Allowing Multicast to work between real servers behind the CSM??

Hi,
Just want to know if it is possible to use IP Multicast between real servers on a server subnet that is configured on the CSM. If so how could this be setup?
I've attached a copy of our CSM config. In particular, the server subnet in question is "vlan 386 server". The Real servers belong to "serverfarm FARM-VISTA-TEST".
I suspect that maybe an interface vlan 386 needs to be created on the router, with pim sparse-mode enabled?
Any ideas?
thanks
Sheldon

The CSM does not know IP multicast, so your multicast needs to find another way to reach the servers.
You will also need a static route on the servers to point 224.x.x.x to the MSFC and keep the rest of the traffic going to the CSM.
Another solution is to use bridge mode.
Create a duplicate vlan 386 on the CSM and the MSFC.
i.e.:
MSFC---vlan387-----CSM-----Vlan386
On the CSM, you configure vlan387 with the same IP as vlan 386 - this will tell the CSM to bridge the 2 vlans.
Configure an IP from the same subnet on the MSFC int vlan 387.
Configure multicast on vlan 387.
The CSM should normally bridge all unknown traffic including multicast.
All you have to do on the servers is change the default gateway to be the MSFC instead of the CSM.
Gilles.

Similar Messages

  • HT204371 Does Airport Express need to be configured to allow AirPlay to work between an iPhone 4s and an iPad2?

    Does Airport Express need to be configured to allow AirPlay to work between an iPhone 4s and an iPad2? 
    Also, attempting to use Airplay with iOS7 shuts off sound to the speakers while allowing sound thru the ear buds!  The fix was to restart by depressing the lock switch (opposite the sound out port).

    Does Airport Express need to be configured to allow AirPlay to work between an iPhone 4s and an iPad2?
    You need a minimum of three things for AirPlay:
    An iTunes host. This can be a Mac, PC, or iOS device.
    A wired or wireless network.
    An AirPlay Speaker. This can be an AirPort Express, Apple TV, or a AirPlay-Ready device.
    Is your goal to stream between two iOS devices?

  • Cannot get Telnet to work between two servers on same subnet

    I need to test if communication is open on port 8444 between two servers.
    I installed telnet client on a Server 2008 R2 server and telnet server on a Server 2008 SP2 server.  I also manually started the Telnet service that was set to disabled on the SP2 server.  I disabled the Windows firewall on both servers.  They are both on the same subnet so they don't need to go through any routers and I can ping successfully.
    When I try to telnet to the remote server by typing telnet "ip address" 8444, I get an error that says "Could not open connection to host, on port 8444:  Connection failed".
    I tried other ports like port 80 and got the same error.
    What else is needed to get this to work?

    VMs have nothing to do with it, as long as there's network communication between the servers.
    As I said, there must be a service or application listening on that port for it to respond. For example, try this:
    C:\> telnet
    When the telnet prompt opens, type in:
    open mail.messaging.microsoft.com 25
    If it works, you should see this:
    220 CH1EHSMHS035.bigfish.com Microsoft ESMTP MAIL Service ready at Thu, 7 Feb 2013 00:57:33 +0000
    That means that Microsoft's mail servers are LISTENING on port 25 and it responded. And note, telnetting to port 25 is a non-default telnet port, because port 23 is the default telnet port. When you type in a space and then a port number, you're telling the telnet client to use that port.
    That is the SAME THING if some sort of application or service is listening on port 8444 on that other server you're trying to telnet to. If there is no app or service listening, it will just time out.
    And no, installing the TELNET service on that server will NOT answer to any port other than 23. The telnet service by default, uses TCP 23, unless you specify otherwise.
    So once again, what service or app on that server is supposed to be listening on 8444?
    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
    This post is provided AS-IS with no warranties or guarantees and confers no rights.
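
An added example, not part of the original post: the manual telnet check from the thread above, scripted in Python. It reports whether a TCP port completed the handshake and returned a banner (like the 220 line quoted above), was actively refused, or gave no answer within the timeout. The function names, the loopback listener and its banner are constructed for illustration.

```python
import socket
import threading


def probe_tcp(host, port, timeout=3.0):
    """Classify a TCP port as seen from this machine.

    Returns (state, detail) where state is one of:
      "open"    - handshake completed, so something is listening;
                  detail is any banner the service sent first
      "refused" - the host answered with a reset: reachable, no listener
      "timeout" - no answer within `timeout` seconds
      "error"   - anything else (name resolution, no route, ...);
                  detail is the OS error text
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timeout", ""
    except OSError as exc:
        return "error", str(exc)

    with sock:
        # Services such as SMTP speak first; many others stay silent.
        sock.settimeout(1.0)
        try:
            banner = sock.recv(256).decode("ascii", "replace").strip()
        except OSError:  # includes a read timeout: open but silent
            banner = ""
    return "open", banner


def start_banner_listener(banner=b"220 lab.example ESMTP ready\r\n"):
    """Constructed stand-in for 'a service listening on the port'.

    Binds an ephemeral loopback port, greets one client with `banner`
    and returns (listening_socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
        except OSError:
            return  # listener was closed before anyone connected
        with conn:
            conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_banner_listener()
    print("listener up:  ", probe_tcp("127.0.0.1", port))
    srv.close()
    print("listener gone:", probe_tcp("127.0.0.1", port))
```

Run against the real target, for example `probe_tcp("ip address", 8444)`, the returned state tells you whether to look at the application on the server or at the path between the two hosts.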

  • Hit the VIP from the server side behind the CSM in L2?

    We have a CSM w/ 4.1.6 and would like our RIPS to be able to access a VIP on the same CSM they are on the same subnet but different vlans in L2 design. Any ideas to make this work?

    According to DE, the SSL blade will apply its local subnet mask to the incoming packet's source IP. In your case, you had a /24 subnet mask configured on the SSL's vlan, so addresses that end with .0 or .255 would be discarded since the blade treated them as network or broadcast addresses.
    The workaround is to configure the lowest subnet mask on the SSL proxy vlan where traffic is received (like a /8).
    Configure ssl-proxy vlan with lowest mask to receive traffic or configure ssl-proxy vlan where traffic received to lowest mask (ie,. /8 mask) or load next maintenance release image 2.1(2)

  • I need to all icmp through the ACE to servers behind the ACE

    I have been trying to figure this out and I've made several attempts at a configuration that will work, but I just don't get it.  Here's what I have configured.  I'm trying to ping from a server outside of the ACE to a server on vlan 308.  I send my ICMP it should ingress through vlan 302 and hit the server on vlan 308.  Instead I get nothing and I see no traffic hits on my policy or from the show icmp statistics.  I am able to ping the IP addresses on vlan 302 but nothing on the inside.
    access-list icmp line 10 extended permit icmp any any
    class-map match-all icmp-allow-inspect
      2 match access-list icmp
    policy-map multi-match icmp-allow-inspect-mmpl
      class icmp-allow-inspect
        inspect icmp error
    interface vlan 302 --------- public facing VIPs- ingress
      ip address 71.113.93.37 255.255.255.224
      alias 71.113.93.36 255.255.255.224
      peer ip address 71.113.93.38 255.255.255.224
      service-policy input mgmt
      service-policy input icmp-allow-inspect-mmpl
      no shutdown
    interface vlan 308 ---------- server - L2
      ip address 10.60.22.130 255.255.255.192
      alias 10.60.22.129 255.255.255.192
      peer ip address 10.60.22.131 255.255.255.192
      service-policy input icmp-allow-inspect-mmpl
      no shutdown

    I ran a capture and I see the traffic hit the ingress interface of the ACE, but it never gets passed to the backend server vlan.  The icmp is received and the connection is closed, but then I get 4 more packets marked PKT_XMT then the packet is dropped.  The capture was done on the ingress vlan.  If I do a capture on the server side vlan I get nothing at all in the capture.
    0001: msg_type: PKT_RCV
    ace_id: 6809            action_flag: 0x13
    src_addr: 74.113.193.34            src_port: 53575
    dst_addr: 10.62.222.136            dst_port: 2048
    l3_protocol: 0          l4_protocol: 1
    0002: msg_type: CON_CLOSE
    con_id: 1345505684       out_con_id: 271763861
    src_addr: 74.113.193.34            src_port: 53575
    dst_addr: 10.62.222.136            dst_port: 2048
    l3_protocol: 0          l4_protocol: 1
    0003: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0011: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0019: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0029: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0037: msg_type: PKT_DROP
    con_id: 1345505684           reason: 0
    src_addr: 74.113.193.34            src_port: 53575
    dst_addr: 10.62.222.136            dst_port: 2048
    l3_protocol: 0          l4_protocol: 1
    This is my access list and its applied globally with the access-group input ALL command.  I also have my default gateway pointing back to my upstream router and there are no other routes on the ACE.  I can ping the ingress interface from my upstream router and I can ping my gateway from the ACE.  I can ping my backend server from the ACE, but not from anything outside the ACE.  I can not ping anything behind my ACE module.
    access-list ALL line 12 extended permit icmp any any
    access-list ALL line 18 extended permit ip any any

  • Real reason behind the non-feature of FM recording on Vision M 60 g

    Hi there,
    I have bought the Vision M 30 go then for any reason, some a day it stopped freezing at the main screen and even resetting and formatting the player has not make it able to work again. So I went where I had purchased it and paid the difference with the 30 go for having a 60 go using the year warranty given by Creative. Except for the very bad disagreement of losing the AC adapter (that I paid for in the version I brought at the beginning), I found also that a nice feature I was using a lot with the 30 go version was not built in the 60 go version which is the FM recording. So here stand my real question :
    Why does Creative have not brought FM recording feature to it 60 go version ?
    BTW, for those who don't know it, in real fact, I'd measured that autonomy on 60 go is less than 30 go. Size (thickness) is bigger (probably because of the 2 micro hard drive on over the other inside). Weight is bigger (don't have measured the difference). Ver 30 go was always spinning to read data and sound was just impossible to hear, but the only way to know was to take it in your hand then look out for vibrations. Ver 60 works by caching data (probably to save electricity because making spinning 2 disk takes more juice than ) at a speed that makes it possible to hear in quiet environment at a level it is possible to hear in medias (such as movies) for which there is quiet moments. Finally, not the last, ver 30 go was fanless, but ver 60, probably because of the 2 disk, start the fan to lower temperature at a regular interval (probably faster in hot ambient temperature and less in normal ones, but didn't test it to see).
    If it were to buy again, because of the no AC adaptor, no FM recording and all those reasons, having the ONLY advantage of doubling the HD size, I don't think I would again.
    I may be a hard to convince as a consumer because I'm also an electronic/electrical engineer and my standards, expectations and observations go further than more people, but I still think you product overcome in almost every aspect of the IPOD.
    At last, I'm really sad about having upgraded to 60 go, but please, at least, 60 go being the top lvl of its category, just build a new firmware adding this feature ! That will almost cost you any penny at all, but the image you will give to your customer will worth money in its own way. And as we say, for 0 unhappy customer, of 0 will say it to the company. Also, in 0 happy customer, will say it to other people, but for unhappy customer, 0 people will be told to DO NOT buy the product. That was one of most important thing I've learned from my marketing course when at the University !
    Sorry for bad English: as you may have observed, it is not my first language.

    In my own case, I was only using the radio recording feature for talk radio I was unable to listen at specific moment in the day...
    I live in Canada and I shouldn't have to pay for USA pressure groups, nor Europeans should.
    That's very bad.
    I wish to get an official answer from Creative on this matter.

  • NAT and Servers behind CSS 11501

    All,
    Please forgive my asking this question again. I was injured shortly after asking the last time and out of work for a long period of time.
    My problem stems from needing to allow my web servers to initiate traffic to the outside world from behind our CSS boxes.
    The web servers sit behind a pair of CSS 11501 content switches in Active-Passive ASR with fate sharing. We are only interested at this time with load balancing HTTP and HTTPS.
    Everything works inbound no problem.
    What I need to do is setup some type of NAT for my 3 web servers to initiate HTTP/HTTPS for patches, send SMTP from the web apps, and initiate HTTPS for credit card validation.
    I have setup NAT on PIX units and routers no problem, but I seem to be unable to do it on these boxes. :(
    In reality something as simple as a PAT translation on the outside of the CSS boxes should be sufficient.
    Is this possible with our setup? Does anyone have some code examples?
    Thanks in advance.
    Addresses changed to protect the innocent:
    Load Balancer 1:
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    sntp server 1.1.1.41 version 1
    snmp community noway read-only
    snmp community noway read-write
    app session 1.1.1.252
    app
    logging subsystem netman level info-6
    dns primary 2.2.2.41
    dns secondary 2.2.2.42
    ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    description "Connect to Primary DMZ 1 3550 Switch"
    interface e2
    bridge vlan 2
    phy 100Mbits-FD
    description "Connected to Primary LB Server Switch"
    interface e8
    description "Inter Switch Communication (ISC) Port"
    isc-port-one
    !************************** CIRCUIT **************************
    circuit VLAN1
    description "DMZ 1 Subnet (1.1.1.x/24)"
    ip address 1.1.1.251 255.255.255.0
    ip virtual-router 1 priority 254 preempt
    ip redundant-interface 1 1.1.1.250
    ip redundant-vip 1 1.1.1.161
    ip redundant-vip 1 1.1.1.162
    ip redundant-vip 1 1.1.1.70
    ip redundant-vip 1 1.1.1.71
    ip redundant-vip 1 1.1.1.72
    ip critical-service 1 upstream_downstream
    circuit VLAN2
    description "Load Balanced Servers Subnet"
    ip address 2.2.2.2 255.255.255.0
    ip virtual-router 2 priority 254 preempt
    ip redundant-interface 2 2.2.2.1
    ip critical-service 2 upstream_downstream
    Various Services, Owners and Content
    Load Balancer 2:
    !*************************** GLOBAL ***************************
    bridge spanning-tree disabled
    sntp server 1.1.1.41 version 1
    snmp community noway read-only
    snmp community noway read-write
    app session 1.1.1.251
    app
    logging subsystem netman level info-6
    dns primary 2.2.2.41
    dns secondary 2.2.2.42
    ip route 0.0.0.0 0.0.0.0 1.1.1.1 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    description "Connect to Secondary DMZ 1 3550 Switch"
    interface e2
    bridge vlan 2
    phy 100Mbits-FD
    description "Connected to Secondary LB Server Switch"
    interface e8
    description "Inter Switch Communication (ISC) Port"
    isc-port-one
    !************************** CIRCUIT **************************
    circuit VLAN1
    description "DMZ 1 Subnet (1.1.1.x/24)"
    ip address 1.1.1.252 255.255.255.0
    ip virtual-router 1
    ip redundant-interface 1 1.1.1.250
    ip redundant-vip 1 1.1.1.161
    ip redundant-vip 1 1.1.1.162
    ip redundant-vip 1 1.1.1.70
    ip redundant-vip 1 1.1.1.71
    ip redundant-vip 1 1.1.1.72
    ip critical-service 1 upstream_downstream
    circuit VLAN2
    description "Load Balanced Servers Subnet"
    ip address 2.2.2.3 255.255.255.0
    ip virtual-router 2
    ip redundant-interface 2 2.2.2.1
    ip critical-service 2 upstream_downstream
    Various Services, Owners and Content.

    Gilles,
    I added the following commands, and things seem to be working.
    To circuit VLAN1
    ip redundant-vip 1 1.1.1.80
    !*************************** GROUP ***************************
    group natout
    vip address 1.1.1.80
    add service nat_web_servers
    active
    service nat_web_servers
    ip address 192.168.1.10 range 3
    active
    I do have a question about the above service commands.
    I have 3 servers behind the CSS. Let's call them 192.168.1.10, 192.168.1.11 and 192.168.1.12. Am I correct in my thinking that adding range 3 then allows a match on all 3 of those servers and the CSS will then PAT these servers from the VIP address assigned to the group?
    Otherwise, I think you have resolved this problem for us. Thank you.

  • ACE module client and real servers on same subnet

    I am working on a ACE load balancing implementation,which has following requirement? Can someone let me know if this can be implemented and how?
    Configuration
    test context
    real server vlan 233
    real server subnet - 167.6.233.x
    VIP vlan - 539
    VIP subnet - 167.6.238.128/25
    production context
    real server vlan 232
    real server subnet - 167.6.232.x
    VIP vlan - 538
    VIP subnet - 167.6.238.0/25
    Load balancing is configured in routed mode with ACE as gateway for test and prod real server subnets (233 and 232 subnets).
    Test and production servers are mixed in these subnets. So we need to configure source NAT to access the test servers in the production subnet (232) and vice versa.
    Here are the scenarios and questions
    1. clients need to access the real servers in prod subnet (232) through VIP configured in test context (vlan 539) - this is done by SNAT at vlan 539 and working.
    2. real servers in test subnet (233) needs to access real servers in same subnet (233) through VIP configured in test context (vlan 539) - this is done by SNAT at vlan 233 and working
    3. real servers in prod subnet (232) need to access the real servers in test subnet (233) through VIP configured in test context (vlan 539) - this appears to be working fine without any additional configuration
    4. real servers in test subnet (233) needs to access another real servers in prod subnet (232) through VIP configured in test context (539)  - this is not working
    5. real servers in test subnet (233) needs to access another real server which is not on one of the subnet (167.6.56.x) behind ace - this is not working.
    Can we implement the scenarios 4 and 5?

    Hi Suresh,
    I see it's a bit complex and we do not have the config at hand.
    However for the scenario 4 if you apply the policy already applied on vlan 539 on the interface vlan233 then the ACE should catch the packets and apply the policy (i.e. forward the packets to the serverfarm you want)
    Alessandro
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • PAT with a single public IP and several servers behind firewall

    Hi,
    New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
    Single static public IP:  16.2.3.4
    Need to PAT several ports to three separate servers behind firewall
    One server houses email, pptp server, ftp server and web services: 10.1.20.91
    One server houses drac management (port 445): 10.1.20.92
    One server is the IP phone server using a range of ports: 10.1.20.156
    Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. 
    Here is what I have.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
    ASA Version 8.4(4)1
    hostname kaa-pix
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.20.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 16.2.3.4 255.255.255.0
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network server_smtp
    host 10.1.20.91
    object service Port_25
    service tcp source eq smtp
    object service Port_3389
    service tcp source eq 3389
    object service Port_1723
    service tcp source eq pptp
    object service Port_21
    service tcp source eq ftp
    object service Port_443
    service tcp source eq https
    object service Port_444
    service tcp source eq 444
    object network drac
    host 10.1.20.92
    object service Port_445
    service tcp source eq 445
    access-list acl-out extended permit icmp any any echo-reply
    access-list acl-out extended permit icmp any any
    access-list acl-out extended permit tcp any interface outside eq pptp
    access-list acl-out extended permit tcp any object server_smtp eq smtp
    access-list acl-out extended permit tcp any object server_smtp eq pptp
    access-list acl-out extended permit tcp any object server_smtp eq 3389
    access-list acl-out extended permit tcp any object server_smtp eq ftp
    access-list acl-out extended permit tcp any object server_smtp eq https
    access-list acl-out extended permit tcp any object server_smtp eq 444
    access-list acl-out extended permit tcp any object drac eq 445
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static server_smtp interface service Port_25 Port_25
    nat (inside,outside) source static server_smtp interface service Port_3389 Port_3389
    nat (inside,outside) source static server_smtp interface service Port_1723 Port_1723
    nat (inside,outside) source static server_smtp interface service Port_21 Port_21
    nat (inside,outside) source static server_smtp interface service Port_443 Port_443
    nat (inside,outside) source static server_smtp interface service Port_444 Port_444
    nat (inside,outside) source static drac interface service Port_445 Port_445
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context
    no call-home reporting anonymous

    Thanks Lcambron...I got PPTP to work.  Everything else works fine.  I can access email, access my web server, FTP server, and PPTP server.  However, from the above configuration, I cannot access my DRAC over the internet. The DRAC runs on a different internal server, and over port 445.  So I have the following lines:
    object network drac
    host 10.1.20.92
    object service Port_445
    service tcp source eq 445
    access-list acl-out extended permit tcp any object drac eq 445
    nat (inside,outside) source static drac interface service Port_445 Port_445
    Am I missing something here?  Internally, i can telnet to port 445 on 10.1.20.92, so I know it is listening.  However, externally, i cannot telnet to my external ip address of the ASA through port 445. 
    Thanks

  • Two servers (serverSocket) behind the SAME firewall !?

    Hello !
    I don't know if this is the right forum for this question,
    and maybe the question is really stupid, but ...
    I made a little client/server application, just to
    play around with sockets and serverSockets.
    It works fine, but now i ask myself:
    What happens, if there are two of my servers running on two
    different computers in the SAME LAN behind the SAME
    firewall/internetgateway, and both are listening on the SAME
    port ?
    F.e. if the extern IP of this LAN/(its gateway) is
    204.556.234.123, and a client in the internet is connecting
    to it on the port, on which the two servers behind the firewall
    are listening, WHO'S ANSWERING ?
    (If this port is set to "open and forward" in the firewall)
    The one with the shorter patch-cable ? ;)
    How is it possible for the client to differentiate
    this two servers in that LAN?
    The only logical solution i found is that this two servers
    have to listen on different ports,
    but i think there has to be another explanation and/or solution.
    Do i have to take care about situations like that in my
    server-application ?
    I have the feeling that i have to...somehow.
    OK, you see I don't know much about this...
    i would be very thankful for every hint and explanation.
    Thank you very much,
    greetings,
    huni.

    F.e. if the extern IP of this LAN/(its gateway) is
    204.556.234.123, and a client in the internet is connecting
    to it on the port, on which the two servers behind the firewall
    are listening, WHO'S ANSWERING ?
    (If this port is set to "open and forward" in the firewall)

    Whichever one the firewall is told to forward it to!
    The two computers running your server have unique addresses on the internal network. The firewall will forward incoming connections to one of those addresses. Maybe it can do some simple "load balancing" by forwarding some connections to one server and some to the other, but still, any particular connection will only go to one server.

  • ACE30-MOD-k9 in bridge mode. Individual server in the same vlan of Real Servers not reachable.

    I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with his real servers. The traffic passes and is balanced correctly between all RSERVER. But I can not contact a server that is on the same vlan of the serverfarm but doesn't belong at this serverfarm.
    I thought that the traffic directed to this "spare" server shouldn't be balanced but the bridge should permit traffic to pass. (transparent mode) Is it correct ?
    What does ACE in bridge mode with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
    In respect at the following configuration 10.10.10.168 isn't reachable
    access-list INBOUND line 8 extended permit ip any any
    access-list INBOUND line 16 extended permit icmp any any
    probe http HTTP_PROBE1
      expect status 200 200
    rserver host RS_WEB1
      ip address 10.10.10.163
      inservice
    rserver host RS_WEB2
      ip address 10.10.10.164
      inservice
    rserver host RS_WEB3
      ip address 10.10.10.165
      inservice
    rserver host RS_WEB4
      ip address 10.10.10.167
      inservice
    serverfarm host SF_FIREGROUP
      rserver RS_WEB1
        inservice
      rserver RS_WEB2
        inservice
      rserver RS_WEB3
        inservice
      rserver RS_WEB4
        inservice
    sticky ip-netmask 255.255.255.255 address source sticky-ip
      replicate sticky
      serverfarm SF_FIREGROUP
    sticky http-cookie myCookie sticky-cookie
      cookie insert browser-expire
      serverfarm SF_FIREGROUP
    class-map match-any VS_FIREGROUP
      2 match virtual-address 10.10.10.169 tcp eq www
      4 match virtual-address 10.10.10.169 tcp eq 8081
      5 match virtual-address 10.10.10.169 tcp eq 8082
      6 match virtual-address 10.10.10.169 tcp eq 8083
      7 match virtual-address 10.10.10.169 tcp eq 8084
      8 match virtual-address 10.10.10.169 tcp eq 8085
      9 match virtual-address 10.10.10.169 tcp eq 8097
    class-map match-any VS_FIREGROUP_HTTPS
      2 match virtual-address 10.10.10.169 tcp eq https
    policy-map type loadbalance first-match HTTP
      class class-default
        sticky-serverfarm sticky-cookie
    policy-map type loadbalance first-match HTTPS
      class class-default
        sticky-serverfarm sticky-ip
    policy-map multi-match HTTP_HTTPS_MULTI_MATCH
      class VS_FIREGROUP
        loadbalance vip inservice
        loadbalance policy HTTP
        loadbalance vip advertise active
      class VS_FIREGROUP_HTTPS
        loadbalance vip inservice
        loadbalance policy HTTPS
        loadbalance vip advertise active
    interface vlan 4
      bridge-group 1
      access-group input INBOUND
      service-policy input HTTP_HTTPS_MULTI_MATCH
      no shutdown
    interface vlan 700
      bridge-group 1
      access-group input INBOUND
      no shutdown
    interface bvi 1
      ip address 10.10.10.150 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.10.10.1
    Thanks a lot
    Francesco

    Hi Francesco,
    Just to add more a bit, A bridge group is very similar to routed mode except ACE cannot NAT pass through traffic, vlan's cannot be shared and couple of other things but client's should be able to access the server as in before.
    But also whether in bridge or routed mode, ACE does create flows and applies other security parameters if configured to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put a route for testing purpose and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
    Regards,
    Kanwal

  • ACE 4710 Probes on other servers than the real server

    Hi,
    I wanted to know if there is a means to configure a probe that is independent of the real servers.
    The aim is to configure a probe a real server but also probe another intermediate server which is not in the server farm.
    The objective is to declare the real server down if its probe fails but also the probe to an intermediate server fails as well as a or condition.
    From the document, there is no mention of it.
    But is there a means to do it.
    Thanks.

    Hi Ashley,
    I see it is not mentioned anywhere in document but I think you should be able to bind two probes with real server of which one probe is actually probing another server.
    I would configure one probe let's say TCP based and bind it with serverfarm. Then I would configure another probe TCP based and define IP address in that probe (the other server IP which we need to probe) and bind this probe with same serverfarm. Serverfarm will not have this rserver added. And then I would configure "fail-on-all" and test if that works for you.
    I know you can set probe on redirect server/serverfarm which actually probes another real server so logically should work for normal host rserver as well. But I have never tested it myself.
    Regards,
    Kanwal

  • How e-mail is routed between two servers

    Hi ,
    Please anybody tell me how e-mail is routed between two servers , from the software point of view as well as hardware point of view .
    And how Java mail API related to that .
    Thanks,
    Kiz

    If you're looking for a simple answer there isn't one. Here's a place to start.
    http://community.roxen.com/developers/idocs/rfc/rfc974.html

  • [ACE] Real servers and VIP in the same VLAN

    Hello.
    I'm facing an issue because the real servers and the VIP address are in the same VLAN, when a request comes from an external client to the VIP (crossing an ASA firewall), the ACK gets back using the IP of one of the real servers instead of the VIP so this traffic is blocked by our WAN firewall probably due the inspection rules.
    My question is if there is some way make the VIP the address who ACK's that requests? Creating a new VLAN would be complicated because there are other services already running on those real servers.
    Thanks a lot,
    Miquel

    Hi Miquel,
    Please do source nat on ACE so that return traffic gets sent to ACE and not FW. Pasting an example for you.
         ==========================================================================
         One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
         ==========================================================================
    login timeout 0
    access-list ANYONE line 10 extended permit ip any any
    rserver host SERVER_01
      ip address 192.168.1.11
      inservice
    rserver host SERVER_02
      ip address 192.168.1.12
      inservice
    rserver host SERVER_03
      ip address 192.168.1.13
      inservice
    serverfarm host REAL_SERVERS
      rserver SERVER_01
        inservice
      rserver SERVER_02
        inservice
      rserver SERVER_03
        inservice
    class-map match-all VIP-30
      2 match virtual-address 192.168.1.30 tcp eq www
    class-map type management match-any REMOTE_ACCESS
      description remote-access-traffic-match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    policy-map type management first-match REMOTE_MGT
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match SLB_LOGIC
      class class-default
        serverfarm REAL_SERVERS
    policy-map multi-match CLIENT_VIPS
      class VIP-30
        loadbalance vip inservice
        loadbalance policy SLB_LOGIC
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 451
    interface vlan 451
      description Servers vlan
      ip address 192.168.1.2 255.255.255.0
      access-group input ANYONE
      service-policy input CLIENT_VIPS
      nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    Let me know if you have any question.
    Regards,
    Kanwal

  • IMessage is not working between the computer and the iPhone 4S?

    My I message is no longer working between my computer and my iphone 4s, how do i fix it? It has been working but stopped communicating with each other. I have osx 10.9.3 on Mac and 7.1.1 on the phone.

    imessages have never ever been able to work between devices that use the same appleID
