Cant seem to upgrade ACE 4710

Similar Messages

• Upgrading ACE 4710 & Licensing

  Hello
  We have two pairs of ACE 4710s, one pair running A3(2.4) and the other pair A3(2.0). We plan to upgarde the second pair so that they are running the same image as the first pair (we know they are not the latest, but this is the first step in a larger rollout plan, and to aid some troublshooting for a major issue we are seeing.)
  I have details of the upgrade steps, but my question is with regards to the licenses which are now enforced after (2.0). We currently have the following on the first pair, but are these part of the default licenses for (2.4) or would we need to purchase these as well?
  ACE-AP-500M-LIC
  ACE-AP-C-100-LIC
  ACE-AP-OPT-50-K9
  ACE-AP-SSL-05k-K9
  Thanks in advance
  Shaun

  According to the release notes, the default with the ACE running A3 is :
  •Performance: 1 gigabit per second (Gbps) appliance throughput
  •Virtualization: 1 admin context and 5 user contexts
  •Secure Sockets Layer (SSL): 100 transactions per second (TPS)
  •Hypertext Transfer Protocol (HTTP) compression: 100 megabits per second (Mbps)
  so you don't have to purchase anything

• Cannot Telnet to ACE 4710 after upgrade to A4(2.3)

           I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). Yesterday I upgraded one of them to A4(2.3)
  now I cannot telnet to the Admin context.Pings ok. I can telnet to other contexts on the box and everything seems to be working ok   
  when i do a " sh telnet"
  comes back with
  No Session Information is available
  sh telnet maxsessions
  telnet maxsessions 16
  Can anybody help?

  further this post, it was not a resource problem as had allocated 5% for the Admin context.
  I up graded IOS Saturday evening, could not Telnet in, tried again on Sunday same result,
  though this morning (Monday) Can now telnet in ok very strange
  I was connecting via the AUX line of a 2851 router to the console port.
  whe I disconnected this morning I saw the following message
  INIT: id "T0" respawning too fast : disabled for  5 minutes
  not sure if this is a 2851 message or an ACE message, but after getting that message is when I was able to Telnet in
  was it a coincidence
  anybody any ideas

• I have just upgraded to ios7 but cant seem to close any apps to save battery, on the old system it was just a double click and deleting the icons along the bottom of the screen, how do i do it now?? any help?

  i have just upgraded to ios 7 but cant seem to close any apps to save battery life, on th eold system it was just a double click and  deleting the icons along the bottom of the screen, any ideas how to now?
  Help?

  Close inactive apps
  1. Double tap the home button to bring up the multi-tasking view
  2. Swipe up on the screenshot of the app you want to exit.
  3. The app will fly off the screen

• ACE 4710 upgrading software problem

  I logged into ACE 4710 to upgrade the image to c4710ace-mz.A1_8_0.bin. I logged in with Admin status and I got the following message, "
  ACE4710/Admin# delete image:c4710ace-mz.3.0.0_A1_7a.bin
  delete: cannot remove 'c4710ace-mz.3.0.0_A1_7a.bin': Permission denied"
  Is this a bug? Is there a workaround? Thank you.

  I am getting the same message again when i tried to delete an image and put a new image on.
  ACE4710/Admin# dir image:
  180784189 May 20 07:52:18 2008 c4710ace-mz.A1_8_0.bin
  176933319 May 6 07:10:04 2008 c4710ace-mz.A1_7b.bin
  Usage for image: filesystem
  714985472 bytes total used
  167362560 bytes free
  882348032 bytes total
  ACE4710/Admin# delete image:4710ace-mz.A1_7b.bin
  delete: cannot remove '4710ace-mz.A1_7b.bin': No such file or directory
  How can this issue be resolved?

• Upgrade steps for ACE 4710

  Hi Everyone
  We will be upgrading our ACE 4710s from A3(2.2) to A4(1.0). We have a pair in high availability mode. Has anyone here got any tips on how we can get a smooth upgrade without downtime? Is this even possible?
  Thanks
  A

  Of course it is possible to upgrade with no downtime!
  However it is always recommended to schedule the upgrade in a maintenance window to minimize the impact in case of any issues.
  You can normally find the documented procedure here for the upgrade:
  http://cco/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/upgrade.html#wp1012243
  I find in fact the best would be the following:
  1. Upgrade the stand by module first.
  2. Once reloaded, switchover to the standby and verify all services working correctly.
  3.Upgrade the new stand by module.
  4. Eventually switch over again to restore the active box as per the original configuration.
  By doing this, if for some reason the first switchover at point 2. would not work, you can switch back to a safe scenario which you are sure to work.
  Cheers,
  Domenico.

• Theres are free upgrade for my mac on our apple store and i cant seem to download it, theres are free upgrade for my mac on our apple store and i cant seem to download it

  theres are free upgrade for my mac on our apple store and i cant seem to download it, theres are free upgrade for my mac on our apple store and i cant seem to download it?

