Cisco ACE and license upgrades

Similar Messages

• Urgent!!! Cisco ACE and asymetric routing assistance needed

  I am wondering if someone can give me pointers on the cisco ACE
  and asymetric routes. I've attached the diagram:
  -Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
  -Firewall External interface is 192.168.15.1/24,
  -Firewall Internal interface is 192.168.192.1/24,
  -F5_BigIP External interface is 192.168.192.4/24,
  -F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,
  -host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,
  -Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24
  pointing to the F5_BigIP,
  -host_y is dual-home to both VLAN_A and VLAN_B with the default
  gateway on host_y pointing to VLAN_A which is 192.168.196.1,
  -host_x CAN ssh/telnet/http/https to both of host_y IP addresses
  of 192.168.196.10 and 192.168.197.10.
  In other words, from host_x, when I try to connect to host_y
  via IP address of 192.168.197.10, the traffics will go through VLAN_B
  but the return traffics will go through VLAN_A. Everything
  is working perfectly for me so far.
  Now customer just replaces the F5_BigIP with Cisco ACE. Now,
  I could not get it to work with Asymetric route with Cisco ACE. In
  other words, from host_x, I can no longer ssh or telnet to host_y
  via IP address of 192.168.197.10.
  Anyone knows how to get asymetric route to work on Cisco ACE?
  Thanks in advance.

  That won't work because ACE uses the vlan id to distinguish between flows.
  So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
  Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
  You would need to force your host to respond on the same vlan the traffic came in.
  This could be done with client nat on ACE using different nat pool.
  Gilles.

• VPC / Cisco ACE and the Nexus 2K and 5K

  Hi all,
  So we have a test environment that looks like the following. We have 2 5K's switch 1 and switch 2. Switch 1 has two 10gb connections downstream to a 2K and switch 2 has two 10Gb connections downstream to the other 2K. We have a few servers that are multi-homed with LACP and VPC via the 2Ks and it works a treat.
  We have our Cisco ACE 01, ports 1 and 2 going to one of the 2K's and we have ports 3 and 4 going to the other 2K, ACE02 ports 1 and 2 going to one of the 2K's and we have ports 3 and 4 going to the other 2K. If i enable VPC and none LACP based etherchannel i cannot get the ACE's talking to each other, but looking at the VPC status its all healthy and up.
  Has anyone managed to multi-home the ACE between two 2K's with VPC successfully? 
  If I disable the links so each ACE only has links upstream in a traditional port-channel and not cross connected, the ACE's can see each other with no issues.
  Cheers

  Doh.. so we had a cable patching issue in the end. Let this be a lesson to all networking chaps - always check the basics first! Now we have patched the cables as per design the VPC has been established and works.
  Now we  have VPC is working we are simulating link failures. When we restore a shutdown physical port within the port-channel/VPC that sits between the 2K and ACE (simulating a port failure) the ACE's lose sight of each other for about 10 seconds and causes an short outage until the port is up and up. The logs on the ACE show 'the Peer x.x.x.x is not reachable. Error: Heartbeat stopped. No alternate interface configured' but the VLAN for the FT interface is carried over all four ACE NIC's that are multi-homed to two 2K's... very strange, i would not expect this, it's like the MAC addresses for the FT interface are waiting to be timed out on the 2K until they are switched on another interface within the port-channel and VPC.
  Anyone seen this before?

• Cisco ACE and firewall design

  Guys,
  If I have servers protected behind a firewall and I need to load balance some servers , where should I place the ACE?
  Sent from Cisco Technical Support iPad App

  Hi,
  With one-arm i believe the question is where you want to place the firwall. As long as the client is able to reach the VIP and server replies back to ACE i dont see any problem with this design.
  Firewall ---------Switch ---------------- Load Balancer ---
  As you know with one-arm requires a source NAT and might not be a good fit for application that are using the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.
  Regards,
  Siva

• Cisco ACE and IIS Virtual Directories

  Hello All,
  I have the Load Balancing between to servers working correctly except for on thing. If I enter www.domainname.com\apps into the browser it will returns a 302 page, but if I enter www.domainname.com\apps\ the page will Pull up. Is there a way for the ACE to add the \ after the Virtual Directory?

