OT: Kudos to our Aces

Similar Messages

• Best Practice to use one Key on ACE for new CSR?

  We generate multiple CSR on our ACE....but our previous network admin was only using
  one key for all new CSR requests.
  i.e.......we have samplekey.pem key on our ACE
  we use samplekey.pem to generate CSR's for multiple certs..
  is this best practice or should we be using new keys for each new CSR
  also .is it ok to delete old CSR on the lb..since the limit is only 8?..thx

  We generate multiple CSR on our ACE....but our previous network admin was only using
  one key for all new CSR requests.
  i.e.......we have samplekey.pem key on our ACE
  we use samplekey.pem to generate CSR's for multiple certs..
  is this best practice or should we be using new keys for each new CSR
  also .is it ok to delete old CSR on the lb..since the limit is only 8?..thx

• How to enable ping to VIP on ACE

  I want to be able to ping the VIP address on our ACE. How can i accomplish that ?
  Is it by adding an ICMP match to the VIP class-map ? I have globally enabled ICMP for management purposes.

  loadbalance vip icmp-reply active

• ACE sending malformed requests?

  Hi,
  Our ACE has several contexts, and in one of them we are seeing a single probe fail at random times, to a single particular rserver.
  The logs of the ACE and the affected rserver at the same time are:
  ACE logs:
  %ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, received invalid status code
  %ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, received invalid status code
  %ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, server reply timeout
  %ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, server reply timeout
  rserver log:
  [Mon Oct 13 18:02:12 2008] [error] [client 10.254.20.11] Client sent malformed Host header
  [Mon Oct 13 19:35:37 2008] [error] [client 10.254.20.11] Client sent malformed Host header
  [Mon Oct 13 20:32:30 2008] [error] [client 10.254.20.11] request failed: error reading the headers
  [Mon Oct 13 21:36:22 2008] [error] [client 10.254.20.11] request failed: error reading the headers
  The strange thing is that it is always the same target rserver that reports this error. Naturally, I've asked the server admins to look at this rserver, but they've seen the 'client request' errors in their logs and are suggesting the ACE is at fault.
  This rserver also hosts other IP addresses that are used in the same context in different serverfarms - and it behaves as normal without error....it is just this single destination IP that seems to have a problem. Other IPs in the same serverfarm are ok.
  Are there any more in-depth checks that I can do at the ACE level to verify that all is OK with the ACE?
  The probe is setup like:
  probe http 80-checker
  interval 10
  passdetect interval 3
  request method get url /ping
  expect status 200 200
  Thanks
  Cameron

  I would like you to run sniffer on the Rserver and look into the HTTP Header of Probe request from ACE.
  Check if the parameters expected by the RServer are in line with the http request used by ACE probe.
  For example if RServer is expecting "www.xyz.com" as HOST then is ACE really using
  "HOST:www.xyz.com" in the HTTP request header.
  Thanks
  Syed Iftekhar Ahmed

• Traceroute not happening to ACE from Oracle Server

  Hi,
  Our ACE is configured in One-ARM Mode. I have Oracle Serverfarm been loadbalanced by ACE from where traceroute to ACE is not happening.
  Oracle Server in VLAN 10 with Gateway configured at Core Switch: 10.10.10.21
  VLAN 60: 10.10.60.21 in Core switch & ACE ip: 10.10.60.1
  If from ACE i doa traceroute at one of the Oracle DB servers (10.10.10.5 & 10.10.10.6) it's going nicely. But sitting at Oracle DB servers if i do trace to ACE IP: 10.10.60.1 it gets dropped at Core switch: 10.10.10.21
  This probem is not happening from any other Windows machines....
  Can someone highlight....
  Attached the ACE config...

  some machine use icmp to do traceroute and others use udp.
  Your oracle machine might be using udp and your core switch as a security acl to block this udp traffic.
  G.

• [ACE] What makes a sticky reset?

  Hi,
  Our websites are loadbalanced thru our ACE modules and we are using the sticky feature.
  Sticky is needed so that the customers session will retain the content of its shopping basket.
  About 10% of our customers complain that the basket is emptied during a session, forcing them to start over. In our logs we indeed see that some users are balanced to another server during a session. Apparently in these cases the sticky feature is ignored somehow.
  My question is, what are the possible triggers that the ACE uses to dismiss the sticky for a given session and start a new one?
  Could it for example be caused by an html-page containing a link to another vip than the vip the page is originally served from?
  Or could a simple spelling-error in a link be the trigger?
  Looking forward to any answer.
  Kind regards,
  Anthony van Harten

  Hi, I've a similar scenario with a Cisco 4710 in a dmz, running a vip that end users are hitting from behind proxy and nat.
  I enabled Cookie-Insert and its pushing down a cookie to the browser now, just wondering if I need to add persistence-rebalance when you are using cookie-insert. from the command reference it seems like all user sessions would end up on one rserver if i did that. Looking to ensure the round-robin is still used.
  Usage Guidelines
  With persistence rebalance enabled, when successive GET requests result  in load balancing that chooses the same policy, the ACE sends the  request to the real server used for the last GET request. This behavior  prevents the ACE from load balancing every request and recreating the  server-side connection on every GET request, producing less overhead and  better performance.
  Another effect of persistence rebalance is that header insertion and  cookie insertion, if enabled, occur for every request instead of only  the first request.
  thanks
  John W.

