Certificates vanished - ACE Module. Strange!

Similar Messages

• Unable to import PKCS12 certificate file to ACE module

  Hi,
  I'm currently in the process of replacing my CSS-appliances with the ACE module. So far everything's been smooth, but when I'm trying to import a certificate file to the respective context using the "crypto import"-command, ACE can't recognize the filetype, it's just marked as UNKNOWN. On the CSS I had to specify PKCS12 as the fileformat, but this is apparently not an options on the ACE. Does anyone know the equivalent commmand on how to import a PKCS12-file to the ACE?
  Thankx
  /Ulrich
  PS! I haven't created a cert chaingroup, as I was told this would not be necessary.

  Hi Ulrich,
  Short answer is you cannot import PKCS12 format. You'll need to extract the component parts into PEM format outside of the ACE and then use crypto import.
  You will also need a chaingroup unless this is a self-signed certificate. Again any intermediate and root certificates will need to be in PEM format.
  HTH
  Cathy

• Presenting a Client Certificate from ACE?

  Hi Folks,
  This is a bit of an odd one, so please stick with me!
  A bit of background:
  We currently visit a secure 3rd party website from our company, in order to identify our company to the website we have to use a client-side certificate to authenticate us (before we then login to the website).
  As we have a large number of machines loading a client-certificate on to each one has not proved agile enough (this is more a legacy thing).  So to work around this we have used a Stunnel proxy which the clients are forwared too (HTTP), which then proxies the connection as HTTPS and provides the end website with the Client Cert and does all the bits for SSL.   The Stunnel service was meant to be a tempory workaround, about 3 or so years ago (don't you just love those?) and is hosted on a desktop PC which has recently started to crash - there's no real support on this either - which leads me onto the question:
  Can the ACE module replace the Stunnel Box in this scenario?
  Is it possibile to load a client certificate onto the ACE and get it to provide this to an end webserver.  I realise that the ACE is probably not designed for this function, however this would get us onto something more stable and has a better internal support function.
  I've attached a really basic diagram of how the connectivity operates - but I'm happy to consider suggestions on alternative ways of doing it.
  Thanks in advance
  Kev

  Hi.
  It seems to be not possible : http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/initiate.html
  I have to check if other products can do what you want, but I have some doubts...

• Can not import ACE module to ANM

  Hello,
  Good day.
  I recently facing an interesting problem.
  We are running ANM 5.1.0 to manage our LB contexts, those contexts are configured on ACE20-MOD-K9 module which installed in Catalyst6500 switch. Our installation is like this, two ACE20-MOD-K9 modules installed into same Catalyst6513 different slots. And  those two ACE modules serves different Data Halls, contexts configured on those modules are completely seperated, different VLAN, different subnet no relation at all.
  I'm able to import the catalyst chassis into ANM and under Config>Guided Setup>Import Device>Modules, I'm able to see both ACE modules but only one module able to be imported, another one I can not even choose it. There are slightly difference those two modules show themselves in that page. The one I'm able to import shows exactly it's module type and version number but another one is showing someting strange.
  Slot#      Model                     Type            Serial #      State                 Version                Description                                      #VC
  3            ACE20-MOD-K9      ACE v2.3      XXXXXX      up                     A2(3.5)                Application Control Engine Module      28
  9            ACE20-MOD-K9      Module         XXXXXX      Not Imported      ace2t_main_d      Application Control Engine Module      N/A  <---problem module
  Does any was facing samiliar problem?
  Thanks

