Redundant FWSM Config Question

Hello All,
I'm going to be configuring failover with FWSMs for our 6500 at my job and I have a config question. There is one current 6500 chassis with 2 FWSMs installed. They are both online, but since failover isn't set up, only one FWSM is actually active. My question is: since we are using multiple contexts, where do I set up the failover interface, and do I need to configure failover on every single VLAN on the FWSM? We have over 10 contexts, each with 2-3 interfaces on them, so do I need a failover IP for every VLAN that exists on every context? Also, does the failover config get set up on the admin or system context? Any help would be greatly appreciated, and thank you so much in advance!

Hi John.
Failover config goes in the system context. For the data interfaces in each context, you will need a primary and a standby IP i.e. 2 IP's per VLAN. Once failover happens, the secondary FWSM will assume the active role and the secondary FWSM will take over the Primary IP address thus making the failover process transparent to end users.
HTH.
Regards
Zubair
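
As an added example (not part of the original thread, and not Cisco tooling): with 10+ contexts of 2-3 interfaces each, a short script can check that every addressed interface in each context carries a standby address in the same subnet, as the answer above requires. The context names, VLANs and addresses are constructed, and the parser assumes the `ip address <ip> <mask> standby <ip>` form.

```python
import ipaddress
import re

# Constructed per-context config excerpts (sample data, not from the thread).
SAMPLE_CONTEXTS = {
    "ctx-web": (
        "interface Vlan100\n"
        " nameif outside\n"
        " ip address 10.1.100.1 255.255.255.0 standby 10.1.100.2\n"
        "!\n"
        "interface Vlan101\n"
        " nameif inside\n"
        " ip address 10.1.101.1 255.255.255.0\n"
        "!\n"
    ),
    "ctx-db": (
        "interface Vlan200\n"
        " nameif inside\n"
        " ip address 10.1.200.1 255.255.255.0 standby 10.1.200.2\n"
        "!\n"
        "interface Vlan201\n"
        " nameif dmz\n"
        " no ip address\n"
        "!\n"
    ),
    "ctx-app": (
        "interface Vlan300\n"
        " nameif inside\n"
        " ip address 10.1.30.1 255.255.255.0 standby 10.1.31.2\n"
        "!\n"
    ),
}

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(
    r"^\s+ip address\s+(\S+)\s+(\S+)(?:\s+standby\s+(\S+))?\s*$", re.IGNORECASE
)


def parse_interfaces(config):
    """Map interface name -> (primary, mask, standby or None), or None if unaddressed."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = None
            continue
        if not line.startswith(" "):
            current = None  # left the interface stanza
            continue
        m = IP_RE.match(line)
        if m and current:
            interfaces[current] = (m.group(1), m.group(2), m.group(3))
    return interfaces


def audit(contexts):
    """Return (context, interface, problem) tuples for interfaces that cannot fail over cleanly."""
    findings = []
    for ctx in sorted(contexts):
        for iface, addr in parse_interfaces(contexts[ctx]).items():
            if addr is None:
                continue  # unaddressed interface: no primary/standby pair expected
            primary, mask, standby = addr
            if standby is None:
                findings.append((ctx, iface, "missing-standby"))
                continue
            net = ipaddress.ip_network(f"{primary}/{mask}", strict=False)
            if standby == primary:
                findings.append((ctx, iface, "standby-equals-primary"))
            elif ipaddress.ip_address(standby) not in net:
                findings.append((ctx, iface, "standby-outside-subnet"))
    return findings


if __name__ == "__main__":
    for ctx, iface, problem in audit(SAMPLE_CONTEXTS):
        print(f"{ctx}: {iface}: {problem}")
```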

Similar Messages

  • A few post config questions on new setup

    Hi Group,
    Just a few post config questions.
    First, how can I confirm my controller is in fact associating properly with an NTP server?  On a typically cisco product, I could just do a 'show ntp associations' or a 'show ntp status'.  I cannot see a way to confirm this on the gui or command line.
    Second, on my guest network with web-auth, if one were to choose to not use https for web-auth and instead use unsecure http, would that be possible and if so where in the gui?
    Thanks.

    The third field is from a WLC running v7.4 not v7.2.  I usually would install a 3rd party certificate, but what else you can try is to issue this command from the CLI.  It had issues working with certain code versions, but you might as well give it a try.
    config network web-auth secureweb disable
    Thanks,
    Scott

  • Workshop Weblogic config questions

    I'm using Oracle Workshop for WebLogic 10.3 and I'm hoping someone can answer some setup/config questions.
    When I double click on the server (WebLogic Server v10.3 at localhost) a window opens with various settings that manage how workshop and weblogic work together.
    Under "Startup & Deployment" I have the following turned on:
    Launch WebLogic server in Eclipse console
    Always start WebLogic Server in debug mode
    Ignore project compilation errors when publishing (I have this turned on because of errors in a portal project, the errors aren't important, and don't prevent the project from running)
    Run stand-alone web module directly from workspace
    So, first question, with these settings I was able to quickly switch to debug mode, with out restarting the server, now the server restarts whenever I turn debugging on. What have I done that has stopped this working correctly? How can I get it to start debugging without a full restart?
    next question, what happens if I turn on "Start WebLogic Server in Express Mode"? As far as I can tell nothing happens.
    Lastly, under "Automatic Publishing" I have it set to "Never publish automatically", if I choose another setting workshop essentially freezes because it's constantly publishing. So whenever I make a change, even in a jsp, I need to remove the project, then re-add it to see my changes in the browser. This is frustrating, not just because it takes 8 or 9 minutes (8 or 9 MINUTES!!!), but because the project doesn't run properly until it is redeployed. You'd think that if it needs to be re-deployed, then none of my changes should matter on the server until it is re-deployed.
    So, my question is, Is there any way to get this re-deployment to happen faster?
    Thanks for any and all help

    Well, in my experience performance is not bad as you experienced. Is it locally connected server or remotely connected server? If it is a remote server, network issue could cause this latency issue.
    Is performance better if you run the server without enabling debug mode? If yes, probably you can also review any break points set.
    You could also try out the following options
    1) Run workshop with -clean option, by opening command prompt and navigating to workshop_home\'workshop.exe -clean'
    2) Untick the option 'Launch WebLogic server in Eclipse console' and start server which would enable server to start on command prompt
    3) This would enable you to take multiple thread dumps (Ctrl+Break) on the server console output, while performance is very bad, to see where threads are halted.

  • Re: PLM4P v6003 Config Question:  Any way to configure UGM Notifications?

    After reading:
    PLM4P v6003 Config Question:  Any way to configure UGM Notifications?
    This is one of the requirements from me as well. We always wanted to customize emails sent not only for UGM but also for other modules. We wanted to convey some message to approvers. But it seems this is still not possible. Is this functionality on the road-map of AgileP4P product management?

    Currently, the subject and body of emails can be customized to an extent, as they are translations that can be overridden. The translations have some placeholder fields that get populated by the system, but you are limited to those placeholder fields. The upcoming release will give you full control of the email body and subject lines, for GSM and SCRM emails, as well as Supplier Rep emails.

  • SCCM 2012 application portal: config questions

    Hi,
    We have setup SCCM 2012 application portal correctly and it's working fine.
    However some config questions:
    -can we change the name of the configuration portal? Now its servername/CMApplicationCatalog ... what's not userfriendly.
    We'd like it to be applicationportal.ourcompany.com. Howto achieve that?
    -can we customize layout in a supported way (we could change html pages but after an upgrade of SCCM they would/could be erased)?
    -how does Flexera (AdminStudio?) plug into this? I've read this entry
    http://helpnet.installshield.com/appportal2014/Content/helplibrary/AP_CreatingCatItemSCCM.htm but what's the big picture here? Anybody using this? What are the advantages?
    J.
    Jan Hoedt

    We want to offer software center for overview of mandatory installs, application catalog for optional software.
    On our companies portal, we can then set a link which directs to the application portal. User can then install optional software from there.
    My current config works http://applicationportal.ourcompany.com/ goes to the sccm-server but not to the url below.
    That would be http://applicationportal.ourcompany.com/CMApplicationCatalog/#/SoftwareLibrary/AppListPageView.xaml
    how can I make sure the application portal shows up when this link is opened?

    It sounds like you want to perform a URL rewrite?
    http://www.iis.net/learn/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
    You should test this to see if it's what you want - I may have misunderstood your question.
    Also, I wouldn't host this module on your AppCatalog server, I'd host the rewrite module elsewhere.
    Don

  • WSA redundancy and WCCP questions

    Hello! My customer bought a pair of S370 WSA prior to deployment planning. I need to deploy both of them into existing network and I'd like to ask few questions with somebody who knows how to do it.
    1. As I know from manuals, WSA doesn't support any clustering but I'd like to use both of my S370 for redundancy. I'm planning to use WCCP only, no explicit proxy mode will be used. What methods can I use to deploy redundant WCCP cache on pair of WSA? If it possible, I'd prefer to use something like Active\Passive but not load balancing scheme. Does it have Centralized management feature like ESA to share configs between devices?
    2. I have fusion router which "mixes" traffic from different vrf. Is it possible to configure router such way that every vrf(which corresponds every interface and different subnets) will be seen with its own ip address in internet or all of them will be using just WSA's address like in explicit proxy mode?
    3. When I tried to test my WSA in explicit proxy mode prior to configuring WCCP, I found out that I can use it as a proxy without any authentication, just setting its address and port in my browser. How can I disable explicit proxy mode or set any authentication (no LDAP or NTLM) to prevent unauthorized access to using my proxy?
    I'm newbie with IronPorts so I will appreciate any help including links to manuals

    The WCCP protocol allows for automatic detection of all connected devices, both proxies and routers/firewalls/switches. When configuring WCCP with multiple WSAs, they're all in the WCCP cluster, with the router doing the load balancing between the detected proxies. From what I've seen, you can't configure an active/passive scenario.
    As you mentioned, WSAs don't support clustering seen in ESAs. You could use an M-series box to provide central management and reporting for multiple WSAs in your environment.
    Regarding VRFs: WSAs support IP spoofing, which allows you to send out requests with the client's instead of WSA's external address. You could perform PAT of multiple addresses on the edge router/firewall to send the requests out with a different IP address for each VRF for example.
    I don't think you can fully disable the explicit proxy on the WSA. You can set up a firewall rule to prevent direct client access to the proxy ports.

  • SSL VPN Full and Split Tunnel Config Question

    I am Beta testing SSLVPN on an IOS router. The question I have is this:
    Is it possible to have split and full tunnel configs? It seems that once you create your context and default profile, that is all you have, either split or full. The books say you can use Radius and assign different profiles, but I would like to give the users a choice (like in the VPN3000 .pcf) of either split or full depending on where they are working from.

    The below is an example using the ASA - but the principle remains the same:-
    http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080975e83.shtml
    HTH.

  • J2EE Policy agent - login page config questions

    Hi,
    I'm trying to configure a customized login page for an application that is protected by a AM Policy Agent 2.2-01 on SJSAS 8.2.
    I am aware of this link:
    http://docs.sun.com/app/docs/doc/820-2539/gatai?l=en&a=view .
    This describes configuring the custom login for an app. Based on the doc, I have configured the following:
    1. I have the agent and my app on one instance on myhost.mydomain.com
    2. A url policy is protecting my app, configured in Access Manager 7.1. The url is http://myhost.mydomain.com:38080/myapp/*
    3. In my app's web.xml I have the following:
      <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/loginerror.jsp</form-error-page>
            </form-login-config>
      </login-config>
    4. In AMAgent.properties:
    com.sun.identity.agents.config.login.form[0] = /myapp/login.jsp
    com.sun.identity.agents.config.login.error.uri[0] = /myapp/loginerror.jsp
    com.sun.identity.agents.config.login.use.internal = false
    com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
    There doesn't seem to be any change in the login page when I go to my app. It just redirects to the Access Manager login page, and when I log in it redirects back to the app. The security behavior is correct but I would like the login page to be unique for the app.
    So my questions are:
    1. Am I using com.sun.identity.agents.config.login.use.internal correctly? I don't want it to use internal login, but my login file, right?
    2. My login page is protected by my url policy. Is that a problem? Should I be using com.sun.identity.agents.config.notenforced.uri[0] on the login page?
    3. Can anyone clarify to me exactly how and where the contents of FormLoginContent.txt are used?
    I'm kind of new to AM and Policy Agents, so I apologize if my questions seem very newb. Any help is appreciated. Thanks!
    -Matt

    Changing com.sun.identity.agents.config.filter.mode to URL_POLICY seemed to help. I am now seeing /myapp/login.jsp as the login page for my app. The logins themselves are failing, however. I am confused as to how to set up the jsp to work with the agent to log in.
    -Matt

  • 11gR2 em install / config question.

    We just loaded 11gR2 onto a virtual server running Win 2008 Server R2. During the installation of the database,
    I received 5 or 6 missing file messages and I told the installer to ignore and continue. One of those files was
    dbhome_1\...\em.jar.
    Will this preclude me from getting em up? Should I deinstall/reinstall the 11gR2?
    When I ran emctl start dbconsole I received this message:
    can't locate CompEMdbconsole.pm in @inc <@inc contains ..(list of files).......emctlCommon.pm line 598
    From this question you'll probably surmise that I'm relatively inexperienced.
    Suggested reading info is always appreciated.
    Thanks,
    Ron
    Edited by: RonW on Oct 9, 2012 6:27 AM

    Thanks for the reply. I used dbca to create a database which I had thought was done
    during the original install. It ran forever and eventually gave me an error message
    'Error Instantiating OC4J files'. When I looked in the emconfig.log file, there were
    several missing xml files in E:\app\Administrator\product\11.2.0\dbhome_1\oc4j\j2ee\
    OC4J_DBConsole\config\
    jms.xml
    rm1.xml
    http-web-site.xml
    server.xml
    In fact, the 'config' folder was empty. Going back to my original question regarding
    those missing files, why would they be missing? Is the oem a separate install
    process or is it done when the 11g database is installed?
    Thanks, Ron

  • ACE: design/config question: trans.slb + slb + mngt

    Hi,
    Could this ACE setup/design work?
    I want PROXIED sessions (to VIP proxy 10.0.0.10) to be loadbalanced
    All other sessions (eg. Some public ip's) will have to transparent loadbalanced to proxy servers. Thus not destinations NAT
    ACE is inline between firewalls and proxy servers.
    Vip definitions:
    class-map match-all P_PXYVIP_VS_LB
    2 match virtual-address 10.0.0.10 255.255.255.255 tcp 8080
    class-map match-all P_PXYTRANS_VS_LB
    2 match virtual-address 0.0.0.0 0.0.0.0 tcp any
    Question in this case: would it still be possible to have management sessions towards proxy servers routed by the ACE ? (physical ip addresses of proxy)
    Probably the classmap PXYTRANS is catching those sessions also.
    Are there other design/config solutions to solve this one?
    Thank you!
    Wim

    Let me repose the question:
    How could one still be able to access the realserver IP (which is directly connected to the ACE) for management?
    Knowing that there is 1 VIP which (normal) loadbalances to the realservers
    and
    there is 1 VIP 0.0.0.0 tcp any which is configured to catch all other traffic to be transparent loadbalanced.
    The VIP 0.0.0.0 is always catching the sessions which need only to be routed to the real servers' IP.

  • Voice GW Config Question

    Hi Everyone
    Yesterday I posted a question about redesigning the way our voice network looks, I'm removing 6 CUCM 4.3 boxes and I'm going to have those sites register with our Sub which is 10.5.1 in our data center across the WAN. Jaime answered my question and gave me some good insight on what to do for each site.
    1.Create DP,CSS,PT on the Pub
    2.Enable SRST on the GW
    3.Make necessary changes on GW
    4.Create LRG to have the site use their local GW
    I've been reading on how to get these tasks done and I have a question about #3. I'm looking at the config from the GW for the test site and the VoIP dial peer is referencing the CUCM node currently on site. Would modifying the IPV4 address to reflect the new CUCM node at the data center be the only change that I would have to make to the config?
    I also want to say thanks for all the help that everyone has given me with really quick responses to my questions. I just changed jobs and I went from doing primarily MACD to now I'm actually the person who is doing the implementation. I've never done implementation before but I know if I stick with it and help from this board I'll be a super star yet.
    Eric

    Correct, need to change the IP address on the DP to reflect the new one. Also, need to look at SCCP resources (conference bridge or transcoders if any) and those need to be changed. 

  • ACE/FWSM design question

    Hi - I'm designing the network topology for a multi tiered application using a 6509 with ACE and FWSM. Each tier will be in its own VLAN and IP subnet, and communications between tiers need to be firewalled and in some cases loadbalanced.
    I propose to do this by using a different context on both the ACE and the FWSM and using bridging mode within each context on both the FWSM and ACE as per Cisco's verified design for ACE/FWSM. It's perfectly feasible that a connection could be made for example to a server in the web tier, which would then need to make a connection to a server in the Application tier, which would in turn need to make a connection to a server in the database tier.
    As far as I can see, the design I've proposed should work. Is anyone in a position to comment on whether there is anything wrong with this design, or a better way to do it?
    There is no NAT to consider within this network
    I've attached a JPG showing an example of the sort of connectivity that could be expected.
    Many Thanks in advance

    Thanks for your responses. I'm half way through implementing this and there have been no problems so far.
    With regards design & config notes for this, this document has most of what you need - http://www.cisco.com/application/pdf/en/us/guest/netsol/ns376/c649/ccmigration_09186a008078de90.pdf

  • Etherchannel - Config Question

    First time configuring etherchannel.  I have followed the documentation, watched videos, etc.  The channel is up, but wanted to verify I did it right - and have not missed something.
    Scenario:
    Connecting a brand new 3650X into a 3750.  The 3750 is the "Core" and does the layer 3 routing, etc.  The 3650 is going to become a new Server Backbone - should participate on VLAN 10 only.  All servers in our data farm will connect into it (eventually).
    Normally we just create one trunk port on each switch and call it done (we do not have a big data farm/and or IT team) but I wanted to start looking at Etherchannel, etc.
    Config - Core:
    interface GigabitEthernet2/0/12
     description ***Trunk to 203 - Server Backbone***
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10
     switchport mode trunk
     switchport nonegotiate
     channel-group 1 mode on
    interface Port-channel1
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10
     switchport mode trunk
     switchport nonegotiate
    Server Backbone:
    interface GigabitEthernet1/0/1
     description ***Server Backbone - Switch 3 - Trunk***
     switchport trunk allowed vlan 10
     switchport mode trunk
     switchport nonegotiate
     channel-group 1 mode on
    interface Port-channel1
     switchport trunk allowed vlan 10
     switchport mode trunk
     switchport nonegotiate
     (Does not have the encapsulation command, as not available in that IOS - assuming it is automatic?).
    Basically I am looking to improve throughput and redundancy.  Is there anything else I should add and/or change about what was configured?
    (NOTE:  I know these may or may not be the best switches to use - but they are what we can afford on our budget).

    Well, of course, you want more than one link in your port-channel, both for additional aggregate bandwidth and additional redundancy.
    You may want to review whether you're using the optimal hashing algorithm for your port-channel.

  • About:config Question

    about:config -->
    pref.privacy.disable_button.view_passwords;true
    DOESN'T WORK in FF 3.6.3
    How do i make it work? (don't want to use master passw..)
    thanks

    config synch works with redundant-vip.
    Just be aware that there are 2 type of redundancy available on the CSS
    - box-to-box
    - vip/interface redundancy
    Each solution comes with its own synch script/command.
    Make sure to use the appropriate one for your setup.
    Gilles.

  • SSPR config question

    Hi,
    Assume we have 2 different user types: staff and students.
    Student accounts reside in their own forest
    Staff accounts reside in 2 different and separate forests
    FIM resides in another separate forest (a resource forest)
    We are about to deploy SSPR in the resource forest, and need the following functionality:
    When resetting the password, Staff will type in "domain\username"; Staff will use the question & answer SSPR approach
    however Students will use the OTP approach and only type in their "username" since many won't know the domain name (we will set the 'defaultdomainName' attribute in the config file)
    My question is this:
    Because we need 2 different  SSPR approaches and for Students we need the 'defaultdomainName' prepopulated - will we need 2 separate instances of the SSPR Portal deployed on 2 separate servers?
    Thanks,
    dw

    Going strictly by the book, you would need two separate instances of the SSPR Portal if it's critical to vary the behavior of the default domain name.  If folks in the non-default domain will always enter DOMAIN\user or UPN, then one instance of the portal should suffice.
    That aside, Sameera_man's links are relevant for creating the necessary resources to support more than one Password Reset Authn workflow.
    Steve Kradel, Zetetic LLC
