ACE vs Radware WSD
I need to defend the Cisco ACE vs. the Radware WSD as a load balancing solution. Can you give me talking points as to why the ACE is better than the WSD?
About two years ago I had a similar issue with Citrix Netscaler vs. Cisco ACE (CSM).
I don't think there is a doc showing the advantages of an ACE vs. the competitors in marketing lingo.
What I did was to check out the technical specs of the Netscaler series and compare them vs. the ACE in terms of connections per second, SSL setups, throughput, general features and scalability of the product. I had to do an internal presentation to convince the management side. It is kind of annoying to do stuff like this as a tech, but it helps keep the disfavored toys out of the system. :)
If you already have a lot of Cisco equipment, pointing out that sticking to a vendor will probably support the manageability/maintainability of the network could also be a feasible argument.
Roble
Similar Messages
-
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm a newbie to Cisco ACE 4710, and still in the learning stage. Meanwhile I got the chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance HTTP and HTTPS traffic between two application servers. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide is totally fine for my required deployment model. I have the same deployment environment as this guide describes, with an ACE cluster that connects to two Cisco 3750X (stack) switches. But I have some points of confusion in this guide.
This guide follows the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client-side VIP is also in the same VLAN, 10.4.49.100/24 (even the NAT pool too).
My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments: one for the client side, where client requests come in and hit the VIP, and a second one for the server side, which basically means two VLANs. So please be kind enough to go through the above document and tell me where I am wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
Thanks....!
-Amal-
Dear Kanwal,
I need quick help from you. Following are the application LB requirements which I received from my client side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must resolve and respond on the DNS network
Server Farm detail for LBR Setup
Following detail will be used for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must resolve and respond on the DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be used]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be used]
Protocol: http
Port: 8000
Since my client needs to access the URL ebiz.xxxx.lk, which should resolve to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and tried to access http://172.25.45.21; it worked fine and gave me the index.html page. Now, after my client has deployed the application, when he tries to access http://172.25.45.21 he cannot see his main login page. My test web servers are still there on both servers: when I type http://172.25.45.21 I get the index.html page, but not my client's web login page. What can I do about this?
Following is my latest config:
probe http Get-Method
  description Check to url access /OA_HTML/OAInfo.jsp
  interval 10
  faildetect 2
  passdetect interval 30
  request method get url /OA_HTML/OAInfo.jsp
  expect status 200 200
probe udp http-8000-iRDMI
  description IRDMI (HTTP - 8000)
  port 8000
probe http http-probe
  description HTTP Probes
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  request method get url /index.html
  expect status 200 200
probe https https-probe
  description HTTPS traffic
  interval 10
  faildetect 2
  passdetect interval 30
  passdetect count 2
  ssl version all
  request method get url /index.html
probe icmp icmp-probe
  description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
  description ebsapp1.xxxx.lk
  ip address 172.25.45.19
  conn-limit max 4000000 min 4000000
  probe icmp-probe
  probe http-probe
  inservice
rserver host ebsapp2
  description ebsapp2.xxxx.lk
  ip address 172.25.45.20
  conn-limit max 4000000 min 4000000
  probe icmp-probe
  probe http-probe
  inservice
serverfarm host ebsppsvrfarm
  description ebsapp server farm
  failaction purge
  predictor response app-req-to-resp samples 4
  probe http-probe
  probe icmp-probe
  inband-health check log 5 reset 500
  retcode 404 404 check log 1 reset 3
  rserver ebsapp1 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
  rserver ebsapp2 80
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    inservice
sticky http-cookie jsessionid HTTP-COOKIE
  cookie insert browser-expire
  replicate sticky
  serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
  description DM generated classmap for default LB compression exclusion mime types.
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
  15 match http url .*jpg
  16 match http url .*jpeg
  17 match http url .*jpe
  18 match http url .*png
class-map match-all ebsapp-vip
  2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
  class default-compression-exclusion-mime-type
    serverfarm ebsppsvrfarm
  class class-default
    compress default-method deflate
    sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
  class ebsapp-vip
    loadbalance vip inservice
    loadbalance policy ebsapp-vip-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 455
interface vlan 455
  ip address 172.25.45.36 255.255.255.0
  peer ip address 172.25.45.35 255.255.255.0
  access-group input ALL
  nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
  service-policy input remote_mgmt_allow_policy
  service-policy input int455
  no shutdown
ft interface vlan 999
  ip address 10.1.1.1 255.255.255.0
  peer ip address 10.1.1.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 999
ft group 1
  peer 1
  no preempt
  priority 110
  associate-context Admin
  inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply to me soon.
Thanks....!
-Amal-
-
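The model below is an added example, not part of Amal's post or of Cisco's guide: a few lines of Python that trace the reply path in this one-armed design, to show what `nat dynamic 1 vlan 455` and its nat-pool are doing. The addresses are those in the posted config; the client addresses are constructed.

```python
"""Return-path model for the one-armed ACE design in the config above.

Added example, not part of the post: it shows why the one-armed VIP needs
'nat dynamic 1 vlan 455' with its nat-pool.  Addresses come from the posted
config (VIP .21, nat-pool .22, rservers .19/.20, ACE interface .36, default
gateway .1 on 172.25.45.0/24); the client addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

SERVER_VLAN = IPv4Network("172.25.45.0/24")      # interface vlan 455
ACE_IF = IPv4Address("172.25.45.36")             # ip address 172.25.45.36
VIP = IPv4Address("172.25.45.21")                # match virtual-address 172.25.45.21
NAT_POOL = IPv4Address("172.25.45.22")           # nat-pool 1 172.25.45.22 172.25.45.22
GATEWAY = IPv4Address("172.25.45.1")             # ip route 0.0.0.0 0.0.0.0 172.25.45.1
RSERVERS = (IPv4Address("172.25.45.19"), IPv4Address("172.25.45.20"))
ACE_OWNED = {ACE_IF, VIP, NAT_POOL}              # addresses the ACE answers ARP for


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def ace_to_server(client_pkt: Packet, rserver: IPv4Address, snat: bool) -> Packet:
    """Packet the ACE forwards after selecting a real server.

    The destination is always rewritten from the VIP to the rserver; the
    source is rewritten to the nat-pool only when client NAT is configured.
    """
    if client_pkt.dst != VIP:
        raise ValueError("not VIP traffic")
    return Packet(src=NAT_POOL if snat else client_pkt.src, dst=rserver)


def server_next_hop(reply: Packet) -> IPv4Address:
    """A host on vlan 455 delivers on-subnet destinations directly and sends
    everything else to its default gateway, the router at .1 (not the ACE)."""
    return reply.dst if reply.dst in SERVER_VLAN else GATEWAY


def reply_path(client: str, snat: bool, rserver_index: int = 0) -> dict:
    """Trace one request/response and report whether the reply crosses the
    ACE and which source address the client ends up seeing."""
    client_ip = IPv4Address(client)
    fwd = ace_to_server(Packet(client_ip, VIP), RSERVERS[rserver_index], snat)
    reply = Packet(src=fwd.dst, dst=fwd.src)      # the server answers whoever it saw
    via_ace = server_next_hop(reply) in ACE_OWNED
    # Only the ACE can undo its own translations.  If the reply bypasses it,
    # the client receives a packet from the real server's address, which it
    # never opened a connection to, and the TCP session fails.
    seen_by_client = VIP if via_ace else reply.src
    return {"via_ace": via_ace, "client_sees": str(seen_by_client)}


if __name__ == "__main__":
    for client in ("192.0.2.10", "172.25.45.200"):   # off-subnet and on-subnet client
        for snat in (False, True):
            print(client, "snat" if snat else "no snat", reply_path(client, snat))
```

Without the nat-pool the reply from 172.25.45.19 goes straight to the router or to an on-subnet client and never passes the ACE; with it, the server answers 172.25.45.22, which the ACE owns.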
Cisco ACE - Firewall load balancing
I am using two sets of ACE load balancers for load balancing traffic across two firewalls (firewall load balancing).
The solution works fine. I have a virtual address of 0.0.0.0 in either direction to match traffic going from the internal users to the internet and vice versa.
The problem is that when I try to manage the load-balanced firewalls (either using SSH or HTTPS) from outside, that connection also gets load balanced, and when I try to connect to FW1 this connection sometimes ends up on FW2 and vice versa, and the connection gets dropped. I have a workaround in place where I am using a virtual address per firewall to connect to the real IP address of the firewall.
Is there any other way of managing firewalls (which are defined as real servers) in a FWLB setup?
Attached is the configuration of the external ACE, which has the two firewalls defined as the real servers.
access-list ALL line 8 extended permit ip any any
probe icmp ICMP-Probe
  interval 15
  passdetect interval 60
rserver host FW1-ASA
  ip address 10.11.71.10
  inservice
rserver host FW2
  ip address 10.11.71.11
  inservice
serverfarm host Firewalls
  transparent
  predictor leastconns
  rserver FW1-ASA
    inservice
  rserver FW2
    inservice
serverfarm host Firewalls-NO-LB
  rserver FW1-ASA
    inservice
serverfarm host Firewalls-NO-LB1
  rserver FW2
    inservice
sticky ip-netmask 255.255.255.255 address source new-sticky
  timeout activeconns
  serverfarm Firewalls
This is my workaround for connecting to the IP address of the firewalls (for management):
class-map match-any FW-Real
  2 match virtual-address 10.11.71.254 any
class-map match-any FW-Real2
  2 match virtual-address 10.11.71.253 any
class-map type management match-any Remote-Access
  201 match protocol telnet any
  202 match protocol http any
  203 match protocol https any
  204 match protocol ssh any
  205 match protocol snmp any
  206 match protocol icmp any
class-map match-any fwlb
  2 match virtual-address 0.0.0.0 0.0.0.0 any
policy-map type management first-match Remote-Management-Policy
  class Remote-Access
    permit
policy-map type loadbalance first-match FWLB-No-LB
  class class-default
    serverfarm Firewalls-NO-LB
policy-map type loadbalance first-match FWLB-No-LB1
  class class-default
    serverfarm Firewalls-NO-LB1
policy-map type loadbalance first-match FWLB-l7slb
  class class-default
    serverfarm Firewalls
policy-map multi-match Firewall-No-LB
  class FW-Real
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB
policy-map multi-match Firewall-No-LB1
  class FW-Real2
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB1
policy-map multi-match int70
  class fwlb
    loadbalance vip inservice
    loadbalance policy FWLB-l7slb
interface vlan 70
  description "Client side"
  ip address 10.11.70.2 255.255.255.0
  no icmp-guard
  access-group input ALL
  access-group output ALL
  service-policy input Remote-Management-Policy
  service-policy input Firewall-No-LB    --> connect to the real IP address of the firewall for management
  service-policy input Firewall-No-LB1   --> connect to the real IP address of the firewall for management
  service-policy input int70
  no shutdown
interface vlan 71
  description "Firewall side"
  ip address 10.11.71.2 255.255.255.0
  mac-sticky enable
  no icmp-guard
  access-group input ALL
  access-group output ALL
  service-policy input Remote-Management-Policy
  no shutdown
Hello,
As far as I know, there is no other way.
You can only reduce your configuration by putting all your classes under the same policy-map:
policy-map multi-match int70
  class FW-Real
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB
  class FW-Real2
    loadbalance vip inservice
    loadbalance policy FWLB-No-LB1
  class fwlb
    loadbalance vip inservice
    loadbalance policy FWLB-l7slb
interface vlan 70
  description "Client side"
  ip address 10.11.70.2 255.255.255.0
  no icmp-guard
  access-group input ALL
  access-group output ALL
  service-policy input Remote-Management-Policy
  service-policy input int70
  no shutdown
-
Problem with ACE and Internet Explorer 8
I have a problem with ACE (system A2(1.1)) and Internet Explorer 8.
exactly:
The ACE is configured as end-to-end SSL with 2 rservers and with sticky source address. When a user opens the virtual address from IEv7, the web portal (on Microsoft IIS) works fine.
If the user opens the same web portal using IEv8, the session is suspended after 60 seconds.
I think the reason is the HTTP keep-alive, which is sent every 60 seconds from the user's internet browser.
Here is some information about this. http://en.wikipedia.org/wiki/HTTP_persistent_connection
Do you have any idea how to resolve this problem: upgrade the ACE, change the configuration on IIS or on the ACE?
Please help.
Hi Kazik,
Using a persistent connection or HTTP keepalives should not have any negative effect on the ACE, so giving you a straightforward answer to fix it is not going to be easy.
I would recommend you open a TAC case to have this investigated further. When you do, please provide the following data:
A showtech from the Admin context of the ACE
A traffic capture taken on the TenGig interface connecting the switch with the ACE backplane while doing a test connection (preferably one with IE7 and one with IE8 to compare)
If possible, a copy of the SSL private key. Being able to decrypt the traffic capture to look inside the HTTP flow would really make troubleshooting much easier.
Regards
Daniel
-
A problem with ACL in the class-map on the ACE module
Hi all,
I configured the following on the ACE module:
object-group network test
  host 192.168.1.21
  host 192.168.1.22
  host 192.168.1.23
object-group service port
  tcp eq www
  tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or normal behaviour? Because the customer uses object-groups in ACLs, and he has to configure ACLs without object-groups for the traffic classification. It is horrible.
Thank you
Roman
Hi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel
-
Cannot Telnet to ACE 4710 after upgrade to A4(2.3)
I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). Yesterday I upgraded one of them to A4(2.3);
now I cannot telnet to the Admin context. Pings OK. I can telnet to other contexts on the box and everything seems to be working OK.
When I do a "sh telnet" it comes back with
No Session Information is available
sh telnet maxsessions
telnet maxsessions 16
Can anybody help?
Further to this post, it was not a resource problem, as I had allocated 5% for the Admin context.
I upgraded the IOS Saturday evening and could not Telnet in; tried again on Sunday, same result,
though this morning (Monday) I can now telnet in OK. Very strange.
I was connecting via the AUX line of a 2851 router to the console port.
When I disconnected this morning I saw the following message:
INIT: id "T0" respawning too fast : disabled for 5 minutes
Not sure if this is a 2851 message or an ACE message, but after getting that message is when I was able to Telnet in.
Was it a coincidence?
Anybody any ideas?
-
How can I use multiple client side vlans in ACE?
In CSM we have a default-gateway per client VLAN; in ACE there is no equivalent command! How does the ACE handle routing in this situation?
Hi,
Talk about a deja-vu. I was faced with the exact same challenge about a year ago.
Basically, I think you're looking at two options:
1) Firewall consolidation - Consolidate your four firewalls into one, having one dedicated interface towards the ACE, and route all your VIPs using the ACE as next hop. It looks like your firewalls are virtual (but I don't know), so it's doable. But I don't know if this is even an option for you.
2) Per-client-VLAN context - Context A for vlan1001, Context B for vlan1002 and so on. Each context handles client traffic for the respective VLAN, and since each context handles its own routing table, simply use the firewall address as your default route. But from your drawing, it looks like your server VLANs are all connected to the same ACE, so you will need to split that up. Assign each server VLAN to an ACE context as you do with the client-side VLANs.
Well, a third option would be NAT in your firewall. Unless you have a specific need for the original client IP to reach the ACE, you could NAT incoming client sessions in each of the firewalls to an interface address on that firewall; hence the ACE will see the client request as originating from the firewall, and since the ACE has connected routes to each of the firewalls, it will return traffic to the respective firewall and leave it to the firewall to return the traffic to the client.
Since each firewall will present the packets with a unique NAT'ed address, you can apply different policies, parameters etc. for that NAT-address, if this is required.
hth
/Ulrich
-
Office 2013 64 bit get rid of WSD ports and never see them again
I have some users with enormous spreadsheets, so we upgraded to Office 2013 64 bit (from Office 2010 32 bit). The OS is Windows 7 64 bit.
We were working just fine with TCP ports for the printers. But Office 2013 64 bit installs WSD ports (not the trial version BTW, but as soon as you buy the full version it re-installs and messes up your printers).
How do I stop Office Pro 2013 64 bit from putting in these WSD port monitors? I don't need them. I just want fixed IP TCP ports.
CarolChi
Hi
OSS Note 1466118 - Hardware & Software requirements for Analysis, edition for MS Office has been updated (document version 7, valid from 2014/06/20).
Software requirements on Windows 8 & 8.1
32bit OS
OS: Windows 8 and 8.1
Excel: 2007, 2010 and 2013
Powerpoint: 2007, 2010 and 2013
64bit OS, 32bit MS Office
OS: Windows 8 and 8.1
Excel: 2007, 2010 and 2013
Powerpoint: 2007, 2010 and 2013
64bit OS, 64bit MS Office
OS: Windows 8 and 8.1 64bit
Excel: 2010 and 2013 (64bit version of MS Office)
Powerpoint: 2010 and 2013 (64bit version of MS Office)
I did receive a reply from SAP regarding the issue I was having with Office 2013 64bit crashing, and they recommended applying Analysis 1.4 SP7 Hotfix 1 (patch 1) to see if that corrects the issue; I will test later when I am back at the office.
Regards
Derek
-
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!
Hello Brandon-
Network-Monitor only lets you browse outputs; it is not a role that allows a user to make any changes, including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# config t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule and, within that, create/debug/modify/monitor each feature separately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins
-
ACE - Inspection per VIP and other Questions
I have my ACE up and running with SLB for HTTP, terminating SSL and inspection for the traffic flowing through the ACE.
One thing I haven't figured out yet is how to let the ACE distinguish between inspecting only the VIP traffic versus inspecting all traffic flowing through the routed VLAN.
My service-policy is currently bound on the xfer net VLAN which also services the VIP.
I made a "match url" rule with action reset for the regex "admin". If I try to access the link "slb.foo.local/admin" via the VIP it works, but it unfortunately also works if I access the real servers in the VLAN behind the ACE directly.
A: Any idea how to solve that with best practice?
B: I haven't found a way to create a self-signed certificate so far. Is it not implemented or did I just miss it?
C: Is an ACL mandatory to get traffic flowing via the VIP to the real servers? I have the feeling that without an ACL permitting the traffic explicitly there won't be a flow at all.
D: The commands "loadbalance vip icmp-reply active" and "loadbalance vip advertise active" for RHI are now in my config twice. Do I only need them once in my policy, or does it make sense to keep them per HTTP and HTTPS class?
The corresponding config:
class-map match-all HTTP-INSPECT-L4CLASS
  description HTTP protcol deep packet inspection
  2 match port tcp eq www
class-map type http inspect match-any HTTP-INSPECT-L7CLASS
  description HTTP - Deep packet Inspection - Definition
  2 match content length range 0 256
  3 match url [/]admin
  4 match url .asp
class-map match-all L4-VIP-CLASS
  2 match virtual-address 10.10.10.85 tcp eq www
class-map match-all L4-VIP-CLASS-SSL
  2 match virtual-address 10.10.10.85 tcp eq https
class-map type http loadbalance match-any L7-SLB-CLASS-1
  3 match http header Host header-value "10.10.10.85*"
  4 match http header Host header-value "slb.foo.local*"
class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol icmp any
policy-map type management first-match REMOTE_MGM_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match L7-SLB-Policy
  class L7-SLB-CLASS-1
    serverfarm LB-Testfarm
policy-map type inspect http all-match HTTP-INSPECT-L7POLICY
  class HTTP-INSPECT-L7CLASS
    reset
policy-map multi-match L4-SLB-POLICY
  class L4-VIP-CLASS
    loadbalance vip inservice
    loadbalance policy L7-SLB-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  class L4-VIP-CLASS-SSL
    loadbalance vip inservice
    loadbalance policy L7-SLB-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server SSL-PSERVICE-Server
  class HTTP-INSPECT-L4CLASS
    inspect http policy HTTP-INSPECT-L7POLICY
interface vlan 444
  description XFER-ACE
  ip address 10.10.10.83 255.255.255.240
  access-group input All
  access-group output All
  service-policy input L4-SLB-POLICY
  service-policy input REMOTE_MGM_ALLOW_POLICY
  no shutdown
interface vlan 555
  description ACE-Server
  ip address 10.10.10.97 255.255.255.240
  access-group input All
  access-group output All
  no shutdown
Thanks for reading...
Roble
Gilles, hope you still read this thread :)
In another post you mentioned that the ACE features URL rewriting. I am desperately looking for this feature but can't find it anywhere in the docs.
Since I am terminating SSL on the front and speaking plain HTTP on the back end, I have some problems with the portal application and links to non-secure documents.
I don't think I can make the appl. admins fix the problem or make the company behind the portal rewrite the code. (3 letters NOT starting with an I)
From the SCA docs I found the following description, which matches my problem.
[quote]
When you have configured the urlrewrite command, the SCA can inspect the full HTML answer to replace all links to a nonsecure document with a link to the same document via HTTPS
[/quote]
EDIT:
Another thing...
I currently redirect all my http traffic to a certain https url with a redirect rserver. Works fine.
I am still thinking about how to solve the same problem with ssl/https portion of my vip.
vip:443 -> redirect to vip:443/url/foo/bar/
I tried something like...
vip:443 -> redirect to vip:444/url/foo/bar/
But somehow that didn't work out. Do you have a valid "conceptual" approach to this issue?
Roble
-
I am getting up to speed on the ACE and was wondering if someone could please clarify a couple of things for me, as the docs I am using are pretty confusing.
We have the ACE module in a Cisco 65XX switch, along with the FWSM.
1) Do I need to create a Layer 3 interface on the switch for the VLANs that I have assigned to the ACE?
2) I have created Layer 3 client-side and server-side VLANs on the ACE. Do I need to create a default gateway for each of these VLANs, or create just one DG and point it to the switch?
3) Do I need to create a class map, a policy map and a service policy for the client and server VLAN L3 interfaces on the ACE?
Thanks much.
Have you had a chance to read through the config guide?
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/rtbrgdgd.html
In general,
1) yes for client-side vlans
no for server-side vlans
2) just one default route to an SVI on MSFC
3) yes
-
We have just switched our local server from a 32-bit to a 64-bit machine and now we have Windows Server 2008 R2 Service Pack 1 with MS Office 2007. On the server we are running an application in ASP.Net 3.5 using Visual Studio 2008. All users have 32-bit Windows 7 and MS Office 2007.
When a user tries to import data from Excel to the database (SQL Server 2005), the error comes as
"microsoft.ace.oledb.12.0 provider is not registered on local machine".
I have tried a solution by installing the Access Database Engine 2007 Office System Driver on the server, but the error was the same. Now what should I do to resolve this problem? Should we install Office 2010 64-bit on the server, or is there any other solution?
Hi,
Thanks for your posting.
The file can be made in Excel 2007; try to install: 2007 Office System Driver: Data Connectivity Components
http://www.microsoft.com/en-us/download/details.aspx?id=23734
Regards.
Vivian Wang
TechNet Community Support
-
Not able to run a reconciliation from IDM on the SecurID/ACE server UNIX
I have configured a SecurID/ACE adapter in IDM 7.1 so that it can provision updates of user accounts. The RSA 6.1.2 server is running on Linux RHEL 2.6.9. I am able to connect to RSA from IDM, but when I run a reconciliation I get the following error:
Error iterating accounts for resource RES-User-RSA-Projects:
com.waveset.util.WavesetException: Trouble constructing User 'null'
Below is the stack trace that I extracted from IDM (debug): The stack below tells me that IDM is not able to establish a connection to the RSA server. I have made sure that the login account that I am using in the RSA adapter parameters belongs to the same group that owns /opt/ace/utils/tcl/bin/tcl-sd.
Is there anything else I need to do? Has anybody out there faced a similar issue and found a resolution?
SecurIdUnixResourceAdapter#getFeatures() Entry no args
SecurIdUnixResourceAdapter#getFeatures() Exit void
SecurIdUnixResourceAdapter#getFeatures() Entry no args
SecurIdUnixResourceAdapter#getFeatures() Exit void
SecurIdUnixResourceAdapter#getFeatures() Entry no args
SecurIdUnixResourceAdapter#getFeatures() Exit void
SecurIdUnixResourceAdapter#getLoginScript() Entry no args
SecurIdUnixResourceAdapter#getTclshPath() Entry no args
SecurIdUnixResourceAdapter#getTclshPath() Exit returned= /opt/ace/utils/tcl/bin/tcl-sd
SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 24
SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 2
SecurIdUnixResourceAdapter#getResourceAttributeValue() Entry no args
SecurIdUnixResourceAdapter#getResourceAttributeValue() Exit returned= 6
SecurIdUnixResourceAdapter#getUserExtensionMapNames() Entry no args
SecurIdUnixResourceAdapter#getUserExtensionMapNames() Exit void
SecurIdUnixResourceAdapter#getLoginScript() Exit void
SecurIdUnixResourceAdapter#getAccountIteratorscript() Entry no args
SecurIdUnixResourceAdapter#procSetup() Entry no args
SecurIdUnixResourceAdapter#procSetup() Exit void
SecurIdUnixResourceAdapter#procTearDown() Entry no args
SecurIdUnixResourceAdapter#procTearDown() Exit void
SecurIdUnixResourceAdapter#getAccountIteratorscript() Exit void
SecurIdUnixResourceAdapter#getAccountIteratorResult() Entry no args
SecurIdUnixResourceAdapter#getAccountIteratorResult() Exit void
SecurIdUnixResourceAdapter#constructUser() Entry no args
SecurIdUnixResourceAdapter#constructUser() Info Database connection is not established!
SecurIdUnixResourceAdapter#getFeatures() Entry no args
SecurIdUnixResourceAdapter#getFeatures() Exit void
Anybody out there who has configured Sun IDM to provision into RSA SecurID ACE/Server UNIX? Any help on this is greatly appreciated!
-
IOS XR deny ace not supported in access list
Hi everybody,
We've a 10G interface; this is an MPLS trunk between an ASR 9010 and a 7613, and the first thing we do, through a policy-map TK-MPLS_TG, is shape the interface output to 2G:
interface TenGigE0/3/0/0
 cdp
 mtu 1568
 service-policy output TK-MPLS_TG
 ipv4 address 172.16.19.134 255.255.255.252
 mpls
  mtu 1568
policy-map TK-MPLS_TG
 class class-default
  service-policy TK-MPLS_EDGE-WAN
  shape average 2000000000 bps
  bandwidth 2000000 kbps
and we've the policy TK-MPLS_EDGE-WAN as a service-policy inside; this new policy helps us assign bandwidth percent to 5 class-maps, which in turn match the experimental values classified when the packets came into the router:
class-map match-any W_RTP
 match mpls experimental topmost 5
 match dscp ef
end-class-map
class-map match-any W_EMAIL
 match mpls experimental topmost 1
 match dscp cs1
end-class-map
class-map match-any W_VIDEO
 match mpls experimental topmost 4 3
 match dscp cs3 cs4
end-class-map
class-map match-any W_DATOS-CR
 match mpls experimental topmost 2
 match dscp cs2
end-class-map
class-map match-any W_AVAIL
 match mpls experimental topmost 0
 match dscp default
end-class-map
policy-map TK-MPLS_EDGE-WAN
 class W_RTP
  bandwidth percent 5
 class W_VIDEO
  bandwidth percent 5
 class W_DATOS-CR
  bandwidth percent 30
 class W_EMAIL
  bandwidth percent 15
 class W_AVAIL
  bandwidth percent 2
 class class-default
end-policy-map
What we want to do is assign a specific bandwidth to the proxy on the output using the class W_AVAIL; the proxy is 150.2.1.100. We've an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
ipv4 access-list PROXY-GIT-MEX
 10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
 20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
 30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
 40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
 50 permit tcp host 150.2.1.100 any
 60 permit tcp host 10.15.221.100 any
policy-map EDGE-MEX3-PXY
 class C_PXY-GIT-MEX3
  police rate 300 mbps
 class class-default
end-policy-map
class-map match-any C_PXY-GIT-MEX3
 match access-group ipv4 PROXY-GIT-MEX
end-class-map
We assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY, and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN:
policy-map TK-MPLS_EDGE-WAN
 class W_RTP
  bandwidth percent 5
 class W_VIDEO
  bandwidth percent 5
 class W_DATOS-CR
  bandwidth percent 30
 class W_EMAIL
  bandwidth percent 15
 class W_AVAIL
  service-policy EDGE-MEX3-PXY
 class class-default
end-policy-map
and we get this:
Wed Sep 17 18:35:36.537 UTC
% Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
Wed Sep 17 18:35:49.662 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
!!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
end
Any kind of help is very appreciated.
That is correct, due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QOS class-matching based on ACL.
Unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
if you have some traffic that you want to exclude you could do something like this:
access-list PERMIT-ME
1 permit
2 permit
3 permit
access-list DENY-ME
!the exclude list
1 permit
2 permit
3 permit
policy-map X
class DENY-ME
<dont do anything> or set something rogue (like qos-group)
class PERMIT-ME
do here what you wanted to do as earlier.
Even though the permit and deny may be overlapping in terms of match,
only the first class is matched here, DENY-ME.
cheers!
xander -
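Xander's two-list workaround, as an added Python example that is not part of the thread: it flags the deny entries that caused the commit error above, rewrites the access-list into an exclude list and a match list (both permit-only), and renders the policy with the exclude class first. The ACL and class names other than PROXY-GIT-MEX are assumed placeholders.

```python
import re

# Constructed sample: the access-list from the rejected configuration above.
SAMPLE_ACL = """ipv4 access-list PROXY-GIT-MEX
 10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
 20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
 30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
 40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
 50 permit tcp host 150.2.1.100 any
 60 permit tcp host 10.15.221.100 any
"""
ACE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*\S)\s*$")

def parse_acl(text):
    """Return (name, [(seq, action, rest), ...]) for one IOS XR ipv4 access-list."""
    lines = text.strip().splitlines()
    name = lines[0].split()[-1]
    entries = [(int(m[1]), m[2], m[3]) for m in map(ACE_RE.match, lines[1:]) if m]
    return name, entries

def deny_aces(text):
    """Sequence numbers of deny entries: the ones the QoS commit rejects."""
    return [seq for seq, action, _ in parse_acl(text)[1] if action == "deny"]

def split_for_qos(text, exclude="EXCLUDE-ME", match="PERMIT-ME"):
    """Rewrite one ACL into two permit-only ACLs: every deny becomes a permit
    in the exclude list, the original permits stay in the match list."""
    entries = parse_acl(text)[1]
    ex = [f" {s} permit {r}" for s, a, r in entries if a == "deny"]
    mt = [f" {s} permit {r}" for s, a, r in entries if a == "permit"]
    return ("\n".join([f"ipv4 access-list {exclude}"] + ex),
            "\n".join([f"ipv4 access-list {match}"] + mt))

def render_policy(policy, exclude="EXCLUDE-ME", match="PERMIT-ME", rate="300 mbps"):
    """Class order matters (first match wins): the exclude class is listed first,
    so overlapping traffic is classified there and never reaches the policer."""
    return "\n".join([
        f"class-map match-any C_{exclude}", f" match access-group ipv4 {exclude}", "end-class-map",
        f"class-map match-any C_{match}", f" match access-group ipv4 {match}", "end-class-map",
        f"policy-map {policy}",
        f" class C_{exclude}",  # no action: excluded traffic stops here, unpoliced
        f" class C_{match}",
        f"  police rate {rate}",
        " class class-default",
        "end-policy-map",
    ])
```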
ACE load balancing servers on different subnets...
Hello,
I have the following issue.... need to load balance traffic between two servers already working in two different subnets (vlans), at this point is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE? routed or bridged mode? is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
Thanks in advance for your support.
Hi,
You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
The following extract from a configuration shows the basic principle:
rserver host master
ip address 10.199.95.2
inservice
rserver host slave
ip address 10.199.38.68
inservice
serverfarm host FARM-web2-Master
description Serverfarm Master
probe PROBE-web2
rserver master
inservice
serverfarm host FARM-web2-Slave
description Serverfarm Slave
probe PROBE-web2
rserver slave
inservice
class-map match-any L4VIPCLASS
2 match virtual-address 10.199.80.12 tcp eq www
3 match virtual-address 10.199.80.12 tcp eq https
policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
class REMOTE-ACCESS
permit
policy-map type loadbalance first-match LB-POLICY
class class-default
serverfarm FARM-web2-Master backup FARM-web2-Slave
policy-map multi-match L4POLICY
class L4VIPCLASS
loadbalance vip inservice
loadbalance policy LB-POLICY
loadbalance vip icmp-reply active
loadbalance vip advertise
nat dynamic 1 vlan 384
service-policy input L4POLICY
interface vlan 383
description ACE-web2-Clientside
ip address 10.199.80.13 255.255.255.248
alias 10.199.80.12 255.255.255.248
peer ip address 10.199.80.14 255.255.255.248
access-group input ACL-IN
access-group output PERMIT-ALL
no shutdown
interface vlan 384
description ACE-web2-Serverside
ip address 10.199.80.18 255.255.255.240
alias 10.199.80.17 255.255.255.240
peer ip address 10.199.80.19 255.255.255.240
access-group input PERMIT-ALL
access-group output PERMIT-ALL
nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
HTH
Cathy
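An added check, not from the thread or from Cisco, for the return-path requirement Cathy describes: it parses a trimmed copy of the context above and reports, per rserver, whether it sits on a connected ACE subnet or, if not, whether both a static route and source NAT are present so the ACE sees both sides of the conversation. The section and keyword handling is a simplification of ACE syntax and is an assumption.

```python
import ipaddress

# Constructed sample, trimmed from the ACE context in the answer above.
SAMPLE_CFG = """\
rserver host master
  ip address 10.199.95.2
rserver host slave
  ip address 10.199.38.68
policy-map multi-match L4POLICY
  class L4VIPCLASS
    nat dynamic 1 vlan 384
interface vlan 384
  ip address 10.199.80.18 255.255.255.240
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
"""

def parse_ace(cfg):
    """Collect rserver IPs, connected subnets, static routes and whether a VIP class does source NAT."""
    p = {"rservers": [], "subnets": [], "routes": [], "nat": False}
    section = None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in ("rserver", "interface"):
            section = t[0]  # 'ip address' means different things under each
        elif t[:2] == ["ip", "route"]:
            p["routes"].append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[:2] == ["ip", "address"] and section == "rserver":
            p["rservers"].append(ipaddress.ip_address(t[2]))
        elif t[:2] == ["ip", "address"] and section == "interface":
            p["subnets"].append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif t[:2] == ["nat", "dynamic"]:
            p["nat"] = True
    return p

def check_return_path(cfg):
    """Per rserver: 'connected' on an ACE subnet; otherwise needs a specific static route plus source NAT."""
    p = parse_ace(cfg)
    result = {}
    for ip in p["rservers"]:
        if any(ip in s for s in p["subnets"]):
            result[str(ip)] = "connected"
            continue
        routed = any(ip in n and n.prefixlen > 0 for n in p["routes"])  # default route does not count
        missing = [name for name, ok in (("static route", routed), ("source-NAT", p["nat"])) if not ok]
        result[str(ip)] = "ok" if not missing else "missing " + ", ".join(missing)
    return result
```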