ACE with cache engine "spoof" mode
If the Cache Engine uses spoof mode, how should the ACE be configured to support this mode? Is there any command to add to the ACE?
I am looking into this myself. Can the ACE work in this fashion:
Clients VLAN 10
Internet VLAN 20
Cache Servers VLAN 30
Traffic that comes in from clients on vlan 10, any of it that is tcp port 80, send to the cache on vlan 30. Traffic coming back from the internet, vlan 20, if it's tcp port 80, send to the cache on vlan 30.
It's basic layer 4 redirection. But when the traffic goes to the cache, the cache is not going to use its own IP to make the internet request, it's going to use the client's IP; this is why a map is needed on vlan 10 and vlan 20, to ensure traffic is pipelined through the ACE. Has anyone done this?
Similar Messages
-
ACE as cache engine for wccp redirection
Does anybody know if the ACE 4710 appliance supports WCCP acting as a web-cache engine? I am exhausting all possible options, and then some, for deploying a new application networking environment. I just returned from ACE training last week and found myself ramping up to deploy a new ACE.
I have pretty much exhausted my options for topology. We discussed several different designs in class and I don't like any of them. I have some serious problems with using the ACE as a default-gateway for servers. That option is out due to how other "non application" traffic is handled. Traffic such as RDP from IT support staff, patching from SMS servers, virus dat updates, vulnerability scanning... it all routes to the ACE which has to have static routes... then clients hitting the application VIPs have to be natted so the ACE does not use the static routes and reply directly... it all becomes a very big problem over time.
Second and third options are one-armed and direct server return... both not suitable for my requirements.
Now... that leaves me with an option we currently have deployed. That is to use a distribution route-switch (Catalyst 4500 Sup-IV) in the middle. The Cat uses PBR to return http traffic from the web servers back to the ACE. All other traffic follows normal routing table.
Ok... that works perfect... except PBR is not supported in the Sup-6 engine. Unbelievable... I know. This is a major fly in the ointment for this new deployment.
Now... there is another protocol that is often used for redirection... WCCP. If the ACE were a wccp web-cache, the router could be configured to redirect ingress http to the ACE. But... the ACE would have to act as a web-cache engine and register with the Cat as a home-router.
I am sure this option is not an option... but it would be nice. The ACE 4710 appliance has the general processor to do it but it would have to be implemented in software. I'm running A3(1.0) and I cannot find anything related to wccp. Nothing in the command-reference.
If there are any Cisco developers interested in adding some killer functionality... this would be it. Wccp can be done in layer-2 as well as layer-3. The Sup-6 supports layer-2 redirection. Since the ACE is generally layer-2 adjacent this would be rather easy to implement. Anyway... food for thought.
I just would like to mention that you could have ACE in bridge mode inserted between your servers and the gateway (4500).
All traffic will go through ACE but no need for NATing and no static routes (just one default route pointing to the 4500).
The only problems would be if you exceed the BW of the 4710 with all your traffic.
Regarding the WCCP support for the 4710 this is not currently in our roadmap.
Ask your cisco account team to introduce the request.
Thanks,
Gilles. -
Streaming WMT (netshow) through PIX with Cache Engine
Hello:
I am trying to stream WMT from a pre-loaded Cache engine through a PIX firewall. I would like to use UDP for the streaming, but when I start the streaming TCP is selected by default. Forcing UDP within Windows causes an error. The PIX doesn't allow the UDP traffic through since it didn't originate from the inside. Outside the firewall UDP only works if I force it. TCP is the default. First, is UDP the best way to do this or is TCP ok since it is coming from the Cache engine? Second, how can I change the Cache engine setup to default to UDP or is this not possible?
Thank you,
Hampton Saussy
Midlands Technical College
We had a similar issue. If the firewall is not configured to accept TCP ports, then the streaming video server will perform HTTP cloaking, i.e. instead of using the TCP ports it will use HTTP port 80 to get through the firewall, then the server sends the streaming video data via UDP. If UDP cannot pass through the firewall, the client requests delivery via TCP. The fixup rtsp command lets PIX Firewall pass RTSP (Real Time Streaming Protocol) packets. This command does not fix RTSP UDP connections. So I guess using TCP is a better option.
-
Cache engine IP spoofing with CSS ?
i would like to use css and cache engine in a spoofed ip source design to preserve identity of requestor.
WCCP appears to be able to do this but not L4+ switching with CSS.
Does anyone know of a way of doing this either as a transparent cache or proxy cache ?
thanks in advance
Alan, we discussed this by email in the case you opened.
The command 'wccp spoof-client-ip enable' does work on the CE even
if you are not using WCCP.
On the CSS, just make a config similar to the one for one-armed transparent SCA config.
Tested in the lab and it works.
Gilles. -
How to Configure Transparent caching on Cat 6500 with CSM in routed mode
I am trying to configure Transparent caching on Cat 6500 with CSM in routed mode, but facing some problems with it. I have also gone through the example config on the Cisco site for transparent caching using CSM on Cat 6500, but it does not fit my client's requirement.
The scenario is like
Access Switches - Cat6500 with MSFC & CSM - Internet Router
|
Cache Engines and Real servers
The clients as well as real servers are on separate VLANs (L3) and the requirement is to load balance the internet traffic using cache engines.
I'd really appreciate any helpful suggestions or any useful links/docs/info on this.
Thanks
kumar
Hello Joerg,
Thanks for the reply.
I have already gone thru the sample config shown by this weblink, however this link refers to configuring transparent caching on the CSM in BRIDGED MODE ( i.e both the client and server vlans are having the same IP address ) but in our case , we have multiple L3 VLANS on the CAT6509 having IP addresses in different SUBNETS , and the Real servers to be used for caching also exist on one of these VLANS. Thus, the scenario described by the Weblink does not apply here. Also , in the configuration referred by the above weblink, the VLAN 100 is configured as client , however the endusers are shown to be on vlan200 which is configured as SERVER VLAN in the CSM.
Don't you think there is something wrong here? I mean the endusers should be on VLAN 100 (Client) and real servers on VLAN 200 (SERVER).
So, I have to configure CSM in routed mode (i.e. both the client and server vlans will have separate IP addresses in different subnets) and the endusers will be on all VLANS.
Pls let me know , how I can implement this solution.
Thanks again
Sudhir -
How to Configure Transparent caching on Cat 6500 with CSM in bridge mode?
hi.
I found How to Configure Transparent caching on Cat 6500 with CSM in routed mode.
But,
I need help How to Configure Transparent caching on Cat 6500 with CSM in bridge mode?
Please let me know sample configuration.
thanks.
Hi,
I wrote the document you mentioned and I also wrote the one below.
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a00802c1201.shtml
The one with the SSLM is a bridge mode config.
If you replace the SSLM with a cache [or a farm of caches] it would be a similar config.
Replace the SSL21 vserver with an HTTP vserver [most important is to keep the vlan configured on each vserver]
Regards,
Gilles. -
Does the Cisco Cache Engine Work with the Cisco Local Director ?
I need to know if it is possible and how to use cisco local director to redirect traffic to the cache engine in reverse proxy configuration and transparent proxy configuration.
In directed mode, the client browsers are configured to point to a proxy to a virtual IP address on the Local Director. I know the Local Director does not support a real server that does not have a virtual address defined so it can't transparently forward like the CSS.
-
Cache Engine with a private address
Can I configure my CE590 with a private address ( for ex. 172.16.1.1 )
Should I translate this private address to a public address ?
The sample configuration in the below URL comment :
!---Important: If you configure the Cache Engine
!---with a private address, it must get
!---translated to a public address.
http://www.cisco.com/warp/customer/117/cache_engine/transparentconfig.htm
please advise me
Thanks
Mohamed Abdallah
Should I configure a static NAT on the router for the CE ip address
OR use the PTR record in my DNS for the CE ip add. for the DNS reverse lookup ??
Answer: In any event, you will need a PTR record configured in your DNS network for the CE ip address. This must be a public record so that the internet sites can do a reverse lookup. Best case scenario for security is to configure static nat on the router with a public ip address that resolves to the internal private ip address of the CE
What if I give the CE a public IP address ? Do I need PTR record in my DNS for the CE ip address?
Answer: You can certainly do that and it does make things a bit easier. For security though, I recommend going with the private ip with nat upstream.
Regards
Pete.. -
Problems with transaction-logs on cache engines
Good Day All,
I have a Cache Engine 550 here and the transaction log working.log file got quite large.
I was not able to export it to my ftp server so I logged into the Cache engine via ftp and downloaded the file to a PC.
I then deleted the working.log file on the Cache Engine and rebooted the cache engine.
The working.log file was not re-created as I had hoped it might be.
I have created a file called working.log in the correct directory. This file does not seem to get updated though so this must not be right either.
Any suggestions?
regards,
amanda
Hi Zach,
Thank you so much for writing back. I am running an archaic version of the software... i can check tomorrow. As to the logging.... i had not enabled transaction-logging in itself so it was a silly config error ...
:) amanda -
How to Integrate 500 Series Cache Engine with WS-C3550-48-EMI
We are having a Catalyst 3550 L3 Switch, which is being used to provide Internet service. Now we want to integrate a 500 Series Cache Engine so that outbound http traffic is cached.
The Cat 3550-48-EMI switch is not supporting " ip wccp web-cache redirect out" command, instead it's supporting " ip wccp web-cache redirect in" command. So for outbound traffic no caching is happening. How this can be achieved?
Regards,
Malay.
in and out means catch traffic when it comes in or when it goes out respectively.
So you can configure the 'out' on the Internet facing interface to catch the request before it goes out to the Internet.
But you can also configure the 'in' on the client interface to catch the request when it comes into the router.
The 'in' gives much better performance because you catch the request before doing a route lookup.
The only disadvantage is that if you have many client vlans, you need to configure this 'in' command for each one of them.
Regards,
Gilles. -
Cache engine overloads, how to.....
I've a Cisco cache engine 505 attached to a Cisco 2611 router. Now whenever I reload my cache engine it performs its job for 5 minutes; after that it overloads and cannot perform its job, and the cache engine changes its state to bypass mode.
What could be the factors that causes this problem?
How can i avoid this problem.
this could be memory issue? if yes then which memory.hardisk or RAM or else?
pls reply me as soon as possible.
The ICAP daemon on the Content Engine continues to send updates (from the HTTP response) to the ICAP server, and it overloads the cache engine
-
Issues with J2EE engine memory settings.
Hi SDN!
I've got Web AS server 7.0 (Java only) on laptop for development use. Laptop has 2 GB RAM and 1,83GHz Core 2 Duo CPU
I have several issues with Java Engine.
1)J2ee instance Settings.
For Instance:
- "Message server & bootstrap" node
- max heap size: 256
- "Servers general" node
- max heap: 1024
-Xmx1024m
-Xms1024m
-XX:PermSize=256m
-XX:MaxPermSize=256m
For Dispatcher:
- "General" node:
- max heap size: 170
-Xms170m
-XX:NewSize=57m
-XX:MaxNewSize=57m
- "Bootstrap" node:
- max heap: 256
For Server:
- "General" node:
- max heap size: 1024
-XX:MaxPermSize=256M
-XX:PermSize=256M
-Xmx1024m
-Xms1024m
-XX:NewSize=171M
-XX:MaxNewSize=171M
- "Bootstrap" node:
- max heap size: 256
When I turn debug mode on for server via config tool, I've got 503 error and message "SAP WebAS Engine is starting... Message: Dispatcher running but no
server connected!" but in SAP mmc server instance looked like started (green color).
Windows Taskmanager shows me that 2GB total memory and near 600 MB of memory free.
Also I'm confusing about these nodes ("general", "bootstrap") with similar parameters and don't know which parameters I should set up according to note
723909.
2) I need to modify Java applications, build, deploy to local server and debug it there. Also may be ABAP debug will be used. Please give me information
about optimised engine (and, if needed, NWDS) settings for these tasks.
Help will be appreciated.
Regards, Lev
In general terms, the bootstrap process is what is used as java is starting up and pulling objects into memory. The heap used for the bootstrap process (I believe) is returned to the system after startup.
The server process is where the Java application server applications are so it will require the most heap.
Does that help? -
Question about connection between cache engine and cat6k
Dear sir,
Here is the problem description, please give me some help, thank you so much:
Catalyst 6509 is enabled for wccp v2. CE 7320 also has wccp v2 enabled. Wccp service 91 is configured on the 6509. Service-number 91 and port-list 1 (with port number 8080) are also configured on the CE 7320. Wccp communicates well for service number 91.
but browsing web page with port number 8080 gets always failed.
1.6509 wccp configuration:
ip wccp web-cache redirect-list 30
ip wccp 91
interface Vlan10
ip address 211.162.224.2 255.255.255.240
ip wccp web-cache redirect out
ip wccp 91 redirect out
2.ce7320 wccp configuration:
wccp router-list 1 211.161.1.49
wccp port-list 1 8080
wccp web-cache router-list-num 1
wccp service-number 91 router-list-num 1 port-list-num 1 application cache
wccp version 2
3.show info. from 6509 and ce 7320:
gwbn7320#sh wccp content-engines
Content Engine List for Service: Web Cache
IP address = 211.161.1.50
Routers seeing this Content Engine(1)
211.162.224.2
Content Engine List for Service: WCCPv2 Service 91
IP address = 211.161.1.50
Routers seeing this Content Engine(1)
211.162.224.2
gwbn7320#sh statistics http savings
Statistics - Savings
Requests Bytes
Total: 90685 460066803
Hits: 936 162710
Miss: 89749 459904093
Savings: 1.0 % 0.0 %
6509-left#sh ip wccp
Global WCCP information:
Router information:
Router Identifier: 211.162.224.2
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 2525
Redirect access-list: 30
Total Packets Denied Redirect: 0
Total Packets Unassigned: 146
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Service Identifier: 91
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Group access-list: -none-
Total Messages Denied to Group: 0
Total Authentication failures: 0
Regards,
Sha
Gilles,
Thank you!
Here is the result:
6509-left#sh ip wccp 91 detail
WCCP Cache-Engine information:
IP Address: 211.161.1.50
Protocol Version: 2.0
State: Usable
Redirection: GRE
Initial Hash Info: 00000000000000000000000000000000
00000000000000000000000000000000
Assigned Hash Info: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 180
Connect Time: 00:07:06
Regards,
Sha -
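Added example, not part of the original posts: a small Python check over the "sh ip wccp" counters posted in this thread, flagging a service that has a cache engine registered but no redirected packets, which is what service 91 shows in the first output. The function names are hypothetical, and reading the 64 hex digits of "Assigned Hash Info" as a bitmap of 256 hash buckets is an assumption, consistent with the posted "Hash Allotment: 256 (100.00%)" line.

```python
# Constructed input: abridged from the "sh ip wccp" output posted in the thread.
SAMPLE = """\
Global WCCP information:
Router information:
Router Identifier: 211.162.224.2
Protocol Version: 2.0
Service Identifier: web-cache
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 2525
Redirect access-list: 30
Total Packets Denied Redirect: 0
Total Packets Unassigned: 146
Total Authentication failures: 0
Service Identifier: 91
Number of Cache Engines: 1
Number of routers: 1
Total Packets Redirected: 0
Redirect access-list: -none-
Total Packets Denied Redirect: 0
Total Packets Unassigned: 0
Total Authentication failures: 0
"""

# Counters that deserve a look whenever they are non-zero.
WATCHED = ("Total Packets Unassigned",
           "Total Packets Denied Redirect",
           "Total Authentication failures")


def parse_services(text):
    """Split 'show ip wccp' text into {service id: {counter name: value}}."""
    services, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Service Identifier":
            current = services.setdefault(value, {})
        elif current is not None:  # lines before the first service are skipped
            current[key] = int(value) if value.isdigit() else value
    return services


def findings(services):
    """Return (service, message) pairs for counters worth a closer look."""
    out = []
    for sid, fields in services.items():
        if fields.get("Number of Cache Engines", 0) == 0:
            out.append((sid, "no cache engine registered"))
        elif fields.get("Total Packets Redirected", 0) == 0:
            out.append((sid, "cache engine registered but no packets redirected"))
        for counter in WATCHED:
            value = fields.get(counter)
            if isinstance(value, int) and value > 0:
                out.append((sid, f"{counter}: {value}"))
    return out


def hash_allotment(hex_info):
    """Count the buckets set in a 256-bit 'Assigned Hash Info' bitmap (assumed layout)."""
    bits = bin(int("".join(hex_info.split()), 16)).count("1")
    return bits, round(100.0 * bits / 256, 2)


if __name__ == "__main__":
    for sid, msg in findings(parse_services(SAMPLE)):
        print(f"service {sid}: {msg}")
    print(hash_allotment("F" * 32 + "\n" + "F" * 32))
```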
Load-balancing of transparent cache + IP spoofing + RTSP + MMS not working
We have already in production an architecture with load-balancing of
transparent cache + ip spoofing.
We are unable to do the same for streaming flows (MMS and RTSP).
We are doing PBR from our core network (2 * C6K) to redirect port 80, 554 and
1755 toward CSS boxes, same in our access router (2* Cisco7200).
In this config desired flows are redirected toward the CSS.
Then CSS should load balance the traffic toward our BlueCoat proxy-cache farm.
It's working fine for HTTP but we are unable to make it works for MMS and
RTSP.
Note that we are required to use ECMP to perform IP Spoofing on the CSS, meaning we need 4 routes for each client subnet (one route toward upstream C6K, and 3 routes for each proxy cache). We use acl to get rid of looping condition.
Anyone who has already put in place Load-balancing of Streaming transparent cache + IP spoofing could give us some hint.
Many thanks.
Regards,
Pierre Viennet
Gilles, thanks for your input.
Here is where we are at with the streaming implementation:
- HTTP on all types of client is working
- RTSP: TCP 554 with Real Media client is working
- RTSP: TCP 554 with WMP not working, but it's due to a bug in the Bluecoat implementation: the proxy sends an error when it sees a request with ( User-Agent: WMPlayer ) for RTSP content.
- MMS: TCP 1755 not working with IP spoofing enable on the proxy but OK without IP spoofing...
- UDP 554: not working
- UDP 1755: not working
I fully understand the limitation for UDP traffic.
But I don't see why it's not working for MMS over TCP traffic.
Note that I have the exact same configuration for RTSP and MMS.
Why is it not working for MMS with IP spoofing? Are you aware of a difference on the way CSS handle MMS flows? or a specificity of the MMS protocol?
Below is what we can see on the different equipment when trying to launch a MMS over TCP Stream:
c6k-Faaa#sh mls ip source 195.83.182.72
Displaying Netflow entries in Supervisor Earl
DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
Pkts Bytes Age LastSeen Attributes
202.3.225.5 195.83.182.72 tcp :1755 :1504 0 : 0
3 124 17 18:58:12 L3 - Dynamic
202.3.225.5 195.83.182.72 tcp :1755 :1527 0 : 0
2 84 3 18:58:20 L3 - Dynamic
202.3.225.5 195.83.182.72 tcp :554 :1503 0 : 0
4 360 17 18:58:06 L3 - Dynamic
c6k-Faaa#
CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
2/3 2/1
202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
2/7 2/3
CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
2/3 2/1
202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
2/7 2/3
CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
2/3 2/1
202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
2/7 2/3
CSS11503_CORE1#
TCP 192.168.4.19:1491 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1492 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1493 195.83.182.72:1755 TIME_WAIT
TCP 192.168.4.19:1502 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1503 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1504 195.83.182.72:1755 TIME_WAIT
TCP 192.168.4.19:1525 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1526 195.83.182.72:554 TIME_WAIT
TCP 192.168.4.19:1527 195.83.182.72:1755 TIME_WAIT
Many Thanks for your input.
Pierre Viennet. -
Getting following error while we starting up cache engine
Hi,
We always get the following error when we try to restart our 4th cache engine, i.e. the 4th coherence node. We have a cluster of WKA type with 6 members in it. The first 3 members start normally without any issues, but the 4th one always ends up with the following issue. Even if we change the starting order of the coherence nodes, the first 3 go fine; from the 4th onwards, we get the following problem.
2012-10-25 16:27:25.746/113.283 Oracle Coherence EE 3.4.2/411p1 <Error> (thread=DistributedCache, member=4): validatePolls: This service timed-out due to unanswered handshake request. Manual intervention is required to stop the members that have not responded to this Poll
PollId=1, active
InitTimeMillis=1351178785142
Service=DistributedCache (4)
RespondedMemberSet=[]
LeftMemberSet=[]
RemainingMemberSet=[1,2,3]
what should we check for? Any help is greatly appreciated.
Regards,
chakradhar
Hi,
This was a problem in earlier releases of Coherence and you can try to configure the <thread-pool> for your Distributed Cache and see if the problem goes away. Here is a note from Oracle support that talks more about this problem: https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=845363.1
HTH
Cheers,
_NJ