  It'd be really helpful it you told us what the upgrade is, which Mac you currently have, and what OS you're currently using. And you only need to say it once.

• TCP SYNSEEN with load balancing Cisco ACE 4710

  I have a Cisco ACE 4710 load balancing the traffic to two proxy servers, the configuration is the same since December 2012,  but yesterday it stated to show SYNSEEN in the show conn command, and the hosts cannot browse. I think that means that the three-way-handshake is not complete.
  If I bypass the ACE the hosts can browse without problems. 
  I have tested with another ACE appliance and the same configuration but the behaviour is the same.
  I need help as soon as possible,
  thanks,
  I've attached the Show conn, show conn detail and show run.

  Hi Cesar,
  Thank you for your answer,
  The issue was solved,
  We were running an A3 software version, it seems to have a Bug so it doesn't show the NAT commands in the "show run", so when we made the configuration backup we didn't noticed it.
  The ACE reloaded because an electrical failure so it losted the NAT config.
  We just upgraded to an A4 version and also added a NAT/PAT to enable the communication between the Clients and the Proxy.
  Regards,

• ACE 4710. Unable to clear ssh sessions

  Hi.
  Once in the CLI of an ACE 4710, using the command "clear ssh session id" I am unable to clear/kill any of the remote ssh sessions established.
  According to the administration guide, the "clear ssh .." command must clear the sessions, but it does not, or maybe I am missing something?
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/administration/guide/access.html#wp1050335
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Tabla normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  ACE/CONTEXTO_A# show ssh session-info
  Session ID     Remote Host         Active Time
  13728          222.98.54.158:50556   67:43:38
  13732          200.44.158.70:46172   67:43:36
  13735          200.44.158.70:46174   67:43:36
  13737          200.44.158.70:46177   67:43:36
  ACE/CONTEXTO_A#
  ACE/CONTEXTO_A# clear ssh 13728
  ACE/CONTEXTO_A# clear ssh 13732
  ACE/CONTEXTO_A# clear ssh 13735
  ACE/CONTEXTO_A# clear ssh 13737
  ACE/CONTEXTO_A# show ssh session-info
  Session ID     Remote Host         Active Time
  13728          222.98.54.158:50556   67:43:54
  13732          200.44.158.70:46172   67:43:52
  13735          200.44.158.70:46174   67:43:52
  13737          200.44.158.70:46177   67:43:52

  Hello,
  Seems to be working for me in my tests.  Works in the Admin context and a user context, and when clearing connections from console connection or one of the SSH sessions.
  ace-appliance-15/CTX1# sho ssh sess
  Session ID     Remote Host         Active Time
  24705          161.44.77.245:1586     0: 1:42
  25100          161.44.77.245:1589     0: 0:27
  25116          161.44.77.245:1590     0: 0:16
  ace-appliance-15/CTX1# clear ssh 25116
  ace-appliance-15/CTX1#
  ace-appliance-15/CTX1# sho ssh sess
  Session ID     Remote Host         Active Time
  24705          161.44.77.245:1586     0: 2: 5
  25100          161.44.77.245:1589     0: 0:50
  What version of software are you running on your 4710?  I am running the latest A3(2.4).  Can you try this version?
  Thanks,
  Sean

• ACE 4710 and mangled HTTP requests

  After replacing a Cisco CSS/SSL  Accelorator and PIX firewall with an ACE 4710 to do load balancing and  SSL encryption behind an ASA firewall we started seeing mangled HTTP  requests in the Apache access logs for the servers in the server farm.  Here is one example:
  XX.XX.XXX.XXX  - - [21/Oct/2012:01:42:12 -0500]  "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  Rather  than appearing just after the timestamp, the "POST /register/LServlet"  is tacked on to header information that shouldn't even appear in the  log. Also the first letter in that header information is always missing  (heckoutFlag instead of checkoutFlag in this example). 
  The  mangled request always shows up as a 501 HTTP error and shows up late  in the Apache access logs (timestamp is out of chronogical order) and  always appears with several duplicate POSTs:
  XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XX.XXX  - - [21/Oct/2012:01:42:12 -0500]   "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet"  "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  This is occurring for several different URLs and not just the one above and for multiple web browsers.
  The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
  A recent ACE software upgrade to A5(2.1) has not fixed the problem.
  Has anyone seen this before?
  Thanks for any insight you can provide.
  -Kari

  Hi Kari,
  Do you have a sample of the configuration which you got with the CSS?
  What is the current configuration which you got on the ACE?
  Can you shows this output: # show stats http?
  Jorge