  I think I found something related to my issue.
  In ANM operating Guidance,section"Importing ACE Modules after the Host Chassis has been Imported" mentioned some restriction. The module in slot 9 actually has samiliar situation, show module commands shows that Catalyst chassis doesn't really recognize the software version that might caused ANM not able to figure out if that module is supported or not so it makes a simple decision deny import. I will try to reboot that module see if we can fix this issue.
  "Guidelines and Restrictions
  ANM 3.0 and greater releases do not support the importing of an ACE module that contains an A1(6.x) software release or an ACE appliance that contains an A1(7.x) or A1(8.x) software release. If you attempt to import an ACE that supports one of these releases, ANM displays a message to instruct you that it failed to import the unrecognized ACE configuration and that device discovery failed.
  However, if you perform an ANM upgrade (for example, from ANM 2.2 to ANM 3.0), and the earlier ANM release contained an inventory with an ACE module that supported the A1(6x) software release or an ACE appliance that supported the A1(7.x) or A1(8.x) software release, ANM 3.0 (and greater) allows the A1(x) software release to reside in the ANM database and will support operations for the release. ANM prevents a new import of an ACE module or ACE appliance that contains the unsupported software version.
  We strongly recommend that you upgrade your ACE module or ACE appliance to a supported ACE software release, and that you instruct ANM to recognize the updated release. See the "Instructing ANM to Recognize an ACE Module Software Upgrade" section.
  See the Supported Device Tables for the Cisco Application Networking Manager for a complete list of supported ACE module and ACE appliance software releases."
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/5.2/user/guide/UG_manage_devices.html

• ACE module - end-to-end SSL

  Hello,
  I'm in the process of setting up an end to end SSL configuration but it doesn't work and I'm getting a bit confused at this stage.I imported a cert using the terminal (copy/paste) then I imported a key using the same method and the tftp. The TFTP failed and the terminal was displaying a message telling me there was topo many lines.
  I checked with the crypto verify command and it failed telling me "Error: invalid or unsupported key".
  Is there any clear documentation on how to configure an end to end SSL ?
  I used the ACE ssl guide, but it is not really accurate and looks more like a reminder to me rather than a guide.
  I attached the existing config to this post although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.
  Did anybody came across the same issues on the first time configuring end-to-end ssl with ACE?

  just don't know where to start.
  I feel like you do not have the right key/cert.
  This would be the very first thing to verify.
  Where did you get your key and cert ?
  What certificate authority signed your certificate ?
  The creation of the session key requires the use of an RSA key pair (private/public).
  Every server must have a public and a private key associated with a certificate signed by a certificate authority.
  If you're not familiar with those concepts, configuring an SSL offloaded like ACE won't be easy.
  Maybe you should start be reading on the subject from various article available on the WEB.
  openssl is a great tool to generate keys and certficates.
  I would suggest maybe to get this free tool and start by creating your own RSA key pair and a self signed certificate.
  Then import everything into ACE.
  Once you have valid key/cert we can continue with the configuration.
  Gilles

• ACE module hung and required hard reset !!Plz help

  ACE module had bit flip and it was hunged after that.I was not able to run any command(i.e For ex if i run show ft status nothing was displayed).I was not able to run any command on the standby ACE as well is this could be both the ACE module ACTIVE?
  Manuaaly reboot from the ACE did not work. I had to forced hardare reset from cat 6500.
  Is this a bug or strange behaviour?
  I am running ACE A2(2.3) version on the module.
  Thanks
  ALEX

  Usually in the case of the bit flip the ace will reset itself, which clears the problem.  In order to understand what is happining to your ACE, you would have to open a TAC case, and provide show tech information, as well as any files that were generated in the "core:" directory.  You can view these using the command "dir core:"
  It seems odd that the standby ACE also wouldn't respond to any command input.  Did you have to reset it as well? If you had to reset it as well, then it may have encountered the same conditions that caused the hang on the primary.
  Was there any syslog messages generated on the 6500 switch during the time?

