Logging user commands in Cisco ACE appliance

Similar Messages

• How to monitor memory on Cisco ACE Appliance 4710?

  I'm trying to monitor the memory usage in balancers Cisco ACE Appliance 4710 with version A3 (2.2), but the OIDs cpmCPUMemoryUsed (.1.3.6.1.4.1.9.9.109.1.1.1.1.12) and cpmCPUMemoryFree (.1.3.6.1.4.1.9.9. 109.1.1.1.1.13) not work.
  What the right OID to monitor memory usage in balancers Cisco ACE 4710 Appliance?

  HI,
  You need to use  CISCO-ENHANCED-SLB-MIB .
  cpmProcExtMemAllocatedRev .1.3.6.1.4.1.9.9.109.1.2.3.1.1 (this gives the memory allocated to each process)
  You can also read up on the mib
  Hope this helps
  Venky

• Cisco ACE Appliance Redundant configuration

  How cisco ACE appliance changes its Ip address and MAC address after failover???

  Hi Birendra,
  Could you please elaborate more on your question?
  FT mac's depend upon FT group that you have configured and they remain same. They will not change after failover.
  Here's a document at the link which explains in details about different MAC addresses in ACE:
  https://supportforums.cisco.com/docs/DOC-8723
  Let me know if you have any questions.
  Regards,
  Kanwal

• Cisco ACE Appliance showing error while boot

  Hello Everyone,
  I intend to Configure two ACE appliance in one arm mode, Post configuration I have tried to test the functionalities of the same.
  Below are the queries which I am having now.
  >Post reboot of the appliance it popped with the error ,pls clarify .
       Starting sysmgr processes.. Please wait...tg3: tg3_reset_hw timed out for eth1, firmware will not restart magic=4b657654
  tg3: tg3_reset_hw timed out for eth1, firmware will not restart magic=4b657654
  Done!!!
  > Please confirm whether SNAT is compusory for one-arm mode setup . as our requirement is to loadbalance only the requests from the clients .
       the reply from server should go back to the client directly .
  > How can I achieve the HA config with out dedicated port . as I have configured port channel for all the 4 ports . I am not interested to provide the seperate port for HA.
  Thanks in advance

  Hi,
  > Please confirm whether SNAT is compusory for one-arm mode setup .  as our requirement is to loadbalance only the requests from the clients  .
       the reply from server should go back to the client directly .
  **Mos of the times SNAT is require but is not must.  For example, you can have the servers connected to a L2 Switch, using the ACE as DG and you probably don't need SNAT.
  The important is to have the response of the server going back to the ACE with or without NAT
  > How can I achieve the HA config with out dedicated port . as I have  configured port channel for all the 4 ports . I am not interested to  provide the seperate port for HA.
  ***Configure in the portchannel the ft-port vlan command.  Remember that the FT vlan should be L2, no L3 devices in between the ACEs
  Cesar R
  ANS Team

• Cisco ACE appliance backend Requests

  Hi,
  I have a question about the Cisco ACE 4700x  appliances.
  I hope that someone can help me out with the next question please, which is:
  does the appliance support backend server selection based on URL, hostnames or IP?
  if yes, where can i find more details about it ?
  Thank you

  Here it is.
  class-map type http loadbalance match-all DOMAIN-ONLY-CM  2 match http header Host header-value "xxx[.]domain[.]com"class-map type http loadbalance match-all DOMAIN-AND-PATH-CM  2 match http header Host header-value "www[.]domain[.]com"  3 match http url /very-long-path/.*

• Cisco ACE - "show conn" command queries

  Hi all,
  i have some queries regarding the "show conn" command in Cisco ACE.
  Working Scenario:
  VIP : 10.10.10.1
  Server 1 : 10.10.20.1
  Server 2 : 10.10.20.2
  Client: 30.30.30.1
  When a client 30.30.30.1 initiates a connection to the VIP on 10.10.10.1, the ACE load balances it to Server 1, 10.10.20.1. Looking at the "show conn" table, it shows that Server 1 is replying back to the Client 30.30.30.1 through the ACE.
  Now, my question is when the ACE returns the traffic to the Client, should the Client be seeing the source IP coming from the VIP or Server 1? My understanding is that the Client should be seeing traffic returning from the VIP. But the show conn table does not seem to suggest so.
  show conn table
  conn-id    np dir proto vlan source                destination           state
  ----------+--+---+-----+----+---------------------+---------------------+------+
  1768       1  in  TCP   10   30.30.30.1:9221   10.10.10.1:80       ESTAB
  41         1  out TCP   52    10.10.20.1:80    30.30.30.1:9221   CLOSED

  Daniel,
  The client is expecting a response from the VIP otherwise there would be an asymmetrical routing problem and conns will never complete.
  The fact that you're seeing 30.30.30.1 as the destination address is just that the server is able to see client's IP address on the request, when your backend servers sends the reply back to the client this response is forced to go through the ACE, when the ACE looks at the packet it matches with a previously conn created on the flow table so it "NATs"  the reply so now the source of the packet is the VIP and destination is 30.30.30.1.
  This is a expected behavior as you're not using S-NAT on your network.
  HTH.
  Pablo

• Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

  Hi,
  I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
  ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
  Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
  I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
  tacacs-server key 7 "xxxxxxxxxxxxx"
  aaa group server tacacs+ tac_admin
    server xx.xx.xx.xx
  aaa authentication login default group tac_admin local
  aaa authentication login console group tac_admin local
  aaa accounting default group tac_admin

  Hi,
  Since the ACS is receiving the request.
  Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+  tac_admin
     server x.x.x.x
  aaa authentication login default group  tac_admin local
  aaa authentication login console group  tac_admin local 
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
  1. Shell  (exec) enable
  2. Privilege level 15
  3. Custom attributes:
             shell:Admin*Admin default-domain
      if you have additional  context add next line
            shell:mycontext*Admin  default-domain
  After  loging to ACE and issuing sh users command you should see following
  User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

• Cisco ACE Issue accessing SAP applications through ACE appliance

  Hi,
  I have website whose VIP resides on my ACE appliance. That site has many links on it which are SAP applications.
  For one link, when i click it first time, user is asked for authentication which is not  actually required and get blank page.
  When I click back (go to main site again) and again click the same link, it opens normally without any authentication prompt.
  Rest all links on the site have no issues and open normally.
  I had same issue with acceptance for same application and below parameter map resolved the issue
  parameter-map type http case_param
    case-insensitive
    persistence-rebalance
    set header-maxparse-length 65535
    set content-maxparse-length 65535
    length-exceed continue
  I tried using same parameter map with persistance rebalance disbaled but still it does not work.
  What could be the issue in this case?

  Hi,
  The SAP has front end server to which ACE is sending traffic dstined to particular VIP. front end server then communicates with backend server for all date related to all applications. When client is using different applications, url in browser remains the same. All applications are working fine except this single application.
  same setup is working fine with cisco CSS and even the accepatnce is working fine for same set of applications.
  I am getting bad tcp checksum messges in capture output.
  10.38.199.196 is client IP....10.36.64.40 is VIP and , 10.36.64.86 is nat ip  and 10.36.32.55 is front end server which is user interface to various applications

• Cisco ISE log configuration commands enetered on routers

  Hello,
  I am trying to migrate from Cisco ACS to ISE.
  I want to log configuration commands entered on routers.
  I have configured the routers to send accounting radius to ISE but ISE sees the messages as:
  "22003  Missing attribute for authentication
  11014  RADIUS packet contains invalid attribute(s)"
  Can I configure ISE to receive radius accounting messages ?
  Is there another way to configure ISE to log configuration commands ?
  Another way would be to send syslog messages using the archive configuration on routers, but I cannot find the syslog mesages on ISE.
  Regards,
  Bogdan

  You should post your question on the AAA forum
  https://supportforums.cisco.com/community/netpro/security/aaa
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Logging of commands on syslog server (Cisco Nexus 7010)

  Please help.
  How to set up logging of commands on syslog server ? (cisco nexus 7010)

  Hi Igor
  Nexus has internal accounting log: sh accouting log
  But it can be sent only to the accounting server, not to a syslog server.
  If you want - you man manually export it to some log.
  HTH,
  Alex

• Tacacs authentication with ACE appliance not working

  Hi All,
  I'm having trouble with a Cisco ACE 4710 appliance using tacacs to authenticate ssh/telnet remote users. Following the CCO documentation we have configured the backend tacacs server (Cisco Secure ACS) and setup the ACE with the required configuration.
  tacacs-server key 7 "letmein"
  tacacs-server host 192.168.1.1 timeout 5
  aaa group server tacacs+ ACStac
    server 192.168.1.1
  aaa authentication login default group ACStac local
  So far no luck in successfully authenticating any users. I can see in the log on the ACS a key mismatch error however I have 100% verified the keys are identical, im thinking this may be a bug?
  Furthermore when I paste in the tacacs-server key it gets converted to a type 7 in the running configuration even though I use the no encryption option. Anyone have any ideas? The ACE is running version A3(2.3)
  Thanks in advance

  Hi Matt,
  Please remove the shared secret of teh NDG and test.
  Regards,
  Anisha
  P.S.: please rate this post if ypou feel your query is answered

• Cisco ACE with ACS5.0

  Guys,
  Is there a way that I can configure authentication using ACS 5.0 to access a certain server farm group only for a specific user?
  Sent from Cisco Technical Support iPad App

  Yes you could using roles & domains. you would initially have to configure a domain on the ACE and add the relevant serverfarm to it.
  Then in ACS configure the policy for authentication & authorization and under the Shell Profile / Custom Attributes section add an attribute of shell: with Value of , similar to what I have below for my environment (I just have a role of Admin and the default domain in mine).  Then you can test by logging in and issuing the 'show users' command to verify (or check ACS Tacacs/Radius logs)