• ACE 4710 Web Optimization Licnesing

  I currently have a 4710 running the 1Gbps package. We are utilizing Application Acceleration and are comg very close to hitting our 10,000 Web Optimization connection limit. I am trying to find out how to upgrade that.
  I see in our license usage an option of ACE-AP-OPT-UP1-K9 but can find no information on this part number. Does anyone know if this is even available and what it brings you connection limit to?
  ACE01/Admin# show license usage
  License                      Ins   Lic    Status   Expiry Date   Comments
                                    Count
  ACE-AP-C-UP1                  No     -    Unused                 -
  ACE-AP-C-UP2                  No     -    Unused                 -
  ACE-AP-C-UP3                  No     -    Unused                 -
  ACE-AP-01-LIC                 No     -    Unused                 -
  ACE-AP-01-UP1                 No     -    Unused                 -
  ACE-AP-02-LIC                 No     -    Unused                 -
  ACE-AP-02-UP1                 No     -    Unused                 -
  ACE-AP-04-LIC                 No     -    Unused                 -
  ACE-AP-04-UP1                 No     -    Unused                 -
  ACE-AP-04-UP2                 No     -    Unused                 -
  ACE-AP-VIRT-5                 No     -    Unused                 -
  ACE-AP-500M-LIC               No     -    Unused                 -
  ACE-AP-VIRT-020               No     -    Unused                 -
  ACE-AP-C-100-LIC              No     -    Unused                 -
  ACE-AP-C-500-LIC              Yes    1    In use   never         -
  ACE-AP-C-500-UP1              No     -    Unused                 -
  ACE-AP-OPT-50-K9              No     -    Unused                 -
  ACE-AP-C-1000-LIC             No     -    Unused                 -
  ACE-AP-C-2000-LIC             No     -    Unused                 -
  ACE-AP-OPT-LIC-K9             Yes    1    In use   never         -
  ACE-AP-OPT-UP1-K9             No     -    Unused                 -
  ACE-AP-SSL-05K-K9             Yes    1    In use   never         -
  ACE-AP-SSL-07K-K9             No     -    Unused                 -
  ACE-AP-SSL-100-K9             No     -    Unused                 -
  ACE-AP-SSL-UP1-K9             No     -    Unused                 -
  ACE-AP-SSLUP-5K-K9            No     -    Unused                 -
  ACE-AP-VIRT-020-UP            No     -    Unused                 -

  Unfortunately, ACE-AP-OPT-LIC-K9 is not available on ACE4710 and
  ACE 4710 cannot handle more than 10,000 concurrent connections..
  When you use the ACE to perform a specific set of application
  acceleration and optimization functions, and the ACE reaches the
  maximum of 10,000 concurrent connections, the appliance stops
  accepting any additional concurrent connections until the count
  drops below 10,000.
  http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_x/command/reference/optimize.html#wp1048813
  Regards,
  Yuji

• ACE 4710: Config Allows all traffic except large HTTP downloads

  Hi Folks,
  Got an ACE 4710 with a basic config that seems to work for all traffic except large downloads.
  I've attached the current config
  As I mentioned I can do normal HTTP to a standard destination like google or SSH through the ACE or ICMP
  If i try to get a large file from the server side of ACE, then a trace shows that the first and subsequent 1460Byte packets dont go through ACE
  I've thought of parse lengths, but i cannot see any that seem to affect the generic L4 maps that I am trying to use
  Cheers
  Alan

  I've seen a similar fault. I suppose a lower MSS was sent in the TCP SYN handshake packets (1300 or 1380?) and the packets exceeding that value were dropped by the ACE. This is the default behavior which can be switched to a less strict mode by either
  exceed-mss allow
  or
  no normalization
  commands.
  In our case, a linux web server was whose replies wouldn't keep to the MSS limit.

• ACE 4710 HTTP Probes

  Using the ACE 4710 for loadbalancing a Sharepoint site.
  We currently have a HTTP probe setup to check the port 80 status of the rserver.
  Is there anyway to get the HTTP probe to check a DNS entry for each of the application sites? For instance http://info vs http://site are two different web sites running on the same IP. One site could have a problem but the actual port 80 for the IP may be still alive.
  Thanks for any information.