• ACE module, TLS and smtp

  Hello,
  On a ACE module running software version ACE2(1.0), I have defined a virtual smtp server that is load-balanced to a serverfarm containing 2 SMTP servers. Normal SMTP connexions on port 25 work fine. SMTPS connexions to port 465 of a second vserver also work fine: SSL termination occurs at the ACE module and SMTP connexions to the real servers are in clear text on port 25. But I am having problems with TLS.
  If a client connecting to port 25 of the first vserver tries to negotiate TLS, it works but it's the real server that handles TLS encryption. This is normal behavior - but the certificate has to be installed on each of the real servers. I would like the ACE module to handle TLS (it's supported according to the documentation). That way the certificate would only have to be installed on the ACE module.
  So I tried to setup a third vserver on port 587 with the same "proxy-service" as the second vserver used for SSL. If a client connects to port 587 of the vserver via TLS, we only see the 3-way handshake between the client and the vserver, then a pause of a few seconds, then a FIN from the client and finally an ACK and a RESET from the vserver.
  There are absolutely no lines in the log that could help me find out what's happening.
  I found the "debug ssl" command in the documentation but I don't know how to use it - I entered the command and nothing happened; I don't know where the debugging information goes. This is probably why there's a warning that says that "The ACE debug commands are intended for use by trained Cisco personnel only."...
  So my questions are: why is TLS not working? How can I find out why it's not working? Where does the "debug" information go when we use the "debug" commands?
  Thanks a lot for any help you can give me!
  Regards,
  Marc.

  SMTP over TLS is not supported in ACE currently.
  SMTP doesnt use SSL/TLS simply as a secure transport like LDAP, IMAP, POP, HTTP.
  In case of SMTP client needs to open a new conn.
  So ACE or for that matter any other SMTP relay device needs to terminate conn, look in to the SMTP pkts and punch hole according to the new client conns.
  You can get more details at
  http://tools.ietf.org/html/rfc2487
  Syed

• A problem with ACL in the class-map on the ACE module

                    Hi all,
  I configured the following on the ACE module:
  object-group network test
    host 192.168.1.21
    host 192.168.1.22
    host 192.168.1.23
  object-group service port
    tcp eq www
    tcp eq 8080
  access-list T line 8 extended permit object-group port object-group test any
  I tried to configure a class-map for matching this ACL:
  ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
  ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
  Error: Cannot associate acl having object-group ACEs in class-map.
  So couldn't I  configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
  Thank you
  Roman

  Hi Roman,
  I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
  Regards
  Daniel

• How to Virtual IP configuration in ACE module?

  Hi,
  I am in the process of configuring load balancing on ACE module but struggling to configure virtual IP address for ACE module.
  I'm working on ACE30 module and using software version A5 (1.2). ACE module is in slot of Catalyst 6504 switch.
  Can anybody please post the steps/commands to perform this activity? An early response would be appreciated.
  Regards,
  Rachit.

  Hi Rachit,
  Here is a basic configuration example:
  access-list Allow_Access line 10 extended permit ip any any
  rserver host test
    ip address 10.198.16.98
    inservice
  rserver host test2
    ip address 10.198.16.93
    inservice
  serverfarm host test
    rserver test 80
      inservice
    rserver test2 80
      inservice
  sticky http-cookie test group2
    cookie insert
    serverfarm test
  class-map match-all VIP
    2 match virtual-address 10.198.16.122 tcp eq www
    policy-map type loadbalance first-match test
    class class-default
      sticky-serverfarm group1
  policy-map multi-match clients
    class VIP
      loadbalance vip inservice
      loadbalance policy test
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 112
  interface vlan 112
    ip address 10.198.16.91 255.255.255.192
    access-group input Allow_Access
    nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
    service-policy input NSS_MGMT
    service-policy input clients
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.198.16.65
  Here is the configuration guide:
  http://tools.cisco.com/squish/101AD
  Cesar R

• Load Balancing on ACE Modules

  hi,
  Is it possible to load balance VIP hits on two ACE Modules in an active/active configuration. Or is it that only per FT group only single context could be active.
  Regards.

  You can have 1 context active on one ACE and the other context active on the other ACE.
  If you have 2 Vip, you can have 1 vip belonging to one context and the other vip belonging to the other context.
  Like this, you split the traffic between the 2 devices which allows you to handle more traffic than what 1 device could normally do.
  If one device can handle all your traffic, I prefer to only have 1 active unit and 1 standby.
  Easier to implement and troubleshoot.
  Gilles.