  Here is an example of the configuration:
  rserver host NET01
    ip address 10.0.20.24
    inservice
  rserver host NET02
    ip address 10.0.20.25
    inservice
  serverfarm host NET-Farm
    predictor leastconns
    rserver NET01 80
    rserver NET02 80
      inservice
  parameter-map type http HTTP_PARAMETER_MAP
    persistence-rebalance
  sticky ip-netmask 255.255.255.255 address source NET-IP
    replicate sticky
    serverfarm NET-Farm backup Maintenance
  class-map match-all NET
    2 match virtual-address 10.0.20.21 tcp eq https
  policy-map type loadbalance first-match NET
    class class-default
      sticky-serverfarm NET-IP
      insert-http x-forward header-value "%is"
  policy-map multi-match int71
  class NET
      loadbalance vip inservice
      loadbalance policy NET
      loadbalance vip icmp-reply active
      nat dynamic 6 vlan 71
      appl-parameter http advanced-options HTTP_PARAMETER_MAP
  interface vlan 71
  no icmp-guard
    nat-pool 6 10.0.20.21 10.0.20.21 netmask 255.255.255.255 pat

• Slow connection in one server if accessing through Cisco ACE

  Hi,
  Good day, Can someone help me on my problem? I have 3 servers, server1, server2 and server3. When one pc accessing the server 3 application via Cisco ACE, it experienced a slow connection but when direct access without Cisco Ace, it's fast. The connection of this PC through cisco ace and direct access have no issue.
  What need to do in my configuration? Below is my configuration
  logging enable
  logging timestamp
  logging trap 7
  logging buffered 7
  logging monitor 7
  logging host 167.81.126.5 udp/514
  logging host 137.55.152.147 udp/514
  resource-class SG_01
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource sticky minimum 10.00 maximum equal-to-min
  boot system image:c4710ace-mz.A3_2_0.bin
  login timeout 30
  peer hostname singapore-ace2
  hostname singapore-ace1
  interface gigabitEthernet 1/1
    channel-group 14
    no shutdown
  interface gigabitEthernet 1/2
    channel-group 14
    no shutdown
  interface gigabitEthernet 1/3
    channel-group 14
    no shutdown
  interface gigabitEthernet 1/4
    channel-group 14
    no shutdown
  interface port-channel 14
    description ISOLAN-ACE-TRUNK
    ft-port vlan 99
    switchport trunk native vlan 1
    switchport trunk allowed vlan 12,14,112
    no shutdown
  clock timezone SGT 8 0
  ntp server 137.55.152.1
  context Admin
    member SG_01
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 9 extended permit icmp any any
  ip domain-name ysn.psg.philips.com
  probe http singapore_01
    description This probe used to monitor application url-app-script
    interval 5
    passdetect interval 5
    request method get url /insiteserverstatus/insiteserverstatus.aspx
    expect status 200 200
    open 1
  probe http singapore_02
    description This probe used to monitor IIS-login-page
    interval 5
    passdetect interval 5
    request method get url /InSiteLumiledsApplication/
    expect status 200 200
    open 1
  probe icmp uplink
    description This probe used in conjunction with ft track host
    interval 2
    faildetect 2
    passdetect interval 3
  parameter-map type connection PARAM_L4STICKY-IP
    exceed-mss allow
  rserver host sggysnysn1ms013
    ip address 137.55.152.135
    inservice
  rserver host sggysnysn1ms014
    ip address 137.55.152.136
    inservice
  rserver host sggysnysn1ms018
    ip address 137.55.152.145
    inservice
  serverfarm host PLI9058
    probe singapore_01
    probe singapore_02
    rserver sggysnysn1ms013
      inservice
    rserver sggysnysn1ms014
      inservice
    rserver sggysnysn1ms018
      inservice
  sticky ip-netmask 255.255.255.255 address both SG_GROUP_01
    timeout 720
    replicate sticky
    serverfarm PLI9058
  class-map type management match-any HTTPS-ALLOW_CLASS
  class-map match-all L4STICKY-IP_141:ANY_CLASS
    2 match virtual-address 137.55.152.141 any
  class-map type http loadbalance match-any NO_MS018
    50 match source-address 137.55.155.31 255.255.254.0
  class-map type management match-any SSH-ALLOW_CLASS
    2 match protocol ssh source-address 167.81.124.0 255.255.255.192
    3 match protocol ssh source-address 167.81.126.0 255.255.255.192
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
    class class-default
      sticky-serverfarm SG_GROUP_01
      insert-http X-Forwarded-For header-value "%is"
  policy-map multi-match PLI9058-VIPs_POLICY
    class L4STICKY-IP_141:ANY_CLASS
      loadbalance vip inservice
      loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
      loadbalance vip icmp-reply
      connection advanced-options PARAM_L4STICKY-IP
  interface vlan 12
    description Client-side vlan
    bridge-group 1
    no normalization
    mac-sticky enable
    access-group input ALL
    access-group output ALL
    service-policy input PLI9058-VIPs_POLICY
    no shutdown
  interface vlan 14
    ip address 137.55.152.236 255.255.255.248
    peer ip address 137.55.152.237 255.255.255.248
    service-policy input remote_mgmt_allow_policy
    no shutdown
  interface vlan 112
    description Server-side vlan
    bridge-group 1
    no normalization
    access-group input ALL
    access-group output ALL
    nat-pool 1 137.55.152.141 137.55.152.141 netmask 255.255.255.192 pat
    no shutdown
  interface bvi 1
    ip address 137.55.152.189 255.255.255.192
    alias 137.55.152.188 255.255.255.192
    peer ip address 137.55.152.190 255.255.255.192
    description Bridge-Group 1 Virtual Interface
    no shutdown
  ft interface vlan 99
    ip address 192.168.1.1 255.255.255.252
    peer ip address 192.168.1.2 255.255.255.252
    no shutdown
  ft peer 1
    heartbeat interval 100
    heartbeat count 10
    ft-interface vlan 99
  ft group 1
    peer 1
    priority 150
    peer priority 50
    associate-context Admin
    inservice
  ft track host test1
    track-host 137.55.152.234
    peer track-host 137.55.152.235
    peer probe uplink priority 50
    probe uplink priority 50
  ip route 0.0.0.0 0.0.0.0 137.55.152.233

