Integrate Cisco ACE into AAA TACACS+
Dear Community!
I would like to configure the Cisco ACE 4710 CLI and WebAdmin to use the ACS v4.2 TACACS+ authentication and accounting feature. After finding a Cisco document which describes the ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I have set up all the configuration parameters mentioned in this document, and everything seems to be OK.
But...
I have a TACACS+ group named "Network Administrators", which has the privilege level 15 option enabled, so admins do not have to type the enable password when authenticating. After setting up ACE AAA, the privilege level 15 option stops working when logging in to Cisco routers: after authentication, the user remains in privilege level 1.
Logging in to Cisco switches seems to be OK, stepping immediately to level 15 as usual.
I tried upgrading IOS in a router, but no luck...
Does anybody have any experience with this "bug"?
Thanks in advance!
Regards,
Belabacsi
@ Budapest, Hungary
Hello Bela
In ACE, on every context (including Admin and the others) you should have the following lines:
tacacs-server host x.x.x.x key 7 "xxx"
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ MYTACACS
server x.x.x.x
server x.x.x.x
aaa authentication login default group MYTACACS local
aaa authentication login console group MYTACACS local
aaa accounting default group MYTACACS
On the ACS side, for the group named "Network Administrators" you should configure in the TACACS+ settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
If you have an additional context, add the next line:
shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following:
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Regards,
Stas
Similar Messages
ACE - Setup AAA TACACS+ using CS Unix ACS
Hi,
I have setup AAA tacacs+ on ACE Admin context with RSA token. This is similar to AAA IOS setup.
I can login but it does not allow me to do any commands.
"show users", under Domain, says I am logged in as "Network-Monitor default-domain".
Any ideas how to get around and making myself as Admin group?
Also is there any doco on setting AAA on ACE module using Cisco Secure For Unix ACS?
Thanks
Sanjay
Hi,
It did work as you suggested. I had to move user in [Root] as we have other Shell attributes in different groups.
Oct 16 15:18:29 c1 CiscoSecure: [ID 428912 local0.debug] DEBUG -
Oct 16 15:18:29 c1 user = test2 {
Oct 16 15:18:29 c1 service = shell {
Oct 16 15:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
Oct 16 13:18:29 c1 }
Oct 16 13:18:29 c1 service = exec {
Oct 16 13:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
ACE-Admin/Admin# sh users
User Context Line Login Time (Location) Role Domain(s)
admin Admin pts/0 Oct 17 13:43 (127.0.0.71) Admin default-domain
*test2 Admin pts/1 Oct 17 14:07 (a.b.c.d) Admin default-domain
When I moved user in the support group with existing shell access configured, it dumps in network monitor mode. Maybe due to TACACS attribute inheritance. I did not want to stuff up existing support users.
So I guess my option is to use RADIUS as login method.
I am trying to get it going but the CS ACS Unix does not like :
cisco-avpair = "shell:Admin=Admin default-domain;
Oct 16 15:18:29 c1 radius = ACE_Admin_Pri {
Oct 16 15:18:29 c1 check_items = {
Oct 16 15:18:29 c1 200 = 1
Oct 16 15:18:29 c1 }
Oct 16 15:18:29 c1 reply_attributes = {
Oct 16 15:18:29 c1 26 = "cisco-avpair=shell:Admin=Admin default-domain; "
Oct 16 15:18:29 c1 6 = 6
Oct 16 15:18:29 c1 }
Oct 16 15:18:29 c1 }
Now I get :
[ID 901471 local0.warning] WARNING - RADIUS: Invalid attribute (1) in profile
Oct 17 15:49:41 c1 CiscoSecure: [ID 347837 local0.warning] WARNING - RADIUS: Authenticate: from (10.17.1.4) -
test2 failed
It would be good to see if anyone else has tried this.
sanjay
ACE and AAA (TACACS+)
Hi there,
I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works fine... But now I can't log in to my switches :-( I get the message "authorization failed". Here is the AAA debug from the switch:
Jul 12 13:41:38.433 UTC: AAA: parse name=tty2 idb type=-1 tty=-1
Jul 12 13:41:38.441 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jul 12 13:41:38.441 UTC: AAA/MEMORY: create_user (0x16E1F28) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='*******' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port='tty2' list='' service=EXEC
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user='*******'
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV service=shell
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd*
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found list "default"
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Method=tacacs+ (tacacs+)
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): user=*******
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV service=shell
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV cmd*
Jul 12 13:41:44.799 UTC: AAA/AUTHOR (945064986): Post authorization status = PASS_ADD
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED
Jul 12 13:41:46.804 UTC: AAA/MEMORY: free_user (0x16E1F28) user='*******' ruser='NULL' port='tty2' rem_addr='*******' authen_type=AS
Any idea what's wrong?
Best regards Dirk
Hi Prem,
Thanks a lot, it's working now...
FYI, I need this attribute for the role mapping USER<>ROLE in the ACE.
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045
Can you give me a link to where I can find the information you gave me?
Best regards
Dirk
ACE and AAA (TACACS) part 2
Hi there,
I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works fine... But now I can't log in to my switches :-( I get the message "authorization failed". Here is the AAA debug from the switch:
Jul 12 13:41:38.433 UTC: AAA: parse name=tty2 idb type=-1 tty=-1
Jul 12 13:41:38.441 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Jul 12 13:41:38.441 UTC: AAA/MEMORY: create_user (0x16E1F28) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='*******' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port='tty2' list='' service=EXEC
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user='*******'
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV service=shell
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd*
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found list "default"
Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Method=tacacs+ (tacacs+)
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): user=*******
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV service=shell
Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV cmd*
Jul 12 13:41:44.799 UTC: AAA/AUTHOR (945064986): Post authorization status = PASS_ADD
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin
Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED
Jul 12 13:41:46.804 UTC: AAA/MEMORY: free_user (0x16E1F28) user='*******' ruser='NULL' port='tty2' rem_addr='*******' authen_type=AS
Any idea what's wrong?
Best regards Dirk
Hi,
I've got the following info from a user here in the forum:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045
[quote]
The user profile attribute serves an important configuration function configuration for a TACACS+ server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, the default role (Network-Monitor) and default domain (default-domain) will be assigned to the user provided the authentication is successful.
[quote end]
I configured the ACS this way...
Be careful with the attribute... because if you set it the way the documentation describes, you will not be authorized at other devices using TACACS+.
You have to set the attribute in this way:
shell:* it's working for both switches / ACE
shell:= this works only for the ACE
Then the attribute is marked as optional and only the ACE cares about it.
Regards Dirk
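The attribute syntax from Stas's reply (shell:<context>*<role> <domain>) and Dirk's point about `*` versus `=` can be checked offline. The following is an added example of my own, not code from this thread or from Cisco: it parses TACACS+ shell AV pairs and models the two consumers, an IOS-style router that fails EXEC authorization on an unknown mandatory AV, and an ACE-style per-context role lookup that falls back to Network-Monitor/default-domain. The set of IOS-known attributes, the default-domain fallback when a role lists no domain, and the sample profiles are assumptions.

```python
"""Model how an IOS router and an ACE consume TACACS+ shell-authorization AV pairs.

Added example, not code from this thread or from Cisco. In the TACACS+ AV-pair
syntax the separator carries meaning: 'attr=value' is mandatory, 'attr*value'
is optional. The IOS debug in the thread shows why that matters:
    received unknown mandatory AV: shell:Admin=Admin  ->  Authorization FAILED
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AVPair:
    attr: str
    value: str
    mandatory: bool  # '=' separator -> mandatory, '*' separator -> optional


# The first '=' or '*' in the string is the separator; the value may be empty ("cmd*").
_AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)


def parse_av(av: str) -> AVPair:
    """Split one AV pair into attribute, value and mandatory flag."""
    m = _AV_RE.match(av)
    if not m:
        raise ValueError(f"malformed AV pair: {av!r}")
    attr, sep, value = m.groups()
    return AVPair(attr, value, mandatory=(sep == "="))


# Assumed subset of shell-service attributes an IOS router understands.
IOS_KNOWN_SHELL_ATTRS = {"service", "cmd", "priv-lvl", "autocmd", "idletime", "timeout", "acl"}


def ios_exec_authorize(avs):
    """IOS-style EXEC authorization: an unknown *mandatory* AV fails the whole
    authorization (user stays at level 1); unknown *optional* AVs are ignored.
    Returns (status, priv_lvl)."""
    priv_lvl = 1
    for av in map(parse_av, avs):
        if av.attr in IOS_KNOWN_SHELL_ATTRS:
            if av.attr == "priv-lvl":
                priv_lvl = int(av.value)
        elif av.mandatory:
            return "FAILED", 1  # "received unknown mandatory AV: ..."
        # unknown optional AV: skipped, as the thread observed for 'shell:Admin*Admin'
    return "PASS", priv_lvl


ACE_DEFAULT_ROLE = "Network-Monitor"
ACE_DEFAULT_DOMAIN = "default-domain"


def ace_role_for_context(avs, context):
    """ACE-style user-profile lookup: the value of shell:<context> is
    '<role> <domain> [<domain> ...]'. No attribute for the context the user logs
    into -> Network-Monitor / default-domain, as the ACE guide quoted above says.
    Assumption: a role with no domain listed gets default-domain."""
    for av in map(parse_av, avs):
        if av.attr == f"shell:{context}":
            parts = av.value.split()
            if parts:
                return parts[0], parts[1:] or [ACE_DEFAULT_DOMAIN]
    return ACE_DEFAULT_ROLE, [ACE_DEFAULT_DOMAIN]


def acs_custom_attribute(context, role, domains):
    """Render the ACS custom attribute line in the optional ('*') form."""
    return f"shell:{context}*{role} {' '.join(domains)}"


def lint_profile(avs):
    """Flag ACE role attributes written with '=' (mandatory). ACE accepts them,
    but every IOS device sharing the same ACS group then fails EXEC authorization."""
    return [av.attr for av in map(parse_av, avs)
            if av.attr.startswith("shell:") and av.mandatory]


if __name__ == "__main__":
    # Constructed sample profiles, mirroring the two forms discussed in the thread.
    mandatory_form = ["service=shell", "priv-lvl=15", "shell:Admin=Admin"]
    optional_form = ["service=shell", "priv-lvl=15",
                     acs_custom_attribute("Admin", "Admin", ["default-domain"]),
                     acs_custom_attribute("mycontext", "Admin", ["default-domain"])]
    for name, profile in (("'=' form", mandatory_form), ("'*' form", optional_form)):
        print(name, "IOS:", ios_exec_authorize(profile),
              "ACE/Admin:", ace_role_for_context(profile, "Admin"),
              "ACE/other:", ace_role_for_context(profile, "other"),
              "lint:", lint_profile(profile))
```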
Cisco ace mibs for concurrent connection on real and virtual servers
I have loaded the Cisco-provided MIBs for Cisco ACE into the NMS but I am not able to fetch the details from the ACE appliance 4710. Where can I find the OIDs for this?
I would really appreciate it if anyone can help me regarding this.
Hi Manohar,
you need two MIBs:
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SLB-MIB.my
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENHANCED-SLB-MIB.my
You will find the current connections in the section:
slbVServerInfoTableEntry .1.3.6.1.4.1.9.9.161.1.4.2.1
Example:
slbVServerNumberOfConnections .1.3.6.1.4.1.9.9.161.1.4.2.1.6.1.44
Use a MIB-Browser to find out the OID for each server.
Best Regards,
Achim
TACACS and Cisco ACE Load Balancers authentication ?
Is there a need to have user accounts locally on the Cisco ACE Load Balancers as well as the User accounts on TACACS where it is being authenticated ?
Many thanks
Florrie
Yes.
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wpmkr1517596
Good day,
Has anyone experienced this before? I am using Cisco ACS 5.2. I have a very simple word (no, not cisco ) for my tacacs-server key. I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error of "Access Denied. Using keyboard-interactive authentication."
I've re-entered the simple tacacs key multiple times within the ACS and on the switch making sure to not fat finger or misspell it.
I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
Any other possible ideas anyone can suggest?
Cliffs:
-tacacs-server key is a simple key and is the same for every switch and within ACS
-AAA config is the same on every switch, so I do not believe it to be a AAA config issue
-Running config on switch that is not working is pretty much the same as the other two working switches
Any advice is greatly appreciated.
Thanks,
Y
Hi, and thank you for your reply back; however, when I go into the Authentication logs, I see nothing, like it's not even logging the failed attempts.
AAA TACACS with Brocade Switches
We are testing authentication on Brocade switches with our AAA TACACS+ server. It seems that after authenticating to enable mode, you can type "exit" and be dropped back to level 7 mode. From this point you can type "enable" and authenticate to the switch using the local "enable" password, not from TACACS. Has anyone run across this and is there a way to correct it? Is there something that needs to be configured in TACACS on the server to recognise the Brocade switch and make this work?
Ray
Hi Ray,
What ACS version are you using?
On a cisco switch the following command is used:
switch(config)# aaa authentication enable default tacacs+ enable
The above command is used to set the TACACS+ as the default check for the enable password. If TACACS+ is not available it will fall back to the local enable password.
You need to look into such option in the Brocade switch.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
Cisco ACE Module with Bluecoat Cache Proxy, Transparent and spoofing client IP
Hello Dears,
I'm trying to implement Cache loadbalancing through Cisco ACE Module.
I have 2 Bluecoat cache proxies. When I configure the transparent proxy without spoofing the client IP, everything works properly, but when I enable spoofing the client IP (reflect client IP address), clients are not able to access the internet, although they are going to the cache servers; I can see their sessions.
I'm afraid that I have a problem in the PBR for the returned traffic.
Can anyone help please?
Thanks
Hi Ibrahim
I have reviewed the config. The ACE config is all good but I do see some issue with the switch side. If you are doing IP spoofing, then "match ip address" in the PBR should be the client IP address. However, what you did is the IP addresses between the ACE and MSFC. Try to configure the test client IP address into the below access-list.
msfc---vlan 265---ACE--vlan 264----CE farm
interface vlan 265
description Interface_With_MSFC_SUBS_2_INTERNET
ip address 168.168.1.52 255.255.255.248
access-group input PERMIT_ALL
service-policy input L3L4_PM
no shutdown
ip route 0.0.0.0 0.0.0.0 168.168.1.50
ip access-list extended HSDPA_2_CACHE
permit tcp 168.168.0.0 0.0.255.255 any eq www <<<-- wrong
ip access-list extended Internet_2_CACHE
permit tcp any eq www 168.168.0.0 0.0.255.255 <<<---wrong
interface Vlan 265
description Interface_With_ACE
ip address 168.168.1.50 255.255.255.248
route-map INTERNET_2_HSDPA permit 10
description "PBR for Response HTTP Traffic"
match ip address Internet_2_CACHE
set ip next-hop 168.168.1.52
route-map HSDPA_2_INTERNET permit 10
match ip address HSDPA_2_CACHE
set ip next-hop 168.168.1.52
regards
Andrew
Does cisco ACS hardware run TACACS+ ?
Hi all,
I am very new to security.
My question is, do Cisco ACS devices run TACACS+?
Or does TACACS+ have to be installed on Windows/Linux?
Thank you
The below listed links will help you configure TACACS authentication/authorization and also help you integrate ACS with Active Directory.
ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
ACS 5.x: TACACS+ Authentication and Command Authorization based on AD group membership Configuration Example
Regards,
Jatin Katyal
*Do rate helpful posts*
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm a newbie to Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got a chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide is totally fine with my required deployment model. I have the same deployment environment as this guide contains, with an ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusing places in this guide.
This guide follows the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client side VIP is also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool also).
My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the client side where client requests come in and hit the VIP and a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me where I am wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
Thanks....!
-Amal-
Dear Kanwal,
I need quick help from you. Following are the Application LB requirements which I received from my client side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must resolve and respond on the DNS network
Server Farm detail for LBR Setup
Following details will be used for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must resolve and respond on the DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, the actual hostname will be used]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, the actual hostname will be used]
Protocol: http
Port: 8000
Since my client needs to access the URL ebiz.xxxx.lk, which should be resolved to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and tried to access http://172.25.45.21; it was working fine and gave me the index.html page. Now, after my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. My testing web servers are still there on both servers: when I type http://172.25.45.21 it gets the index.html page, but not my client's web login page. What can I do about this?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
rserver ebsapp2 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
serverfarm ebsppsvrfarm
class class-default
compress default-method deflate
sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
loadbalance vip inservice
loadbalance policy ebsapp-vip-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply to me soon
Thanks....!
-Amal-
How to integrate BW Hierarchy into Webi?
Hi Everybody,
I need to create a report based on 0FIGL_V10_Q0001 in Webi and this query has a hierarchy, and I have created the hierarchy from the designer itself. In Webi, when I tried to pull one of the hierarchy dimensions with a key figure, it shows no data, but if I remove the key figure I can view the information. May I know what went wrong with it, or do you have details on how to integrate a BW hierarchy into Webi?
Your assistance on this is greatly appreciated.
Thanks
Best Regards,
Hizam
Hi,
use the following link:
https://sapmats-us.sap-ag.de/download/download.cgi?id=SOTBBWVP5VS0BRNUJFQWYL5A6L3GXGPDJ59UKUDZMA1UVE1WOQ
(should work properly in about 10 min)
- merge the registry file to your BusinessObjects Server
- Restart the Services via a restart of the Server Intelligence Agent
- re-run the report with keyfigures
You should see 2 logfiles being created on the C:\ root folder
attach the logfiles to this message (do not copy-paste the content).
I assume the underlying BI query works fine.
Ingo
Urgent!!! Cisco ACE and asymmetric routing assistance needed
I am wondering if someone can give me pointers on the cisco ACE
and asymmetric routes. I've attached the diagram:
-Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
-Firewall External interface is 192.168.15.1/24,
-Firewall Internal interface is 192.168.192.1/24,
-F5_BigIP External interface is 192.168.192.4/24,
-F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,
-host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,
-Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24
pointing to the F5_BigIP,
-host_y is dual-home to both VLAN_A and VLAN_B with the default
gateway on host_y pointing to VLAN_A which is 192.168.196.1,
-host_x CAN ssh/telnet/http/https to both of host_y IP addresses
of 192.168.196.10 and 192.168.197.10.
In other words, from host_x, when I try to connect to host_y
via IP address of 192.168.197.10, the traffics will go through VLAN_B
but the return traffics will go through VLAN_A. Everything
is working perfectly for me so far.
Now customer just replaces the F5_BigIP with Cisco ACE. Now,
I could not get it to work with asymmetric routes with Cisco ACE. In
other words, from host_x, I can no longer ssh or telnet to host_y
via IP address of 192.168.197.10.
Does anyone know how to get asymmetric routes to work on Cisco ACE?
Thanks in advance.
That won't work because ACE uses the VLAN id to distinguish between flows.
So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
You would need to force your host to respond on the same vlan the traffic came in.
This could be done with client nat on ACE using different nat pool.
Gilles.
Integrate web dynpro into WEB UI
Hi,
I have a problem with integrating wd4a application into web ui.
When I set up url of the wd4a application (absolute url) as logical link, everything went ok in dev system.
But after transport to test system, application was not reachable, because absolute url linked to dev.
The second attempt was to set up the logical link to a BSP application, which called the absolute URL of the wd4a application using a <bsp:call> statement in the view. The problem is that this statement didn't work at all, and it doesn't matter whether the link points to my application or to google.com.
do you have any idea how to solve this?
thanks
Juraj
Hi,
I know this method,
but the problem is that I used an absolute link in the WEB UI customizing, tx CRMC_IC_LTX_URLS ... in case I could create my own link, everything is OK.
My problem is that I don't know how to define a link in this tx with a relative URL,
or it could be solved in a way that I somehow integrate the web dynpro into a BSP application and then set up the URL in tx CRMC_IC_LTX_URLS for the BSP.
The only problem is I don't know how to do this.
thanks
Juraj
Cisco ACE loadbalancing matching more than one header in L7 class map
Dear All,
This is regarding Cisco ACE load balancing matching more than one header in an L7 class map. I have a small setup with an ACE 30 module in a Cisco 6500. I have got three web servers. Presently I have the following configuration where I am matching one URL header.
class-map type http loadbalance match-all L7_WEB_HEADER_MATCH
description MATCH THE HOST HEADER OF HTTP REQUEST
2 match http header Host header-value ".*abhisar.com*"
So for above configuration, when traffic is coming for abhisar.com, it is working fine.
Now, I have following headers and DNS entry is pointing to same virtual IP for all http url header same as abhisar.com
abhisarindia.com
indiaabhi.com
So new configuration will be
class-map type http loadbalance match-any L7_WEB_HEADER_MATCH
description MATCH THE HOST HEADER OF HTTP REQUEST
2 match http header Host header-value ".*abhisar.com*"
4 match http header Host header-value ".*abhisarindia.com*"
6 match http header Host header-value ".*indiaabhi.com*"
So just want to confirm if this is fine.
Thank You,
Abhisar.
Dear Rajesh,
Thank you for reply. I will let you know once I carry out this activity.
Thank You,
Abhisar.