• Reuse of context in ACE module

  Hi all, just have a question about som reuse of resources in a ACE module context.  I don't want to make a new context, and can reuse most of the existing configuration in one of my context.  The config is not complex and difficult, but I'm not sure if I can do this.
  The primary goal is to loadbalance 2 webservers with a new vip, new serverfarm, stickygroup, policy-map and different nat-pool.
  Since I haven't decided the ip addresses to be used, they are just xx in the config below.
  The changes I want to implement are in bold.  Will this work for me?
  probe http WEBGUI_D2
  description Probe for http mot webgui
  interval 10
  passdetect interval 10
  passdetect count 1
  request method get url /D2/auth/login.aspx
  expect status 200 302
  header User-Agent header-value "IDENTITY"
  rserver host cwi003
  description content server logon
  ip address 10.163.22.27
  inservice
  rserver host cwi004
  description content server logon
  ip address 10.163.22.28
  inservice
  rserver host cwi503
  description content server logon 2
  ip address 10.163.22.23
  inservice
  rserver host cwi504
  description content server logon 2
  ip address 10.163.22.24
  inservice
  serverfarm host SF_LOGON_D2
  probe WEBGUI_D2
  rserver cwi003 80
     inservice
  rserver cwi004 80
     inservice
  serverfarm host SF_LOGON2_D2
  probe WEBGUI_D2
  rserver cwi503 80
     inservice
  rserver cwi504 80
     inservice
  sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
  timeout 20
  replicate sticky
  serverfarm SF_LOGON_D2
  serverfarm SF_LOGON2_D2
  class-map match-all VS_LOGON_D2
  3 match virtual-address 10.163.22.13 any
  class-map match-all VS_LOGON2_D2
  3 match virtual-address 10.163.22.xx any
  policy-map type loadbalance first-match PM_ONE_ARM_LB
  class class-default
     sticky-serverfarm STICKYGROUP1
  policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_LOGON_D2
     loadbalance vip inservice
     loadbalance policy PM_ONE_ARM_LB
     nat dynamic 5 vlan 1240
  class VS_LOGON2_D2
     loadbalance vip inservice
     loadbalance policy PM_ONE_ARM_LB
     nat dynamic 6 vlan 1240
  interface vlan 1240
  description Client_server
  ip address 10.163.22.11 255.255.255.0
  peer ip address 10.163.22.12 255.255.255.0
  access-group input INBOUND
  nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
  nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
  service-policy input PM_ONE_ARM_MULTI_MATCH
  no shutdown
  ip route 0.0.0.0 0.0.0.0 10.163.22.1
  BR
  Geir

  Thanks for your reply.
  Hope I understand you correct.  This sould be the config I need to paste into the existing context.
  rserver host cwi503
    description content server logon 2
    ip address 10.163.22.23
    inservice
  rserver host cwi504
    description content server logon 2
    ip address 10.163.22.24
    inservice
  serverfarm host SF_LOGON2_D2
    probe WEBGUI_D2
    rserver cwi503 80
      inservice
    rserver cwi504 80
      inservice
  sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
     timeout 20
     replicate sticky
     serverfarm SF_LOGON2_D2
  class-map match-all VS_LOGON2_D2
     3 match virtual-address 10.163.22.xx any
  policy-map type loadbalance first-match PM_ONE_ARM_LB2
    class class-default
      sticky-serverfarm STICKYGROUP2
  policy-map multi-match PM_ONE_ARM_MULTI_MATCH
    class VS_LOGON2_D2
      loadbalance vip inservice
      loadbalance policy PM_ONE_ARM_LB2
      nat dynamic 6 vlan 1240
  interface vlan 1240
    nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
  Br
  Geir