  Hi Earsdale,
  All the three servers are using the same configuration, so, I'm afraid it's not possible to give you a simple answer. You will need more troubleshooting.
  I would recommend you to start by checking the differences between the servers because one of those differences is certainly causing the failure.
  Also, it would be helpful to get traffic captures on the TenGig interface of the ACE to compare the behavior of the connection when going to the different servers, as well as the differences when being load-balanced vs accessing the server directly.
  If you need help with this troubleshooting, you can always open a TAC service request
  Regards
  Daniel

• How can I get ACE demo license in cisco?

  Hi everyone,
  I would like to get ACE demo license..
  minimum 50VC and 16G bandwidth to demo on my customer site.
  But I can't find the demo license in cisco
  Now I use the cisco ACE demo, I can't open service request to get license , due to demo device,
  Thank you

  HI,
  To get the ACE demo licenses, contact your Cisco account representative.
  As per my knowledge there is no link where you can download the demo license. Or the other way is to contact the cisco licensing team providing your device data.
  Regards,
  Inayath.

• UC560 - license counts and end-of-sale for license upgrades?

  One of our customers would like to keep their UC560 system in production for awhile, but we may need to add licenses.
  First, with the UC560 now past end-of-sale, how long will we be able to buy license upgrades?  I could not find any information when I tried searching. It looks like the distributors are still selling L-UC-PRO-8U=.
  Second, how does Cisco count the UC560 licenses?  (I'm sure I knew this when I went through the training courses.)  Here is their current license summary:
  #show platform software license
  License UDI                  : UC560-FXO-K9:...
  Maximum User Licenses        : 40
  Used User Licenses           : 24
  Available User Licenses      : 16
  Base License                 : 24
  CSL Base License             : 16
  Max number of upgrade PAK allowed: 13
  In one post, I read that the license count was based on the number of ephones. Based on this report, it looks like only registered ephones are being counted. It doesn't look like floating extensions or extension mobility user profiles count against the "Used User Licenses" total.  Does that sound right?
  Thanks!  -dpm