• Bizarre ACE module behavior

  Hi,
  I configured a new serverfarm with leastconns predictor for two servers on our ACE module Version A2(2.3). Probes (show probes XX detail) to the servers are successful and both servers are operational (show serverfarm APPLI detail) but connections are directed only to one server.
  When I deactived the server which is receiving the connections (no inservice), the ACE start to direct connection to the second server.
  There are several serverfarm, configured the same way, that are Loadbalancing traffic as correctly.
  Here is a sample of my config
  serverfarm host TEST_443
  predictor leastconns
    probe TEST_443_PROBE01
    rserver TEST_RS01 443
      inservice
    rserver TEST_RS02 443
      inservice
  sticky http-cookie TEST_HTTPS TEST_443_STKY
    cookie insert
    timeout 720
    replicate sticky
    serverfarm TEST_443
  probe http TEST_443_PROBE01
    port 443
    interval 20
    passdetect interval 60
    passdetect count 5
    request method get url /test
    expect status 302 302
    connection term forced
  policy-map type loadbalance first-match TEST_L7PLB_HTTPS
    class class-default
      sticky-serverfarm TEST_443_STKY_SF
      insert-http X-Forwarded-Proto header-value "https"
      insert-http X-Forwarded-For header-value "%is"
  policy-map multi-match SLB-HTTP-POLICY
  class TEST_L4VIP_HTTPS
      loadbalance vip inservice
      loadbalance policy TEST_L7PLB_HTTPS
      loadbalance vip icmp-reply active
      loadbalance vip advertise active
      nat dynamic 1 vlan 202
      appl-parameter http advanced-options PERSIST
      ssl-proxy server TEST_SSL_PROXY_SERVER
  PS : ACE uptime is 291days, could that impact ACE behavior ?
  Thanks for any troubleshooting hints

  Looking at this on my phone but it looks like you L7 policy is referencing a sticky server farm that does not exist.
  ie TEST_443_STKY_SF is incorrect name for sticky
  If that's not it. Then check that the first server actually has a number of conns on it when a new connection is established. Sometimes when both servers have 0 conns - new incoming conns will always go to the first server
  Regards
  Stephen
  ===============================
  Free network configuration management software at www.rconfig.com
  Sent from Cisco Technical Support iPhone App

• AVS and ACE

  I am having some trouble getting the difference of the AVS Appliance vs. the ACE Modul for the Cat6K.
  Our ACE Moduls are already about to be shipped so i am looking forward to get my hands on those. Checking the Application Solution Section there is also the "new aquired" AVS Appliance listed.
  A: Is the AVS a Supplement to the ACE Modul in Areas of HTTP,SSL Compression etc. and more granular Payload Inspection?
  B: Is the AVS a "rival" product with different features?
  We have some discussions regarding the enhancement of our Portal-Infrastructure and some guys are always putting Netscaler from Citrix on the Agenda. I am sure it is a nice product but i like to keep my Enviroment as far Cisco as i can.
  That's why it would be nice to get some advice on how to rate, position or compare the ACE,AVS vs. the Netscaler Solution. I have the feeling some of the features which are in the mentioned Netscaler are splitted into two Cisco products.
  Points of interest are...
  +Payload/Packet-Inspection
  +Compression
  Thanks for reading...

  Can anyone Comment on my impressions listed below and also on my problems in the above Posting?
  AVS: Security, TCP Multiplexing, Compression and NO Loadblancing.
  ACE: Security, Loadbalancing, Virtualization and TCP Multiplexing but NO Compression? Could Compression be added in future SW Releases?
  vs.
  Netscaler: Security, TCP Multiplexing, Compression and Loadbalancing
  C: If you would combine the ACE and AVS are you supposed to put the AVS behind the ACE for the use of its security features or in Front of a Cat6K with ACE Modul?
  D: If you put it behind the ACE is the Idea of running it transparent as more less IDS with App-Accelration and Caching an approach?
  E: If you use the Security features of both devices you have more or less a double inspection of the Payload with the AVS going into more depth than the ACE?
  Would be great if someone had any experience or advice.
  Roble