• ACE module - Qos - set ip tos #

  All,
  Trying to mark traffic to/from L4 rules in the ACE.
  Documentation (like always) says it's really easy.  Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration.  Ok, so I do this, set ip tos 24.
  Enable qos globally on the 6500 host, but don't see the traffic being marked.
  sh mls qos says that packets are being modified by module 5 (ACE)
  But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
  sh mls qos:
  QoS is enabled globally
    Policy marking depends on port_trust
    QoS ip packet dscp rewrite enabled globally
    Input mode for GRE Tunnel is Pipe mode
    Input mode for MPLS is Pipe mode
  QoS Trust state is CoS on the following interface:
  Te3/1
  QoS Trust state is DSCP on the following interface:
  Gi2/3
    Vlan or Portchannel(Multi-Earl) policies supported: Yes
    Egress policies supported: Yes
  ----- Module [5] -----
    QoS global counters:
      Total packets: 207147888661
      IP shortcut packets: 0
      Packets dropped by policing: 0
      IP packets with TOS changed by policing: 2663386
      IP packets with COS changed by policing: 4889352
      Non-IP packets with COS changed by policing: 0
      MPLS packets with EXP changed by policing: 0
  Can someone explain to me what I've got wrong here?  Is the ACE simply marking traffic destined for the servers behind it and not the return traffic?  Am I missunderstanding something?

  Well... hopefully someone knows how to classify traffic coming from the ACE.
  I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it.  At least not the way I want.
  However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially sucessful solution.  Problem is, "partially" successful.
  You'll have a bunch of little conversations like this with no tos value full of push-acks:
  10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
  10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
  10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
  10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
  10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
  10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
  10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
  10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
  10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
  10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
  10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
  But then you'll see another conversation pop up with the correct markings
  10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
  I think what's happening, is that the conversations full of the P-acks is the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on it's way back to the client.
  I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either.  And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
  So.... PLEASE... Anyone???  Ideas???

• [UDP fast age support for ACE Module]

  Hello,
  I'm testing 2 ACE modules running A3.0.0 for DNS load balancing (UDP). We're testing this by using a DNS query generator that (always) seems to use the same UDP source port when originating these queries. At the moment, the ACE module is hardly doing any load-balancing.
  It looks to me like, that because of this, the ACE believes it's the same session (connection) and doesn't really load-balance, so I started looking for a solution and found the fast-age udp feature. But, it seems this is not supported on my ACE modules. Can any one offer another solution and/or look at my config and see if there is another way to achieve load balancing in a testing environment when using a tool like the one I described?
  (I put it that way because i believe in real life since queries come from different IP addresses and randomized udp ports, the ACE module will be just fine).
  Thanks in advance!
  c.

  Hi Carlos,
  Correct. The 3.0(0) is really misleading. You need to start with the "A" - so you really have 1.6.3a installed.
  The "show version" for V2 is slightly better -
  system: Version A2(1.2) [build 3.0(0)A2(1.2)
  Cathy

• Ace module dropping assymetric layer 2 connections

  Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server.  The server in question was using Transmit Load Balancing with Fault Tolerance.
  The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
  I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1.  The ace module is in transparent mode.  When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port.  Does it share some kind of layer 2 RPF check with the 6500 ?
  Please note there is no routing involved here.  The destination server is just on another vlan on the same subnet, on the other side of the ace.

  Bryan,
  As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.
  In your first example the flow will look like this.
  client > VIP after the ACE  client > rserver
  the reply would be
  rserver > client after the ACE VIP > rserver
  In your second example using client nat it will look like this
  Client > VIP   After ACE  Natpool > rserver.
  the reply would be
  rserver > Nat-pool  after ACE VIP > client.
  The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
  Regards
  Jim