  Adobe doesn't care, they don't have to. I like Phsotoshop and have been using it professionally for 20 years, but lets face it, I wouldnt mind some really good competition from another source. It didnt use to be the only game in town, and doesnt have to remain so.
  I could brainstorm how I would want competing software to look like. Pshop is not the easiest workflow possible. Illustrator is clearly deficient to even CorelDraw, and certainly Freehand. I've been meaning to reconnect with CorelDraw. It did some cool things.
  Google Chrome is pulling a lot of manoevers software wise and I hope they try to go a little deeper and give Adobe a run for their money on the one program they feel justifies unbelievable gouging. Go investigate Ableton Live if you want to see what a company that cares about its customers is doing, ADOBE. Audition is a JOKE compared to Ableton Live. Thank God we're not powned on the audio side by these suits.
  The idea that a company would peddle buggy software, which CS4 was..., although some of that was Apple's fault, is bad, the upgrade prices were ridiculous, and this is the end of the road for me currently. The idea that a company would actively
  push away customers is pretty incredible. "But I sent you an email!" Whoops, you gotta pay $1900 for production premium CS6! HAHAHAHAHA. Time for a YT video with my old hard copy box. Sounds like a good idea.
  There are too many options on the motion graphics side, and I'll keep a static machine to run Pshop and AE CS4.
  The masters of the universe will have theit way, and the rest must bow to their ambivalent greed. At least that's the way they think. It would seem that Adobe and Apple really, really want some upstarts to come up. Maybe $360 for a year to figure out an exit might work. It will be interesting to see if this hits earnings. VERY interesting.

• Can I download the Acrobat X trial version and purchase my license upgrade?

  I wish to upgrade Acrobat 8 from my dead workstation to Acrobat X on my new workstation (Windows7 OS). I do not have installation CD newer than Acrobat 6. Can I download the Acrobat X trial version and purchase my license upgrade?

  You are welcome to download the trial and enter the serial number for your purchsed version of Adobe Acrobat X.

• Cisco CSS and ACE study guide

  Hi,
  Im ready to kick start Cisco CSS and ACE load balancers. I found that 642-972 DCASD and 642-975 DCASI are the relevant exams for that. But, they are expired now. And, I couldn't even find the old materials for those. Could you please anyone assist me in getting started with this?

  Hi Kanwal,
  Thanks for your reply. BTW, wasn't there any specific study guides for 642-972 DCASD and 642-975 DCASI from Cisco? The reason behind this question is, I want to go step by step starting from how load balancing works, the basics and terminologies of load balancing and its various options and operations etc. I have been working with Network Security and just stepping in to DC operations.

• Cisco ACE Module with Bluecoat Cache Proxy, Transparent and spoofing client IP

  Hello Dears,
  I'm trying to implement Cache loadbalancing through Cisco ACE Module.
  I have 2 Bluecoat cache proxies, when i do configure transparent proxy without spoofing client IP, everything work properly, but when I enable spoofing client IP (reflect client IP address), clients are not able to access internet, although they are going to cache servers, I can see their sessions.
  I'm afraid that I have a problem in the returned traffic PBR.
  can anyone help please.
  Thanks

  Hi Ibrahim
  I ahve reviewed the config. The ACE config is all god but I do see some issue with the switch side. If you are doing ip spoofing, then "match ip address" in pbr should be the client ip address. However, what you did is ip address between the ACE and MSFC. Try to configure the test client ip address into the below access-list.
  msfc---vlan 265---ACE--vlan 264----CE farm
  interface vlan 265
    description Interface_With_MSFC_SUBS_2_INTERNET
    ip address 168.168.1.52 255.255.255.248
    access-group input PERMIT_ALL
    service-policy input L3L4_PM
    no shutdown
  ip route 0.0.0.0 0.0.0.0 168.168.1.50
  ip access-list extended HSDPA_2_CACHE
  permit tcp 168.168.0.0 0.0.255.255 any eq www   <<<-- wrong
  ip access-list extended Internet_2_CACHE
  permit tcp any eq www 168.168.0.0 0.0.255.255   <<<---wrong
  interface Vlan 265
  description Interface_With_ACE
  ip address 168.168.1.50 255.255.255.248
  route-map INTERNET_2_HSDPA permit 10
  description "PBR for Response HTTP Traffic"
  match ip address Internet_2_CACHE
  set ip next-hop 168.168.1.52
  route-map HSDPA_2_INTERNET permit 10
  match ip address HSDPA_2_CACHE
  set ip next-hop 168.168.1.52
  regards
  Andrew