• ACE ACS TACACS+ Key Mismatch issue

  Goodday,
  I have an issue when trying to setup ACE Modules for TACACS+ and AAA autentication whereby the Failed Authentication reports, state the reason as "Key Mismath".
  We have confirmed that the key we are using is the same on the ACE and on the ACS.
  The question I have is as follows:
  Should the key we enter on the ACE remain as we have typed it, so if we enter mysharedkey as the key should this show as such in the running config or should it show as encrypted? Currently it shows in the running as we have entered it but just adds the 7 before the key and places the key in inverted commas.
  So config entered something like this:
  tacacs-server host 10.10.10.10 key mysharedkey
  aaa group server tacacs+ acs_pri
  server 10.10.10.10
  aaa authentication login default group acs_pri local none
  BTW, we are running version 2.1.4(a).
  Thanks for any assitance with this.
  Paul

  Hi Kevin,
  Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issueing the command.
  On the point of the show run revealing the something encrypted instead of the actual TACACS key, this is not what we see, we see the actual key we entred.
  This is my concern.
  We managed to get his working by checking on the production ACE modules and production ACS, using the "encryped" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server itself's config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.
  The problem arises that every six months or so, securiy requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encyption of the key we enter itself.
  See my problem...
  Thanks again for the assistance and any further guidance would be appreciated.
  Paul.

• ACE MIBs Issue

  Hi,
  I have identified a number of MIBs that I want our OSS systems to use to collect performance data relating to our ACE (ACE20-MOD-K9 running 30.(0)A2(1.6a)).  I have identified the MIBS from the CISCO-SLB-MIB and the CISCO-ENHANCED-SLB-MIB but when our OSS Systems try to do an SNMP Walk on the ACE for these MIBs nearly all of them come back with the following message -
  "no MIB objects contained under subtree"
  The MIBs I have tried are the following -
  1.3.6.1.4.1.9.9.470.1.1.1.1.17
  1.3.6.1.4.1.9.9.470.1.1.1.1.18
  1.3.6.1.4.1.9.9.470.1.1.1.1.19
  1.3.6.1.4.1.9.9.470.1.1.3.1.11
  1.3.6.1.4.1.9.9.470.1.1.3.1.12
  1.3.6.1.4.1.9.9.470.1.1.3.1.13
  1.3.6.1.4.1.9.9.161.1.3.1.1.5
  1.3.6.1.4.1.9.9.161.1.3.1.1.13
  1.3.6.1.4.1.9.9.161.1.4.1.1.17
  The only one that comes back with a value is shown below -
  1.3.6.1.4.1.9.9.161.1.4.2.1.7
  cisco.ciscoMgmt.161.1.4.2.1.7.2.48 : Counter: 1091236
  Has anyone experienced something like this or have any ideas on where we are going wrong.  We have multiple Virtual Contexts configured and are trying to get the values from a specific context.
  Thanks
  Stuart

  Good morning Stuart,
  I do not know all the detail sof the configuration but what I can tell you is that in newer versions than A2(1.6a) there were some enhancement about the OIDs you report.
  Please have a look at this document
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_2_x/release/note/RACEA2_2X.html
  paragraph "Enhancements to the CISCO-ENHANCED-SLB-MIB".
  You many need to replace cesRealServerStateUpwith cesRealServerStateUpRev1.
  This translates into moving from 1.3.6.1.4.1.9.9.470.0.1 to 1.3.6.1.4.1.9.9.470.0.7.
  You can use the Cisco "SNMP Object Navigator" available here:
  http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en
  to translate all the options.
  I would try a newer version and see if the situation improves.
  Hope this helps,
  Alessandro
  If  this helps you and/or answers your question please mark  the question as  "answered" and/or rate it, so other users can easily  find it.

• Upgrade steps for ACE 4710

  Hi Everyone
  We will be upgrading our ACE 4710s from A3(2.2) to A4(1.0). We have a pair in high availability mode. Has anyone here got any tips on how we can get a smooth upgrade without downtime? Is this even possible?
  Thanks
  A

  Of course it is possible to upgrade with no downtime!
  However it is always recommended to schedule the upgrade in a maintenance window to minimize the impact in case of any issues.
  You can normally find the documented procedure here for the upgrade:
  http://cco/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/upgrade.html#wp1012243
  I find in fact the best would be the following:
  1. Upgrade the stand by module first.
  2. Once reloaded, switchover to the standby and verify all services working correctly.
  3.Upgrade the new stand by module.
  4. Eventually switch over again to restore the active box as per the original configuration.
  By doing this, if for some reason the first switchover at point 2. would not work, you can switch back to a safe scenario which you are sure to work.
  Cheers,
  Domenico.

