L3 OOB NAC Server loadbalanced by ACE

Similar Messages

• ACE: Server-to-Server loadbalancing

  Dear All,
  I have to provide ACE loadbalancing for a new multitier application which has server-to-server loadbalancing.
  The user communicates with loadbalanced webservers which in turn communicate with loadbalanced application servers. I
  don't have the freedom to change existing IP addresses and I have to use source NAT to prevent asymmetric traffic. Can
  I achieve the loadbalancing in one context or do I need separate contexts for web and app? The diagram illustrates the
  server relationships.
  Thank you
  Cathy

  You could do everything in one context. I have a similar setup and I used multiple contexts in order to keep the individual configs smaller and simpler, large configs on the ACE can get complicated and ugly:) I set up the following:
  APP-PROD and APP-NON-PROD non slb segments off FWSM, APP-LB-PROD and APP-LB-NON-PROD slb segments using ACE contexts. This gives app owners flexibility to use load balancing or not in parallel tiers.

• NAC Server Fallback Feature and OOB Deployment

  Hi,
  I would like to know how the Nac Server fallback feature works in an OOB deployment.
  The documentation says that there three option (ignore, allow all, block all).
  Whe you have the allow all option enable, does the NAC put the user in an access vlan or the user just access to the network through the authentication VLAN?

  Hi,
  Assuming the CAM has failed, the CAS would allow all traffic from the AUTH VLAN to the ACCESS VLAN. Since the CAM has failed, the switchports which are not in the AUTH VLAN would behave per the rules/ACLs on the VLAN they're in and won't get flipped over.
  HTH,
  Faisal

• Cisco NAC server hang issue

  Hi All Cisco NAC Experts,  I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
  The issue was already happened for few time on the same server and the symptom when NAC server hung includes no response to ICMP ping, no response to SSH request, no response for access request to CAS management page via https, HA pair was detected down from its HA neighbor and triggered failover to secondary CAS.
  The CAS server was recovered after manually power cycle the hardware. 
  After went through the attachment CAS logs, I found all the services and logging service were stopped when the issue happening but unfortunately there is no any suspicious activity was logged down before or during the issue happening.
  I have also tried to search on Cisco Bug Toolkit but no similar case was found, I believe it was not caused by software bug due to the software version 4.8.1 is running in my company for years and only one CAS server having the issue.
  That will be great if any one can help me out for the same.
  Thanks,
  Eric

  Hi Bro
  This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
  If all else fail, then a hardware swap would seem like the next best thing.

• NAC server is not available on the network

  I am doing a rollout of ISE 1.1.1. I am using NAC agent 4.9.0.47 for posture checking win7 x86 machines. Occassionly users are getting 'NAC server is not availble.... try disconecting and connecting to the network to start a new connection' When I  try to reproduce the issue it is not happening. It happens randomly here and there. What are the possible reasons fro this issue. Since ISE is not getting posture result, and the machine remain in in posture check 'unknown' stage. I am in half way of rollout and it is stoping me to further rollout. IIf anybody knows, please advise.........

  Hi,
  I had the same issue and upgrading to 1.1.2 made the issue quiet down a bit. I have a few reported issues but havent seen any in the past 2 weeks. Also which supplicant is the client running and do they see these on the laptops or machines that have both wired and wireless connections?
  The reason I ask is that the native windows supplicant tends to connect to both networks (wired and wireless), this can can cause some problems with the NAC agent if the link for the wired or "the lower metric route" flaps.
  the bug cisco provided me is related to "CSCuc70607".
  Hope this helps,
  Tarik Admani
  *Please rate helpful posts*

• Backup server on an ACE

  When creating a backup server on an ACE running A5(2.1), we're using the probe as the trigger. Once the primary real server has failed to the backup,  will it fail back to the primary server when the probe deems the primary server available?
  It's just  as well as the ACE manual documents the backup serverfarm, there's dearth of info on the backup server.
  Thanks.
  _ Greg