  Has anyone figure this out?  I am tring to get healthchecks/probes setup in this same fashion.  I have 2 servers with 1 IP but have many sites.  I want to probe each side and ensure I get a 200 code.  I also have to provide credentials to the site.  It seems that if i open IE I can log in just fine to the site with the credentials.  However there is an active x control box that is wanting to be installed.  When I set this up on my ACE it seems I am getting a http 401 unauthorized error.  I have done a wireshark capture while I was browsing and I see the 401 however it also reports a 200 code after that.  Do you think this is a problem because of the active x control wanting to be downloaded?  Or is this an issue with the first http code that is recieved by the probe, that being the 401 and then the 200? Below is my config (cleaned of course).
  probe http HTTP-80-OUR.DOMAIN.COM
    interval 15
    passdetect interval 60
    credentials
    request method get url http://our.domain.com/default.aspx
    expect status 200 200
    header Host header-value "our.domain.com"
    open 1
  rserver host SERVER-A
    ip address X.X.X.47
    inservice
  rserver host SERVER-B
    ip address X.X.X.48
    inservice
  serverfarm host FARM-AB
    predictor leastconns
    probe HTTP-80-OUR.DOMAIN.COM
    rserver SERVER-A
      inservice
    rserver SERVER-B
      inservice
  ACE4710# show probe HTTP-80-OUR.DOMAIN.COM detail
  probe       : HTTP-80-OUR.DOMAIN.COM
  type        : HTTP
  state       : ACTIVE
  description :
     port      : 80      address     : 0.0.0.0         addr type  : -
     interval  : 15      pass intvl  : 60              pass count : 3
     fail count: 3       recv timeout: 10
     http method      : GET
     http url         : http://our.domain.com
     conn termination : GRACEFUL
     expect offset    : 0         , open timeout     : 1
     expect regex     : -
     send data        : -
                  ------------------ probe results ------------------
     associations ip-address      port  porttype probes   failed   passed   health
     ------------ ---------------+-----+--------+--------+--------+--------+------
     serverfarm  : OUR.DOMAIN.COM-10.25.4.12-L3-FARM
       real      : SERVER-A[0]
                  X.X.X.47      80    DEFAULT  414      406      8        FAILED
     Socket state        : CLOSED
     No. Passed states   : 1         No. Failed states : 2
     No. Probes skipped  : 0         Last status code  : 401
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err : Received invalid status code
     Last probe time     : Wed Jun  2 17:44:18 2010
     Last fail time      : Wed Jun  2 13:37:04 2010
     Last active time    : Wed Jun  2 13:34:19 2010
       real      : SERVER-B[0]
                  X.X.X.48      80    DEFAULT  414      406      8        FAILED
     Socket state        : CLOSED
     No. Passed states   : 1         No. Failed states : 2
     No. Probes skipped  : 0         Last status code  : 401
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err : Received invalid status code
     Last probe time     : Wed Jun  2 17:44:20 2010
     Last fail time      : Wed Jun  2 13:37:06 2010
     Last active time    : Wed Jun  2 13:34:21 2010

• ACE 4710 A3(2.0) and ACS - TACACS+

  Hi.
  I am having trouble getting my ACE 4710 (A3(2.0) Build 3.0) to cooperate with my Cisco Secure ACS-server. In the same environment I have it working on my ACE Module, with the same configuration.
  ACE 4710:
  tacacs-server host 10.7.50.20 key 7 "fewhg"
  aaa group server tacacs+ tacacs_server_group
      server 10.7.50.20
      deadtime 15
  aaa authentication login default group tacacs_server_group local none
  aaa accounting default group tacacs_server_group local
  aaa authentication login error-enable
  ACS is configured correctly too. I have tried with several users, both in groups, with and without attributes and so forth. The ACS installation works with other devices and with my ACE modules running A2(3.1). I have tried this on both ACS 4.2(0).124 and 4.2(1).15.
  The strange part is what I see when I set up Wireshark on my ACS-server to look at the traffic. From what I can see, the ACE only sends a request to the AAA-server if the user exists locally. But I do not get authenticated and Failed Attempts show a line with with Message-Type: "Unknown NAS".
  It seems like others have the same problem. The problem is that the link attacked in the topic beneath only leads me back to forum and not to a topic with solution.
  https://supportforums.cisco.com/thread/132445?decorator=print&displayFullThread=true#132445
  Any help is appreciated and thanks in advance!

  are you using telnet or ssh ?
  if ssh can you try telnet, allow telent on your management policy to do this. Then if it works via telnet , then try ssh again, if it now works then you have hit CSCsu36078
  http://tools.cisco.com/squish/03240

• ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?

  Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
  As background, we are a small company with a SaaS product and a pair of webservers.
  I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Stickey Group.
  That seems to be working and session traffic is sticking to a server during the user's session.
  Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
  I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
  As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work little to no tranining on this hardware and no budget at this point to pay someone else for configuration and setup.
  I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
  Hopefully this request makes sense.
  Thanks,
  Mark Steeves.

  Daniel,
  Thanks for the reply, but I cannot reach the URL you included.  It gives me a 403.
  Therfore without reading the article, I wanted to ask if the proper setup would be:
  1. Default L7 load-balancing action: Primary action: Sticky: Stickey Group using
  Type = HTTP Header: Header name = Host
  2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
  Using this setting in testing, it looks like all the traffic keeps going to 1 server only.  Granted there is not much traffic t the servers, but I have 2 different url being tested. url1.ourdomain.com & url2.ourdomain.com
  If you have another link for the above document, please let me know.
  Thanks,
  Mark Steeves.