• T3 Oracle´s proprietary tunneling protocol and Cisco ACE

  Does anybody know if it is possible to load balance the T3 Oracle´s proprietary tunneling protocol supported by Oracle Weblogic with Cisco ACE?
  TIA,
  Claudio Uemura

  HI Claudio,
  I don't know much about T3 protocol, in short you can load balance almost anything really, the issue becomes to how granular and if you can do any intelligent inspection besides source and dest ip and if there are multiple different connections on different ports. These last points sort of decide whether it's worth it.
  - If you find the specifics about the connection ( port, type of protocol and type of connection ( long-lived or short lived) you should be able to setup a basic rule to test. A sniffer trace will give you the most information if oracle website does not explain T3 in detail.
  - From a quick search there also looks to be a method to encapsulate T3 inside a http packet on weblogic servers, if this were the case then you could do some deep packet inspection with regex etc to get more granular load balancing
  http://forums.oracle.com/forums/thread.jspa?threadID=706909
  I would think it's defintely worth looking at both options
  cheers,
  Chris

• 2 Cisco WLC 5508 controllers and software upgrade 7.6.130 + FUS 1.9

  Hi
  I have two WLC 5508 controllers that need 7.6.130 and FUS 1.9 installed. (Current version 7.3 and FUS 1.7)
  Configuration: One controller is at Site A and the other controller is at Site B (two different states..)
  They're configured so that if Site A goes down, Site A AP's will failover to Site B and vice versa ..
  - What would be the recommended approach for upgrading the software to 7.6.130.0 (from 7.3) and also upgrading FUS 1.9 (from 1.7)?
  My plan was to download 7.6.130.0 to both controllers and pre-download the software to all AP's (about 100 total between both sites) and then reboot the controllers at night at the same time? Or one before the other? 
  Step 2. Install FUS 1.9 to each controller.
  I'm concerned over what might happen during the upgrade and AP failover etc..
  Thanks

  This is what I would do:
  Upload v7.6.130.0 to all WLCs and then use the pre image download to push the image to all access points. 
  Dont reboot the wlc
  Image swap in the access points so that v7.6.130.0 is primary
  Move all access point to one of the WLCs (A)
  Enable ap AAA authentication on the WLC that has no access points and the one you will work on first.  This prevents access points from joining  
  Reboot the WLC (A)
  Upload the FUS 1.9.0.0
  Reboot WLC (A) this takes up to 45 minutes
  When the WLC (A) comes back online, uncheck ap AAA authentication
  Move access points from WLC (B) to WLC (A)
  Enable ap  AAA authentication on  WLC (B)
  Perform all the other task you did earlier on WLC (A)
  That's it.
  -Scott

• Cisco ace mibs for concurrent connection on real and virtual servers

  i have loaded cisco provided mibs for cisco ace into nms but i am not able to fetch the details from ace appliance 4710.where can i find IODs for this.
  would really appreciate if anyone can help me regarding this

  Hi Manohar,
  you need two MIBs:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Normale Tabelle";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SLB-MIB.my
  ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENHANCED-SLB-MIB.my
  The current connection you will find in the section:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Normale Tabelle";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  slbVServerInfoTableEntry .1.3.6.1.4.1.9.9.161.1.4.2.1
  Example:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Normale Tabelle";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  slbVServerNumberOfConnections  .1.3.6.1.4.1.9.9.161.1.4.2.1.6.1.44
  Use a MIB-Browser to find out the OID for each server.
  Best Regards,
  Achim

• [Cisco FAQ] - Do I load new CODE and LICENSES to the RFGW1?

  I would like to know where I can find the latest code

  All new code and licenses are loaded to the RFGW1 via a FTP server on the same network as the chassis. A laptop can also be used (if plugged direct) and the interface settings are in the same network as the gateway. The laptop must be running a simple FTP server.
  Settings for the FTP server are locatred at the bottom of the page.  Click "show FTP settings".