• HOWTO: Poll Server farm stats on ACE module

  Hi All,
  We are currently working on providing network monitoring information of our server farms programmed on our ACE modules, what is the best OID's to use?

  Hi Rob,
  Unless there's something already out with the release of code 4.X and ACE 30 then I'd say the MIB that can help you here would be the .CISCO-ENHANCED-SLB-MIB
  Here is the info from the SNMP object navigator
  http://xrl.us/bk2vmo
  Here is the list of supported MIBs by the ACE module just for reference and download
  ftp://ftp.cisco.com/pub/mibs/supportlists/ace/ace-supportlist.html
  HTH
  Pablo

• Routing RTSP though Ace but keeping source address information

  Hello
  I am trying to set up load balancing for a Wowza streaming media server.  The problem I have is that some of the media that we will be on the server is not allowed to be watched from other countries.  The server has a modification that can sort this based on the IP address, our ACE is in Routed Mode, so the source address is replaced with a internal one which means that they will be allowed to watch whatever they like. 
  I have tried to look into injecting the original source address in to RTSP but as far as I can see you cant.
  Can anyone help with making the connections from other countries readable thought the ACE?

  Ricardo,
  What is this route ??
  ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
  You can't have 0.0.0.0/24.
  You must be missing something ?
  Also, since the vip is part of a vlan with subnet 10.0.0.0/24 you don't need to add a static route to reach that vip.
  It should normally be directly connected to your router.
  With the static route, do you see traffic coming to the ACE module ?
  Does it loadbalance to the server ?
  'show service-policy detail' check the packet counters
  Gilles.

• ACE - Traceroute showing same IP for each hop

  I'm having problems with traceroute on my servers sitting behind our ACE module. The module is in routed mode and is performing all NAT to the Internet.
  When I try to traceroute to any external IP, each hops answer has the same IP address (final destination IP).
  Servers not behind the ACE do not have this problem.
  I've turned ICMP-Guard off and opened ICMP up on every interface with an permit icmp any any ACL.
  Any help would be appreciated.

  You have to configure...
  !-ACL defining ICMP-
  access-list ICMP line 10 extended permit icmp any any
  !-Class Map referencing ACL-
  class-map match-all ICMP-INSPECT-L4CLASS
  description ICMP fixup - L4 Class
  2 match access-list ICMP
  !-LB Policy which is applied on your client side vlan.
  !-Add the class statement and switch on imcp inspection
  policy-map multi-match L4-SLB-POLICY
  class ICMP-INSPECT-L4CLASS
  inspect icmp error
  !-Client Side VLAN-
  !-Apply the service police otherwise use your existing policy-
  interface vlan 3104
  service-policy input L4-SLB-POLICY
  Hope it helps
  Roble

• SNMP Ace client packets

  Hi All,
  I am doing an snmpwalk on our ACE using the following oid:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";}
  1.3.6.1.4.1.9.9.161.1.4.2.1.9
  The problem is that on some vips after doing an snmp walk I am receiving  0 for bandwidth utilisation.
  When I scan the device I see there is bandwidth usage.
  Below is output form snmpwalk and the device itself.
  SNMP-Walk
  1.3.6.1.4.1.9.9.161.1.4.2.1.2.2.222 : Counter: 0
  sh service policy CM-Rebranding-888-http
  class: CM-Rebranding-888-http
       VIP Address:    Protocol:  Port:
       10.x.x.x      tcp        eq    80
        loadbalance:
          L7 loadbalance policy: PM-Rebranding-888-http
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          curr conns       : 3374      , hit count        : 8113708
          dropped conns    : 82195
          client pkt count : 186343165 , client byte count: 17308888870
         server pkt count : 292836401 , server byte count: 362759465286
          conn-rate-limit      : -         , drop-count : -
          bandwidth-rate-limit : -         , drop-count : -
          L7 Loadbalance policy : PM-Rebranding-888-http
            class/match : class-default
               LB action: :
                 sticky group: Rebranding-888-http
                    primary serverfarm: SF-Rebranding-888-http
                      state: UP
                    backup serverfarm : -
              hit count        : 8113703
              dropped conns    : 0
          Parameter-map(s):
            Rebranding-888-http-Idle
  It looks like a bug to me.
  Any help would be appreciated in understanding this issue.
  If anyone has encounterd this issue and overcome it please let me know.
  Thanks.
  Jack.

  Jack
  Probably easiest if we can set it up in the lab and test it. Would you be willing to share your config ? Or maybe open a tac case and I can take a look at it. Which version of s/w ?
  Matthew