Configuring ACE Module for Redundancy

Hi Sir,
I'm configuring fault tolerance between two ACE modules installed on two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
Do I need to configure 4 "ft group", i.e. one context per group? E.g. config:
ft group 1
  peer 1
  priority 110
  peer priority 105
  associate-context Admin
  inservice
ft group 2
  peer 1
  priority 110
  peer priority 105
  associate-context ace-context1
  inservice
ft group 3
  peer 1
  priority 105
  peer priority 110
  associate-context ace-context2
  inservice
ft group 4
  peer 1
  priority 105
  peer priority 110
  associate-context ace-context3
  inservice
Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client-side?
Thank you.
B.Rgds,
Lim TS

Hi Gilles,
I have configured FT for all user contexts as well as for the admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
I noticed a few things:
(1) After the initial FT config, subsequent FT groups just need to be configured on the active Admin context and it will be replicated to the standby ACE, with the priority correctly reversed.
(2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
(3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
One issue I encountered in one of the user contexts is as follows:
ace1/ace-context-1# sh run int
Generating configuration....
interface vlan 950
  description *** Client-Facing VLAN ***
  ip address 10.1.35.5 255.255.255.0
  alias 10.1.35.4 255.255.255.0
  peer ip address 10.1.35.6 255.255.255.0
  access-group input ACL_VL950_IN
  service-policy input REMOTE_MGMT
  service-policy input MY_LB
  no shutdown
interface vlan 951
  description *** Connection to Real Servers ***
  ip address 10.1.36.2 255.255.255.0
  alias 10.1.36.1 255.255.255.0
  peer ip address 10.1.36.3 255.255.255.0
  access-group input ACL_VL951_IN
  service-policy input NAT_REAL
  no shutdown
This is the active context. It can ping to 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client-side). It can ping alias 10.1.36.1 over VLAN 951 (server-side) but can't ping to peer 10.1.36.3. The ACL_VL951_IN permits ip any any. Do you know why?
Secondly, I can remotely ping to alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
Please advise.
Thank you.
B.Rgds,
Lim TS
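
The points made in this thread (one FT group per context, "ft interface vlan" and "ft peer" defined before any group, priorities deciding which module is preferred as active) can be checked against a saved configuration. The Python script below is an added example, not part of the original posts and not Cisco tooling; the function names, finding messages and sample config are constructed for illustration, and it assumes sub-commands are indented under their stanza header.

```python
import re

# Constructed sample (stanzas from this page); group 3 lacks "inservice".
SAMPLE = """\
ft interface vlan 20
  ip address 172.16.20.1 255.255.255.252
ft peer 1
  ft-interface vlan 20
ft group 1
  peer 1
  priority 110
  peer priority 105
  associate-context Admin
  inservice
ft group 3
  peer 1
  priority 105
  peer priority 110
  associate-context ace-context2
"""

def parse_stanzas(text):
    """Split a config into [header, [indented sub-commands]] pairs."""
    stanzas = []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace() and stanzas:
            stanzas[-1][1].append(line.strip())
        else:
            stanzas.append([line.strip(), []])
    return stanzas

def preference(opts):
    """Module a group prefers as active: the higher priority wins."""
    local, peer = opts.get("priority"), opts.get("peer priority")
    if local is None or peer is None:
        return "unset"  # device defaults apply; not modelled here
    local, peer = int(local), int(peer)
    return "local" if local > peer else "peer" if peer > local else "tie"

def audit_ft(text, contexts):
    """Return (findings, preferred); preferred maps context -> preference()."""
    findings, preferred, peers, ft_vlan = [], {}, set(), False
    for header, body in parse_stanzas(text):
        if header.startswith("ft interface vlan "):
            ft_vlan = True
        elif m := re.fullmatch(r"ft peer (\d+)", header):
            peers.add(m.group(1))
        elif m := re.fullmatch(r"ft group (\d+)", header):
            # "peer priority 105" -> {"peer priority": "105"}; bare keywords map to themselves
            opts = {(k or v): v for k, _, v in (c.rpartition(" ") for c in body)}
            gid, ctx = m.group(1), opts.get("associate-context")
            if not ft_vlan or opts.get("peer") not in peers:
                findings.append(f"group {gid}: ft interface/ft peer not defined first")
            if "inservice" not in opts:
                findings.append(f"group {gid}: not in service")
            if ctx is None or ctx in preferred:
                findings.append(f"group {gid}: context missing or already in a group")
            else:
                preferred[ctx] = preference(opts)
    findings += [f"context {c}: no ft group" for c in contexts if c not in preferred]
    return findings, preferred

if __name__ == "__main__":
    print(audit_ft(SAMPLE, ["Admin", "ace-context1", "ace-context2", "ace-context3"]))
```

Run against the Admin context's configuration on the active module, the `preferred` map shows how contexts are split between the two modules, and the findings list names any context that would not fail over.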

Similar Messages

  • Configuring ACE 4710 for Load Balancing Speech servers

    Hello, I'm configuring ACE 4710's for the first time and I want to load balance my Nuance speech servers on port 554. Here's my configuration on ACE01:
    hostname ace471001
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    rserver host nss01
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 10.20.17.21 255.255.248.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    How would I configure my speech server to listen on 554?
    Thanks in advance

    Hello Reginald
    Currently you have only basic network configuration; there is no load-balancing config.
    I'm not sure what exactly you're asking about, but basically you need to have
    - real servers configured on ACE (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp999495)
    - serverfarm configured on ACE (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1014522)
    - L7 policy map (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1171109, http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027248)
    - L4 policy map, class-map (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027819)
    And then apply it on the necessary interface.
    This is a general configuration; in your specific case you may need to configure some additional features (e.g. I think you will need to have stickiness enabled, http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html, but it depends on your application).
    The links are for old config guides, but the basics are pretty much the same for all versions.
    Please check them and try to narrow down your question a bit.

  • How to configure login modules for certificate logon

    Hello,
    perhaps someone of you has also tried to implement SSO via Client Certificates and is able to help me...
    I have configured the login modules for rule based authentication with the option Rule1.getUserFrom = wholeCert and I have attached my certificate to my user in useradmin.
    And also added the login module to the template ticket, as suggested by the documentation at help.sap.com
    But when I logon to the portal or other application (for example useradmin) via https the authentication doesn't work (but I'm still able to logon via password).
    I also tried auto. certificate mapping and mapping by subject name, but in every case the system ignores the configured login module. There are no errors in the log files.
    Thank You,
    Frank

    Hi Frank,
    did you configure the SSO for an individual policy configuration or did you edit and save the changes to the ticket policy config? I ask because if you applied the changes to the individual policy config, then the SSO with certificates will be used only when you access the applications for that policy config.
    You can also double check the login module flags - perhaps the authentication check doesn't reach the ClientCertLM at all.
    Since you followed the help portal instruction I assume you've enabled strong crypto - it is required for client cert SSO. Another easily committed mistake is to not use the HTTPS port in the access URL.
    Let me know if this helps...
    Yonko

  • Ping from standby ACE module

    Hi,
    Is ping to another host from the standby ACE module restricted?

    Ok. It is resolved.
    I did not configure the BVI for redundant module via peer ip address command on the active module.

  • How to Virtual IP configuration in ACE module?

    Hi,
    I am in the process of configuring load balancing on ACE module but struggling to configure virtual IP address for ACE module.
    I'm working on ACE30 module and using software version A5 (1.2). ACE module is in slot of Catalyst 6504 switch.
    Can anybody please post the steps/commands to perform this activity? An early response would be appreciated.
    Regards,
    Rachit.

    Hi Rachit,
    Here is a basic configuration example:
    access-list Allow_Access line 10 extended permit ip any any
    rserver host test
      ip address 10.198.16.98
      inservice
    rserver host test2
      ip address 10.198.16.93
      inservice
    serverfarm host test
      rserver test 80
        inservice
      rserver test2 80
        inservice
    sticky http-cookie test group2
      cookie insert
      serverfarm test
    class-map match-all VIP
      2 match virtual-address 10.198.16.122 tcp eq www
    policy-map type loadbalance first-match test
      class class-default
        sticky-serverfarm group1
    policy-map multi-match clients
      class VIP
        loadbalance vip inservice
        loadbalance policy test
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 112
    interface vlan 112
      ip address 10.198.16.91 255.255.255.192
      access-group input Allow_Access
      nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
      service-policy input NSS_MGMT
      service-policy input clients
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.198.16.65
    Here is the configuration guide:
    http://tools.cisco.com/squish/101AD
    Cesar R

  • Configuring FT on ACE Modules

    Hi,
    I am trying to configure FT on ACE modules, with the following commands
    ft interface vlan 20
      ip address 172.16.20.1 255.255.255.252
      peer ip address 172.16.20.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 20
    ft group 1
      peer 1
      priority 150
      associate-context Admin
      inservice
    The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft', how do I resolve this ? Do I need to enable something ?

    I have the following config, which seems to be working fine for me... check that your vlan20 interface is up
    ft interface vlan 212
      ip address 172.31.1.221 255.255.255.252
      peer ip address 172.31.1.222 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 20
      ft-interface vlan 212
    ft group 2
      peer 1
      priority 50
      peer priority 150
      associate-context Admin
      inservice
    HQ-ACE1/Admin# sh int
    vlan212 is up, administratively up
      Hardware type is VLAN
      MAC address is 00:23:5e:25:72:f1
      Mode : routed
      IP address is 172.31.1.221 netmask is 255.255.255.252
      FT status is standby
      Description:not set
      MTU: 1500 bytes
      Last cleared: never
      Last Changed: Tue Sep  6 12:46:06 2011
      No of transitions: 1
      Alias IP address not set
      Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
      Assigned from the Supervisor, up on Supervisor
         8654909 unicast packets input, 735611030 bytes
         1151150 multicast, 161 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         13020418 unicast packets output, 1672055521 bytes
         0 multicast, 163 broadcast
         0 output errors, 0 ignored

  • Inventory collection fails for ACE module (RME 4.3.1)

    I am trying to collect the inventory and ultimately the configurations for my ACE modules. When I try to do an inventory collection I get the error
    Device sensed, but collection failed
    Anybody have any ideas?
    Chris

    Post your IC_Server.log.

  • SSL initiation for SMPP on ACE module

    Hi Community,
    We have a new requirement to enable a connection to a server with the SMPP protocol wrapped inside an SSL channel for transport over the internet. Can anyone suggest whether the ACE module supports SSL initiation to secure standard SMPP (3.4) servers?
    Kind regards

    Hi,
    ACE does support SSL initiation. Please visit the link below for details. ACE also supports SSL termination and End-to-End SSL.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/ssl/guide/initiate.html
    Regards,
    Kanwal

  • ACS support for ACE Module

    Does ACS for Windows 3.3 support AAA for the ACE module?

    I don't think that is correct. I am still having issues with ACE and ACS. See below:
    ACE version Software
    loader: Version 0.95
    system: Version A1(7b) [build 3.0(0)A1(7b)
    Cisco ACS version 4.0.1
    I am trying to authenticate admin users with AAA authentication for ACE management.
    This is what I've done:
    ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
    warning: numeric key will not be encrypted
    ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
    ACE-lab/Admin(config-tacacs+)# server ?
    TACACS+ server name
    ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
    can not find the TACACS+ server
    specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
    ACE-lab/Admin(config-tacacs+)#

  • Question in regard to management VLAN for each Context in ACE module

    Dear Pros,
    I know this will be a simple question to answer, and I have searched the forum, but I am not able to find the answer I need.
    1) Does the ACE module require a Management IP address for each Context? Should the same VLAN be applied to each context, with a larger subnet to supply host addresses?
    2) If it does require that, what IP address should I use for the default route in each context?
    I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
    Each ACE module will have 3 separate Contexts, for a total of 4 including the Admin.
    Any suggestions, or if you can point me to a location, will as always be greatly appreciated.
    Thanks and best regards.
    Raman Azizian

    Hi,
    you have several options to choose from.
    1. Use Admin context for management
    You can use the Admin context for management. Give it an IP address in your management VLAN, a default route to the upstream router, and log in and change to contexts from there.
    + Easy and straightforward
    - snmp and syslog are using the IP from each individual context and not the management IP
    2. Use a large subnet and assign an IP address in each context for management.
    You can configure 1 management VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
    + each context has its own management address
    - static routes need to be added
    3. Use your client-side IP address (or BVI) as management address.
    Your management traffic will be inline and use the same path as your data. The default route is already configured and also valid for the management.
    + no static routes needed
    - inline management
    Personally, I choose option 1. That is, if the people that need to manage the ACE are the same team.
    If other teams (server team for context 1, other server team for context 2) need to manage the ACE, then I would choose option 3.
    HTH,
    Dario

  • Can ACE module and 4710 appliance work redundant together

    Hi.
    I am setting up a testlab for ACE loadbalancing and need to test functionality on both the ACE module and the 4710 appliance.
    Can one of each of these two be set up redundant together with full functionality? Or do I have to test redundancy for 2x ACE modules and 2x 4710 appliances separately?
    Thanks in advance for any help!

    It won't work.
    The code checks if the devices are the same during the HA negotiation.
    If you do a 'show ft peer detail' you should see at the end :
    SRG Compatibility            : WARM_COMPATIBLE
    License Compatibility        : INCOMPATIBLE
    These 2 entries indicate whether the boxes are compatible to run HA between each other.
    The version is checked and the license.
    Both would be different between an ACE module and ACE appliance.
    Gilles

  • [UDP fast age support for ACE Module]

    Hello,
    I'm testing 2 ACE modules running A3.0.0 for DNS load balancing (UDP). We're testing this by using a DNS query generator that (always) seems to use the same UDP source port when originating these queries. At the moment, the ACE module is hardly doing any load-balancing.
    It looks to me like, because of this, the ACE believes it's the same session (connection) and doesn't really load-balance, so I started looking for a solution and found the fast-age udp feature. But it seems this is not supported on my ACE modules. Can anyone offer another solution and/or look at my config and see if there is another way to achieve load balancing in a testing environment when using a tool like the one I described?
    (I put it that way because I believe in real life, since queries come from different IP addresses and randomized UDP ports, the ACE module will be just fine.)
    Thanks in advance!
    c.

    Hi Carlos,
    Correct. The 3.0(0) is really misleading. You need to start with the "A" - so you really have 1.6.3a installed.
    The "show version" for V2 is slightly better -
    system: Version A2(1.2) [build 3.0(0)A2(1.2)
    Cathy

  • ACE module support for IPv6 ?

    What is the latest on IPv6 support for the ACE module? I saw something saying 2HCY10, but that's where we are now. Any documentation pointers to current compatibility and/or roadmap are greatly appreciated.
    thanks
    Bob O.

    As mklemovitch described in the following thread, IPv6 will be supported on the ACE30 module but not in the initial release.
    There is no plan for the ACE20 module.
    https://supportforums.cisco.com/message/3192517#3192517
    I'm not sure, but maybe around Q3 CY11 or later.
    I cannot see the documentation regarding this feature on CCO.
    I would suggest contacting your account team for details.
    Regards,
    Yuji

  • Have any one configure transparent caching on ACE module

    How to configure transparent caching on ACE module? Please kindly give me an example configuration. Thank you very much.

    Here is a basic config.
    The module will intercept traffic coming in on vlan 20 and loadbalance it doing a url hashing to caches in vlan 30.
    The mode is transparent so the destination ip address is preserved.
    serverfarm host CACHES
      transparent
      predictor hash url
      rserver linux1
        inservice
      rserver linux1-24
        inservice
    class-map match-all VIP-TCP80
      2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
    policy-map type loadbalance first-match SF-CACHES
      class class-default
        serverfarm CACHES
    policy-map multi-match SLB-CACHES
      class VIP-TCP80
        loadbalance vip inservice
        loadbalance policy SF-CACHES
    interface vlan 20
      ip address 192.168.20.123 255.255.255.0
      peer ip address 192.168.20.121 255.255.255.0
      access-group input PERMIT-ANY
      service-policy input ALLOW-ALL
      service-policy input SLB-CACHES
      no shutdown

  • How to configure Login Modules Stack for Kerberos/LDAP

    Hello colleagues,
    currently we are working on UME configuration for the following use case.
    A clustered portal instance NW2004s running on AIX should be able to authenticate two groups of users.
    The first one is described by an LDAP Data Source (Sun Directory Server) and uses some artificial unique userID. Based on this userID, the SSO Ticket is created to get access to the backend R/3 system. The LDAP schema has a "userdomain" attribute in it.
    The new group uses ADS. These users are happy using it, because they have Windows-based authentication and are not forced to type any credentials during login.
    There are plenty of blogs describing how to connect ADS (even as a second DataSource) to UME.
    There are two unsolved problems:
    1. ADS account attributes do not have the userID needed to get an SSO Ticket
    2. The LDAP DataSource has no ADS password and cannot be used for Kerberos authentication.
    What could be a solution for this case? I am sure we need an extra login module which enriches the Subject (the user, who is already authenticated by the SPNego module) with the userID, selected from the LDAP DataSource based on user attributes.
    Is there any other solution? Maybe I can mix some attributes in a DataSource configuration file?
    Best regards
    Sergej Naimark