• Ace module in bridged mode with client nat

  Could someone confirm whatever a NAT is supported for ACE-20 module, please?
  Let me to explain technical details.
  I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure
  if the configuration below is correct. ACE module should be configured in bridge mode with two
  vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
  NAT on ACE configurad as "nat dynamic 1025 vlan 436" into corresponding
  "policy-map type loadbalance"
  Could you check two parts of configs and advise me if the ACE config is
  properly converted from CSM and will be working in the same way (especialy for NAT).
  Thank you in advance.
  CSM config
  =======
  vlan 36 client
    ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    gateway 10.36.3.1
  vlan 436 server
    ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
  natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
  sticky 30 netmask 255.255.255.255 address source timeout 60
  probe SHAREPOINT tcp
    interval 30
    failed 120
    open 3
    port 80
  probe WEBMAIL-443 tcp
    interval 5
    failed 60
    open 2
    port 443
  serverfarm WEBMAIL-443
    nat server
    nat client WEB-MAIL
    predictor leastconns
    real 10.36.3.101 443
     inservice
    real 10.36.3.102 443
     inservice
    probe WEBMAIL-443
  serverfarm WEBMAIL-80
    nat server
    nat client WEB-MAIL
    predictor leastconns
    real 10.36.3.101 80
     inservice
    real 10.36.3.102 80
     inservice
    probe SHAREPOINT
  vserver WEBMAIL-443
    virtual 10.36.3.100 tcp https
    serverfarm WEBMAIL-443
    sticky 60 group 30
    replicate csrp sticky
    replicate csrp connection
    persistent rebalance
    inservice
  vserver WEBMAIL-80
    virtual 10.36.3.100 tcp www
    serverfarm WEBMAIL-80
    replicate csrp connection
    persistent rebalance
    inservice
  ACE config
  =======
  probe tcp WEBMAIL-443
    interval 5
    open 2
    passdetect interval 60
    port 443
  probe tcp SHAREPOINT
    interval 30
    open 3
    passdetect interval 120
    port 80
  serverfarm host WEBMAIL-443
    predictor leastconns
    probe WEBMAIL-443
    rserver 10-36-3-101 443
      inservice
    rserver 10-36-3-102 443
      inservice
  serverfarm host WEBMAIL-80
    predictor leastconns
    probe SHAREPOINT
    rserver 10-36-3-101 80
      inservice
    rserver 10-36-3-102 80
      inservice
  class-map match-all WEBMAIL-80
    match virtual-address 10.36.3.100 tcp eq www
  class-map match-all WEBMAIL-443
    match virtual-address 10.36.3.100 tcp eq https
  sticky ip-netmask 255.255.255.255 address source 30
    serverfarm WEBMAIL-443
    replicate sticky
    timeout 60
  policy-map type loadbalance first-match WEBMAIL-80
    class class-default
      serverfarm WEBMAIL-80
      nat dynamic 1025 vlan 436 serverfarm primary
  policy-map type loadbalance first-match WEBMAIL-443
    class class-default
      sticky-serverfarm 30
      nat dynamic 1025 vlan 436 serverfarm primary
  parameter-map type http HTTP_ADV_OPT
    persistence-rebalance
  policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-80
      loadbalance vip inservice
      loadbalance vip icmp-reply active
    class WEBMAIL-443
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-443
      loadbalance vip inservice
      loadbalance vip icmp-reply active
  interface vlan 36
    bridge-group 36
    service-policy input IFVLAN36-POLICY
    mac-sticky enable
    no shutdown
  interface vlan 436
    bridge-group 36
    nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    no shutdown
  interface bvi 36
    ip address 10.36.3.3 255.255.255.0
    peer ip address 10.36.3.4 255.255.255.0
    no shutdown

  Hello F.Makarenko-
    You will want to use PAT while you do nat, so change the natpool configuration to this:
     nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
    You also need to apply the nat like this:
  policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-80
      loadbalance vip inservice
      loadbalance vip icmp-reply active
      nat dynamic 1025 vlan 436
    class WEBMAIL-443
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-443
      loadbalance vip inservice
      loadbalance vip icmp-reply active
      nat dynamic 1025 vlan 436
  If you are going to build out a lot of classes, you can instead do source nat like this:
  policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-80
      loadbalance vip inservice
      loadbalance vip icmp-reply active
  class WEBMAIL-443
      appl-parameter http advanced-options HTTP_ADV_OPT
      loadbalance policy WEBMAIL-443
      loadbalance vip inservice
      loadbalance vip icmp-reply active
  class class-default
      nat dynamic 1025 vlan 436
  Regards,
  Chris Higgins