ACL's on ACE Appliance

Hi,
In the ACE Appliance management remote access examples there is an ACL which has "permit ip any any" but in my test configurations it works fine without this. For example, icmp is controlled by whether or not there is a matching class-map entry in the management class and this works whether the ACL is present or not.
What's the purpose of the "permit ip any any" ACL?
thanks,
Andrew.

I think there is a difference between traffic to the interface and traffic over the interface.
You can have a working management policy for SSH access and ICMP to the interface, but to make sure traffic flows from the client side to the server side you need to allow it.
So that is where the permit ip any any access-list is necessary to make sure traffic flows through the ACE. IIRC there will be no traffic flowing through the appliance if you don't have the permit ip any any access-list on the corresponding interfaces.
The closest thing to this might be on a PIX or ASA. You have the ICMP traffic through the interface controlled by the ACL statements and ICMP traffic towards the interface controlled by the ICMP statement itself.
I hope that explains it, if I didn't get you wrong.
If I am writing total BS I will probably get corrected soon. :)
Roble
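To make the "to the interface" versus "through the interface" distinction concrete, here is an added configuration sketch for one ACE VLAN interface; it is not from the original thread, and the VLAN number, addresses, subnet and object names are assumed (comment lines are for the reader).

```cisco
! Through-traffic: the access-group applied to the interface decides what may
! be forwarded across it (client side -> server side). With no access-group
! applied, nothing is forwarded, whatever the management policy says.
access-list ANY line 10 extended permit ip any any

! To-the-box traffic: the management class-map decides which protocols may
! reach the interface IP itself, and from where. Here ICMP is allowed from
! anywhere, SSH only from the (assumed) admin subnet 10.0.100.0/24.
class-map type management match-any REMOTE-ACCESS
  10 match protocol icmp any
  20 match protocol ssh source-address 10.0.100.0 255.255.255.0

policy-map type management first-match REMOTE-MGMT-POLICY
  class REMOTE-ACCESS
    permit

! Both pieces are bound to the same interface but govern different traffic.
interface vlan 100
  ip address 192.168.100.10 255.255.255.0
  access-group input ANY
  service-policy input REMOTE-MGMT-POLICY
  no shutdown
```

Removing the access-group line stops forwarded client-to-server traffic while SSH and ICMP to 192.168.100.10 keep working, which is the behaviour described in the question; any access-list that permits the through-traffic you actually serve works in place of permit ip any any, so it can be narrowed to the VIPs and protocols in use.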

Similar Messages

  • Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

    Hi,
    I've got a problem with Cisco ACS 4.2 authenticating a Cisco 4710 ACE appliance.
    ACS 4.2 has been configured to use both the internal and an external database. It's been working fine for a couple of years.
    Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
    I've posted my AAA configuration of the 4710 ACE below. The ACE is running on the latest version A4(1.1). Please help.
    tacacs-server key 7 "xxxxxxxxxxxxx"
    aaa group server tacacs+ tac_admin
      server xx.xx.xx.xx
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin

    Hi,
    Since the ACS is receiving the request, could you please ensure that in the ACE, on every context (including Admin and the others), you have the following strings:
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+ tac_admin
      server x.x.x.x
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin
    On the ACS side, for the group named "Network Administrators" you should configure in the TACACS settings:
    1. Shell (exec) enable
    2. Privilege level 15
    3. Custom attributes:
               shell:Admin*Admin default-domain
        If you have an additional context, add the next line:
              shell:mycontext*Admin default-domain
    After logging in to the ACE and issuing the sh users command you should see the following:
    User      Context   Line    Login Time     (Location)   Role    Domain(s)
    *adm-x    Admin     pts/0   Sep 21 12:24   (x.x.x.x)    Admin   default-domain
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • Logging user commands in Cisco ACE appliance

    Good afternoon gentlemen
    I need to configure the same as shown below in Cisco ACE Appliance. The requirement is logging all user access login (whether failed or succeeded) and also logging all commands that users issue.
    #IOS commands
    no logging console
    logging buffered 307200 informational
    service timestamps log datetime localtime show-timezone
    logging trap debugging
    login on-failure log
    login on-success log
    archive
       log config
          logging enable
          logging size 500
          hidekeys
          notify syslog contenttype plaintext
    If you guys have an idea, please answer.
    Regards
    Christian

    Hello Arun,
    We have seen the message you report before; it's probably a symptom of:
    CSCtx03563
    or
    CSCue38032
    I would suggest opening a TAC case to get this properly investigated.
    Kind Regards,
    Francesco

  • Cisco ACE Appliance showing error while boot

    Hello Everyone,
    I intend to configure two ACE appliances in one-arm mode. Post configuration I have tried to test the functionalities of the same.
    Below are the queries which I have now.
    > Post reboot of the appliance it popped up with the error below, please clarify.
         Starting sysmgr processes.. Please wait...tg3: tg3_reset_hw timed out for eth1, firmware will not restart magic=4b657654
    tg3: tg3_reset_hw timed out for eth1, firmware will not restart magic=4b657654
    Done!!!
    > Please confirm whether SNAT is compulsory for a one-arm mode setup, as our requirement is to load balance only the requests from the clients.
         The reply from the server should go back to the client directly.
    > How can I achieve the HA config without a dedicated port, as I have configured a port channel for all 4 ports? I am not interested in providing a separate port for HA.
    Thanks in advance

    Hi,
    > Please confirm whether SNAT is compulsory for a one-arm mode setup, as our requirement is to load balance only the requests from the clients.
         The reply from the server should go back to the client directly.
    ** Most of the time SNAT is required but it is not a must. For example, you can have the servers connected to a L2 switch, using the ACE as DG, and you probably don't need SNAT.
    The important thing is to have the response of the server going back to the ACE, with or without NAT.
    > How can I achieve the HA config without a dedicated port, as I have configured a port channel for all 4 ports? I am not interested in providing a separate port for HA.
    *** Configure the ft-port vlan command in the port channel. Remember that the FT vlan should be L2, with no L3 devices in between the ACEs.
    Cesar R
    ANS Team

  • How to monitor memory on Cisco ACE Appliance 4710?

    I'm trying to monitor the memory usage on Cisco ACE Appliance 4710 balancers with version A3(2.2), but the OIDs cpmCPUMemoryUsed (.1.3.6.1.4.1.9.9.109.1.1.1.1.12) and cpmCPUMemoryFree (.1.3.6.1.4.1.9.9.109.1.1.1.1.13) do not work.
    What is the right OID to monitor memory usage on Cisco ACE 4710 Appliance balancers?

    Hi,
    You need to use CISCO-ENHANCED-SLB-MIB.
    cpmProcExtMemAllocatedRev .1.3.6.1.4.1.9.9.109.1.2.3.1.1 (this gives the memory allocated to each process)
    You can also read up on the MIB.
    Hope this helps.
    Venky

  • Ace appliance connectivity design

    We have a 4710 appliance and want to use it for LB.
    Following is the current setup:
    firewall, 2950 switch, servers
    The firewall inside interface is connected to the 2950 switch in vlan 100.
    All servers are connected to the same switch in vlan 100. The firewall is the default gateway.
    We want to connect the ACE appliance into this setup. We don't want to use the appliance in routing mode because of the default gateway change for the servers.
    How do we get the ACE appliance to work in this setup in bridge mode?
    I am aware there will be 2 vlans created within the ACE. In this case one vlan will be 100 and say the second is 200.
    Vlan 100 will be facing the firewall and 200 will be facing the servers.
    Does that mean all switch ports configured for the server vlan should be changed from 100 to 200,
    and then connect one interface of the ACE in vlan 100 and the other in 200?
    How will the traffic from the servers then reach the default gateway?
    There is no intervlan routing there.

    The servers should be in vlan 200 and the FW in vlan 100.
    These are your switch port settings.
    On the appliance you bridge vlan 200 and vlan 100 using a BVI interface.
    Like this, for the FW and the servers, vlan 200 and vlan 100 are the same.
    Here is a bridge config.
    interface vlan 30
      bridge-group 30
      no normalization
      access-group input ANY
      nat-pool 1 172.16.1.1 172.16.1.1 netmask 255.255.255.255 pat
      nat-pool 2 10.51.0.77 10.51.0.77 netmask 255.255.255.255 pat
      service-policy input PERMIT-ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    interface vlan 330
      bridge-group 30
      no normalization
      access-group input ANY
      nat-pool 1 172.16.1.1 172.16.1.1 netmask 255.255.255.255 pat
      nat-pool 2 10.51.0.77 10.51.0.77 netmask 255.255.255.255 pat
      service-policy input PERMIT-ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    interface bvi 30
      ip address 192.168.30.10 255.255.255.0
      peer ip address 192.168.30.11 255.255.255.0
      no shutdown

  • Cisco ACE Appliance Redundant configuration

    How does the Cisco ACE appliance change its IP address and MAC address after failover?

    Hi Birendra,
    Could you please elaborate more on your question?
    FT MACs depend upon the FT group that you have configured and they remain the same. They will not change after failover.
    Here's a document at the link which explains in detail the different MAC addresses in the ACE:
    https://supportforums.cisco.com/docs/DOC-8723
    Let me know if you have any questions.
    Regards,
    Kanwal

  • ACE Module vs ACE Appliance

    Hello,
    What is the difference between the ACE Module and the ACE Appliance? Why is the ACE Module better? Or the ACE Appliance? What is the advantage between Module and Appliance?
    Can anyone explain it to me?
    Best Regards

    In the past Cisco has been shipping two lines of load-balancing products.
    The first line (modules dedicated to the 6500/7600 chassis) includes the CSM, CSM-S and SSLSM (for SSL offloading).
    The other line comprises the appliance-based CSS series products.
    The ACE module is a next-generation module replacing the CSM modules that fits into the 6500/7600 chassis.
    It gives you up to 16Gbps throughput (versus the CSM's 4Gbps throughput).
    The ACE appliance is a next-gen replacement of the CSS line of appliance-based products.
    CSS appliances used to come in different hardware models with varied performance capacities. The ACE appliance is a single hardware platform with various licenses used to scale the performance/features. The ACE appliance supports up to 4Gbps of throughput.
    Previously the CSS & CSM code terminologies & command sets were different. For example a real server was termed a "service" in CSS & was called a "real" in CSM. Similarly a "probe" in CSM was a "keepalive" in CSS.
    With the ACE line of products you get the same terminologies & command sets for both modules & appliances.
    ACE Appliance & ACE modules are functionality-wise coming closer with every new release, but there are still some differences.
    For example the following ACE appliance features are not available in the ACE module:
    Application optimization (FlashForward, Delta Encoding)
    Embedded Device Manager
    HTTP compression
    Which one is better than the other really depends on your requirement.
    From a performance perspective the module gives you much higher performance than the appliance.
    So if performance is your criterion the ACE module is better than the ACE appliance (some performance metrics at the end of the post).
    If you are looking for application optimization & HTTP compression along with load balancing then it can only be achieved with the ACE appliance.
    If you are not using 6500/7600 series chassis in your environment then you can only use the ACE appliance (unless you are open to buying module+chassis due to performance requirements).
    Some performance metrics:
    The ACE Appliance supports 1 million concurrent connections whereas the ACE Module supports 4 million.
    The ACE Appliance supports 120K L4 conn/sec whereas the ACE Module supports 380K L4 conn/sec.
    The ACE Appliance supports 40K L7 conn/sec whereas the ACE Module supports 133K L7 conn/sec.
    The ACE Appliance supports up to 4Gbps throughput whereas the ACE Module supports 16Gbps throughput.
    HTH
    Syed Iftekhar Ahmed

  • ACE appliance - XML

    Good Day,
    I have an ACE appliance, but I do not have a license for the ACE XML GATEWAY. I want to balance XML traffic, and I want to accelerate this traffic; is it possible without the GATEWAY XML license? If the answer is no .... can I balance XML traffic with a CSS 11501?

    Hi,
    The Cisco ACE XML Gateway is not a license for the ACE appliance but a different box; see this video: http://www.cisco.com/cdc_content_elements/flash/dataCenter/acexml/index.html
    And yes, you can load balance XML with the ACE appliance as you could in CSS, and yes, the ACE appliance will accelerate traffic.
    But the ACE XML GATEWAY will be better in security & acceleration.
    Dimitri

  • CSS and ACE appliance SSL TPS

    Hi,
    Can someone explain how SSL Transactions per second are calculated on the CSS and ACE?
    We need to select the appropriate SSL license needed for a future ACE appliance, which is defined in terms of TPS.
    We also currently have a CSS device with an SSL module. Is there any way to find the current SSL TPS info on a CSS device?
    Thank you and regards,
    Jasmina

    What is the method used to calculate the SSL TPS requirement?
    Example:
    Current: Peak SSL Transactions 6,000
    If I expect a peak concurrent connection count of 200,000, what would be the methodology for calculating SSL TPS needs? (Some sample calculation steps would be appreciated.)
    Can I interpret the licensing as follows:
    SSL TPS: SSL Transactions per second: Number of NEW transactions that can be set up by the ACE per second. (Does this mean established SSL transactions are not counted by the license, though each of the packets in established transactions requires SSL termination?)
    Thanks
    Sri

  • Cisco ACE Issue accessing SAP applications through ACE appliance

    Hi,
    I have a website whose VIP resides on my ACE appliance. That site has many links on it which are SAP applications.
    For one link, when I click it the first time, the user is asked for authentication which is not actually required and gets a blank page.
    When I click back (go to the main site again) and again click the same link, it opens normally without any authentication prompt.
    The rest of the links on the site have no issues and open normally.
    I had the same issue with acceptance for the same application and the parameter map below resolved the issue:
    parameter-map type http case_param
      case-insensitive
      persistence-rebalance
      set header-maxparse-length 65535
      set content-maxparse-length 65535
      length-exceed continue
    I tried using the same parameter map with persistence-rebalance disabled but still it does not work.
    What could be the issue in this case?

    Hi,
    SAP has a front end server to which the ACE is sending traffic destined to a particular VIP. The front end server then communicates with the backend server for all data related to all applications. When the client is using different applications, the URL in the browser remains the same. All applications are working fine except this single application.
    The same setup is working fine with the Cisco CSS and even the acceptance is working fine for the same set of applications.
    I am getting bad TCP checksum messages in the capture output.
    10.38.199.196 is the client IP, 10.36.64.40 is the VIP, 10.36.64.86 is the NAT IP and 10.36.32.55 is the front end server which is the user interface to various applications.

  • Difference between ACE module and ACE appliance

    Hi All,
    Can someone help me understand the difference between the ACE module and the ACE appliance? I am observing that the ACE module is providing more throughput compared to the ACE appliance. Is the only advantage we are getting with contexts ....
    Thanks in advance,
    Narayana Mallidi

    Hi Narayan,
    Apart from providing throughput, the ACE module has more to offer:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_ACE_Resource_Limits
    The above link will provide a comparison of the ACE module and ACE appliance in terms of scalability. Apart from that, legacy modules won't support compression, but the ACE 30 module can support compression.
    The major advantage of the ACE 30 module is with respect to SSL throughput, SSL TPS, L4 & L7 CPS, & concurrent connections per second, apart from the increased contexts.
    ACE 4710 Data Sheet :
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/Data_Sheet_Cisco_ACE_4710.html
    ACE20 Data Sheet
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/product_data_sheet0900aecd8045861b.html
    ACE 30 Data Sheet
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/data_sheet_c78_632383.html
    Regards
    Abijith

  • Tacacs authentication with ACE appliance not working

    Hi All,
    I'm having trouble with a Cisco ACE 4710 appliance using TACACS to authenticate SSH/Telnet remote users. Following the CCO documentation we have configured the backend TACACS server (Cisco Secure ACS) and set up the ACE with the required configuration.
    tacacs-server key 7 "letmein"
    tacacs-server host 192.168.1.1 timeout 5
    aaa group server tacacs+ ACStac
      server 192.168.1.1
    aaa authentication login default group ACStac local
    So far no luck in successfully authenticating any users. I can see in the log on the ACS a key mismatch error; however I have 100% verified the keys are identical. I'm thinking this may be a bug?
    Furthermore, when I paste in the tacacs-server key it gets converted to a type 7 in the running configuration even though I use the no-encryption option. Anyone have any ideas? The ACE is running version A3(2.3).
    Thanks in advance

    Hi Matt,
    Please remove the shared secret of the NDG and test.
    Regards,
    Anisha
    P.S.: please rate this post if you feel your query is answered.

  • Cisco ACE appliance backend Requests

    Hi,
    I have a question about the Cisco ACE 4700x appliances.
    I hope that someone can help me out with the next question please, which is:
    Does the appliance support backend server selection based on URL, hostnames or IP?
    If yes, where can I find more details about it?
    Thank you

    Here it is.
    class-map type http loadbalance match-all DOMAIN-ONLY-CM
      2 match http header Host header-value "xxx[.]domain[.]com"
    class-map type http loadbalance match-all DOMAIN-AND-PATH-CM
      2 match http header Host header-value "www[.]domain[.]com"
      3 match http url /very-long-path/.*
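    To show how Host-header and URL class-maps of that kind actually steer a request to a backend, here is an added follow-up configuration that is not part of the answer above: the rservers, serverfarms, VIP address, interface and policy names are all assumed placeholders (comment lines are for the reader).

```cisco
! Layer 7 class-maps in the same style as the answer (hostnames are placeholders)
class-map type http loadbalance match-all DOMAIN-ONLY-CM
  2 match http header Host header-value "xxx[.]domain[.]com"
class-map type http loadbalance match-all DOMAIN-AND-PATH-CM
  2 match http header Host header-value "www[.]domain[.]com"
  3 match http url /very-long-path/.*

! Backend pools (addresses assumed for the example)
rserver host WEB-DEFAULT
  ip address 10.10.20.11
  inservice
rserver host WEB-LONGPATH
  ip address 10.10.20.21
  inservice

serverfarm host SF-DEFAULT
  rserver WEB-DEFAULT 80
    inservice
serverfarm host SF-LONGPATH
  rserver WEB-LONGPATH 80
    inservice

! Backend selection: first-match evaluates the classes top-down, so the more
! specific host+path class is listed before the host-only class. A request
! whose Host header matches neither class matches nothing here and is not
! forwarded to any farm, which is the conservative default.
policy-map type loadbalance first-match L7-SELECT
  class DOMAIN-AND-PATH-CM
    serverfarm SF-LONGPATH
  class DOMAIN-ONLY-CM
    serverfarm SF-DEFAULT

! The VIP (assumed address) that the L7 policy hangs off
class-map match-all VIP-HTTP
  2 match virtual-address 10.10.10.100 tcp eq www

policy-map multi-match CLIENT-VIPS
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy L7-SELECT

! Bind the VIP policy to the client-facing interface (VLAN assumed)
interface vlan 100
  service-policy input CLIENT-VIPS
```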

  • EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"

    Hello - I have version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate installed properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find it on the ACS Appliance.
    Does anyone have any ideas how to troubleshoot this problem with the appliance?

    If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
    AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
    SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)
    If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
    AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
    SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