  Hi Greg,
  Backup rserver as you know would be configured with standby keyword. When primary server will be Operational (probe passed)
  - Existing connections on backup keep accessing backup.
  - For new connection requests ACE looks up sticky entries, if there's already an entry for backup server, the connection is sent to the standby rserver.
  - If a new client request (connection) doesn't match any sticky entry for backup rserver ACE forwards this request to primary.
  Let me know if you have any questions.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Wireless Guest with NAC Server

  Hi All,
  Anyone knows why Sponsor can't create a guest account with 1 month duration.
  Its a NAC running on 2.1 version in SNS-3415-K9.
  The current setup is WLC connected to NAC Server.
  Is it related to Account type?
  From the Account Type dropdown menu, you can choose one of the predefined options:
  Start End—Allows sponsors to define start and end times for account durations.
  From First Login—Allows sponsors to define a length of time for guest access from their first login.
  From Creation - Allows sponsors to define a length of time for guest access from the moment of account creation.

  When you say, "One MAC user" you mean every other client works except for this one MAC device?  If other MAC devices work, then it must be something on the client device that is having issues.  The only issue that I have ran into, is html code that might not be supported in certain browsers if you are runing a custom webauth page.

• What happens when NAC Server License Exceeds ?

  Hi all,
  Got a simple question for which I could not find the explanations ?
  I know that licensing is run by the endpoints which are in Online User (posture assessed) list.
  Lets say I purchased a NAC server with 100 License. What happens if a client connects to the network as the 101th user ? Is there a flexible licensing option as in other security products of Cisco ?
  Also anyone has any info about the roadmap of licensing for Cisco NAC products ? Such as central management of licenses, license pools or etc. ?
  Thanks in advance.
  Any comments appreciated.
  Dumlu

  Thanks a lot.
  You said "BPEL developer should make sure unique value is supplied for correlation..",but I am confused,
  "BPEL developer" means business process developer(process caller) or bpel engine developer(process runtime enviroment developer) ?
  This afternoon,I installed oracle PM and did some tests. The bpel server creates two process instances which have the same correlation data.

• NAC Server without NAC manager

  Hi,
  Would like to know whether NAC server (NAC appliance 3355) is enough to provide NAC functionality without NAC manager in the network for one location say Datacenter.
  Regards,
  Ashok

  Hi Ashok,
  You can use a single CAS in the network in a single location in case you have a centralized CAM for multiple locations but you would need atleast one CAM to manage all the CAS servers as all the settings and policies for CAS are stored in CAM.
  Moreover, the CAS product licenses are generated based on the eth0 MAC address of the CAM, so atleast one CAS is essential.
  http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/48rn.html#wp39625
  HTH!
  Regards,
  Sumir

• NAC Server still in "Fallback: Allow All" state

  Hi Guys,
  i have a strange behaviour under my NAC Server.
  Today I saw that my NAC Server is in Fallback: Allow All state and the CAM is in Manager: DEAD but
  in the CAM web administration i can access that CAS.
  The CAS can ping the CAM too.
  there are two things that were changed in the last month.
  The CAM was moved to other city and they are using a 2MB link connection between them.
  The IP Address of the CAM was changed.
  I've checked my link connection between them because my CAM is in a different city  of the CAS but my link is in 50% load.
  Does anyone know any possibilitie to solve this?

  Hi,
  Are you using ip based certs or domain name? Also make sure when you do an nslookup that the CAS is able to resolve the ip address of the CAM. Also check your firewall and make sure that you are allowing all ip traffic between the CAS and the CAM.
  Also check yoru certs on the CAM and make sure that they havent expired. Are you using a standalone CAM and CAS setup are are they in failover configuration?
  Thanks,
  Tarik

