How to buy Cisco (ACE-UPG2-LIC=) 8Gbit to 16Gbit?

Similar Messages

• How can ftp service on non-standard port be load balanced using Cisco ACE.

  How can ftp service on non-standard port be load balanced using Cisco ACE.For example ftp service required on tcp 2000 port

  Hi Samarjit,
  you can do this by specifying the port number in the class map that you create . Please find the below mentioend config guide where you can specify the tcp/udp port , range or ports or even the wild card to match the port.
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html#wp1318826
  Regards
  Abijith

• How Cisco ACE open connections to rservers?

  Hi
  How Cisco ACE decides that a new connection must be open to an rserver? I observed a spike of connections to 10x normal and want to understand what makes ACE open more connections to the rservers (besides more traffic coming in).
  As a follow up, is there a way I can check if sessions are getting replicated across rservers? I am using 'persistence rebalance' strict along with ‘cookie-insert’ for session stickiness.
  I am on a ACE20-MOD-K9 using system A2 (3.5)
  Regards,
  Manuel

  I do not know the answer to the connection question but I may be able to help on the session question.
  Now, if you are referring to session replciation between two ACE modules?  If so, you can do 'sho sticky database detail' and you will see two lines at the bottom of each entry for
  created-from-HA-peer:        FALSE
  HA-replicated-at-least-once: TRUE
  Now if you wanting to see if sticky sessions are divided evenly between the rservers, I often use
  sh sticky database group | inc | count
  and then run that for both real servers and will show how many sticky entries are on each real server. 

• How can I get ACE demo license in cisco?

  Hi everyone,
  I would like to get ACE demo license..
  minimum 50VC and 16G bandwidth to demo on my customer site.
  But I can't find the demo license in cisco
  Now I use the cisco ACE demo, I can't open service request to get license , due to demo device,
  Thank you

  HI,
  To get the ACE demo licenses, contact your Cisco account representative.
  As per my knowledge there is no link where you can download the demo license. Or the other way is to contact the cisco licensing team providing your device data.
  Regards,
  Inayath.

• How to monitor memory on Cisco ACE Appliance 4710?

  I'm trying to monitor the memory usage in balancers Cisco ACE Appliance 4710 with version A3 (2.2), but the OIDs cpmCPUMemoryUsed (.1.3.6.1.4.1.9.9.109.1.1.1.1.12) and cpmCPUMemoryFree (.1.3.6.1.4.1.9.9. 109.1.1.1.1.13) not work.
  What the right OID to monitor memory usage in balancers Cisco ACE 4710 Appliance?

  HI,
  You need to use  CISCO-ENHANCED-SLB-MIB .
  cpmProcExtMemAllocatedRev .1.3.6.1.4.1.9.9.109.1.2.3.1.1 (this gives the memory allocated to each process)
  You can also read up on the mib
  Hope this helps
  Venky

• How to test a cisco ACE loadbalancer.

  Hello guys, I am new on this site.  I have deployed a Cisco ACE 4710 loadbalancer, and it is loadbalancing 2 real servers. Is there any way or commands I can use to see if it is loadbalancing properly.

  "show serverfarm" will show you the load-balanced connections to each real. Also try "show service-policy <> class-map <> detailed" and check client and server hits counts.
  "show connection" also.

• Urgent!!! Cisco ACE and asymetric routing assistance needed

  I am wondering if someone can give me pointers on the cisco ACE
  and asymetric routes. I've attached the diagram:
  -Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
  -Firewall External interface is 192.168.15.1/24,
  -Firewall Internal interface is 192.168.192.1/24,
  -F5_BigIP External interface is 192.168.192.4/24,
  -F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,
  -host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,
  -Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24
  pointing to the F5_BigIP,
  -host_y is dual-home to both VLAN_A and VLAN_B with the default
  gateway on host_y pointing to VLAN_A which is 192.168.196.1,
  -host_x CAN ssh/telnet/http/https to both of host_y IP addresses
  of 192.168.196.10 and 192.168.197.10.
  In other words, from host_x, when I try to connect to host_y
  via IP address of 192.168.197.10, the traffics will go through VLAN_B
  but the return traffics will go through VLAN_A. Everything
  is working perfectly for me so far.
  Now customer just replaces the F5_BigIP with Cisco ACE. Now,
  I could not get it to work with Asymetric route with Cisco ACE. In
  other words, from host_x, I can no longer ssh or telnet to host_y
  via IP address of 192.168.197.10.
  Anyone knows how to get asymetric route to work on Cisco ACE?
  Thanks in advance.

  That won't work because ACE uses the vlan id to distinguish between flows.
  So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
  Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
  You would need to force your host to respond on the same vlan the traffic came in.
  This could be done with client nat on ACE using different nat pool.
  Gilles.

• How to buy license? for AIP-SSM-10 ?

  Hi all
  how to buy license? for AIP-SSM-10 ?
  1. CON-SU1-AS1A1PK9 this is Cisco SMARTnet Support for AIP-SSM-10
  2. do I need smartnet for ASA ?
  3. what is part number of license ?
  ASA5510test# session 1
  Opening command session with slot 1.
  Connected to slot 1. Escape character sequence is 'CTRL-^X'.
  login: cisco
  Password:
  ***NOTICE***
  This product contains cryptographic features and is subject to United States
  and local country laws governing import, export, transfer and use. Delivery
  of Cisco cryptographic products does not imply third-party authority to import,
  export, distribute or use encryption. Importers, exporters, distributors and
  users are responsible for compliance with U.S. and local country laws. By using
  this product you agree to comply with applicable laws and regulations. If you
  are unable to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  ***LICENSE NOTICE***
  There is no license key installed on the SSM-IPS10.
  The system will continue to operate with the currently installed
  signature set.  A valid license must be obtained in order to apply
  signature updates.  Please go to http://www.cisco.com/go/license
  to obtain a new license or install a license.
  sensor#
  sensor# sh ver
  Application Partition:
  Cisco Intrusion Prevention System, Version 6.0(6)E3
  Host:
      Realm Keys          key1.0
  Signature Definition:
      Signature Update    S399.0                   2009-05-06
      Virus Update        V1.4                     2007-03-02
  OS Version:             2.4.30-IDS-smp-bigphys
  Platform:               ASA-SSM-10
  Serial Number:          ........
  No license present
  Sensor up-time is 21 min.
  Using 655507456 out of 1032499200 bytes of available memory (63% usage)
  application-data is using 39.7M out of 166.8M bytes of available disk space (25%
  usage)
  boot is using 37.6M out of 68.6M bytes of available disk space (58% usage)
  MainApp          N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  AnalysisEngine   N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500   Running
  CLI              N-NUBRA_2009_JUL_15_01_10_6_0_5_57   (Ipsbuild)   2009-07-15T01
  :15:08-0500
  Upgrade History:
    IPS-K9-6.0-6-E3   17:48:06 UTC Wed Jul 15 2009
  Recovery Partition Version 1.1 - 6.0(6)E3
  sensor#

  Hi,
  CON-SU1-AS2A10K9 contract if for ASA+IPS bundle. If AIP-SSM-10 ws purchased as a spare the contract would be CON-SU1-ASIP10K9.
  I am not sure whether or not this Cisco Service for IPS contract can be  used to cover just the AIP-SSM-10 if it was purchased as part of a  Bundle instead of a Spare.
  I would recommend that you check with your Cisco reseller or Cisco  Sales Representative.
  Sourav

• Monitoring the Cisco ACE module with SNMP

  We use 2 redundant Cisco ACE loadbalancer in our datacenter
  The models are ACE20-MOD-K9 with software A2(2.0)
  Does anybod know how to monitor the environment (cpu, memory) of such a module with snmp?
  We were not able to find an applicable MIB for that module.
  The CISCO-PROCESS-MIB.oid (ftp://ftp.cisco.com/pub/mibs/oid/CISCO-PROCESS-MIB.oid) seems not to reflect the correct oid's.
  What are the correct oid's for cpu and memory?
  Where can I find a detailed documentation for snmp-monitoring the cisco ace module?
  thanks

  Hi Patrik,
  to monitor the ACE I use these two MIB's:
  ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SLB-MIB.my
  ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENHANCED-SLB-MIB.my
  Example for CPU:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Normale Tabelle";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  cpmCPUTotalEntry 1.3.6.1.4.1.9.9.109.1.1.1.1
  The resource usage and other interesting things you will find with a MIB browser.
  Achim

• Cisco ACE compatiblity with F5 GTM

  Hi,
  We have cisco ace 30 modules installed in cisco 6500 switches. For application availability purpose from the internet, we need to have some global site selector/3rd party devices with similar feature set that of cisco gss.
  My question is: whether cisco ace is compatible to ge tintegrated with other 3rd party devices like F5 GTM?
  kindly sugegst..

  Good afternoon,
  I'm not familiar with the GTM solution, but, as long as it's DNS-based like the GSS, it should be perfectly compatible. Bear in mind that the ACE is not aware on how clients are getting the IP address, it just replies to whatever connections it gets.
  Regards
  Daniel

• Cisco Ace parser.

  Is there anyone who has an custom parser for Cisco ACE ?.
  Can't understand why it isn't included by default as supported device in Cisco MARS.

  Hi.
  I'm trying to make an custom parser for ACE logs.
  And it works fine except denied icmp traffic, The problem is the event-id is the same in ACE (%ACE-4-106023).
  The parser check for protocol type and src ip,src port and so on. Icmp however is logged without src port (pretty obvius) but the parser breaks if it dosn't get an src port.
  %ACE-4-106023: Deny icmp src  vlanx:x.x.x.x dst undetermined:y.y.y.y (type 11, code 0) by access-group "access-list" [0x20c017d8, 0x0]
  %ACE-4-106023: Deny udp src vlanx:x.x.x.x/6155 dst undetermined:y.y.y.y/6155 by access-group "access-list" [0xffffffff, 0x0]
  So what i am missing in my parser is an "IF proto=ICMP don't match src&dst ports".
  Any ideas how i can make this work.

• Cisco ACE SSL termination

  Hello Friends,
  Need ur help on cisco ACE SSL termination.
  If i import the certificate and key (.PEM), where this files will be saved ?
  can we able to download the .PEM file any time as we need(back-up)?
  suppose if my .PEM is got hacked, hacker is sniffing the data packet which going through the web server, can it be possiable to deencrypt the packet and see the exact packet ?
  Regards,
  Naren

  Naren,
  1. In order to import certs and keys, please see the following link to the command reference.  To summarize, any time you import/export/delete keys/certs, you are doing so via commands in exec mode.  Regarding how and where the ACE actually saves this information, I do not know this answer.
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/execmds.html#wp1616651
  2. You can import a key as non-exportable if you do not want it to be able to be exported. If you import it as exportable, you can always export it later for backups or what not.
  3. You can decrypt captured HTTPS traffic if you have the private key.  It is important to limit access to it.  Please see this link for more info on using Wireshark to view decrypted HTTPS traffic: http://wiki.wireshark.org/SSL
  Hope this helps!
  Regards,
  Matt

• Cisco ACE & MARS

  Can Cisco ACE be added to CSMARS.
  MARS version is 5.3.2

  If a device not supported by MARS can send syslog in clear text format, then it can be parsed by MARS using a custom parser.
  The customer parser allows you to define new devices and applications in order that they can report to MARS.
  The reason why you need the syslog servers to work with MARS is that the more devices you can have reporting to MARS the greater the accuracy of the analysis it provides.
  In a nutshell this is how MARS works (with a tip of the cap to Dale Tesch):
  The logging data from devices is used in parallel by MARS with the information gleaned from querying network device routing tables, configurations, ARP tables, CAM tables, system probes, and other processes to determine the topology of the network and the location of devices.
  After log data is collected and the alert information is analyzed, it is cross-referenced with this topology information to determine its validity and to calculate attack paths.
  MARS was built to enhance the common data provided by syslog and SNMP. Once the data from multiple devies is summarized it can be used both as an early warning alert system and as a forensics tool to analyze successful attacks.
  Hope this helps.
  Paul

• Cisco ACE Appliance Redundant configuration

  How cisco ACE appliance changes its Ip address and MAC address after failover???

  Hi Birendra,
  Could you please elaborate more on your question?
  FT mac's depend upon FT group that you have configured and they remain same. They will not change after failover.
  Here's a document at the link which explains in details about different MAC addresses in ACE:
  https://supportforums.cisco.com/docs/DOC-8723
  Let me know if you have any questions.
  Regards,
  Kanwal

• ACE: which features are enabled by - ACE-SEC-LIC-K9

  Our latest ACE Pair is missing the  ACE-SEC-LIC-K9 license.
  Inquiry at our Distributor and Cisco resulted in the fact that this license is EOL/EOS.
  http://www.cisco.com/en/US/prod/collateral/modules/ps2706/end_of_life_notice_c51-480367.html
  Since i have that license installed in 4 other Datacenter Pairs running A2(1.3)i am not sure which feature will be missing now.
  Or is that license a relict which actually does not activate any feature?
  Anyone a clue or a doc which explains the features behind this license?
  Thanks for reading
  Roble

  Hi,
  Kindly refer the URL:
  http://www.cisco.com/en/US/prod/collateral/modules/ps2706/end_of_life_notice_c51-480367.html
  Customers of the Cisco ACE Application Control Engine are encouraged to migrate to Software Version ACE A2(1)
  Sachinga