L3 OOB NAC Server loadbalanced by ACE
Hi, is there any documentation or information on NAC server load balancing by Cisco ACE? I want to know what the setup typically looks like and what the traffic flow is. Is there a way to configure NAC clients to talk to the NAC directly after being load balanced by the ACE? Meaning the traffic flow going
users>ACE>NAC Server Untrusted interface>user <---- during authentication
instead of
user>ACE>NAC Server Untrusted interface>ACE>user.
Adrian,
I've seen some internal documents on this. Please ping your account team and they can possibly help you out with the design for this.
HTH,
Faisal
Similar Messages
-
ACE: Server-to-Server loadbalancing
Dear All,
I have to provide ACE loadbalancing for a new multitier application which has server-to-server loadbalancing.
The user communicates with loadbalanced webservers which in turn communicate with loadbalanced application servers. I
don't have the freedom to change existing IP addresses and I have to use source NAT to prevent asymmetric traffic. Can
I achieve the loadbalancing in one context or do I need separate contexts for web and app? The diagram illustrates the
server relationships.
Thank you
Cathy
You could do everything in one context. I have a similar setup and I used multiple contexts in order to keep the individual configs smaller and simpler; large configs on the ACE can get complicated and ugly :) I set up the following:
APP-PROD and APP-NON-PROD non slb segments off FWSM, APP-LB-PROD and APP-LB-NON-PROD slb segments using ACE contexts. This gives app owners flexibility to use load balancing or not in parallel tiers. -
NAC Server Fallback Feature and OOB Deployment
Hi,
I would like to know how the Nac Server fallback feature works in an OOB deployment.
The documentation says that there are three options (ignore, allow all, block all).
When you have the allow all option enabled, does the NAC put the user in an access VLAN, or does the user just access the network through the authentication VLAN?
Hi,
Assuming the CAM has failed, the CAS would allow all traffic from the AUTH VLAN to the ACCESS VLAN. Since the CAM has failed, the switchports which are not in the AUTH VLAN would behave per the rules/ACLs on the VLAN they're in and won't get flipped over.
HTH,
Faisal -
Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
The issue has already happened a few times on the same server. The symptoms when the NAC server hangs include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via https, and the HA pair being detected down by its HA neighbor, which triggered failover to the secondary CAS.
The CAS server was recovered after manually power cycling the hardware.
After going through the attached CAS logs, I found all the services and the logging service were stopped when the issue was happening, but unfortunately no suspicious activity was logged before or during the issue.
I have also tried to search the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, because software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
It would be great if anyone can help me out with this.
Thanks,
Eric
Hi Bro
This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
If all else fails, then a hardware swap would seem like the next best thing. -
NAC server is not available on the network
I am doing a rollout of ISE 1.1.1. I am using NAC agent 4.9.0.47 for posture checking Win7 x86 machines. Occasionally users are getting 'NAC server is not available.... try disconnecting and connecting to the network to start a new connection'. When I try to reproduce the issue it is not happening. It happens randomly here and there. What are the possible reasons for this issue? Since ISE is not getting the posture result, the machine remains in the posture check 'unknown' stage. I am halfway through the rollout and it is stopping me from rolling out further. If anybody knows, please advise.
Hi,
I had the same issue and upgrading to 1.1.2 made the issue quiet down a bit. I have a few reported issues but haven't seen any in the past 2 weeks. Also, which supplicant is the client running, and do they see these on the laptops or machines that have both wired and wireless connections?
The reason I ask is that the native Windows supplicant tends to connect to both networks (wired and wireless); this can cause some problems with the NAC agent if the link for the wired or "the lower metric route" flaps.
The bug Cisco provided me is related to "CSCuc70607".
Hope this helps,
Tarik Admani
*Please rate helpful posts* -
When creating a backup server on an ACE running A5(2.1), we're using the probe as the trigger. Once the primary real server has failed to the backup, will it fail back to the primary server when the probe deems the primary server available?
While the ACE manual documents the backup serverfarm well, there's a dearth of info on the backup server.
Thanks.
Greg
Hi Greg,
The backup rserver, as you know, would be configured with the standby keyword. When the primary server is operational (probe passed):
- Existing connections on backup keep accessing backup.
- For new connection requests ACE looks up sticky entries, if there's already an entry for backup server, the connection is sent to the standby rserver.
- If a new client request (connection) doesn't match any sticky entry for backup rserver ACE forwards this request to primary.
Let me know if you have any questions.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
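The selection rule Kanwal lays out can be modelled in a few lines. The following Python is an added illustration written for this page, not Cisco's code or anything the ACE itself runs: it models a serverfarm with one primary rserver, one standby (backup) rserver, and a source-address sticky table keyed by a netmask (the same idea as the `sticky ip-netmask 255.255.255.0 address source` style of sticky seen later on this page). The probe states, sticky entries and client addresses are all constructed; sticky timeouts are not modelled.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rserver:
    name: str
    operational: bool = True  # True when the health probe passes


@dataclass
class Serverfarm:
    """Model of an ACE serverfarm with a primary rserver and a standby (backup) rserver.

    The sticky table maps a masked client source address to the rserver name the
    client was last sent to (source-IP sticky with a netmask).
    """
    primary: Rserver
    backup: Rserver                      # the rserver configured with the standby keyword
    sticky_mask: str = "255.255.255.0"   # constructed: /24 source sticky
    sticky: dict = field(default_factory=dict)

    def _sticky_key(self, client_ip: str) -> str:
        # Mask the client address so every host in the same /24 shares one entry
        net = ipaddress.ip_network(f"{client_ip}/{self.sticky_mask}", strict=False)
        return str(net.network_address)

    def select(self, client_ip: str):
        """Return the rserver a NEW connection from client_ip is load balanced to.

        Existing connections are not touched by this decision: a flow that is
        already on the backup stays on the backup until it closes.
        """
        key = self._sticky_key(client_ip)
        if not self.primary.operational:
            # Primary failed its probe: new connections go to the standby rserver
            chosen = self.backup
        elif self.sticky.get(key) == self.backup.name:
            # Primary is back, but this client still matches a sticky entry
            # pointing at the backup, so it keeps going to the backup
            chosen = self.backup
        else:
            # No sticky entry for the backup: forward to the primary
            chosen = self.primary
        if not chosen.operational:
            # The chosen rserver is down too: use whichever one is still up
            alt = self.primary if chosen is self.backup else self.backup
            if not alt.operational:
                return None
            chosen = alt
        self.sticky[key] = chosen.name
        return chosen.name


def failover_sequence():
    """Walk through a failover and failback; returns the decisions in order."""
    farm = Serverfarm(Rserver("web1"), Rserver("web1-standby"))
    out = []
    out.append(farm.select("10.1.1.5"))   # primary up -> web1
    farm.primary.operational = False      # probe fails on the primary
    out.append(farm.select("10.1.1.5"))   # -> standby, sticky entry now points there
    out.append(farm.select("10.2.2.7"))   # -> standby
    farm.primary.operational = True       # probe passes again
    out.append(farm.select("10.1.1.9"))   # same /24 as 10.1.1.5 -> still standby
    out.append(farm.select("10.3.3.3"))   # no sticky entry -> back on web1
    return out


if __name__ == "__main__":
    print(failover_sequence())
```

The fourth decision is the one worth noticing: 10.1.1.9 has never connected before, but because the sticky is keyed on the /24 it inherits the 10.1.1.0 entry created during the outage and stays on the standby even though the primary is healthy again. That is the behaviour Kanwal describes, and it is why a netmask-based sticky can keep a whole subnet on the backup longer than expected.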
Wireless Guest with NAC Server
Hi All,
Does anyone know why a Sponsor can't create a guest account with a 1 month duration?
It's a NAC running version 2.1 on an SNS-3415-K9.
The current setup is WLC connected to NAC Server.
Is it related to Account type?
From the Account Type dropdown menu, you can choose one of the predefined options:
Start End—Allows sponsors to define start and end times for account durations.
From First Login—Allows sponsors to define a length of time for guest access from their first login.
From Creation - Allows sponsors to define a length of time for guest access from the moment of account creation.
When you say "One MAC user", you mean every other client works except for this one MAC device? If other MAC devices work, then it must be something on the client device that is having issues. The only issue that I have run into is HTML code that might not be supported in certain browsers if you are running a custom webauth page.
-
What happens when NAC Server License Exceeds ?
Hi all,
Got a simple question for which I could not find an explanation.
I know that licensing is run by the endpoints which are in Online User (posture assessed) list.
Let's say I purchased a NAC server with 100 licenses. What happens if a client connects to the network as the 101st user? Is there a flexible licensing option as in other Cisco security products?
Also, does anyone have any info about the roadmap of licensing for Cisco NAC products, such as central management of licenses, license pools, etc.?
Thanks in advance.
Any comments appreciated.
Dumlu
Thanks a lot.
You said "BPEL developer should make sure unique value is supplied for correlation..",but I am confused,
Does "BPEL developer" mean the business process developer (process caller) or the BPEL engine developer (process runtime environment developer)?
This afternoon, I installed Oracle PM and did some tests. The BPEL server creates two process instances which have the same correlation data. -
NAC Server without NAC manager
Hi,
Would like to know whether NAC server (NAC appliance 3355) is enough to provide NAC functionality without NAC manager in the network for one location say Datacenter.
Regards,
Ashok
Hi Ashok,
You can use a single CAS in the network in a single location in case you have a centralized CAM for multiple locations, but you would need at least one CAM to manage all the CAS servers, as all the settings and policies for the CAS are stored in the CAM.
Moreover, the CAS product licenses are generated based on the eth0 MAC address of the CAM, so at least one CAM is essential.
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp39625
HTH!
Regards,
Sumir -
NAC Server still in "Fallback: Allow All" state
Hi Guys,
I have some strange behaviour on my NAC Server.
Today I saw that my NAC Server is in the Fallback: Allow All state and the CAM is in Manager: DEAD, but
in the CAM web administration I can access that CAS.
The CAS can ping the CAM too.
There are two things that were changed in the last month:
The CAM was moved to other city and they are using a 2MB link connection between them.
The IP Address of the CAM was changed.
I've checked the link connection between them because my CAM is in a different city from the CAS, but my link is at 50% load.
Does anyone know any possibility to solve this?
Hi,
Are you using ip based certs or domain name? Also make sure when you do an nslookup that the CAS is able to resolve the ip address of the CAM. Also check your firewall and make sure that you are allowing all ip traffic between the CAS and the CAM.
Also check your certs on the CAM and make sure that they haven't expired. Are you using a standalone CAM and CAS setup, or are they in a failover configuration?
Thanks,
Tarik -
Two server Vlans behind ACE needs to communicate
Hi all,
We have a setup as follows:-
MSFC-->FWSM--->ACE--->2 Server Vlans.
The gateways for all the servers are the respective alias IP addresses. The clients can initiate inbound sessions to all servers and the servers can initiate outbound sessions to selected outside devices. Now we have a new requirement wherein the servers need to communicate with each other. How do we accomplish this? When a server (behind the ACE) initiates a session to devices in the outside world, a source NAT to the VIP is required. In this case, is a VIP required for server-to-server communication? What we require is just something like "inter VLAN routing" on the MSFC. The sample config is like this:
interface vlan 410
desc "SERVERS-B"
ip address 192.168.20.50 255.255.255.0
alias 192.168.20.1 255.255.255.0
peer ip address 192.168.20.51 255.255.255.0
access-group input ALL
service-policy input SMTP-LOG
service-policy input ICMP_PROD
no shutdown
interface vlan 411
desc SERVERS-A
ip address 192.168.10.50 255.255.255.0
alias 192.168.10.1 255.255.255.0
peer ip address 192.168.10.51 255.255.255.0
access-group input ALL
service-policy input ICMP_TEST
no shutdown
interface vlan 423
desc "FWSM DMZ"
ip address 172.23.0.2 255.255.255.0
peer ip address 172.23.0.3 255.255.255.0
access-group input ALL
service-policy input TEST
service-policy input PRODUCTION
no shutdown
We require 192.168.10.X network to communicate with 192.168.20.X network.
I hope I have explained the scenario.
Thanks in advance.
Regards
Sonu.
There is nothing special to do.
ACE will route the traffic if it is permitted by an access-group and if it does not match a policy.
Gilles. -
When I connect to our new guest wireless network and then open my IE browser the page redirects to our NAC server authorisation login page which fails due to DNS.
(doesn't work)
https:///internal.nac-srv.com/auth/perfigo_weblogin.jsp?cm=ws32vklm&uri=https%3A%2F%2F
(works when I use the internal IP of the NAC server)
https://10.1.1.1/auth/perfigo_weblogin.jsp?cm=ws32vklm&uri=https%3A%2F%2F
The trusted setup DNS servers are public hosted DNS servers (guest user access is only for the Internet), reason being internal.nac-srv.com is not resolvable.
Is there any way I can make internal.nac-srv.com resolvable to the guest wireless user? Is there a config parameter to change the redirection to the IP automatically?
Thanks
I understand that. They gave me a patch but they had to modify it on the fly, so I don't have the correct patch to share. But yes, we would lose all connectivity with the server. Luckily we had a terminal server where we kept the server that kept going out of sync; we would just have to console into the server and hit enter a few times to get the prompt and it would go back in sync for a time.
Adam -
Access Server through VIP (ACE 4710) but very slow
Re: Access Server through VIP (ACE 4710) but very slow
Hi Shiva
Kindly help... Accessing the server is very slow. Please check my real configuration. This configuration is for the application server, and after this I have to configure more serverfarms for different servers like webmail etc. on this ACE 4710. I have only one ACE 4710.
ACE version A4(2.0): does this version support probes? Without a probe the server works, but very slowly. And please advise whether a NAT pool is required.
VIP :-- 172.16.15.8
LB/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging host 172.29.91.112 udp/514
resource-class RC1
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A4_2_0.bin
hostname LB
interface gigabitEthernet 1/1
description Management
speed 1000M
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description clientside
switchport access vlan 30
no shutdown
interface gigabitEthernet 1/3
description serverside
switchport access vlan 31
no shutdown
interface gigabitEthernet 1/4
no shutdown
context Admin
description Management
member RC1
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http probe1
description health check
interval 5
passdetect interval 10
request method head
expect status 200 200
open 1
rserver redirect https_redirect
description redirect traffic to https
webhost-redirection / 302
inservice
rserver redirect maintenance_page
description maintenance page displayed
webhost-redirection /sry.html 301
inservice
rserver host web1
ip address 192.168.10.3
inservice
rserver host web2
ip address 192.168.10.4
inservice
rserver host web3
ip address 192.168.10.5
inservice
serverfarm host http
rserver web1
inservice
rserver web2
inservice
rserver web3
inservice
serverfarm redirect https_redirect_farm
description Redirect traffic to https
serverfarm redirect maintenance_farm
description send user to maintenance page
parameter-map type connection paramap_http
description parameter connection tcp
exceed-mss allow
sticky ip-netmask 255.255.255.0 address source Sticky_http
timeout activeconns
serverfarm http
class-map match-all REMOTE-ACCESS
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
class-map match-all slb-vip
2 match virtual-address 172.16.15.8 tcp eq www
policy-map type management first-match remote_access
class class-default
permit
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match slb
class class-default
serverfarm http
policy-map type inspect http all-match slb-vip-http
class class-default
permit
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply active
inspect http policy slb-vip-http
connection advanced-options paramap_http
interface vlan 30
description "Client Side"
ip address 172.16.15.24 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown
interface vlan 31
description "Server Side"
ip address 192.168.10.1 255.255.255.0
service-policy input remote_access
no shutdown
interface vlan 1000
description managment
ip address 172.29.91.110 255.255.255.0
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.15.1
snmp-server contact "PHQ"
snmp-server community phq group Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/ role Admin domain default-domain
username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR. role Admin domain default-domain
username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0 role Admin domain default-domain
ssh key rsa 1024 force
banner motd # "ro" #
Regards,
Prem
Hi Shiva,
Please guide me, I'm new with ACE LB; also find attached my network design for connecting the ACE to the server. Server access is very, very slow, but when I connect through my old software LB (with two interfaces) access is very fast. I just replaced my old software LB (with two interfaces) with the ACE 4710 and connected the same scenario, so why is server access through the VIP not smooth? Reply soon. I only connect the ACE's two interfaces to the switch.
Regards,
Prem -
NAC Server and NAC Manager installation
Hi experts,
When I tried adding the NAC Server to the NAC Manager in the CAM web management, it prompts: Failed to add server: Could not connect to 10.130.80.81
Is there anything I can do to solve this?
I'm new to NAC Manager and Server installation.
The version in use is 4.8.2.
BTW, I don't know how to generate SSL certificates (not temporary ones) for installation; can anyone help with that as well?
Thanks in advance!
Regards,
Daniel
Hi Daniel,
This is related to the certificate issue.
Just generate a temp certificate on the NAM and the NAS.
Export the certificate along with the key and store it in a different location.
Then, in the SSL options, there is a trusted certificate authority section:
load the NAS certificate on the NAM and the NAM certificate on the NAS. Then try to configure or add the NAS to the NAM.
It will work. -
Question concerning NAC server
Does the NAC server have the ability to provide bandwidth usage limiting on a per user or per device basis. The feature list I have seen doesn't seem to list this option.
Thank you
It can do that, yes.
On the clean access server configuration page (through the manager), go to "Filter", "Roles", "Bandwidth".
You can set a bandwidth restriction per role (so a kind of group of users). You can also choose to share the limitation between all the clients currently connected in that group, or to give that limitation to each client.
For example, if you restrict the user role "marketing" to 100Kb/s, then you can either have the whole marketing department limited to 100kb/s regardless of the number of marketing users connected, or say that each marketing employee is restricted to 100kb/s.
I hope this answers.
Nicolas
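The shared-versus-per-client distinction Nicolas describes can be made concrete with a small token-bucket model. The Python below is an added example for this page, not the appliance's code: `RoleBandwidthPolicy` keeps either one bucket for the whole role (shared) or one bucket per client, and `simulate` has two constructed clients each offer more than the limit for ten seconds. The bucket depth (one second of traffic), the tick granularity and the first-come-first-served order within a tick are assumptions of this model, not documented CAS behaviour; what it does show reliably is the aggregate cap: with the same 100 kb/s role limit, the shared mode delivers exactly half as many bytes in total as the per-client mode.

```python
class RoleBandwidthPolicy:
    """Token-bucket model of a per-role bandwidth restriction.

    shared=True  : one bucket for the whole role (the department shares the limit)
    shared=False : one bucket per client in the role (each user gets the full limit)
    Time is counted in integer ticks so the arithmetic stays exact.
    """

    def __init__(self, role, limit_kbps, shared, ticks_per_second=10):
        self.role = role
        self.shared = shared
        # Bytes replenished per tick: kbit/s -> bytes/s -> bytes/tick
        self.refill = limit_kbps * 1000 // 8 // ticks_per_second
        # Burst depth of one second's worth of bytes (an assumption of this model)
        self.burst = self.refill * ticks_per_second
        self.buckets = {}  # bucket key -> (tokens, last_tick)

    def _key(self, client):
        # Shared mode collapses every client of the role onto a single bucket
        return self.role if self.shared else (self.role, client)

    def allow(self, client, nbytes, tick):
        """Return True if nbytes from client fit within the limit at this tick."""
        key = self._key(client)
        tokens, last = self.buckets.get(key, (self.burst, tick))
        tokens = min(self.burst, tokens + (tick - last) * self.refill)
        ok = tokens >= nbytes
        if ok:
            tokens -= nbytes
        self.buckets[key] = (tokens, tick)
        return ok


def simulate(policy, clients, seconds, bytes_per_tick, ticks_per_second=10):
    """Every client offers bytes_per_tick each tick; return bytes delivered per client."""
    delivered = {c: 0 for c in clients}
    for tick in range(seconds * ticks_per_second):
        for c in clients:
            if policy.allow(c, bytes_per_tick, tick):
                delivered[c] += bytes_per_tick
    return delivered


def compare_modes(limit_kbps=100, clients=("alice", "bob"), seconds=10):
    """Run the same offered load under both modes; return total bytes delivered per mode."""
    # Constructed load: each client offers 2500 bytes per 100 ms tick (200 kb/s),
    # i.e. twice the 100 kb/s role limit, so the policy is always the bottleneck.
    offered_per_tick = 2500
    shared = RoleBandwidthPolicy("marketing", limit_kbps, shared=True)
    per_client = RoleBandwidthPolicy("marketing", limit_kbps, shared=False)
    return {
        "shared": sum(simulate(shared, clients, seconds, offered_per_tick).values()),
        "per_client": sum(simulate(per_client, clients, seconds, offered_per_tick).values()),
    }


if __name__ == "__main__":
    print(compare_modes())
```

With the numbers above the shared bucket lets through 135000 bytes in ten seconds (the 12500 byte/s rate plus the initial burst, minus what is left in the bucket at the end) while the per-client mode lets each client through the same 135000 bytes, 270000 in total. Note that in shared mode the naive model hands all the tokens to whichever client is polled first in a tick, so per-client fairness should not be read from it; only the aggregate limit is meaningful.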