• Two server Vlans behind ACE needs to communicate

  Hi all,
  We have a setup as follows:-
  MSFC-->FWSM--->ACE--->2 Server Vlans.
  The gateways for all the servers are the respective alias IP addresses. the clients can initiate inbound sessions to all servers and the servers can initiate outbound sessions to selected outside devices. Now we have a new requirement wherein the servers need to communicate with each other. How do we accomplish this? Now when server (behind the ACE) initiates a session a to the devices in outside world a source NAT to the VIP is required. In this case the for server to server communication is a VIP required. What we require is just something like "inter vlan routing" on the MSFC. the sample config is like this:-
  interface vlan 410
  desc "SERVERS-B"
  ip address 192.168.20.50 255.255.255.0
  alias 192.168.20.1 255.255.255.0
  peer ip address 192.168.20.51 255.255.255.0
  access-group input ALL
  service-policy input SMTP-LOG
  service-policy input ICMP_PROD
  no shutdown
  interface vlan 411
  desc SERVERS-A
  ip address 192.168.10.50 255.255.255.0
  alias 192.168.10.1 255.255.255.0
  peer ip address 192.168.10.51 255.255.255.0
  access-group input ALL
  service-policy input ICMP_TEST
  no shutdown
  interface vlan 423
  desc "FWSM DMZ"
  ip address 172.23.0.2 255.255.255.0
  peer ip address 172.23.0.3 255.255.255.0
  access-group input ALL
  service-policy input TEST
  service-policy input PRODUCTION
  no shutdown
  We require 192.168.10.X network to communicate with 192.168.20.X network.
  I hope i have explained the scenario.
  Thanks in advance.
  Regards
  Sonu.

  there is nothing special to do.
  ACE will route the traffic if it is permitted by an access-group and if it does not match a policy.
  Gilles.

• NAC Server

  When I connect to our new guest wireless network and then open my IE browser the page redirects to our NAC server authorisation login page which fails due to DNS.
  (doesn't work)
  https:///internal.nac-srv.com/auth/perfigo_weblogin.jsp?cm=ws32vklm&uri=https%3A%2F%2F
  (works when I use the internal IP of the NAC server)
  https://10.1.1.1/auth/perfigo_weblogin.jsp?cm=ws32vklm&uri=https%3A%2F%2F
  The trusted setup DNS servers are public hosted DNS servers (guest user access is only for the Internet), reason being internal.nac-srv.com is not resolvable.
  Is there anyway I can make internal.nac-srv.com resolvable to the guest wireless user, is there a config parameter for this to change the redirection to the IP automatically?
  Thanks

  I understand that. They gave me a patch but they had to modify it on the fly so I don’t have the correct patch to share. But yes we would lose all connectivity with the server, luckily we had a terminal server where we kept the server that kept going out of sync we would just have to console into the server and hit enter a few times to get the prompt and it would go back in sync for a time.
  Adam