• Integrate Cisco ACE into AAA TACACS+

  Dear Community!
  I would like to configure Cisco ACE 4710 CLI and WebAmin to use ACS v4.2 TACACS+ authentication and accounting feature. After found a Cisco document, which describes ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I have setup all configuration parameters mentioned in this document, everything seems to be OK.
  But...
  I have a TACACS+ group named "Network Administrators", which has privilege level 15 option enabled, so admins do not have to type enable password when authenticating. After setting up ACE AAA, the prvilege level 15 option stops working, while logging in Cisco routers: after authentication, the user remains in privilege level 1.
  Logging in Cisco switches seems to be OK, stepping immediately to level 15 as usual.
  I tried upgrading IOS in a router, but no luck...
  Does anybody have any experiance about this "bug"?
  Thanks in advance!
  Regards,
  Belabacsi
  @ Budapest, Hungary

  Hello Bela
  In ACE on every context (including Admin and other) you should have following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+ MYTACACS
    server x.x.x.x
    server x.x.x.x
  aaa authentication login default group MYTACACS local
  aaa authentication login console group MYTACACS local
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network Administrators" you should configure in TACACS settting:
  1. Shell (exec) enable
  2. Privilege level 15
  3. Custom attributes:
            shell:Admin*Admin default-domain
      if you have additional context add next line
            shell:mycontext*Admin default-domain
  After loging to ACE and issuing sh users command you should see following
  User            Context                                                                 Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x       Admin                                                                   pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Regards,
  Stas

• Does Cisco NAC Appliance deployment require CS-ACS?

  I've gone through all the partner training on the Cisco NAC appliance and mgmt station, and CiscoSecure ACS 4.0+ is mentioned just about everywhere in the user verification steps.
  If a customer does not have CSACS, or AAA for that matter (say in just a MS Exchange environment), the NAC appliances can still be used, correct?
  I'm assuming they can, but that leads to if any functionality/checks would be lost in that case, and if so, what?
  Anybody have any ideas on that?
  Thanks!

  Yes, you could use NAC with the local database for a client demonstration. This is actually my preferred method.
  Of course, you would lose the central management functionality which comes with ACS or a hook to Active Directory via KTPass (This command-line tool enables an administrator to configure a non-Windows Server 2003 Kerberos service as a security principal in the Windows Server 2003 Active Directory).
  Though by all means deploy NAC, even if you are simply want to demonstrate its functionality. Configure the authentication portion last, after your customer is happy with the demonstrated results.
  Hope this helps.

• ACE Module vs ACE Appliance

  Hello,
  What is the difference between ACE Module and ACE Appliance? why the ACE Module is better? or ACE Appliance, what is the advantage between Module and Appliance.
  anyone can explain me?
  Best Regards

  In the past Cisco has been shipping two line of Loadbalancing products
  First line ( modules dedicated for 6500/7600 chassis ) includes CSM & CSM-S & SSLSM (for ssl offloading)
  The other line comprises of appliance based CSS series products.
  ACE module is a next generation module replacing CSM modules that fits into 6500/7600 chassis.
  It gives you upto 16Gbps throughput (versus CSM's 4Gbps throughput).
  ACE appliance is a next gen replacement of CSS line of appliance based products.
  CSS appliances were used to come in different Hardware models with varied
  performance capacities. ACE appliance is a single hardware with various licenses
  used to scale the performance/features.Ace appliance supports upto 4Gbps of throughput.
  Previously CSS & CSM code terminologies & command set was different. For example a real server
  was termed as "service" in CSS & was called "real" in CSM . Similarly "probe" in CSM was "keepalive"
  in CSS.
  With ACE line of products you get the same terminologies & command sets for both
  modules & Appliances.
  ACE Appliance & ACE modules are functionality vise coming closer with every new release but
  still there are some differences.
  For example following ACE appliance features are not available in ACE module:
  Appl optimization (flash forward, Delta Encoding)
  Embedded Device manager
  Http compression
  Which one is better than the other really depends on your requirement
  From Performance perspective Module give you much higher performance then Appliance.
  SO if performance is your criteria the ACE module is better than ACE appliance.(Some performance metrics at the end of the post).
  If you are looking for Application optimization & HTTP compression along with Loadbalancing
  then it can only be achieved with ACE appliance.
  If you are not using 6500/7600 series chassis in your environment then you can only use ACE appliance
  (unless you are open to buy module+chassis due to performance requirement).
  Some performance metrics
  Ace Appliance supports 1 Million concurrent connections where as Ace Module supports 4 Million.
  Ace Appliance supports 120K L4 conn/sec where as Ace Module supports 380K L4 conn/sec.
  Ace Appliance supports 40K L7 conn/sec where as Ace Module supports 133K L7 conn/sec.
  Ace Appliance supports upto 4Gbps throughput where as Ace Module supports 16Gbps throughput .
  HTH
  Syed Iftekhar Ahmed