP it's working without issues and we have the ACE also balancing for other TCP ports.
    Here goes the relevant config:
    probe http PROBE-HTTP
      interval 5
      passdetect interval 2
      passdetect count 1
      request method get url /idc/
      expect status 200 200
    probe tcp PROBE-TCP
      port 4444
      interval 5
      passdetect interval 10
    rserver host PRD1
      ip address 10.10.10.1
      inservice
    rserver host PRD2
      ip address 10.10.10.2
      inservice
    serverfarm host SF-HTTP
      probe PROBE-HTTP
      rserver PRD1 80
        inservice
      rserver PRD2 80
        inservice
    serverfarm host SF-TCP
      probe PROBE-TCP
      rserver PRD1 4444
        inservice
      rserver PRD2 4444
        inservice
    sticky ip-netmask 255.255.255.255 address source SC-IP-PRD-HTTP
      timeout 10
      serverfarm SF-HTTP
    class-map match-all NAT-VIP-HTTP
      2 match virtual-address 10.10.35.1 any
    class-map match-all NAT-VIP-TCP
      2 match virtual-address 10.10.35.1 tcp eq 4444
    policy-map type loadbalance first-match LB-VIP-HTTP
      class class-default
        sticky-serverfarm SC-IP-PRD-HTTP
        insert-http x-forward header-value "%is"
    policy-map type loadbalance first-match LB-NAT-VIP-TCP
      class class-default
        serverfarm SF-TCP
    policy-map multi-match POLICY-RSERVER-VIP
      class NAT-VIP-TCP
        loadbalance vip inservice
        loadbalance policy LB-NAT-VIP-TCP
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 200
      class NAT-VIP-HTTP
        loadbalance vip inservice
        loadbalance policy LB-VIP-HTTP
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 200
    interface vlan 200
      description SERVER-SIDE
      ip address 10.10.14.2 255.255.255.0
      alias 10.10.14.1 255.255.255.0
      peer ip address 10.10.14.3 255.255.255.0
      access-group input EVERYONE
      nat-pool 1 10.10.4.6 10.10.4.6 netmask 255.255.255.255 pat
      service-policy input AllowICMP
      service-policy input POLICY-RSERVER-VIP
      no shutdown
    The probes are OK, but nothing seems to get to the VIP:
    ACE/CTX# show probe PROBE-TCP
    probe       : PROBE-TCP
    type        : TCP
    state       : ACTIVE
       port      : 4444    address     : 0.0.0.0         addr type  : -
       interval  : 5       pass intvl  : 10              pass count : 3
       fail count: 3       recv timeout: 10
                           --------------------- probe results --------------------
       probe association   probed-address  probes     failed     passed     health
       ------------------- ---------------+----------+----------+----------+-------
       serverfarm  : SF-TCP
         real      : PRD1[4444]
                           10.10.10.1     8853       1          8852       SUCCESS
         real      : PRD2[4444]
                           10.10.10.2     8853       1          8852       SUCCESS
    ACE/CTX# show serverfarm SF-TCP detail
    serverfarm     : SF-TCP, type: HOST
    total rservers : 2
    active rservers: 2
    description    : -
    state          : ACTIVE
    predictor      : ROUNDROBIN
    failaction     : -
    back-inservice    : 0
    partial-threshold : 0
    num times failover       : 0
    num times back inservice : 1
    total conn-dropcount : 0
    Probe(s) :
        PROBE-TCP,  type = TCP
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: PRD1
           10.10.10.1:4444      8      OPERATIONAL  0          0          0
             max-conns            : -         , out-of-rotation count : -
             min-conns            : -
             conn-rate-limit      : -         , out-of-rotation count : -
             bandwidth-rate-limit : -         , out-of-rotation count : -
             retcode out-of-rotation count : -
             load value           : 0
       rserver: PRD2
           10.10.10.2:4444      8      OPERATIONAL  0          0          0
             max-conns            : -         , out-of-rotation count : -
             min-conns            : -
             conn-rate-limit      : -         , out-of-rotation count : -
             bandwidth-rate-limit : -         , out-of-rotation count : -
             retcode out-of-rotation count : -
             load value           : 0
    ACE/CTX# show service-policy POLICY-RSERVER-VIP
    Status     : ACTIVE
    Interface: vlan 1 200
      service-policy: POLICY-RSERVER-VIP
        class: NAT-VIP-TCP
          nat:
            nat dynamic 1 vlan 200
            curr conns       : 0         , hit count        : 0
            dropped conns    : 0
            client pkt count : 0         , client byte count: 0
            server pkt count : 0         , server byte count: 0
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
          loadbalance:
            L7 loadbalance policy: LB-NAT-VIP-TCP
            VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
            VIP State: INSERVICE
            curr conns       : 0         , hit count        : 0
            dropped conns    : 0
            client pkt count : 0         , client byte count: 0
            server pkt count : 0         , server byte count: 0
            conn-rate-limit      : 0         , drop-count : 0
            bandwidth-rate-limit : 0         , drop-count : 0
          compression:
            bytes_in  : 0
            bytes_out : 0
    I see a lot of these messages in the ACE log:
    show logging | i 4444
    22:02:52 : %ACE-6-302023: Teardown TCP connection 0x18b6 for vlan200:10.10.14.2/26768 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1051 TCP FINs
    22:02:55 : %ACE-6-302022: Built TCP connection 0x14dc for vlan200:10.10.14.2/30318 (10.10.10.1/30318) to vlan200:10.10.10.1/4444 (10.10.14.2/4444)
    22:02:55 : %ACE-6-302023: Teardown TCP connection 0x14dc for vlan200:10.10.14.2/30318 to vlan200:10.10.10.1/4444 duration 0:00:00 bytes 1103 TCP FINs
    22:02:57 : %ACE-6-302022: Built TCP connection 0xc6c for vlan200:10.10.14.2/26784 (10.10.10.2/26784) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
    22:02:57 : %ACE-6-302023: Teardown TCP connection 0xc6c for vlan200:10.10.14.2/26784 to vlan200:10.10.10.2/4444 duration 0:00:00 bytes 1103 TCP FINs
    22:03:02 : %ACE-6-302022: Built TCP connection 0x151a for vlan200:10.10.14.2/26800 (10.10.10.2/26800) to vlan200:10.10.10.2/4444 (10.10.14.2/4444)
    The client request is going through an ASA; on the ASA side I see that the TCP connection is half-open with SAaB flags. It seems that the VIP never replies with SYN+ACK to the ASA...
    Thank you.
    Best regards

    Hi Norberto,
    The log messages you are getting are most probably the probe connections and not a failure; looking at them you will see your ACE is establishing a TCP connection on 4444 and then tearing the connection down with a FIN, which is expected since you are using TCP keepalives.
    I would recommend going back and defining the problem exactly: what are you experiencing when you try to telnet on port 4444 toward the VIP from the client?
    Running sniffing software on the client and the server and enabling capture on the ACE and ASA will give you an exact idea of what you are experiencing.
    Note: The ASA and the ACE have a great capture feature which will show you exactly the packet flows.
    Note: Since you are applying NAT on the client requests, you should see the NATed IP address in the server capture.
    Note: With L4 load balancing the ACE is not spoofing the clients' requests; it just forwards the SYN, SYN+ACK and ACK between the server and the client.
    Let me know if you have any other questions.
    Best regards,
    Ahmad

  • ACE - VIP address on different subnet

    Hello,
    Is it possible to configure a VIP address that is outside the subnet of the VLAN where it is applied?
    For example:
    VIP is 10.10.10.1/24 on VLAN 10
    Interface of ACE in VLAN 10 is 192.168.1.1/24
    On the upstream routers, a static route points to the VIP address (subnet) with next-hop the ACE address?
    Thanks.

    Unfortunately I don't have a test environment either to verify this.
    I don't think you will see ARP entries as the address doesn't belong to an interface.
    You should see the VIPs active (sh service-policy detail) for these non-interface VIPs.
    If those are active then I think once a client request hits the ACE it should take care of it.
    I have deployed such a solution with FWSM (no VIPs there, but used NATed addresses not belonging to any attached interface) and as per that experience I think it should work.
    But yes you need actual clients to test this scenario.
    Syed

  • ACE VIP not Responding to Ping and cant Connect

    Hello All,
    I recently deployed an ACE 4710 appliance. The configs seem right but clients can't ping the VIP and also can't connect to the VIP. Also the VIP doesn't show in 'sh arp'.
    Pls HELP!!!
    See the configs!!
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.11 10:48:14 =~=~=~=~=~=~=~=~=~=~=~=
    sh run
    Generating configuration....
    boot system image:c4710ace-mz.A4_2_0.bin
    hostname STERLING-ACE
    interface gigabitEthernet 1/1
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 1
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 1
      no shutdown
    interface port-channel 1
      switchport trunk allowed vlan 10,200,205,210,215
      no shutdown
    access-list INBOUND line 10 extended permit ip any any
    access-list INBOUND line 16 extended permit icmp any any
    access-list INBOUND line 24 extended permit icmp any any echo
    probe http BANK-APP
      interval 2
      faildetect 2
      passdetect interval 2
      expect status 200 200
      open 1
    probe icmp PING
      description ***simple ping monitor***
      interval 10
      passdetect interval 60
      passdetect count 2
      receive 1
    probe tcp TCP80
      interval 10
      passdetect interval 10
      passdetect count 2
      receive 1
      open 5
    rserver host BANK-APP-SERVER1
      description ***GUI SERVER 1***
      ip address 172.20.1.50
      probe PING
      inservice
    rserver host BANK-APP-SERVER2
      description ***GUI SERVER 2***
      ip address 172.20.1.51
      probe PING
      inservice
    rserver host BANK-APP-SERVER3
      description ***GUI SERVER 3***
      ip address 172.20.1.52
      probe PING
      inservice
    rserver host BANK-APP-SERVER4
      description ***GUI SERVER 4***
      ip address 172.20.1.53
      probe PING
      inservice
    rserver host THIN-CLIENT1
      description ***CLI SERVER 1***
      ip address 172.20.1.34
      probe PING
      inservice
    rserver host THIN-CLIENT2
      description ***CLI SERVER 2***
      ip address 172.20.1.35
      probe PING
      inservice
    rserver host THIN-CLIENT3
      description ***CLI SERVER 3***
      ip address 172.20.1.36
      probe PING
      inservice
    rserver host THIN-CLIENT4
      description ***CLI SERVER 4***
      ip address 172.20.1.37
      probe PING
      inservice
    serverfarm host CLI-GROUP
      predictor leastconns
      probe TCP80
      rserver THIN-CLIENT1
        inservice
      rserver THIN-CLIENT2
        inservice
      rserver THIN-CLIENT3
        inservice
      rserver THIN-CLIENT4
        inservice
    serverfarm host GUI-GROUP
      predictor leastconns
      probe TCP80
      rserver BANK-APP-SERVER1
        inservice
      rserver BANK-APP-SERVER2
        inservice
      rserver BANK-APP-SERVER3
        inservice
      rserver BANK-APP-SERVER4
        inservice
    parameter-map type connection TCP-PARAM-MAP
      set timeout inactivity 360000
    class-map type management match-any REMOTEACCESS
      description remote access traffic match
      2 match protocol ssh any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol xml-https any
      6 match protocol http any
      7 match protocol https any
    class-map match-all TCP-CLASS
      description TCP CONNECTION TIMER
      2 match any
    class-map match-all VS_WEB1
      2 match virtual-address 10.0.0.115 any
    class-map match-all VS_WEB2
      2 match virtual-address 10.0.0.113 any
    policy-map type management first-match REMOTEPOLICY
      class REMOTEACCESS
        permit
    policy-map type loadbalance first-match HTTP_LB1
      class class-default
        serverfarm CLI-GROUP
    policy-map type loadbalance first-match HTTP_LB2
      class class-default
        serverfarm GUI-GROUP
    policy-map multi-match HTTP_MULTI_MATCH1
      class VS_WEB1
        loadbalance vip inservice
        loadbalance policy HTTP_LB1
        loadbalance vip icmp-reply
    policy-map multi-match HTTP_MULTI_MATCH2
      class VS_WEB2
        loadbalance vip inservice
        loadbalance policy HTTP_LB2
        loadbalance vip icmp-reply
    policy-map multi-match TCPIP-POLICY
      class TCP-CLASS
        connection advanced-options TCP-PARAM-MAP
    service-policy input REMOTEPOLICY
    service-policy input TCPIP-POLICY
    interface vlan 10
      description ***LAN LEG***
      ip address 10.0.0.66 255.255.255.0
      no icmp-guard
      access-group input INBOUND
      no shutdown
    interface vlan 200
      description ***THIN CLIENT VLAN****
      ip address 172.20.1.33 255.255.255.240
      no icmp-guard
      access-group input INBOUND
      service-policy input HTTP_MULTI_MATCH1
      no shutdown
    interface vlan 210
      description ***BANK APP SERVER VLAN****
      ip address 172.20.1.49 255.255.255.240
      no icmp-guard
      access-group input INBOUND
      service-policy input HTTP_MULTI_MATCH2
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.0.200
    username admin password 5 $1$ouG5.Okh$jwBoWkMiWstoTPwb9K9ku1  role Admin domain default-domain
    username www password 5 $1$M31zwdiF$iY8Y5e9nV2sMM2HxwrQI7/  role Admin domain default-domain
    STERLING-ACE/Admin#
    Thanks!!

    Hi Joshua,
    class-map match-all VS_WEB1
      2 match virtual-address 10.0.0.115 any
    class-map match-all VS_WEB2
      2 match virtual-address 10.0.0.113 any
    You have applied "service-policy input HTTP_MULTI_MATCH1" in VLAN 200 and 210, but as per the config I believe it should be applied to VLAN 10.
    interface vlan 10
      description ***LAN LEG***
      ip address 10.0.0.66 255.255.255.0
      no icmp-guard
      access-group input INBOUND
      no shutdown
    Can you apply the service policy in VLAN 10 and let me know the result.

  • ACE: VIP Out of service, Still accepts TCP connections

    Hi Guys. I am looking at an issue with an ACE. SW is 3.0(0)A3(2.6)
    We have a setup where most of it appears fine. It detects the loss of rservers, probes fail, the VIP stops responding to pings, but it still accepts TCP connections, even though there is nothing behind to accept them.
    The question is, is this correct behaviour? And if so, is there any reference I can look at to confirm?
    While this behaviour is inconvenient for us, I can see why it may actually be correct.
    Thanks,
    Paul.

    Hello Paul,
    This is expected behaviour for L7 LB connections:
    The 'down' VIP will reply to SYN requests, but will then send a RST packet.
    This is because the ACE doesn't know what to do with the L7 connection until it has been built up. Only when the L7 connection is 'open' do we notice that all the vservers which could serve this request are down.
    So it is correct and expected, but not exactly desired. It's just a side effect of the design. So far I do not know of any plans to change this behaviour. However, similar limitations have been addressed in the past, like CSCsq17137.
    Hope this helps, Peter
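Peter's point above has a monitoring consequence: a check that only verifies the TCP handshake completed cannot tell a VIP whose serverfarm is down from a healthy one, because the ACE accepts the SYN first and resets afterwards. The Python below is an added example, not part of his answer and not ACE code. It runs entirely on the loopback interface: emulate_vip is a constructed stand-in that either resets right after accept (the out-of-service VIP) or answers HTTP, and check_vip probes it the way an external monitor should, requiring application data before it reports the service as up.

```python
"""Probe a VIP the way an external monitor should: a VIP whose rservers are
all down still completes the TCP handshake (ACE builds the L7 connection
before it can tell that nothing can serve it) and then resets, so
'connect() succeeded' is not proof of service. Added example, not ACE code;
emulate_vip is a constructed local stand-in for that behaviour."""
import socket
import struct
import threading


def emulate_vip(mode):
    """Local stand-in for a VIP. mode='down': accept, then close with SO_LINGER 0
    so the peer sees a RST. mode='up': answer one HTTP request. Returns the port."""
    ls = socket.socket()
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", 0))
    ls.listen(1)
    port = ls.getsockname()[1]

    def run():
        conn, _ = ls.accept()
        with conn:
            if mode == "down":
                # linger timeout 0: close() sends RST instead of FIN
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            else:
                conn.recv(1024)
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
        ls.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def check_vip(host, port, timeout=3.0):
    """'serving' if an HTTP response arrives; 'tcp-only' if the handshake
    completes but the connection is reset or closed before any application
    data (the out-of-service VIP case); 'unreachable' if connect() fails."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with s:
        try:
            s.sendall(b"GET / HTTP/1.0\r\nHost: vip\r\n\r\n")
            data = s.recv(1024)
        except OSError:  # ECONNRESET / EPIPE / timeout after the RST
            return "tcp-only"
    return "serving" if data.startswith(b"HTTP/") else "tcp-only"


if __name__ == "__main__":
    for mode in ("down", "up"):
        print(mode, "->", check_vip("127.0.0.1", emulate_vip(mode)))
```

Against a real VIP the "tcp-only" verdict is what the poster describes: the SYN is answered, so a port-check monitor stays green, while any client that sends a request gets a reset. Pointing check_vip at the VIP and port instead of the emulator makes the distinction visible without relying on ICMP, which the ACE also stops answering once the serverfarm is down.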

  • ACE VIPs not advertising or visible

    Hi,
    The VIPs on my ACE configuration are not advertising themselves. They don't show up in the ARP table in the upstream router/firewall.
    The VIPs are configured to be "Inservice". I have probes that are successful. I can access the real servers behind the ACE successfully via pings, ssh, http, etc.
    Here's part of my config:
    policy-map multi-match int204-n2
    class SMTP_Inbound_LB
    loadbalance vip inservice
    loadbalance policy SMTP_Inbound_LB-l7slb
    loadbalance vip icmp-reply active
    Is there anything else I need to add? The VIPs aren't responding to pings. The VIPs aren't showing up in the arp table of the upstream router/firewall.
    I know there used to be a "loadbalance vip advertise" command, but that command is no longer valid or available.
    I am running code version A1.8(0) on the ACE 4710 appliance.
    I have this ACE also configured as a bridge. Is there something special I need to add to make the VIPs advertise themselves, respond to pings, etc.?
    Any help would be appreciated.
    Thank you.

    Hi Gilles,
    Yes, the policy is assigned to both VLAN interfaces of the bridge-group.
    Yes, all VIPs show INSERVICE when I run the command "show service-policy int204-n2"
    None of the VIPs are responding to pings or showing up in arp table of the upstream router/firewall.
    The VIPs are part of the local subnet. I can't ping the local interface (BVI interface) of the bridge-group from the upstream firewall/router.
    Yes, the ACE has an arp entry for the upstream router/firewall. The upstream firewall is also the ACE's default-gateway for this context.
    Thanks,
    Herman

  • ACE ethertype ACL & bpdu

    Hopefully an easy one to solve, I'm new to ACE appliances.
    I have two ACE appliances in bridged mode and configured as redundant pairs, they are connected to two separate 6500 switches. What I am seeing in the switch logs is the following error:
    %SPANTREE-SP-2-LOOPGUARD_BLOCK: Loop guard blocking port Port-channel1 on VLAN066
    The bridged vlans are 66 & 76.
    I have "access-list bpduallow ethertype permit any" in my config and it is assigned to both of the bridged VLANs, on both ACE appliances, with "access-group input bpduallow".
    Is this correct, or do I need a specific "access-list bpduallow ethertype permit bpdu" entry in the ACL? I would have thought "permit any" included it.
    And if this is correct and allowing BPDU packets through, why would I be getting the error on the switch?
    Thanks
    Mel

    It's the switch IOS version that is at fault, not the ACE.
    https://supportforums.cisco.com/message/614359

  • ACE VIP problem

    The VIP is visible from the servers on port 8888 with telnet, and the other way around, but HTTP://VIP(IP address):8888 is not working for the webportal servers.

    Your server is probably sending a redirect or using hard links with its port referenced in the url.
    Fix the server.
    Gilles.

  • Should ACE VIPs be Nated By a Firewall?

    I cannot seem to find the answer to this question for what the best practice is or would be. Should the VIP's private IP be NATed at the firewall for internet access? I.e., Internet firewall NAT ------> private web server farm VIP.
    thanks

    Thank you. However, will this not affect incoming sticky using source IP? The firewall will be seen as the source, not the public IPs accessing the web site?
    Having a public DMZ using all public IPs, protected by a firewall but not performing "NAT", just for a layer of security, this seems the way to go.
    thank you

  • Cisco ACE VIP not responding to Pings

    I've searched..... I cannot figure out why my VIPs do not ping. I have two VLANs that both reply to a ping on the interface IPs. And I'm new at this, thanks in advance.
    GKEL2-ACE1/35568059-Axia# show run
    Generating configuration....
    no ft auto-sync startup-config
    logging enable
    logging timestamp
    logging trap 5
    logging host 10.85.242.100 udp/514
    login timeout 60
    crypto chaingroup walnut-wcrt100
      cert .dom.cer
      cert wcrt100.pem
    crypto chaingroup .dom-wcrt100
      cert .dom.cer
      cert wcrt100.pem
    crypto csr-params .dom
      country CA
      state AB
      organization-unit IT
      common-name .dom
      serial-number 1000
      email support
    crypto csr-params .dom
      country CA
      state AB
      organization-unit IT
      common-name .dom
      serial-number 1001
      email support
    access-list ANYONE line 10 extended permit ip any any
    access-list ANYONE line 20 extended permit icmp any any
    access-list All line 1 extended permit ip any any
    probe http HTTP1025
      port 1025
      interval 2
      faildetect 2
      passdetect interval 2
      request method get url /Login.css
      open 1
    probe icmp PING
      interval 2
      faildetect 2
      passdetect interval 60
    probe tcp PROBE-TCP
      interval 2
      faildetect 2
      passdetect interval 10
      passdetect count 2
      open 1
    rserver redirect REDIRECT-HTTPS
      webhost-redirection https://%h%p 302
      inservice
    rserver host WL1
      ip address 10.205.70.100
      inservice
    rserver host WL2
      ip address 10.205.70.101
      inservice
    rserver host WLDev1
      ip address 10.205.71.202
      inservice
    rserver host WLDev2
      ip address 10.205.71.203
      inservice
    rserver host WLTest1
      ip address 10.205.71.150
      inservice
    rserver host WLTest2
      ip address 10.205.71.151
      inservice
    serverfarm redirect REDIRECT-SERVERFARM
      rserver REDIRECT-HTTPS
        inservice
    serverfarm host WEBLOGIC-7433
      predictor leastconns
      probe PING
      rserver WL1 7433
        inservice
      rserver WL2 7433
        inservice
    serverfarm host WEBLOGIC-PROD
      predictor leastconns
      probe PING
      rserver WL1 1025
        inservice
      rserver WL2 1026
        inservice
    serverfarm host WEBLOGIC-TEST-SSH
      predictor leastconns
      rserver WLTest1 22
        inservice
      rserver WLTest2 22
        inservice
    sticky http-cookie acecookie STICKY-INSERT-COOKIE
      cookie insert
      serverfarm WEBLOGIC-PROD
    action-list type modify http REWRITE
      header insert response Via header-value "1.1 web:%ps (ace10-8/a2)value"
      header insert request Via header-value "1.1 web:%ps (ace10-8/a2)value"
      header insert request X-Forwarded-Proto header-value "%pd"
      ssl url rewrite location "*.*"
      ssl header-insert session Id
    ssl-proxy service ssl-client
    ssl-proxy service ssl-proxy
      key netcracker.cal.dom.key
      cert netcracker.cal.dom.cer
      chaingroup netcracker.cal.dom-wcrt100
    class-map match-any L4VIPCLASS
      2 match virtual-address 10.205.70.80 any
    class-map type http loadbalance match-any L7-URL
      2 match http url /*.*
    class-map type http loadbalance match-all L7SLBCLASS
      2 match http url /*
    class-map type management match-any REMOTE-MANAGEMENT
      2 match protocol telnet any
      3 match protocol icmp any
      4 match protocol ssh any
      5 match protocol snmp any
      6 match protocol http any
      7 match protocol https any
    class-map match-any SSH_Test
      2 match virtual-address 10.205.71.80 tcp eq 22
    class-map match-any weblogic-7433
      2 match virtual-address 10.205.70.80 tcp eq 7433
    class-map match-any weblogic-http
      2 match virtual-address 10.205.70.80 tcp eq www
    class-map match-any weblogic-https
      2 match virtual-address 10.205.70.80 tcp eq https
    policy-map type management first-match REMOTE-MANAGEMENT
      class REMOTE-MANAGEMENT
        permit
    policy-map type loadbalance first-match L7SLBPOLICY
      class L7SLBCLASS
        ssl-proxy client ssl-client
    policy-map type loadbalance first-match SSH_Test_Policy
      class class-default
        serverfarm WEBLOGIC-TEST-SSH
    policy-map type loadbalance first-match weblogic-7433-policy
      class class-default
        serverfarm WEBLOGIC-7433
        ssl-proxy client ssl-client
    policy-map type loadbalance first-match weblogic-http-policy
      class class-default
        serverfarm REDIRECT-SERVERFARM
    policy-map type loadbalance first-match weblogic-https-policy
      class L7-URL
        sticky-serverfarm STICKY-INSERT-COOKIE
      class class-default
        serverfarm WEBLOGIC-PROD
        action REWRITE
        ssl-proxy client ssl-proxy
    policy-map multi-match L4LSBPOLICY
      class L4VIPCLASS
        loadbalance policy L7SLBPOLICY
    policy-map multi-match LB-VIP
      class weblogic-http
        loadbalance vip inservice
        loadbalance policy weblogic-http-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3440
      class weblogic-https
        loadbalance vip inservice
        loadbalance policy weblogic-https-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3440
        ssl-proxy server ssl-proxy
      class weblogic-7433
        loadbalance vip inservice
        loadbalance policy weblogic-7433-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3440
        ssl-proxy server ssl-proxy
    policy-map multi-match LB-VIP-Test
      class SSH_Test
        loadbalance vip inservice
        loadbalance policy SSH_Test_Policy
        loadbalance vip icmp-reply
    interface vlan 3440
      description Internal Production
      ip address 10.205.70.250 255.255.255.0
      access-group input All
      access-group output All
      nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
      service-policy input REMOTE-MANAGEMENT
      service-policy input LB-VIP
      service-policy input L4LSBPOLICY
      no shutdown
    interface vlan 3516
      description Internal Test/Dev
      ip address 10.205.71.250 255.255.255.0
      access-group input All
      access-group output All
      nat-pool 2 10.205.71.249 10.205.71.249 netmask 255.255.255.0 pat
      service-policy input REMOTE-MANAGEMENT
      service-policy input LB-VIP-Test
      no shutdown
    interface vlan 3520
      description LB
      ip address 10.205.72.1 255.255.255.0
      access-group input All
      access-group output All
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.205.70.253
    username admin password 5 $1$r2r0NmEH$z8S0RxYdhwOE4RGXQ41  role Admin domain default-domain
    username cust_admin password 5 $1$/tOIIfUK$yigE519cqLq1IFgX.  role Admin domain default-domain

    I have removed that service policy completely.  It was from some knowledgebase article when I was trying to get http redirection working. 
    There is no more L4LSBPOLICY nor L4VIPCLASS, Thanks a lot for looking at this...
    GKEL2-ACE1/35568059-Axia# show service-policy summary
    service-policy: LB-VIP
    Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop
    weblogic-http                    10.205.70.80    tcp   eq 80       1,3440        IN-SRVC           0       50773         53
    weblogic-https                   10.205.70.80    tcp   eq 443      1,3440        IN-SRVC           0        7406        112
    weblogic-7433                    10.205.70.80    tcp   eq 7433     1,3440        IN-SRVC           0      145321         30
    service-policy: LB-VIP-Dev
    Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop
    weblogic-http-dev                10.205.71.90    tcp   eq 80       1,3516        IN-SRVC           0           0          0
    weblogic-https-dev               10.205.71.90    tcp   eq 443      1,3516        IN-SRVC           0           0          0
    weblogic-7433-dev                10.205.71.90    tcp   eq 7433     1,3516        IN-SRVC           0           0          0
    service-policy: LB-VIP-Test
    Class                            VIP             Prot  Port        VLAN          State    Curr Conns   Hit Count  Conns Drop
    SSH_Test                         10.205.71.80    tcp   eq 22       1,3516        IN-SRVC           0          29         24
    weblogic-http-test               10.205.71.80    tcp   eq 80       1,3516        IN-SRVC           0         117         40
    weblogic-https-test              10.205.71.80    tcp   eq 443      1,3516        IN-SRVC           0         161         61
    weblogic-7433-test               10.205.71.80    tcp   eq 7433     1,3516        IN-SRVC           0          27         11
    class-map type http loadbalance match-any L7-URL
      2 match http url /*.*
    class-map type http loadbalance match-all L7SLBCLASS
      2 match http url /*
    class-map type management match-any REMOTE-MANAGEMENT
      2 match protocol telnet any
      3 match protocol icmp any
      4 match protocol ssh any
      5 match protocol snmp any
      6 match protocol http any
      7 match protocol https any
    class-map match-any SSH_Test
      2 match virtual-address 10.205.71.80 tcp eq 22
    class-map match-any weblogic-7433
      2 match virtual-address 10.205.70.80 tcp eq 7433
    class-map match-any weblogic-7433-dev
      2 match virtual-address 10.205.71.90 tcp eq 7433
    class-map match-any weblogic-7433-test
      2 match virtual-address 10.205.71.80 tcp eq 7433
    class-map match-any weblogic-http
      2 match virtual-address 10.205.70.80 tcp eq www
    class-map match-any weblogic-http-dev
      2 match virtual-address 10.205.71.90 tcp eq www
    class-map match-any weblogic-http-test
      2 match virtual-address 10.205.71.80 tcp eq www
    class-map match-any weblogic-https
      2 match virtual-address 10.205.70.80 tcp eq https
    class-map match-any weblogic-https-dev
      2 match virtual-address 10.205.71.90 tcp eq https
    class-map match-any weblogic-https-test
      2 match virtual-address 10.205.71.80 tcp eq https
    policy-map type management first-match REMOTE-MANAGEMENT
      class REMOTE-MANAGEMENT
        permit
    policy-map type loadbalance first-match L7SLBPOLICY
      class L7SLBCLASS
        ssl-proxy client ssl-client
    policy-map type loadbalance first-match SSH_Test_Policy
      class class-default
        serverfarm WEBLOGIC-TEST-SSH
    policy-map type loadbalance first-match weblogic-7433-dev-policy
      class class-default
        serverfarm WEBLOGIC-7433-Dev
    policy-map type loadbalance first-match weblogic-7433-policy
      class class-default
        serverfarm WEBLOGIC-7433
        ssl-proxy client ssl-client
    policy-map type loadbalance first-match weblogic-7433-test-policy
      class class-default
        serverfarm WEBLOGIC-7433-Test
        ssl-proxy client ssl-client
    policy-map type loadbalance first-match weblogic-http-dev-policy
      class class-default
        serverfarm REDIRECT-SERVERFARM
    policy-map type loadbalance first-match weblogic-http-policy
      class class-default
        serverfarm REDIRECT-SERVERFARM
    policy-map type loadbalance first-match weblogic-http-test-policy
      class class-default
        serverfarm REDIRECT-SERVERFARM
    policy-map type loadbalance first-match weblogic-https-dev-policy
      class L7-URL
        sticky-serverfarm STICKY-INSERT-COOKIE-DEV
      class class-default
        serverfarm WEBLOGIC-DEV
        action REWRITE
    policy-map type loadbalance first-match weblogic-https-policy
      class L7-URL
        sticky-serverfarm STICKY-INSERT-COOKIE
      class class-default
        serverfarm WEBLOGIC-PROD
        action REWRITE
        ssl-proxy client ssl-proxy
    policy-map type loadbalance first-match weblogic-https-test-policy
      class L7-URL
        sticky-serverfarm STICKY-INSERT-COOKIE-TEST
      class class-default
        serverfarm WEBLOGIC-TEST
        action REWRITE
        ssl-proxy client ssl-proxy-nctest
    policy-map multi-match LB-VIP
      class weblogic-http
        loadbalance vip inservice
        loadbalance policy weblogic-http-policy
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 3440
      class weblogic-https
        loadbalance vip inservice
        loadbalance policy weblogic-https-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3440
        ssl-proxy server ssl-proxy
      class weblogic-7433
        loadbalance vip inservice
        loadbalance policy weblogic-7433-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3440
        ssl-proxy server ssl-proxy
    policy-map multi-match LB-VIP-Dev
      class weblogic-http-dev
        loadbalance vip inservice
        loadbalance policy weblogic-http-dev-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
      class weblogic-https-dev
        loadbalance vip inservice
        loadbalance policy weblogic-https-dev-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
      class weblogic-7433-dev
        loadbalance vip inservice
        loadbalance policy weblogic-7433-dev-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
    policy-map multi-match LB-VIP-Test
      class SSH_Test
        loadbalance vip inservice
        loadbalance policy SSH_Test_Policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
      class weblogic-http-test
        loadbalance vip inservice
        loadbalance policy weblogic-http-test-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
      class weblogic-https-test
        loadbalance vip inservice
        loadbalance policy weblogic-https-test-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
        ssl-proxy server ssl-proxy-nctest
      class weblogic-7433-test
        loadbalance vip inservice
        loadbalance policy weblogic-7433-test-policy
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 3516
        ssl-proxy server ssl-proxy-nctest
    interface vlan 3440
      description Internal Production
      ip address 10.205.70.250 255.255.255.0
      mac-sticky enable
      access-group input All
      access-group output All
      nat-pool 1 10.205.70.249 10.205.70.249 netmask 255.255.255.0 pat
      service-policy input REMOTE-MANAGEMENT
      service-policy input LB-VIP
      no shutdown
    interface vlan 3516
      description Internal Test/Dev
      ip address 10.205.71.250 255.255.255.0
      mac-sticky enable
      access-group input All
      access-group output All
      nat-pool 1 10.205.71.240 10.205.71.249 netmask 255.255.255.0 pat
      service-policy input REMOTE-MANAGEMENT
      service-policy input LB-VIP-Test
      service-policy input LB-VIP-Dev
      no shutdown
    interface vlan 3520
      description LB
      ip address 10.205.72.1 255.255.255.0
      access-group input All
      access-group output All
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.205.70.253

  • Real Servers not connected to ACE VLAN and Real Servers are clients accessing the VIP

    Hi,
    I have a very strange set up and need some help to get my config working
    I have a ASA firewall with three VLANs
    VLAN 1 = Internet
    VLAN 2 = DMZ
    VLAN 3 = Goes to ACE
    On the ACE I have four VLANs
    VLAN 3 = Goes to ASA
    VLAN 4 = Web Server Tier
    VLAN 5 = DB Tier
    VLAN 6 = VIPs
    Our Application team have asked us to create a New VIP on the ACE with real servers in DMZ (Server A and Server B)
    And they have told us that the clients accessing the VIP will be Server A and Server B
    I have always created VIPs with real servers directly connected to the ACE but not connected elsewhere.
    I believe I have a big challenge of opening ports on the firewall etc. to get this set up working. Also, should I use some sort of NAT / SNAT?
    Could anyone guide me on this setup please?
    Raj

    Hi Raj,
    First of all, it is possible to add servers in ACE which are a HOP away from the ACE interfaces. Here the servers are a HOP away but their VIP is part of an ACE interface subnet. The only need is that the servers' return traffic towards the client should pass through the ACE (so that the ACE can maintain states and change the source IP of the reply packet from the server IP to the VIP on which the client has requested the connection).
    When servers are a HOP away and the ACE does not come in the path between server and client, then we have to do SNAT for the initial client request. This configuration will force the return traffic from the server to the ACE (as the server will see the NAT IP as the client IP).
    In your case the DMZ-VIP which is created for two real servers A and B will be accessed by these servers only. So it is a situation of servers accessing their own VIP. For this scenario to work we have to have SNAT (no matter whether the servers are directly connected or a HOP away). So the best solution here is VIP in VLAN 3, rservers for this VIP in DMZ, and SNAT the client request using a free IP in VLAN 3.
    Also you have to open ports on the firewall for both "real server probes" and the actual application ports; moreover, policy modification on the firewall for allowing traffic from DMZ to ACE VIP, DMZ to NAT IP, and the vice versa traffic.
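    The reply above recommends a VIP on VLAN 3, rservers one hop away in the DMZ, and SNAT of the client request from a free VLAN 3 address. As an added example (not from this thread or from Cisco), here is what that looks like in ACE CLI syntax, using constructed addresses: 10.0.3.0/24 for VLAN 3 (ACE 10.0.3.1, ASA 10.0.3.254), 10.0.2.0/24 for the DMZ, VIP 10.0.3.100, SNAT address 10.0.3.200, and a hypothetical application port 8080. Lines beginning with `!` are annotations.

    ```cisco
    ! Added example with constructed addresses; not the poster's configuration.
    ! Server A and B live in the DMZ behind the ASA, one hop away from the ACE.
    rserver host ServerA
      ip address 10.0.2.10
      inservice
    rserver host ServerB
      ip address 10.0.2.11
      inservice
    ! Probes are sourced from the VLAN 3 interface address (10.0.3.1),
    ! so the ASA must also permit 10.0.3.1 -> DMZ tcp/8080 (see usage note).
    probe tcp DMZ-APP-PROBE
      port 8080
      interval 10
      faildetect 3
    serverfarm host DMZ-FARM
      predictor leastconns
      probe DMZ-APP-PROBE
      rserver ServerA 8080
        inservice
      rserver ServerB 8080
        inservice
    ! The VIP sits in the VLAN 3 subnet, as the reply suggests.
    class-map match-any DMZ-VIP
      2 match virtual-address 10.0.3.100 tcp eq 8080
    policy-map type loadbalance first-match DMZ-VIP-policy
      class class-default
        serverfarm DMZ-FARM
    policy-map multi-match LB-VIP-DMZ
      class DMZ-VIP
        loadbalance vip inservice
        loadbalance policy DMZ-VIP-policy
        loadbalance vip icmp-reply active
        ! SNAT: rewrite the client source to pool 10 so the servers' replies
        ! come back to the ACE even though the servers sit behind the ASA.
        ! This also covers a server being balanced back to itself.
        nat dynamic 10 vlan 3
    ! Only the two DMZ servers are clients of this VIP, so admit only them.
    access-list DMZ-VIP-IN extended permit tcp 10.0.2.0 255.255.255.0 host 10.0.3.100 eq 8080
    interface vlan 3
      description To ASA
      ip address 10.0.3.1 255.255.255.0
      access-group input DMZ-VIP-IN
      ! Free VLAN 3 address used as the SNAT source (PAT so one address suffices).
      nat-pool 10 10.0.3.200 10.0.3.200 netmask 255.255.255.0 pat
      service-policy input LB-VIP-DMZ
      no shutdown
    ! The rservers are a hop away: route the DMZ subnet via the ASA.
    ip route 10.0.2.0 255.255.255.0 10.0.3.254
    ```

    On the ASA side this needs rules allowing DMZ -> 10.0.3.100 tcp/8080 (client to VIP) and 10.0.3.200 and 10.0.3.1 -> DMZ tcp/8080 (SNATed requests and probes), with return traffic handled by the ASA's own connection state.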

  • VIP is not responding when pinging from ACE

    Hey, I have a very strange type of error. Everything was working fine until it just stopped. I have two VIPs, both were mounted and working fine, and then one of the VIPs just stopped working: you can ping it and get a reply from my PC but not from the ACE. They are connected directly with a Nexus 5k and were working fine. Now you get a reply from all other VIPs and servers and everything else, but not from that single VIP. When you ping it on the Nexus you get DUP packets, which I do not understand; all commands like no ip redirects have been given but I don't know what's wrong.
    Does anyone have any idea and can help?

    Hi Usman,
    Not sure about DUP packets that you see on nexus but from ACE's perspective we need to see what is wrong and for that i would need to look at your configuration and other outputs. Do you see that your client's request is reaching the ACE VIP ? You can check using "show conn address " and see if you see a corresponding backend connection or not. Do you see any handshake failures or any other counters increasing under "show stats crypto server" command? We need to have more information for us to look at to tell you what is going on at least from ACE's viewpoint.
    Regards,
    Kanwal

  • Trying to change the ACL of a domain user

    I am using the Set-Acl cmdlet to add a user to another user's domain account so that the second user will be able to read the permissions available to the first user. I get an error on the very last line "this security id may not be assigned as the owner of this object". I suspect that perhaps the error is caused because I am not permitted to change the owner of the account and the code is trying to do a wholesale rewrite of the ACL. I am allowed to add the entry to the account through the UI and that is all I want to do via powershell. Any ideas?
    $name1 = "someuser" #this is the user whose acl I want to edit
    $name2 = "someotheruser"  #this is the user that I want to add to the first user's acl
    $objUser = Get-ADUser -LDAPFilter "(sAMAccountName=$Name1)"
    $objDelegate = New-Object System.Security.Principal.NTAccount("$name2")
    Set-Location AD:
    $dn = $objUser.DistinguishedName
    $Acl = (Get-Acl $dn)
    $Ar = New-Object system.DirectoryServices.ActiveDirectoryAccessRule ($objDelegate,"GenericRead","Allow",$objUser.ObjectGUID)
    $Acl.AddAccessRule($Ar)
    Set-Acl -Path $dn -AclObject $Acl

    Hi Jay,
    To change the AD user permission with powershell, the script below is for your reference:
    Import-Module ActiveDirectory
    # Figure out our domain
    $root = (Get-ADRootDSE).defaultNamingContext
    # Get or create the System Management container
    $ou = $null
    try
    {
        $ou = Get-ADObject "CN=System Management,CN=System,$root"
    }
    catch
    {
        Write-Verbose "System Management container does not currently exist."
    }
    if ($ou -eq $null)
    {
        $ou = New-ADObject -Type Container -name "System Management" -Path "CN=System,$root" -Passthru
    }
    # Get the current ACL for the OU
    $acl = get-acl "ad:CN=System Management,CN=System,$root"
    # Get the computer's SID
    $computer = get-adcomputer $env:ComputerName
    $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
    # Create a new access control entry to allow access to the OU
    $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow", "All"
    # Add the ACE to the ACL, then set the ACL to save the changes
    $acl.AddAccessRule($ace)
    Set-acl -aclobject $acl "ad:CN=System Management,CN=System,$root"
    I think you need to add the line to get user2's SID "$sid".
    Refer to:
    http://blogs.technet.com/b/mniehaus/archive/2012/01/05/creating-the-configmgr-system-management-container-with-powershell.aspx
    If there is anything else regarding this matter, please feel free to let me know.
    Best Regards,
    Anna Wang