• Access Server through VIP (ACE 4710) but very slow

  Re:  Access Server through VIP (ACE 4710) but very slow
  Hi Shiva
  Kindly  Help .....Accessing the server very slow.., Plz check my real  configuration... this configuration is for application server and after  this i have to configure more serverfarm for different server like  webmail etc. in this ACE 4710. I have only one ACE 4710 .
  ACE Version A4(2.0) = is there supports Probe with this version.???  without probe server will work but very slow. And plz guide Nat-pool is required
  VIP :-- 172.16.15.8
  LB/Admin# sh run
  Generating configuration....
  no ft auto-sync startup-config
  logging enable
  logging host 172.29.91.112 udp/514
  resource-class RC1
    limit-resource all minimum 10.00 maximum unlimited
  boot system image:c4710ace-mz.A4_2_0.bin
  hostname LB
  interface gigabitEthernet 1/1
    description Management
    speed 1000M
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    description clientside
    switchport access vlan 30
    no shutdown
  interface gigabitEthernet 1/3
    description serverside
    switchport access vlan 31
    no shutdown
  interface gigabitEthernet 1/4
    no shutdown
  context Admin
    description Management
    member RC1
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  probe http probe1
    description health check
    interval 5
    passdetect interval 10
    request method head
    expect status 200 200
    open 1
  rserver redirect https_redirect
    description redirect traffic to https
    webhost-redirection / 302
    inservice
  rserver redirect maintenance_page
    description maintenance page displayed
    webhost-redirection /sry.html 301
    inservice
  rserver host web1
    ip address 192.168.10.3
    inservice
  rserver host web2
    ip address 192.168.10.4
    inservice
  rserver host web3
    ip address 192.168.10.5
    inservice
  serverfarm host http
    rserver web1
      inservice
    rserver web2
      inservice
    rserver web3
      inservice
  serverfarm redirect https_redirect_farm
    description Redirect traffic to https
  serverfarm redirect maintenance_farm
    description send user to maintenance page
  parameter-map type connection paramap_http
    description parameter connection tcp
    exceed-mss allow
  sticky ip-netmask 255.255.255.0 address source Sticky_http
    timeout activeconns
    serverfarm http
  class-map match-all REMOTE-ACCESS
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  class-map match-all slb-vip
    2 match virtual-address 172.16.15.8 tcp eq www
  policy-map type management first-match remote_access
    class class-default
      permit
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match slb
    class class-default
      serverfarm http
  policy-map type inspect http all-match slb-vip-http
    class class-default
      permit
  policy-map multi-match client-vips
    class slb-vip
      loadbalance vip inservice
      loadbalance policy slb
      loadbalance vip icmp-reply active
      inspect http policy slb-vip-http
      connection advanced-options paramap_http
  interface vlan 30
    description "Client Side"
    ip address 172.16.15.24 255.255.255.0
    access-group input everyone
    service-policy input client-vips
    no shutdown
  interface vlan 31
    description "Server Side"
    ip address 192.168.10.1 255.255.255.0
    service-policy input remote_access
    no shutdown
  interface vlan 1000
    description managment
    ip address 172.29.91.110 255.255.255.0
    service-policy input remote_mgmt_allow_policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.15.1
  snmp-server contact "PHQ"
  snmp-server community phq group Network-Monitor
  snmp-server trap-source vlan 1000
  username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/  role Admin domain
  default-domain
  username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR.  role Admin domain de
  fault-domain
  username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0  role Admin domain d
  efault-domain
  ssh key rsa 1024 force
  banner motd # "ro" #
  Regards,
  Prem

  Hi Shiva,
  plz guide i'm new with ACE LB, also find my n/w design for connected ace to server. but server accessing very very slow, but when i connect through my old server software LB (with two interface)then accessing very fast. I just replace my old serverLB(with two interface) to ACE4710 and connect the same scenario then why not server accessing smoothly with VIP .Reply soon only I connect ACE's two interface with switch.....
  Regards,
  Prem

• NAC Server and NAC Manager installation

  Hi experts,
  When I've tried adding NAC Server to NAC Manager in CAM web management, it prompts: Failed to add server: Could not connect to 10.130.80.81
  Is there anything I can do for solving this?
  I'm new for NAC Manager and Server installation.
  The version using is 4.8.2
  BTW, I don't know how to generate SSL certificates (not temporarily) for installation, can anyone help also?
  Thanks in advance!
  Regards,
  Daniel

  Hi Daniel,
  this is related to the certificate issue.
  just generate temp certificate in NAM and NAS.
  Export the certificate along with key and store it in different location.
  then in SSL option there is trusted certificate authority
  load NAS certificate in NAM and NAM certificate in NAS. then try to configure or add NAS to NAM.
  it will work.

• Question concerning NAC server

  Does the NAC server have the ability to provide bandwidth usage limiting on a per user or per device basis.  The feature list I have seen doesn't seem to list this option.
  Thank you

  It can do that yes.
  On the clean access server configuration page (through the manager), go to "filter" , "Roles", "bandwidth"
  You can set bandwidth restriction per role (so a kind of group of users). You can also chose to share the limitation between all the clients currently connected in that group, or to give that limitation to each client.
  Example if you restrict to 100Kb/s the user role "marketing", then you can either have the whole marketing department limited to 100kb/s regardless of the number of marketing users connected or say that each marketing employee is restricted to 100kb/s.
  I hope this answers.
  Nicolas