ACLs on ACE Appliance
Hi,
In the ACE Appliance management remote access examples there is an ACL which has "permit ip any any" but in my test configurations it works fine without this. For example, icmp is controlled by whether or not there is a matching class-map entry in the management class and this works whether the ACL is present or not.
What's the purpose of the "permit ip any any" ACL?
thanks,
Andrew.
I think there is a difference between traffic to the interface and traffic over the interface.
You can have a working management policy for ssh access and ICMP to the interface but to make sure traffic flows from the client side to the server side you need to allow it.
So that is where the permit ip any any access-list is necessary to make sure traffic flows through the ACE. IIRC there will be no traffic flowing through the appliance if you don't have the permit ip any any access-list on the corresponding interfaces.
The closest thing to this might be on a PIX or ASA. You have the ICMP traffic through the interface controlled by the ACL statements and ICMP traffic towards the interface controlled by the ICMP statement itself.
I hope that explains it, if I didn't get you wrong.
If I am writing total BS I'll probably get corrected soon. :)
Roble
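The split Roble describes, as an added configuration example that is not from the original thread: the management class-map decides traffic addressed to the ACE interface itself, while the ACL bound with access-group decides traffic crossing the ACE. The VLAN number, addresses, object names and the VIP 10.0.100.50 are assumed for illustration.

```cisco
! Added example, not from the thread. Names, VLAN and addresses are assumed.

! (a) Traffic TO the ACE interface address (ssh, ping to 10.0.100.10) is decided
!     only by the management policy; the interface ACL is not consulted for it.
class-map type management match-any REMOTE-MGMT
  2 match protocol ssh source-address 10.0.50.0 255.255.255.0
  3 match protocol icmp any

policy-map type management first-match REMOTE-MGMT-POLICY
  class REMOTE-MGMT
    permit

! (b) Traffic THROUGH the ACE (client side to server side) is decided by the ACL
!     bound with access-group; with no access-group the implicit deny drops it.
!     The coarse form used in the remote-access examples:
access-list ANY line 10 extended permit ip any any

!     A tighter alternative that only lets clients reach the published VIP
!     (VIP 10.0.100.50 is assumed; the icmp line is only useful together with
!     "loadbalance vip icmp-reply active" on the VIP class):
access-list VIP-ONLY line 10 extended permit tcp any host 10.0.100.50 eq www
access-list VIP-ONLY line 20 extended permit tcp any host 10.0.100.50 eq https
access-list VIP-ONLY line 30 extended permit icmp any host 10.0.100.50

interface vlan 100
  ip address 10.0.100.10 255.255.255.0
  access-group input VIP-ONLY
  service-policy input REMOTE-MGMT-POLICY
  no shutdown
```

Remove the access-group line and ssh and ping to 10.0.100.10 keep working while client connections to the VIP stop, which is the behaviour Andrew observed in his tests. The load-balancing policy still needs its own service-policy input line on the same interface; an interface can carry both, as in the bridge-mode configuration further down this page. Prefer the VIP-ONLY form in production: permit ip any any turns the ACE into an open L3 path between its client and server VLANs.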
Similar Messages
-
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple of years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
Hi,
Since the ACS is receiving the request.
Could you please ensure that in ACE on every context (including Admin and others) you have the following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
On ACS side for group named "Network Administrators" you should configure in TACACS setting:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following:
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
Logging user commands in Cisco ACE appliance
Good afternoon gentlemen
I need to configure the same as shown below in Cisco ACE Appliance. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
#IOS commands
no logging console
logging buffered 307200 informational
service timestamps log datetime localtime show-timezone
logging trap debugging
login on-failure log
login on-success log
archive
log config
logging enable
logging size 500
hidekeys
notify syslog contenttype plaintext
If you guys have an idea please answer
Regards
Christian
Hello Arun,
we saw before the message you report, it's probably a symptom of:
CSCtx03563
or
CSCue38032
I would suggest opening a TAC case to get this properly investigated.
Kind Regards,
Francesco -
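As an added example, not part of the thread, of how the IOS snippet in Christian's question maps onto the ACE's own logging and AAA commands. The syslog server 10.0.60.5, the TACACS+ server 10.0.60.10 and the group name tac_admin are assumptions. ACE has no archive command, so the per-command record comes from TACACS+ accounting instead.

```cisco
! Added example, not from the thread. Syslog server 10.0.60.5, TACACS+ server
! 10.0.60.10 and group tac_admin are assumed.

! IOS "logging buffered / logging trap / service timestamps":
logging enable
logging timestamp
logging buffered 6
logging trap 6
logging host 10.0.60.5 udp/514 format emblem
! IOS "no logging console": keep the console quiet except for errors
logging console 3

! IOS "login on-success/on-failure" and "archive / log config":
! ACE has no archive command; AAA accounting sent to the TACACS+ server records
! each user's session and the commands issued in it, so the ACS holds the audit trail.
tacacs-server host 10.0.60.10 key 7 "xxxx"
aaa group server tacacs+ tac_admin
  server 10.0.60.10
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
```

Configure the logging and accounting lines in every context, not only Admin, otherwise changes made inside a user context leave no trace; and send syslog over a management VLAN that the ACL in the load-balancing contexts does not expose to clients.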
Cisco ACE Appliance showing error while boot
Hello Everyone,
I intend to configure two ACE appliances in one-arm mode. After configuring them I have tried to test their functionality.
Below are the queries which I am having now.
>Post reboot of the appliance it popped up with the error below, please clarify.
Starting sysmgr processes.. Please wait...tg3: tg3_reset_hw timed out for eth1, firmware will not restart magic=4b657654
tg3: tg3_reset_hw timed out for eth1, firmware will not restart magic=4b657654
Done!!!
> Please confirm whether SNAT is compulsory for a one-arm mode setup, as our requirement is to load balance only the requests from the clients;
the reply from the server should go back to the client directly.
> How can I achieve the HA config without a dedicated port, as I have configured a port channel for all 4 ports? I am not interested in providing a separate port for HA.
Thanks in advance
Hi,
> Please confirm whether SNAT is compulsory for a one-arm mode setup, as our requirement is to load balance only the requests from the clients;
the reply from the server should go back to the client directly.
**Most of the time SNAT is required, but it is not a must. For example, you can have the servers connected to a L2 switch, using the ACE as the default gateway, and you probably don't need SNAT.
The important thing is to have the response of the server going back to the ACE, with or without NAT.
> How can I achieve the HA config without a dedicated port, as I have configured a port channel for all 4 ports? I am not interested in providing a separate port for HA.
***Configure the ft-port vlan command on the port-channel. Remember that the FT VLAN should be L2, with no L3 devices in between the ACEs.
Cesar R
ANS Team -
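The one-arm setup with source NAT and the FT VLAN carried on the port-channel that Cesar describes, as an added configuration example that is not from the thread. Addresses, names, VLAN IDs, the router 10.0.100.1 and the port-channel number are assumptions.

```cisco
! Added example, not from the thread. Addresses, names, VLAN IDs and the
! port-channel number are assumed.

! Servers sit on the same VLAN 100 as the ACE; their default gateway (10.0.100.1)
! is the router, not the ACE, so replies would bypass the ACE without SNAT.
rserver host WEB1
  ip address 10.0.100.21
  inservice
rserver host WEB2
  ip address 10.0.100.22
  inservice

serverfarm host SF-WEB
  rserver WEB1
    inservice
  rserver WEB2
    inservice

class-map match-all VIP-WEB
  2 match virtual-address 10.0.100.50 tcp eq www

policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB

policy-map multi-match ONE-ARM
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB
    loadbalance vip icmp-reply active
    ! source NAT to pool 1: servers see 10.0.100.200 and answer to the ACE
    nat dynamic 1 vlan 100

access-list ANY line 10 extended permit ip any any

interface vlan 100
  ip address 10.0.100.10 255.255.255.0
  nat-pool 1 10.0.100.200 10.0.100.200 netmask 255.255.255.255 pat
  access-group input ANY
  service-policy input ONE-ARM
  no shutdown

! route back to the clients via the router on VLAN 100
ip route 0.0.0.0 0.0.0.0 10.0.100.1

! FT without a dedicated port: designate the FT VLAN on the existing port-channel.
! The switch trunk must carry VLAN 999 as plain L2 between the two ACEs.
interface port-channel 1
  switchport trunk allowed vlan 100
  ft-port vlan 999
  no shutdown

ft interface vlan 999
  ip address 192.168.99.1 255.255.255.0
  peer ip address 192.168.99.2 255.255.255.0
  no shutdown

ft peer 1
  ft-interface vlan 999
ft group 1
  peer 1
  priority 150
  peer priority 50
  associate-context Admin
  inservice
```

With PAT the servers log 10.0.100.200 for every client, so if the application needs the real source address have the ACE insert it as an HTTP header (insert-http X-Forwarded-For header-value "%is" under the load-balance class) and make sure the servers only trust that header from the ACE's NAT address. Sharing the data port-channel with FT also means a flood on VLAN 100 can delay heartbeats; watch for unintended failovers under load.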
How to monitor memory on Cisco ACE Appliance 4710?
I'm trying to monitor the memory usage on Cisco ACE Appliance 4710 load balancers with version A3(2.2), but the OIDs cpmCPUMemoryUsed (.1.3.6.1.4.1.9.9.109.1.1.1.1.12) and cpmCPUMemoryFree (.1.3.6.1.4.1.9.9.109.1.1.1.1.13) do not work.
What is the right OID to monitor memory usage on Cisco ACE 4710 Appliance load balancers?
Hi,
You need to use CISCO-ENHANCED-SLB-MIB .
cpmProcExtMemAllocatedRev .1.3.6.1.4.1.9.9.109.1.2.3.1.1 (this gives the memory allocated to each process)
You can also read up on the mib
Hope this helps
Venky -
Ace appliance connectivity design
We have a 4710 appliance and want to use it for LB.
Following is the current setup:
firewall,2950 switch, servers
firewall inside interface is connected to 2950 switch in vlan 100
all servers are connected to the same switch in vlan 100. firewall is the default gateway
we want to connect the ACE appliance into this setup. We don't want to use the appliance in routing mode because of the default gateway change for servers.
How do we get the ACE appliance to work in this setup in bridge mode?
I am aware there will be 2 VLANs created within the ACE. In this case one VLAN will be 100 and say the second is 200.
VLAN 100 will be facing the firewall and 200 will be facing the servers.
Does that mean all switch ports configured for the server VLAN should be changed from 100 to 200,
then connect one interface of the ACE in VLAN 100 and the other in 200?
How will the traffic from the servers then reach the default gateway?
There is no inter-VLAN routing there.
The servers should be in vlan 200 and the FW in vlan 100.
These are your switch port settings.
On the appliance you bridge vlan 200 and vlan 100 using a bvi interface.
Like this, for the FW and the servers, vlan 200 and vlan 100 are the same.
Here is bridge config.
interface vlan 30
bridge-group 30
no normalization
access-group input ANY
nat-pool 1 172.16.1.1 172.16.1.1 netmask 255.255.255.255 pat
nat-pool 2 10.51.0.77 10.51.0.77 netmask 255.255.255.255 pat
service-policy input PERMIT-ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 330
bridge-group 30
no normalization
access-group input ANY
nat-pool 1 172.16.1.1 172.16.1.1 netmask 255.255.255.255 pat
nat-pool 2 10.51.0.77 10.51.0.77 netmask 255.255.255.255 pat
service-policy input PERMIT-ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface bvi 30
ip address 192.168.30.10 255.255.255.0
peer ip address 192.168.30.11 255.255.255.0
no shutdown -
Cisco ACE Appliance Redundant configuration
How cisco ACE appliance changes its Ip address and MAC address after failover???
Hi Birendra,
Could you please elaborate more on your question?
FT MACs depend upon the FT group that you have configured and they remain the same. They will not change after failover.
Here's a document at the link which explains in details about different MAC addresses in ACE:
https://supportforums.cisco.com/docs/DOC-8723
Let me know if you have any questions.
Regards,
Kanwal -
Hello,
What is the difference between ACE Module and ACE Appliance? why the ACE Module is better? or ACE Appliance, what is the advantage between Module and Appliance.
Can anyone explain it to me?
Best Regards
In the past Cisco has been shipping two lines of load-balancing products.
The first line (modules dedicated for the 6500/7600 chassis) includes CSM, CSM-S and SSLSM (for SSL offloading).
The other line comprises the appliance-based CSS series products.
ACE module is a next generation module replacing CSM modules that fits into 6500/7600 chassis.
It gives you up to 16Gbps throughput (versus CSM's 4Gbps throughput).
ACE appliance is a next gen replacement of CSS line of appliance based products.
CSS appliances used to come in different hardware models with varied
performance capacities. ACE appliance is a single hardware with various licenses
used to scale the performance/features. ACE appliance supports up to 4Gbps of throughput.
Previously the CSS & CSM terminology & command sets were different. For example a real server
was termed as "service" in CSS & was called "real" in CSM . Similarly "probe" in CSM was "keepalive"
in CSS.
With ACE line of products you get the same terminologies & command sets for both
modules & Appliances.
ACE Appliance & ACE modules are functionality-wise coming closer with every new release but
still there are some differences.
For example following ACE appliance features are not available in ACE module:
Application optimization (flash forward, Delta Encoding)
Embedded Device manager
Http compression
Which one is better than the other really depends on your requirement
From a performance perspective the Module gives you much higher performance than the Appliance.
So if performance is your criteria the ACE module is better than the ACE appliance. (Some performance metrics at the end of the post.)
If you are looking for Application optimization & HTTP compression along with Loadbalancing
then it can only be achieved with ACE appliance.
If you are not using 6500/7600 series chassis in your environment then you can only use ACE appliance
(unless you are open to buy module+chassis due to performance requirement).
Some performance metrics
Ace Appliance supports 1 Million concurrent connections whereas Ace Module supports 4 Million.
Ace Appliance supports 120K L4 conn/sec whereas Ace Module supports 380K L4 conn/sec.
Ace Appliance supports 40K L7 conn/sec whereas Ace Module supports 133K L7 conn/sec.
Ace Appliance supports up to 4Gbps throughput whereas Ace Module supports 16Gbps throughput.
HTH
Syed Iftekhar Ahmed -
Good Day,
I have an ACE appliance, but I do not have a license for ACE XML GATEWAY. I want to balance XML traffic, and I want to accelerate this traffic; is it possible without the GATEWAY XML license? If the answer is no .... can I balance XML traffic with a CSS 11501?
Hi,
The cisco ACE XML Gateway is not a license for the ace appliance but a different box see this video: http://www.cisco.com/cdc_content_elements/flash/dataCenter/acexml/index.html
And yes, you can load balance XML with the ACE appliance as you could with the CSS, and yes, the ACE appliance will accelerate traffic.
But the ACE XML GATEWAY will be better in security & acceleration.
Dimitri -
Hi,
Can someone explain how are SSL Transactions per second calculated on CSS and ACE?
We need to select the appropriate SSL license needed for a future ACE appliance, which is defined in terms of TPS.
We also currently have CSS device with SSL module. Is there any way to find current SSL TPS info on a CSS device?
Thank you and regards,
Jasmina
What is the method used to calculate the SSL TPS requirement?
example,
Current: Peak SSL Transactions 6,000
If I expect a peak concurrent connection of 200,000 what would be the methodology for calculating SSL TPS needs. (Some sample calculation steps would be appreciated.)
Can I interpret the licensing as follows,
SSL TPS: SSL Transactions per second: Number of NEW transactions that can be setup by ACE per second. (Does this mean established SSL transactions are not counted by the license, though each of the packets in established transactions require SSL termination!)
Thanks
Sri -
Cisco ACE Issue accessing SAP applications through ACE appliance
Hi,
I have a website whose VIP resides on my ACE appliance. That site has many links on it which are SAP applications.
For one link, when I click it the first time, the user is asked for authentication, which is not actually required, and gets a blank page.
When I click back (go to main site again) and again click the same link, it opens normally without any authentication prompt.
Rest all links on the site have no issues and open normally.
I had same issue with acceptance for same application and below parameter map resolved the issue
parameter-map type http case_param
case-insensitive
persistence-rebalance
set header-maxparse-length 65535
set content-maxparse-length 65535
length-exceed continue
I tried using the same parameter map with persistence rebalance disabled but still it does not work.
What could be the issue in this case?
Hi,
SAP has a front end server to which ACE is sending traffic destined to a particular VIP. The front end server then communicates with the backend server for all data related to all applications. When the client is using different applications, the URL in the browser remains the same. All applications are working fine except this single application.
The same setup is working fine with Cisco CSS and even acceptance is working fine for the same set of applications.
I am getting bad TCP checksum messages in the capture output.
10.38.199.196 is the client IP, 10.36.64.40 is the VIP, 10.36.64.86 is the NAT IP and 10.36.32.55 is the front end server which is the user interface to various applications. -
Difference between ACE module and ACE appliance
Hi All,
Can someone help me understand the difference between the ACE module and the ACE appliance? I am observing that the ACE module is providing more throughput compared to the ACE appliance. Is the only advantage we get with contexts ....
thanks in advance,
Narayana Mallidi
Hi Narayan,
Apart from providing throughput, the ACE module has more to offer,
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_ACE_Resource_Limits
The above link will provide a comparison of the ACE module and ACE appliance in terms of scalability. Apart from that, legacy modules won't support compression, but the ACE 30 module can support compression.
The major advantage of the ACE 30 module is with respect to SSL throughput, SSL TPS, L4 & L7 CPS, & concurrent connections per second, apart from the increased contexts.
ACE 4710 Data Sheet :
http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/Data_Sheet_Cisco_ACE_4710.html
ACE20 Data Sheet
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/product_data_sheet0900aecd8045861b.html
ACE 30 Data Sheet
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/data_sheet_c78_632383.html
Regards
Abijith -
Tacacs authentication with ACE appliance not working
Hi All,
I'm having trouble with a Cisco ACE 4710 appliance using tacacs to authenticate ssh/telnet remote users. Following the CCO documentation we have configured the backend tacacs server (Cisco Secure ACS) and setup the ACE with the required configuration.
tacacs-server key 7 "letmein"
tacacs-server host 192.168.1.1 timeout 5
aaa group server tacacs+ ACStac
server 192.168.1.1
aaa authentication login default group ACStac local
So far no luck in successfully authenticating any users. I can see in the log on the ACS a key mismatch error, however I have 100% verified the keys are identical; I'm thinking this may be a bug?
Furthermore, when I paste in the tacacs-server key it gets converted to type 7 in the running configuration even though I use the no-encryption option. Anyone have any ideas? The ACE is running version A3(2.3).
Thanks in advance
Hi Matt,
Please remove the shared secret of the NDG and test.
Regards,
Anisha
P.S.: please rate this post if you feel your query is answered -
Cisco ACE appliance backend Requests
Hi,
I have a question about the Cisco ACE 4700x appliances.
I hope that someone can help me out with the next question please, which is:
Does the appliance support backend server selection based on URL, hostnames or IP?
If yes, where can I find more details about it?
Thank you
Here it is.
class-map type http loadbalance match-all DOMAIN-ONLY-CM
  2 match http header Host header-value "xxx[.]domain[.]com"
class-map type http loadbalance match-all DOMAIN-AND-PATH-CM
  2 match http header Host header-value "www[.]domain[.]com"
  3 match http url /very-long-path/.*
-
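An added example, not part of the answer above, showing how those two class maps select different server farms inside a first-match load-balance policy. The server names, addresses, farm names and the VIP are assumed; the two class maps are the ones from the answer.

```cisco
! Added example, not from the thread. Server names, addresses and farm names are
! assumed; DOMAIN-ONLY-CM and DOMAIN-AND-PATH-CM are the class maps from the answer.

rserver host HOST-A
  ip address 10.0.200.11
  inservice
rserver host HOST-B
  ip address 10.0.200.12
  inservice

serverfarm host SF-DEFAULT
  rserver HOST-A
    inservice
serverfarm host SF-LONGPATH
  rserver HOST-B
    inservice

! first-match: classes are tried top to bottom, so the more specific Host+URL
! class goes first; anything that matches neither falls through to class-default.
policy-map type loadbalance first-match L7-SELECT
  class DOMAIN-AND-PATH-CM
    serverfarm SF-LONGPATH
  class DOMAIN-ONLY-CM
    serverfarm SF-DEFAULT
  class class-default
    serverfarm SF-DEFAULT

! attach it to a VIP the usual way
class-map match-all VIP-HTTP
  2 match virtual-address 10.0.200.50 tcp eq www

policy-map multi-match LB-IN
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy L7-SELECT
```

Both header-value and url matches are regular expressions, which is why the answer writes "www[.]domain[.]com": an unescaped "www.domain.com" would also match a Host like "wwwXdomainYcom". Keep in mind that the Host header and the URL are chosen by the client, so this is a routing decision, not an access control: a client can reach SF-LONGPATH simply by sending the matching Host and path, and any request that matches no class still lands on SF-DEFAULT.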
EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"
Hello - I have version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate installed properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find it on the ACS Appliance.
Does anyone have any ideas how to troubleshoot this problem with the appliance?
If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)
If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml