Integrate Cisco ACE into AAA TACACS+

Dear Community!
I would like to configure the Cisco ACE 4710 CLI and WebAdmin to use the ACS v4.2 TACACS+ authentication and accounting feature. After finding a Cisco document which describes the ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I have set up all configuration parameters mentioned in this document, and everything seems to be OK.
But...
I have a TACACS+ group named "Network Administrators", which has the privilege level 15 option enabled, so admins do not have to type the enable password when authenticating. After setting up ACE AAA, the privilege level 15 option stops working when logging in to Cisco routers: after authentication, the user remains in privilege level 1.
Logging in to Cisco switches seems to be OK, stepping immediately to level 15 as usual.
I tried upgrading IOS in a router, but no luck...
Does anybody have any experience with this "bug"?
Thanks in advance!
Regards,
Belabacsi
@ Budapest, Hungary

Hello Bela
In ACE, in every context (including Admin and the others) you should have the following lines:
tacacs-server host x.x.x.x key 7 "xxx"
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ MYTACACS
  server x.x.x.x
  server x.x.x.x
aaa authentication login default group MYTACACS local
aaa authentication login console group MYTACACS local
aaa accounting default group x.x.x.x
On the ACS side, for the group named "Network Administrators" you should configure in the TACACS+ settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
          shell:Admin*Admin default-domain
    if you have an additional context, add the next line:
          shell:mycontext*Admin default-domain
After logging in to the ACE and issuing the sh users command you should see the following:
User      Context   Line    Login Time    (Location)   Role    Domain(s)
*adm-x    Admin     pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
Regards,
Stas

Similar Messages

  • ACE - Setup AAA TACACS+ using CS Unix ACS

    Hi,
    I have set up AAA TACACS+ on the ACE Admin context with RSA token. This is similar to the AAA IOS setup.
    I can log in but it does not allow me to do any commands.
    "show users", under Domain, says I am logged in as "Network-Monitor default-domain".
    Any ideas how to get around this and make myself part of the Admin group?
    Also, is there any doco on setting up AAA on the ACE module using Cisco Secure For Unix ACS?
    Thanks
    Sanjay

    Hi,
    It did work as you suggested. I had to move the user into [Root] as we have other Shell attributes in different groups.
    Oct 16 15:18:29 c1 CiscoSecure: [ID 428912 local0.debug] DEBUG -
    Oct 16 15:18:29 c1 user = test2 {
    Oct 16 15:18:29 c1 service = shell {
    Oct 16 15:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
    Oct 16 13:18:29 c1 }
    Oct 16 13:18:29 c1 service = exec {
    Oct 16 13:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
    ACE-Admin/Admin# sh users
    User Context Line Login Time (Location) Role Domain(s)
    admin Admin pts/0 Oct 17 13:43 (127.0.0.71) Admin default-domain
    *test2 Admin pts/1 Oct 17 14:07 (a.b.c.d) Admin default-domain
    When I moved the user into the support group with existing shell access configured, it dumps me in network monitor mode. Maybe due to TACACS attribute inheritance. I did not want to stuff up existing support users.
    So I guess my option is to use RADIUS as the login method.
    I am trying to get it going but the CS ACS Unix does not like:
    cisco-avpair = "shell:Admin=Admin default-domain;
    Oct 16 15:18:29 c1 radius = ACE_Admin_Pri {
    Oct 16 15:18:29 c1 check_items = {
    Oct 16 15:18:29 c1 200 = 1
    Oct 16 15:18:29 c1 }
    Oct 16 15:18:29 c1 reply_attributes = {
    Oct 16 15:18:29 c1 26 = "cisco-avpair=shell:Admin=Admin default-domain; "
    Oct 16 15:18:29 c1 6 = 6
    Oct 16 15:18:29 c1 }
    Oct 16 15:18:29 c1 }
    Now I get:
    [ID 901471 local0.warning] WARNING - RADIUS: Invalid attribute (1) in profile
    Oct 17 15:49:41 c1 CiscoSecure: [ID 347837 local0.warning] WARNING - RADIUS: Authenticate: from (10.17.1.4) -
    test2 failed
    It would be good to see if anyone else has tried this.
    sanjay

  • ACE and AAA (TACACS+)

    Hi there,
    I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works fine... But now I can't log in to my switches :-( I get the message "authorization failed". Here is the AAA debug from the switch:
    Jul 12 13:41:38.433 UTC: AAA: parse name=tty2 idb type=-1 tty=-1
    Jul 12 13:41:38.441 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    Jul 12 13:41:38.441 UTC: AAA/MEMORY: create_user (0x16E1F28) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='*******' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port='tty2' list='' service=EXEC
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user='*******'
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV service=shell
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd*
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found list "default"
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Method=tacacs+ (tacacs+)
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): user=*******
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV service=shell
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV cmd*
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR (945064986): Post authorization status = PASS_ADD
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED
    Jul 12 13:41:46.804 UTC: AAA/MEMORY: free_user (0x16E1F28) user='*******' ruser='NULL' port='tty2' rem_addr='*******' authen_type=AS
    Any idea what's wrong?
    Best regards Dirk

    Hi Prem,
    Thanks a lot, it's working now...
    FYI, I need this attribute for the USER<>ROLE role mapping in the ACE.
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045
    Can you give me a link where I can find the information you gave me?
    Best regards
    Dirk

  • ACE and AAA (TACACS) part 2


    Hi,
    I've got the following info from a user here in the forum:
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045
    [quote]
    The user profile attribute serves an important configuration function for a TACACS+ server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, the default role (Network-Monitor) and default domain (default-domain) will be assigned to the user provided the authentication is successful.
    [quote end]
    This is how I configured the ACS...
    Be careful with the attribute... because if you set it the way the documentation describes, you will not be authorized on other devices using TACACS+.
    You have to set the attribute in this way:
    shell:* works for both switches and the ACE
    shell:= works only for the ACE
    Then the attribute is marked as optional and only the ACE cares about it.
    Regards Dirk
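To make the two behaviours argued over in this thread concrete, here is an added example (not Cisco code and not from any poster) that models how the AV pairs in a TACACS+ authorization reply are read by an IOS switch, which fails EXEC authorization on an unknown mandatory AV as in Dirk's debug, and by the ACE, which takes role and domains from the shell:<context> attribute and falls back to Network-Monitor/default-domain as the quoted guide states, which is what Stas's shell:Admin*Admin default-domain line relies on. The set of attributes the IOS side "knows", the fallback to default-domain when no domain follows the role, and the debug excerpt are assumptions constructed for the example.

```python
"""Model of how a TACACS+ authorization reply's attribute-value (AV) pairs are
consumed by two clients: an IOS switch doing EXEC authorization and an ACE
picking its role/domain from the shell:<context> attribute.

Constructed for this thread; not Cisco code. The IOS-known attribute set, the
domain fallback and the sample debug lines are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# TACACS+ AV syntax: 'attr=value' is mandatory, 'attr*value' is optional.
AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$")
UNKNOWN_MANDATORY_RE = re.compile(r"received unknown mandatory AV: (\S+)")

# Shell attributes an IOS-style client understands (constructed subset).
IOS_KNOWN_SHELL_ATTRS = {"priv-lvl", "autocmd", "idletime", "timeout", "acl"}


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AVPair:
    """Split one reply AV pair at its first '=' or '*' separator."""
    m = AV_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a TACACS+ AV pair: {raw!r}")
    return AVPair(attr=m.group(1), value=m.group(3), mandatory=(m.group(2) == "="))


def ios_exec_authorization(pairs: List[AVPair]) -> Tuple[str, int]:
    """EXEC authorization as seen in the switch debug: priv-lvl is honoured,
    an unknown mandatory AV fails the whole authorization, an unknown optional
    AV is skipped. Returns (status, resulting privilege level)."""
    priv = 1
    for p in pairs:
        if p.attr == "priv-lvl":
            priv = int(p.value)
        elif p.attr not in IOS_KNOWN_SHELL_ATTRS and p.mandatory:
            return "FAIL", 1  # the 'received unknown mandatory AV' case
    return "PASS", priv


def ace_role_and_domains(pairs: List[AVPair], context: str) -> Tuple[str, List[str]]:
    """Role/domain selection as described in the quoted ACE guide: use the
    shell:<context> attribute matching the login context ('<role> <domain> ...');
    otherwise fall back to Network-Monitor / default-domain. The ACE does not
    care whether the pair was sent as mandatory or optional."""
    for p in pairs:
        if p.attr == f"shell:{context}":
            words = p.value.split()
            if words:
                return words[0], words[1:] or ["default-domain"]  # assumed fallback
    return "Network-Monitor", ["default-domain"]


def find_unknown_mandatory(debug_lines: List[str]) -> List[str]:
    """Pull the rejected AV pairs out of 'debug aaa authorization' output."""
    hits = []
    for line in debug_lines:
        m = UNKNOWN_MANDATORY_RE.search(line)
        if m:
            hits.append(m.group(1))
    return hits


# The two ACS profiles discussed in the thread, as the reply AV pairs they produce.
DOC_STYLE_PROFILE = ["priv-lvl=15", "shell:Admin=Admin"]                # mandatory '='
OPTIONAL_PROFILE = ["priv-lvl=15", "shell:Admin*Admin default-domain"]  # optional '*'

# Constructed debug excerpt shaped like the one posted above.
SAMPLE_DEBUG = [
    "Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15",
    "Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin",
    "Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin",
    "Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED",
]


def evaluate_profile(raw_pairs: List[str], ace_context: str = "Admin") -> dict:
    """Show what each client makes of one ACS profile."""
    pairs = [parse_av_pair(r) for r in raw_pairs]
    status, priv = ios_exec_authorization(pairs)
    role, domains = ace_role_and_domains(pairs, ace_context)
    return {"ios": status, "priv": priv, "ace_role": role, "ace_domains": domains}


if __name__ == "__main__":
    for name, prof in (("doc-style '='", DOC_STYLE_PROFILE), ("optional '*'", OPTIONAL_PROFILE)):
        print(f"{name:14} -> {evaluate_profile(prof)}")
    print("switch rejected:", find_unknown_mandatory(SAMPLE_DEBUG))
    # A login to a context with no shell:<context> attribute of its own gets the defaults.
    print("other context ->", evaluate_profile(OPTIONAL_PROFILE, ace_context="mycontext"))
```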

  • Cisco ace mibs for concurrent connection on real and virtual servers

    I have loaded the Cisco-provided MIBs for Cisco ACE into the NMS but I am not able to fetch the details from the ACE appliance 4710. Where can I find OIDs for this?
    I would really appreciate it if anyone can help me regarding this.

    Hi Manohar,
    you need two MIBs:
    ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SLB-MIB.my
    ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENHANCED-SLB-MIB.my
    You will find the current connections in the section:
    slbVServerInfoTableEntry .1.3.6.1.4.1.9.9.161.1.4.2.1
    Example:
    slbVServerNumberOfConnections  .1.3.6.1.4.1.9.9.161.1.4.2.1.6.1.44
    Use a MIB-Browser to find out the OID for each server.
    Best Regards,
    Achim

  • TACACS and Cisco ACE Load Balancers authentication ?

    Is there a need to have user accounts locally on the Cisco ACE Load Balancers as well as the User accounts on TACACS where it is being authenticated ?
    Many thanks
    Florrie

    Yes.
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wpmkr1517596

  • Tacacs-server key working in some Cisco switches for AAA, but not in other switches???

    Good day,
    Has anyone experienced this before? I am using Cisco ACS 5.2. I have a very simple word (no, not cisco) for my tacacs-server key. I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error "Access Denied. Using keyboard-interactive authentication."
    I've re-entered the simple tacacs key multiple times within the ACS and on the switch, making sure to not fat finger or misspell it.
    I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
    Any other possible ideas anyone can suggest?
    Cliffs:
    -tacacs-server key is a simple key and is the same for every switch and within ACS
    -AAA config is the same on every switch, so I do not believe it to be an AAA config issue
    -Running config on the switch that is not working is pretty much the same as the other two working switches
    Any advice is greatly appreciated.
    Thanks,
    Y

    Hi, and thank you for your reply back; however, when I got into the Authentication logs, I see nothing, like it's not even logging the failed attempts.

  • AAA TACACS with Brocade Switches

    We are testing authentication on Brocade switches with our AAA TACACS+ server. It seems that after authenticating to enable mode, you can type "exit" and be dropped back to level 7 mode. From this point you can type "enable" and authenticate to the switch using the local "enable" password, not from TACACS. Has anyone run across this and is there a way to correct it? Is there something that needs to be configured in TACACS on the server to recognise the Brocade switch and make this work?
    Ray

    Hi Ray,
    What ACS version are you using?
    On a cisco switch the following command is used:
    switch(config)# aaa authentication enable default tacacs+ enable
    The above command is used to set the TACACS+ as the default check for the enable password. If TACACS+ is not available it will fall back to the local enable password.
    You need to look into such option in the Brocade switch.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco ACE Module with Bluecoat Cache Proxy, Transparent and spoofing client IP

    Hello Dears,
    I'm trying to implement cache load balancing through a Cisco ACE Module.
    I have 2 Bluecoat cache proxies; when I configure the transparent proxy without spoofing the client IP, everything works properly, but when I enable spoofing the client IP (reflect client IP address), clients are not able to access the internet, although they are going to the cache servers; I can see their sessions.
    I'm afraid that I have a problem in the returned traffic PBR.
    Can anyone help please?
    Thanks

    Hi Ibrahim
    I have reviewed the config. The ACE config is all good but I do see some issues on the switch side. If you are doing IP spoofing, then "match ip address" in the PBR should match the client IP address. However, what you did is match the IP addresses between the ACE and MSFC. Try to configure the test client IP address into the below access-list.
    msfc---vlan 265---ACE--vlan 264----CE farm
    interface vlan 265
      description Interface_With_MSFC_SUBS_2_INTERNET
      ip address 168.168.1.52 255.255.255.248
      access-group input PERMIT_ALL
      service-policy input L3L4_PM
      no shutdown
    ip route 0.0.0.0 0.0.0.0 168.168.1.50
    ip access-list extended HSDPA_2_CACHE
    permit tcp 168.168.0.0 0.0.255.255 any eq www   <<<-- wrong
    ip access-list extended Internet_2_CACHE
    permit tcp any eq www 168.168.0.0 0.0.255.255   <<<---wrong
    interface Vlan 265
    description Interface_With_ACE
    ip address 168.168.1.50 255.255.255.248
    route-map INTERNET_2_HSDPA permit 10
    description "PBR for Response HTTP Traffic"
    match ip address Internet_2_CACHE
    set ip next-hop 168.168.1.52
    route-map HSDPA_2_INTERNET permit 10
    match ip address HSDPA_2_CACHE
    set ip next-hop 168.168.1.52
    regards
    Andrew

  • Does cisco ACS hardware run TACACS+ ?

    hi all
    I am very new to security,
    my question is, do Cisco ACS devices run TACACS+?
    or does TACACS+ have to be installed on Windows/Linux?
    thank you

    The below listed link will help you to configure tacacs authentication/authorization and also help you to integrate ACS with Active directory.
    ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
    ACS 5.x: TACACS+ Authentication and Command Authorization based on AD group membership Configuration Example
    Regards,
    Jatin Katyal
    *Do rate helpful posts*

  • Need help to Configure Cisco ACE 4710 Cluster Deployment

    Dear Experts,
    I'm a newbie with Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got the chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance HTTP and HTTPS traffic between two Application Servers. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
    http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
    This guide fits my required deployment model. I have the same deployment environment as this guide describes, with an ACE cluster that connects to two Cisco 3750X (stack) switches. But there are some confusing points in this guide.
    This guide follows "one-armed mode" as the deployment method. But when I go through it further I have noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client-side VIP also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool too).
    My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the client side where client requests come in and hit the VIP, and a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me what is wrong and what I should do for the best result. Please, this is urgent, so I need your help quickly.
    Thanks....!
    -Amal-

    Dear Kanwal,
    I need quick help from you. Following are the Application LB requirements which I received from my client side.
    Following detail required for configuring Oracle EBS Apps tier on HA:
    LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
    Suggested IP and Name for LBR:
    IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
    This LBR IP & name must be resolve and respond on DNS network
    Server Farm detail for LBR Setup
    Following detail will be use for configuring the LBR:
    LBR IP and Name :
    IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
    This LBR IP & name must be resolve and respond on DNS network
    Server Farm Detail for LBR setup:
    Server 1 (EBS App1 Node, ap1ebs):
    IP : 172.25.45.19
    Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
    Protocol: http
    Port: 8000
    Server 2 (EBS App2 Node, ap2ebs):
    IP : 172.25.45.20
    Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
    Protocol: http
    Port: 8000
    Since my client needs to access the URL ebiz.xxxx.lk, which should be resolved to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and was trying to access http://172.25.45.21; it was working fine and gave me the index.html page. Now after my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. But my testing web servers are still there on both servers, so when I type http://172.25.45.21 I still get the index.html page, but not my client's web login page. What can I do about this?
    Following is my latest config:
    probe http Get-Method
      description Check to url access /OA_HTML/OAInfo.jsp
      interval 10
      faildetect 2
      passdetect interval 30
      request method get url /OA_HTML/OAInfo.jsp
      expect status 200 200
    probe udp http-8000-iRDMI
      description IRDMI (HTTP - 8000)
      port 8000
    probe http http-probe
      description HTTP Probes
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      request method get url /index.html
      expect status 200 200
    probe https https-probe
      description HTTPS traffic
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      ssl version all
      request method get url /index.html
    probe icmp icmp-probe
      description ICMP PROBE FOR TO CHECK ICMP SERVICE
    rserver host ebsapp1
      description ebsapp1.xxxx.lk
      ip address 172.25.45.19
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    rserver host ebsapp2
      description ebsapp2.xxxx.lk
      ip address 172.25.45.20
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    serverfarm host ebsppsvrfarm
      description ebsapp server farm
      failaction purge
      predictor response app-req-to-resp samples 4
      probe http-probe
      probe icmp-probe
      inband-health check log 5 reset 500
      retcode 404 404 check log 1 reset 3
      rserver ebsapp1 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
      rserver ebsapp2 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
    sticky http-cookie jsessionid HTTP-COOKIE
      cookie insert browser-expire
      replicate sticky
      serverfarm ebsppsvrfarm
    class-map type http loadbalance match-any default-compression-exclusion-mime-type
      description DM generated classmap for default LB compression exclusion mime types.
      2 match http url .*gif
      3 match http url .*css
      4 match http url .*js
      5 match http url .*class
      6 match http url .*jar
      7 match http url .*cab
      8 match http url .*txt
      9 match http url .*ps
      10 match http url .*vbs
      11 match http url .*xsl
      12 match http url .*xml
      13 match http url .*pdf
      14 match http url .*swf
      15 match http url .*jpg
      16 match http url .*jpeg
      17 match http url .*jpe
      18 match http url .*png
    class-map match-all ebsapp-vip
      2 match virtual-address 172.25.45.21 tcp eq www
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match ebsapp-vip-l7slb
      class default-compression-exclusion-mime-type
        serverfarm ebsppsvrfarm
      class class-default
        compress default-method deflate
        sticky-serverfarm HTTP-COOKIE
    policy-map multi-match int455
      class ebsapp-vip
        loadbalance vip inservice
        loadbalance policy ebsapp-vip-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 455
    interface vlan 455
      ip address 172.25.45.36 255.255.255.0
      peer ip address 172.25.45.35 255.255.255.0
      access-group input ALL
      nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
      service-policy input remote_mgmt_allow_policy
      service-policy input int455
      no shutdown
    ft interface vlan 999
      ip address 10.1.1.1 255.255.255.0
      peer ip address 10.1.1.2 255.255.255.0
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 999
    ft group 1
      peer 1
      no preempt
      priority 110
      associate-context Admin
      inservice
    ip route 0.0.0.0 0.0.0.0 172.25.45.1
    Hope you will reply me soon
    Thanks....!
    -Amal-

  • How to integrate BW Hierarchy into Webi?

    Hi Everybody,
    I need to create a report based on 0FIGL_V10_Q0001 in Webi, and this query has a hierarchy, and I have created the hierarchy from the designer itself. In Webi, when I tried to pull one of the hierarchy dimensions with a key figure, it shows no data, but if I remove the key figure I can view the information. May I know what went wrong with it, or do you have details on how to integrate a BW hierarchy into Webi?
    Your assistance on this is greatly appreciated.
    Thanks
    Best Regards,
    Hizam

    Hi,
    use the following link:
    https://sapmats-us.sap-ag.de/download/download.cgi?id=SOTBBWVP5VS0BRNUJFQWYL5A6L3GXGPDJ59UKUDZMA1UVE1WOQ
    (should work properly in about 10 min)
    - merge the registry file to your BusinessObjects Server
    - Restart the Services via a restart of the Server Intelligence Agent
    - re-run the report with key figures
    You should see 2 log files being created in the C:\ root folder
    attach the log files to this message (do not copy paste the content).
    I assume the underlying BI query works fine.
    Ingo

  • Urgent!!! Cisco ACE and asymetric routing assistance needed

    I am wondering if someone can give me pointers on the Cisco ACE and asymmetric routes. I've attached the diagram:
    -Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
    -Firewall External interface is 192.168.15.1/24
    -Firewall Internal interface is 192.168.192.1/24
    -F5_BigIP External interface is 192.168.192.4/24
    -F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24
    -host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24
    -Checkpoint has static routes for 192.168.196.0/24 and 192.168.197.0/24 pointing to the F5_BigIP
    -host_y is dual-homed to both VLAN_A and VLAN_B with the default gateway on host_y pointing to VLAN_A, which is 192.168.196.1
    -host_x CAN ssh/telnet/http/https to both of host_y's IP addresses, 192.168.196.10 and 192.168.197.10.
    In other words, from host_x, when I try to connect to host_y via IP address 192.168.197.10, the traffic will go through VLAN_B but the return traffic will go through VLAN_A. Everything is working perfectly for me so far.
    Now the customer has just replaced the F5_BigIP with Cisco ACE. Now I could not get it to work with asymmetric routes with Cisco ACE. In other words, from host_x, I can no longer ssh or telnet to host_y via IP address 192.168.197.10.
    Does anyone know how to get asymmetric routing to work on Cisco ACE?
    Thanks in advance.

    That won't work because ACE uses the vlan id to distinguish between flows.
    So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
    Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
    You would need to force your host to respond on the same vlan the traffic came in.
    This could be done with client NAT on the ACE using a different NAT pool.
    Gilles.

  • Integrate web dynpro into WEB UI

    Hi,
    I have a problem with integrating a wd4a application into the web UI.
    When I set up the URL of the wd4a application (absolute URL) as a logical link, everything went OK in the dev system.
    But after transport to the test system, the application was not reachable, because the absolute URL linked to dev.
    The second attempt was to set up the logical link to a BSP application, which called the absolute URL of the wd4a application using a <bsp:call> statement in the view. The problem is that this statement didn't work at all, and it doesn't matter whether the link is to my application or to google.com.
    Do you have any idea how to solve this?
    thanks
    Juraj

    Hi,
    I know this method,
    but the problem is that I used an absolute link in the WEB UI customizing, tx CRMC_IC_LTX_URLS ... in case I could create my own link, everything is OK.
    My problem is that I don't know how to define a link in this tx with a relative URL.
    Or it can be solved in a way that I somehow integrate the web dynpro into a BSP application and then set up the URL in tx CRMC_IC_LTX_URLS for the BSP.
    The only problem is I don't know how to do this.
    thanks
    Juraj

  • Cisco ACE loadbalancing matching more than one header in L7 class map

    Dear All,
    This is regarding Cisco ACE load balancing matching more than one header in an L7 class map. I have a small setup with an ACE 30 module in a Cisco 6500. I have got three web servers. Presently I have the following configuration where I am matching one URL header.
    class-map type http loadbalance match-all L7_WEB_HEADER_MATCH
      description MATCH THE HOST HEADER OF HTTP REQUEST
      2 match http header Host header-value ".*abhisar.com*"
    So for above configuration, when traffic is coming for abhisar.com, it is working fine.
    Now I have the following host headers, and the DNS entry is pointing to the same virtual IP for all of them, the same as for abhisar.com:
    abhisarindia.com
    indiaabhi.com
    So new configuration will be
    class-map type http loadbalance match-any L7_WEB_HEADER_MATCH
      description MATCH THE HOST HEADER OF HTTP REQUEST
      2 match http header Host header-value ".*abhisar.com*"
      4 match http header Host header-value ".*abhisarindia.com*"
      6 match http header Host header-value ".*indiaabhi.com*"
    So I just want to confirm that this is fine.
    Thank You,
    Abhisar.

    Dear Rajesh,
    Thank you for reply. I will let you know once I carry out this activity.
    Thank You,
    Abhisar.
