Regex limits on ACE

Hello!
We are moving from CSS to ACE and I'm concerned about the number of regular expression rules we will have to implement.
I've read that using double wildcard expressions (.*) in too many class-maps can cause memory problems for the entire ACE.  For example .*website.*
If I consolidate my regular expression rules into something like the following:
(www\.)*website(1|2)*\.(mobi|net|org).*
should I still be concerned about using too much memory?  Does a statement like (www)* constitute a wildcard expression?
We have more than 100 domains that we need rules like this for.

Hi Jeremy,
I ran into an issue one day where I had exhausted all of the regexp memory in my ACE from using too many wildcards in my URL matching. The symptoms were class-maps not matching regex despite being the correct syntax.
I opened a ticket with Cisco, but they could not reproduce the issue in their labs.
We were stumped until the engineer examined my “show tech-support” output and saw that the regexp memory usage was very high (i.e. maxed out!):
ACE/Staging# show resource usage
Allocation
Resource                 Current      Peak       Min       Max    Denied
Context: Staging
conc-connections             756      2902         0   7999900         0
mgmt-connections               0        17         0     99900         0
proxy-connections              0       267         0   1048574         0
xlates                         0         0         0   1048574         0
bandwidth                2104660 124535514         0 622500016         0
throughput               2104406 124522546         0 498750016         0
mgmt-traffic rate            254     12968         0 123750000         0
connections rate               3       389         0    324900         0
ssl-connections rate           0        21         0      1000         0
mac-miss rate                  0         5         0      2000         0
inspect-conn rate              0         3         0      6000         0
acl-memory                 37688    102608         0  70844416         0
sticky                         0         4     41942         0         0
regexp                    915387   1047557         0   1048576        63
syslog buffer                  0         0         0   4194304         0
syslog rate                    0        59         0    100000         0
Wow, that looks ugly in HTML.
Anyway, the line you’re interested in is the regexp line with 915387 bytes currently used, 1047557 bytes used at peak, 1048576 bytes max, and 63 denied requests to access the regexp memory.
Note that the regexp memory usage was consuming 900+ KB of the 1MB for regexp.
Also note the denies in the right-hand column.
I knew something was up because when I added my regex class-maps, my policy-map said that Regex dnld status: FAILED.
ACE/Staging# sh service-policy int530 class-map Secure-Stage-Map
Status : ACTIVE
Interface: vlan 520 530
service-policy: int530
class: Secure-Stage-Map
ssl-proxy server: secure-stage
loadbalance:
L7 loadbalance policy: Secure-Stage-Policy
Regex dnld status : FAILED
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
Parameter-map(s):
HTTP_MAP
The Cisco TAC engineer said that they recommend no more than 10 double wildcard regex statements per ACE.
A double wildcard regex is one where you have a wildcard (.*) before and after a string:
class-map type http loadbalance match-any Website-Class
5 match http url .*Website.*
I had probably 20-something of those.
For whatever reason, double wildcard statements use MUCH more memory than other single wildcard statements.
So I locked my regex down to use only one wildcard per match:
class-map type http loadbalance match-any Website-Class
5 match http url /Website/.*
Once I removed the double wildcards, the memory usage stayed roughly the same.
Hhmm… Another call to my Cisco TAC engineer reveals that if the memory is not immediately freed, I need to remove the class-maps and policy-maps using the regex.
Basically, when I created the VIP class-map and then created the regex class-map to be tied to the policy-map, the VIP requested the regexp memory for the regex class-map. So in order to free that memory, I had to remove the VIP class-maps.
Actually, I had to remove the VIP class-maps, regex class-maps, AND relevant policy-maps.
Good thing I had a backup to paste it all in once I typed “no class-map” a couple hundred times.
About a minute after removing and then re-adding the class-maps, the regexp memory usage was at a much more desirable level:
ACE/Staging# show resource usage
Allocation
Resource                 Current      Peak       Min       Max    Denied
Context: Staging
conc-connections            1008      2902         0   7999900         0
mgmt-connections               0        17         0     99900         0
proxy-connections              0       267         0   1048574         0
xlates                         0         0         0   1048574         0
bandwidth                1004219 124535514         0 622500016         0
throughput               1004219 124522546         0 498750016         0
mgmt-traffic rate              0     12968         0 123750000         0
connections rate               4       389         0    324900         0
ssl-connections rate           0        21         0      1000         0
mac-miss rate                  0         5         0      2000         0
inspect-conn rate              0         3         0      6000         0
acl-memory                 37688    102608         0  70844416         0
sticky                         0         4     41942         0         0
regexp                      2198   1047557         0   1048576        63
syslog buffer                  0         0         0   4194304         0
syslog rate                    0        59         0    100000         0
Note that the regexp line is now consuming only 2198 bytes of the 1MB of regexp memory. Success!
Sure enough, once I checked to make sure my regex was matching URLs in my class-maps, it was working like a champ.
Would’ve rather spent the day implementing more ACE config than finding this problem, but meh.
Hope you get your answer in this scenario.
And when I look at your example, you are using a triple wildcard expression.
(www\.)*website(1|2)*\.(mobi|net|org).*
I don't know how much memory it would take to process your triple wildcard regular expression, but with your configuration you can always estimate how much memory your regular expressions are consuming by using the above-mentioned resource usage commands, and then modify your regular expressions accordingly so as to make the best optimized use of your memory for adding more regular expressions using wildcards, but probably no more than 10 double wildcard regular expressions; or consult your Cisco TAC engineer according to the model of your ACE device/card.
Also remember that header-maps also consume regexp.
As I said, the limit is 10 regular expressions.
Each header-map consumes 1 regexp.
Each sticky cookie also consumes 1 regexp.
So, check your whole configuration and count the total number of regular expressions this way; maybe you have hit the limit.
To that end, try to combine header-maps.
In regard to ACE,
You can allocate all resources or individual resources to all member contexts of a resource class. For example, you can allocate only concurrent connections or sticky table memory or management traffic. To allocate system resources to all members (contexts) of a resource class, use the limit-resource command in resource-class configuration mode.
The syntax of this command is as follows:
limit-resource {acl-memory | all | buffer {syslog} | conc-connections | mgmt-connections | proxy-connections | rate {bandwidth | connections | inspect-conn | mac-miss | mgmt-traffic | ssl-bandwidth | syslog} | regexp | sticky | xlates} {minimum number} {maximum {equal-to-min | unlimited}}
Note: The limit that you set for individual resources when you use the limit-resource command overrides the limit that you set for all resources when you use the limit-resource all command.
If you lower the limits for one context (context A) in order to increase the limits of another context (context B), you may experience a delay in the configuration change because the ACE will not lower the limits of context A until the resources are no longer being used by the context.
Following is the limit for a 4 Gbps bandwidth ACE device:
Regular Expression Memory: 1,048,576 bytes (approx. 1 MB)
You can upgrade the ACE maximum bandwidth to 8 Gbps or 16 Gbps by purchasing a separate license from Cisco.
Displaying the ACE Resource Allocation and Usage
To view the current resource allocation in your ACE, enter the following command:
ACE_mdule5/Admin# show resource allocation
Parameter                 Min      Max         Class
acl-memory                0.00%    100.00%    default
syslog buffer             0.00%    100.00%    default
conc-connections          0.00%    100.00%    default
mgmt-connections          0.00%    100.00%    default
proxy-connections         0.00%    100.00%    default
bandwidth                 0.00%    100.00%    default
connection rate           0.00%    100.00%    default
inspect-conn rate         0.00%    100.00%    default
syslog rate               0.00%    100.00%    default
regexp                    0.00%    100.00%    default
sticky                    0.00%    100.00%    default
xlates                    0.00%    100.00%    default
ssl-connections rate      0.00%    100.00%    default
mgmt-traffic rate         0.00%    100.00%    default
mac-miss rate             0.00%    100.00%    default
throughput                0.00%    100.00%    default
To view the current resource usage, enter the following command:
ACE_mdule5/Admin# show resource usage
Allocation
Resource         Current       Peak        Min        Max       Denied
Context: Admin
conc-connections              0          0          0    8000000          0
mgmt-connections              2          8          0     100000          0
proxy-connections             0          0          0    1048574          0
xlates                        0          0          0    1048574          0
bandwidth                  1094      80192          0  625000000          0
throughput                938      75902          0  500000000          0
mgmt-traffic rate         156       4290          0  125000000          0
connection rate               1         28          0    1000000          0
mac-miss rate                 0          0          0       2000          0
inspect-conn rate             0          0          0       6000          0
acl-memory                23776      28616          0   78610432          0
sticky                        0          0          0          0          0
regexp                        0          0          0    1048576          0
syslog buffer                 0          0          0    4194304          0
syslog rate                   0          0          0     100000          0
Note: All bandwidth values are in bytes per second. To convert to bits per second (bps), multiply the values by eight. The ACE guarantees 1 Gbps of bandwidth for management traffic. So, the total bandwidth for a 4-Gbps ACE license is actually 5 Gbps. Throughput is still 4 Gbps.
To display the data plane resource allocation and usage and to cross-check the output of the above two commands, enter the following command:
ACE_module5/Admin# show np 1 me-stats -L0
Resource limts for context :  0
Rate                  Configured     Counters
Policer Name          Min      Max   min-toks max-toks   peak-toks    deny
bandwidth:       0   ee6b280        0  ee6b0fa     d8a4        0
throughput:       0   ee6b280        0  ee6b280     d8a4        0
mgmt-traffic rate:      0   3b9aca0        0  3b9aca0      a0e        0
connection rate:       0     7a120        0    7a120       11        0
ssl-connections rate:   0       9c4        0      9c4        0        0
mac-miss rate:       0       3e8        0      3e8        0        0
inspect-conn rate:      0       bb8        0      bb8        0        0
Resource              Configured        Counters
Policer Name          Min      Max      Min      Max     peak     deny
conc-connections:       0   3d0900        0        0        0        0
mgmt-connections:       0     c350        0        0        4        0
proxy-connections:      0    7ffff        0        0        0        0
ip-reassemble buffer:   0        0        0        0        0        0
tcp-ooo buffer:       0        0        0        0        0        0
regexp:       0        0        0        0        0        0
xlates:       0    7ffff        0        0        0        0
ACE/Admin# show resource usage virtual partition eng
Allocation
Resource Current Peak Min Max Denied
Virtual partition: eng
conc-connections 1076261 2852238 4000000 4000000 0
mgmt-connections 8 24 2500 2500 0
proxy-connections 136152 201376 524288 524288 0
xlates 170226 293546 524288 524288 0
bandwidth 62946459 156087362 250000000 250000000 0
connection rate 117652 283887 500000 500000 0
ssl-connections rate 124 397 500 500 0
mgmt-traffic rate 16754661 313562819 62500000 62500000 0
mac-miss rate 0 0 1000 1000 0
inspect-conn rate 824 1782 3000 3000 0
acl-memory 9806253 20248853 39305216 39305216 0
regexp 148878 524288 524288 524288 3
syslog buffer 577166 1199438 2097152 2097152 0
syslog rate 234 786 1500 1500 0
The Admin context has a context ID of 0. To display the resource allocation and usage statistics for another context, change the "0" in the "-L" parameter to the context ID of another context.
Use the below-mentioned site to get a few more similar details:
http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/White_Paper_Cisco_Application_Control_Engine_A_Technical_Overview_of_Virtual_Partitioning_ps7027_Products_White_Paper.html
For more details on the limits of different ACE resources, kindly refer to the following URLs:
Cisco Application Control Engine (ACE) Troubleshooting Guide -- ACE Resource Limits
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_ACE_Resource_Limits
Cisco Application Control Engine (ACE) Troubleshooting Guide -- Managing Resources
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide,_Release_A2(x)_--_Managing_Resources
Also use the following site to know more about using regular expressions and their impact:
http://www.cisco.com/web/about/security/intelligence/preventing_activex_ace.html
HTH
Please rate if you find the above mentioned information useful to you.
Sachin
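Added example, not code from this thread or from Cisco: a small Python script that performs the two checks described in the posts above offline. It parses 'show resource usage' output and flags any resource near its Max or with Denied allocations (the regexp line quoted above would be flagged), and it audits 'match http url' class-map rules for the double-wildcard form that the TAC engineer limited to 10 per ACE. The sample output and class-maps are constructed, and the 80% threshold and the function names are my own.

```python
"""Offline audit of ACE regexp memory (added example; not code from this thread or from Cisco).
Assumes the output shapes quoted in the thread: 'show resource usage' rows of
"<name> <current> <peak> <min> <max> <denied>" and class-map lines of the form
"<seq> match http url <regex>".  All sample data below is constructed.
"""
import re

# Constructed 'show resource usage' excerpt in the shape quoted in the thread.
SAMPLE_RESOURCE_USAGE = """\
ACE/Staging# show resource usage
Allocation
Resource Current Peak Min Max Denied
Context: Staging
conc-connections 756 2902 0 7999900 0
acl-memory 37688 102608 0 70844416 0
sticky 0 4 41942 0 0
regexp 915387 1047557 0 1048576 63
syslog buffer 0 0 0 4194304 0
"""

# Constructed class-map configuration in the thread's style.
SAMPLE_CLASS_MAPS = r"""
class-map type http loadbalance match-any Website-Class
  5 match http url .*Website.*
  6 match http url /Website/.*
class-map type http loadbalance match-any Domains-Class
  2 match http url .*shop.*
  3 match http url (www\.)*website(1|2)*\.(mobi|net|org).*
"""

FIELDS = ("current", "peak", "min", "max", "denied")
MATCH_URL = re.compile(r"^\s*\d+\s+match\s+http\s+url\s+(?P<regex>\S.*?)\s*$")
CLASS_MAP = re.compile(r"^\s*class-map\s+.*?\s(?P<name>\S+)\s*$")


def parse_resource_usage(text):
    """Return {resource name: {current, peak, min, max, denied}}.  A data row is any
    line whose last five tokens are integers; the tokens before them form the name."""
    usage = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or not all(t.isdigit() for t in tokens[-5:]):
            continue  # prompt, column headers, 'Context:' line
        usage[" ".join(tokens[:-5])] = dict(zip(FIELDS, map(int, tokens[-5:])))
    return usage


def find_pressured(usage, threshold=0.80):
    """Resources at or above `threshold` of Max, or with any Denied allocations.
    Returns {name: (utilisation, denied)}.  A row whose Max is 0 (the sticky row
    in the thread) cannot be rated by utilisation and is judged on Denied alone."""
    pressured = {}
    for name, row in usage.items():
        util = row["current"] / row["max"] if row["max"] else 0.0
        if util >= threshold or row["denied"] > 0:
            pressured[name] = (round(util, 3), row["denied"])
    return pressured


def classify_regex(pattern):
    r"""Wildcard profile of one match-url regex.
    dot_star: unescaped ".*" tokens, the wildcard the TAC engineer counts
    stars:    every unescaped "*" quantifier, the looser reading under which
              (www\.)*website(1|2)*\.(mobi|net|org).* is a "triple wildcard"
    double:   True when ".*" both opens and closes the pattern, the costly form"""
    dot_star = len(re.findall(r"(?<!\\)\.\*", pattern))
    stars = len(re.findall(r"(?<!\\)\*", pattern))
    double = dot_star >= 2 and pattern.startswith(".*") and pattern.endswith(".*")
    return {"dot_star": dot_star, "stars": stars, "double": double}


def audit_class_maps(config):
    """List every 'match http url' rule with its class-map name and wildcard profile."""
    rules, current = [], None
    for line in config.splitlines():
        cm = CLASS_MAP.match(line)
        if cm:
            current = cm.group("name")
            continue
        m = MATCH_URL.match(line)
        if m:
            rules.append({"class_map": current, "regex": m.group("regex"),
                          **classify_regex(m.group("regex"))})
    return rules


def double_wildcard_count(config):
    """Double-wildcard rules in the config; the TAC guidance quoted above is at most 10 per ACE."""
    return sum(1 for rule in audit_class_maps(config) if rule["double"])


if __name__ == "__main__":
    for name, (util, denied) in find_pressured(parse_resource_usage(SAMPLE_RESOURCE_USAGE)).items():
        print(f"{name}: {util:.1%} of Max in use, {denied} allocations denied")
    for rule in audit_class_maps(SAMPLE_CLASS_MAPS):
        print(f"{rule['class_map']}: {rule['regex']}  double={rule['double']} stars={rule['stars']}")
    print("double-wildcard rules:", double_wildcard_count(SAMPLE_CLASS_MAPS), "(TAC guidance: at most 10)")
```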

Similar Messages

  • Keepalive limitations on ACE 4710 & module

    I wanted to find out how many times I can apply a healthcheck in a single context. I have 50 farms that are using the same port and instead of creating 50 different healthchecks, I want to just create 1 healthcheck for the 50 farms and apply it to each farm. I also need to know if the same limitations (whatever they may be) are the same for the 4710, ACE20 and ACE30.

    It's documented in the "Configuring Health Monitoring" section of the configuration guide "server load balancing".
    For ACE4710 running A3:
    The ACE supports 1000 unique probe configurations, which includes ICMP, TCP, HTTP, and other predefined health probes. The ACE can execute only up to 200 concurrent script probes at a time. The ACE also allows the opening of 2048 sockets simultaneously.
    You can associate the same probe with multiple real servers or server farms. Each time that you use the same probe again, the ACE counts it as another probe instance. You can allocate a maximum of 4000 probe instances.

  • ACE health monitoring queries

    Hi,
    I need some detailed information regarding ACE health monitoring. According to the documentation, ACE supports 4096 unique probe configurations.
    My questions are as follows:
    1) Do these unique configs mean unique instances or unique probes? For example: if I have created 2 probes (say an http and an icmp probe) and have applied each of them to 5 rservers, does that mean I have 2 unique configs or 10?
    2) How did this number (4096) come about? What is the logic behind it? Is it based on the memory allocated by ACE to health monitoring? Please provide a detailed answer to this question.
    Any inputs will be highly valuable for me.
    Thanks,
    Nitesh

    There are three different types of probe limits in ACE:
    1. Probe definitions (4K)
    These are the actual number of probe objects that you can define.
    You can define a maximum of 4K unique probes.
    2. Probe instances (16K)
    Each time that you use the same probe again in a different serverfarm/real,
    the ACE counts it as another probe instance. You can allocate a maximum of 16K probe instances.
    3. Simultaneous probe sockets (2500)
    With ACE 2.x code, probes can open 2500 simultaneous connections from the control
    plane. In older ACE module codes and on the ACE appliance this limit is 1000.
    The reason for these probe definition and probe instance limits is the control plane capacity.
    These limitations exist to make sure that probes don't starve the other processes.
    Hope this helps
    Syed Iftekhar Ahmed

  • ACE HTTP Probe with regex

    ACE HTTP Probe with regex
    Hi,
    I'm trying to set up an HTTP probe with an expected string rather than a code (config below). I do a GET for the page and then search for a string in the response; however it's not working, as the probe appears as failed.
    I've tested the connection to the server by telnetting and then looking at the page displayed to make sure the string I want to match is in the response.
    probe http HTTP-PROBE
    port 43050
    interval 30
    passdetect interval 30
    passdetect count 1
    request method get url /action=help
    open 43050
    expect regex action=help
    Q. Is there anything wrong with this configuration and what I'm trying to achieve?
    Thanks,
    Pritesh

    Use "expect status" under probe config. expect regex doesn't work if expect status is not configured.
    expect regex works flawlessly with static pages. It doesn't work all the time with dynamic pages.
    Especially if the "content-length" header is missing from the server response.
    Hope it helps
    Syed Iftekhar Ahmed

  • Ace HTTP Probe expect regex

    Hi,
    I have a question about the config of the ACE probe.
    I have the following probe defined :
    probe http P_HTTP_TEST
    interval 5
    passdetect interval 2
    passdetect count 2
    request method get url /test
    expect status 200 200
    expect regex trululu
    I would like to use the regex just like the expect string on the csm probe...
    The regex doesn't seem to work as the string trululu is not on the page tested.
    I guess the expect status overrides the regex, but without the expect status it doesn't work either.
    Anyone know how exactly the probe expect works for http?
    Another question: on the CSM module, the tcp probe by default uses the real port for the probe, not the default port of the probe type. Is it possible to change that so it mimics the CSM way of working?
    Thanks a lot ;-)

    This seems to be a bug related to some version of ACE software, as the HTTP return code overrides a missing regexp. For sure this bug is present in:
    system:    Version A2(2.0) [build 3.0(0)A2(2.0)]
    Notice the difference between 192.168.1.1 (which is missing the regex in the HTTP response) and 192.168.1.2 (which sends the regexp in the HTTP response). Both are successful and, in addition, 192.168.1.1 (missing regexp) is showing last status code 200, which seems to be sufficient for the probe to pass. 192.168.1.2 (which sends the expected regexp) doesn't show a last status code.
    probe       : tw2_http_81
    type        : HTTP
    state       : ACTIVE
    description :
       port      : 81      address     : 0.0.0.0         addr type  : -
       interval  : 30      pass intvl  : 30              pass count : 1
       fail count: 1       recv timeout: 10
       http method      : GET
       http url         : /knowtw2-f/livelink.exe?func=ll&objtype=142&bypass
       conn termination : GRACEFUL
       expect offset    : 0         , open timeout     : 10
       expect regex     : lbmonitor
       send data        : -
                           --------------------- probe results --------------------
       probe association   probed-address  probes     failed     passed     health
       ------------------- ---------------+----------+----------+----------+-------
         real      : 192.168.1.1[81]
                           192.168.1.1    2          0          2          SUCCESS
       Socket state        : CLOSED
       No. Passed states   : 1         No. Failed states : 0
       No. Probes skipped  : 0         Last status code  : 200
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err :  -
       Last probe time     : Mon Nov  7 12:38:42 2011
       Last fail time      : Never
       Last active time    : Mon Nov  7 12:38:22 2011
         real      : 192.168.1.2[81]
                           192.168.1.2    2          0          2          SUCCESS
       Socket state        : CLOSED
       No. Passed states   : 1         No. Failed states : 0
       No. Probes skipped  : 0         Last status code  : 0
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err :  -
       Last probe time     : Mon Nov  7 12:38:27 2011
       Last fail time      : Never
       Last active time    : Mon Nov  7 12:37:58 2011

  • ACE Module and Limiting Connections

    We currently use the ACE module to load-balance IPSEC connections into SPAs.  Since the SPAs only support 60 new connections per second, I was looking for a way to limit the number of connections from the ACE to the SPAs.

    Hello,
    Have a look at the Configuring Real Server Rate Limiting section of the ACE documentation.  I think this will meet your needs.
    Hope this helps,
    Sean

  • ACE Probe regex and escaping Parenthesis

    I'm trying to setup a ACE probe that expects a return of
    (server.domain.com) EXISTS=TRUE,AVAILABLE=TRUE,ACTIVE=TRUE
    But it doesn't appear that I can use Parenthesis inside a regex.  I've tried escaping as well.
    expect \(server\.domain\.com\) EXISTS=TRUE,AVAILABLE=TRUE,ACTIVE=TRUE
    % invalid command detected at '^' marker. Pointing at the (
    But this doesn't work either.  Any ideas?

    Hi,
    If it has taken it, it should match the response from server.  Is it still not matching?
    If you look at the regex builder below, the regex matches the response which is expected from the server. So ACE should be able to match it.
    Also, you can try and put \ before the dots, but I'm not sure. In my opinion it should work fine with what we have put in already. If it doesn't we will have to use hit and trial. Let me know if you need this regex builder. You can download it from google though. In any case I just attached it.

  • PAT Limits and monitoring - ACE-20

    Hi Guys,
    Is anyone able to confirm the PAT limit on the ACE-20s please? I initially read it as 1 million (the NAT limit); however I have since read that for PAT, it's 4 million, as it uses the connection record information and not xlate.
    I've always wondered why the xlate line under 'show resource usage' is zero. If PAT does use the connection record then this would explain why; however it's confusing, as when running a 'show xlate' command you do see all the current PAT entries.
    Thanks for any assistance.

    Hi Adnan,
    If it helps this is where I first found reference to the 4million PAT entries
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_ACE_Resource_Limits
    It's in the table under the 'Security-Related Limits' heading
    HTH
    Steve

  • Limiting connections from specific host to vips Ace 4710

    Hello,
    Do you guys know if it's possible in the ACE to limit connections from a specific host?
    For example, if host X makes Y connections to one of the vips on the ACE, it will be blocked.

    Hi Stefan,
    That is not possible on ACE. You can define the limits on servers in serverfarm itself but for a particular HOST there is no such provision.
    Regards,
    Kanwal

  • Issue with regexes in http health probes on ACE 4710

    Folks,
    We're currently experiencing fairly bizarre behavior when attempting to set up http probes that expect a regexp.  Namely, if we specify a regexp, the probe *always* passes, regardless of status code and regardless of whether or not the message actually matches the pattern.  Doing 'no expect regexp' fixes this behavior (by which I mean that the 'expect status' rules work again). 
    We haven't noticed until now because this is the first time we've tried to set up a probe that does this.  Are we missing something?  Is this a known issue with our current firmware version?
    Sincerely,
    Patrick T. Ramsey
    # show run probe | begin HTTP-nfscheck | end regex
    Generating configuration....
    probe http HTTP-nfscheck
      description Simple HTTP probe to check nfs mount health
      port 80
      interval 15
      passdetect interval 20
      request method head url /nfs-health-check/
      open 1
      expect regex "^ureytgraeuikghfdjg$"
    # sh ver
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2009 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
      loader:    Version 0.95.1
      system:    Version A3(2.4) [build 3.0(0)A3(2.4) adbuild_11:46:02-2009/09/27_/auto/adbu-rel2/rel_a3_2_3_throttle/REL_3_0_0_A3_2_4]
      system image file: (hd0,1)/c4710ace-mz.A3_2_4.bin
      Device Manager version 1.2 (0) 20090925:1550
      installed license: no feature license is installed
    Hardware
      cpu info:
        Motherboard:
            number of cpu(s): 2
        Daughtercard:
            number of cpu(s): 16
      memory info:
        total: 6226388 kB, free: 3972668 kB
        shared: 0 kB, buffers: 22020 kB, cached 0 kB
      cf info:
        filesystem: /dev/hdb2
        total: 861668 kB, used: 728656 kB, available: 89240 kB
    last boot reason:  Unknown
    configuration register:  0x1
    ldbottom kernel uptime is 325 days 3 hours 46 minute(s) 43 second(s)

    I also went through a similar issue in which we need to probe the real server PESERVER01 and if the real server replies with the keyword "PE Server" in the HTTP content then the probe should be passed successful.
    In my case the real server was listening on port 32776 for HTTP service so we configured the serverfarm as below,
    serverfarm host SF-TEST-32776
      description SF-TEST-32776
      failaction purge
      probe PE-SERVER-STRING
      rserver PESERVER01 32776
        inservice
    And the TCP probe as below,
    probe tcp PE-SERVER-STRING
      port 32776
      send-data GET /IOR/ping HTTP/1.1      <<== command should not be in inverted commas
      expect regex "PE Server"
    The above probe worked really well and when we checked the probe status it was marking as success. I also tried changing the regex from "PE Server" to "Vishal12345" and it was failing as expected because there was no such keyword in the HTTP content.
    ==================================================================================
    T2-LB02# sh probe PE-SERVER-STRING
    probe       : PE-SERVER-STRING
    type        : TCP
    state       : ACTIVE
       port      : 32776   address     : 0.0.0.0         addr type  : -
       interval  : 15      pass intvl  : 60              pass count : 3
       fail count: 3       recv timeout: 10
                    ------------------ probe results ------------------
       associations ip-address      port  porttype probes   failed   passed   health
       ------------ ---------------+-----+--------+--------+--------+--------+------
       serverfarm  : SF-TEST-32776
         real      : PESERVER01[32776]
                    10.10.10.1    32776 PROBE    105      0        105      SUCCESS
    ==================================================================================
    I was struggling with this issue for a long time. I even raised a couple of Cisco TAC cases with no luck. The most important thing here is to identify the exact command to be sent to the real server, like the GET /IOR/ping HTTP/1.1 that we used here.
    To collect this command I did a packet capture on one of the client machines and then tried to open the URL from the real server which can return the string "PE Server". Then I analyzed the capture in Wireshark and checked the HTTP data with the Follow TCP Stream option, in which I saw the data below, which gives the command to be sent in the probe as well as the string we should expect.
    ==================================================================================
    GET /IOR/ping HTTP/1.1
    User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.9.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
    Host: 10.144.70.85:32776
    Accept: */*
    HTTP/1.0 200 OK
    Content-type: text/html
    Ping
    PE Server
    WRVFKO11 [Win32 Server Production (3 silos) (Oracle Blob 512 MB) -- {dap451.007.028 dap451.004.002 pe451.003.010x pui451.003.010  pui451.001.004} Mar  9 2012 15:07:53 en ]
    ===================================================================================
    Please try this and see if it helps you.
    Thanks,
    Vishal Babrekar

  • ACE Module SNMP limits

    I am monitoring an ACE module using snmp. The values returned from certain OIDs are graphed using Cacti. I found the 64 bit counters on interfaces for the ACE wrap at 10,000,000,000 instead of 2^64. Now that I have configured cacti to expect the wrap at 10 billion, I am concerned about the 32 bit counters. I am querying this snmp oid to get L7 connection counter
    cslbxStatsL7PolicyConns
    1.3.6.1.4.1.9.9.254.1.1.1.1.8
    Should I expect this counter to wrap at 2^32 or a lower value?

    The maximum value for a 32bit OID should be 4294967296, I do have a value in my lab that is above 1 billion for that counter, so I wouldn't think there is an issue immediately. One common issue - when you clear stats manually, the counter will reset to 0. As well, I found an internal bug that that suggested some pocket case within the code could have cleared stats incorrectly, but it has never been seen since. There is a guess that someone logged into the test bed and cleared it without permission, but it was not able to be verified. Hence the bug was created to investigate the code, turned up nothing, and was junked accordingly.
    What you might want to do is keep a sharp eye on the counter. When it looks like it rolls, log in to the context you are polling and take a look at the accounting log. If you find that someone cleared the logging, that answers the question. If not, log a TAC case and we can replicate your exact configuration/code version in our lab to see what the deviation is that causes it to clear. A bug would be logged and fixed.
    Regards,
    Chris Higgins

  • ACE - Inspection per VIP and other Questions

    I have my ACE up and running with SLB for HTTP, terminating SSL and inspection for the traffic flowing through the ACE.
    One thing I haven't figured out yet is how to let the ACE distinguish between inspecting only the VIP traffic versus inspecting the whole traffic flowing through the routed VLAN.
    My service-policy is currently bound on the xfer net VLAN which also services the VIP.
    I made a "match url" rule with action reset for the regex "admin". If I try to access the link "slb.foo.local/admin" via the VIP it works, but it unfortunately also works if I access the real servers in the VLAN behind the ACE directly.
    A: Any idea how to solve that with best practice?
    B: I haven't found a way to create a self-signed certificate so far. Is it not implemented or did I just miss it?
    C: Is an ACL mandatory to get traffic flowing via the VIP to the real servers? I have the feeling that without an ACL permitting the traffic explicitly there won't be a flow at all.
    D: The commands "loadbalance vip icmp-reply active" and "loadbalance vip advertise active" for RHI are now in my config twice. Do I only need them once in my policy or does it make sense to keep them per HTTP and HTTPS class?
    The corresponding config:
    class-map match-all HTTP-INSPECT-L4CLASS
      description HTTP protocol deep packet inspection
      2 match port tcp eq www
    class-map type http inspect match-any HTTP-INSPECT-L7CLASS
      description HTTP - Deep packet Inspection - Definition
      2 match content length range 0 256
      3 match url [/]admin
      4 match url .asp
    class-map match-all L4-VIP-CLASS
      2 match virtual-address 10.10.10.85 tcp eq www
    class-map match-all L4-VIP-CLASS-SSL
      2 match virtual-address 10.10.10.85 tcp eq https
    class-map type http loadbalance match-any L7-SLB-CLASS-1
      3 match http header Host header-value "10.10.10.85*"
      4 match http header Host header-value "slb.foo.local*"
    class-map type management match-any REMOTE_ACCESS
      2 match protocol ssh any
      3 match protocol icmp any
    policy-map type management first-match REMOTE_MGM_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match L7-SLB-Policy
      class L7-SLB-CLASS-1
        serverfarm LB-Testfarm
    policy-map type inspect http all-match HTTP-INSPECT-L7POLICY
      class HTTP-INSPECT-L7CLASS
        reset
    policy-map multi-match L4-SLB-POLICY
      class L4-VIP-CLASS
        loadbalance vip inservice
        loadbalance policy L7-SLB-Policy
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options HTTP_PARAMETER_MAP
      class L4-VIP-CLASS-SSL
        loadbalance vip inservice
        loadbalance policy L7-SLB-Policy
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        ssl-proxy server SSL-PSERVICE-Server
      class HTTP-INSPECT-L4CLASS
        inspect http policy HTTP-INSPECT-L7POLICY
    interface vlan 444
      description XFER-ACE
      ip address 10.10.10.83 255.255.255.240
      access-group input All
      access-group output All
      service-policy input L4-SLB-POLICY
      service-policy input REMOTE_MGM_ALLOW_POLICY
      no shutdown
    interface vlan 555
      description ACE-Server
      ip address 10.10.10.97 255.255.255.240
      access-group input All
      access-group output All
      no shutdown
    Thanks for reading...
    Roble

    Gilles, hope you still read this thread :)
    In another post you mentioned that the ACE features URL rewriting. I am desperately looking for this feature but can't find it anywhere in the docs.
    Since I am terminating SSL on the front and speaking plain HTTP on the back end I have some problems with the portal application and links to non-secure documents.
    I don't think I can make the appl. admins fix the problem or make the company for the portal
    rewrite the code. (3 letters NOT starting with an I)
    From the SCA docs I found the following description which matches my problem.
    [quote]
    When you have configured the urlrewrite command, the SCA can inspect the full HTML answer to replace all links to a nonsecure document with a link to the same document via HTTPS
    [/quote]
    EDIT:
    Another thing...
    I currently redirect all my HTTP traffic to a certain HTTPS URL with a redirect rserver. Works fine.
    I am still thinking about how to solve the same problem with the SSL/HTTPS portion of my VIP.
    vip:443 -> redirect to vip:443/url/foo/bar/
    I tried something like...
    vip:443 -> redirect to vip:444/url/foo/bar/
    But somehow that didn't work out. Do you have a valid "conceptual" approach to this issue?
    Roble

  • ACE Load Balancing Problem

    Hi,
    I have an ACE 4701 with the c4710ace-mz.A3_2_2.bin image. In the current setup the ACE is located in the center of the network where all the WAN, Internet and LAN segments are connected; the ACE has its default route towards the Internet and all other segments have their default route towards the ACE appliance. The ACE is only redirecting port 80 traffic to my proxy server and bypasses my LAN subnets on port 80.
            Internet
               |
               |
        ACE --------------- WAN
               |
               |
              LAN
    I want to use the ACE for load balancing of two servers. Today I did the load balancing configuration, but as soon as I applied the policy map on interface vlan 200 and 300, my complete network reachability went down. When I removed the policy my network came back to normal.
    192.168.200.66   FAX Server-1
    192.168.200.67   FAX Server-2
    192.168.200.65   Virtual IP address
    Attached is the configuration that I did on the ACE for the load balancing, and below is the current configuration of the ACE appliance.
    access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
    access-list acl-in line 1 extended permit ip any any
    access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
    access-list acl-out line 1 extended permit ip any any
    access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
    access-list acl-proxy line 1 extended permit ip any any
    access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
    access-list acl-wan line 1 extended permit ip any any
    probe tcp PROBE_5050
      port 5050
      interval 15
      passdetect interval 60
      open 1
    probe tcp PROBE_5101
      port 5101
      interval 15
      passdetect interval 60
      open 1
    probe tcp PROBE_TCP
      port 80
      interval 15
      passdetect interval 60
      open 1
    parameter-map type http PARAMAP_CASE
      case-insensitive
      no persistence-rebalance
    rserver host RS_BCPR01
      ip address 192.168.0.103
      inservice
    rserver host RS_BCPR02
      ip address 192.168.0.104
      inservice
    rserver host RT_fax1
      description Right Fax Server-1
      ip address 192.168.200.66
    rserver host RT_fax2
      description Right Fax Server-2
      ip address 192.168.200.67
    serverfarm host SF_BCPR
      transparent
      probe PROBE_5050
      probe PROBE_5101
      probe PROBE_TCP
      rserver RS_BCPR01
        inservice
      rserver RS_BCPR02
        inservice
    serverfarm host SF_RT_fax
      rserver RT_fax1
      rserver RT_fax2
    sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
      replicate sticky
      serverfarm SF_BCPR
    sticky ip-netmask 255.255.255.255 address source FAX-STICKY
      replicate sticky
      serverfarm SF_RT_fax
    class-map type management match-any CM_ALL
      2 match protocol snmp any
      3 match protocol http any
      4 match protocol https any
      5 match protocol icmp any
      6 match protocol telnet any
    class-map match-any CM_BYPASS_FOR_LAN
      3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
      8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
      9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
      10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
    class-map match-any CM_BYPASS_SUBNET
      9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
      13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
      14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
      15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
    class-map match-any CM_IM
      2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
      3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
      4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
    class-map match-all CM_SF_BCPR
      255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
    class-map match-any RT_FAX
      2 match virtual-address 192.168.200.65 0.0.0.0 any
    policy-map type management first-match PM_ALL
      class CM_ALL
        permit
    policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
      class class-default
        forward
    policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
      class class-default
        forward
    policy-map type loadbalance first-match PM_LB_RT_FAX
      class class-default
        sticky-serverfarm FAX-STICKY
    policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
      class class-default
        sticky-serverfarm STICKY-SOURCE
    policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
      class CM_BYPASS_FOR_LAN
        loadbalance vip inservice
        loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
    policy-map multi-match PM_BYPASS_HTTP
      class CM_BYPASS_SUBNET
        loadbalance vip inservice
        loadbalance policy PM_L7_BYPASS_HTTP
    policy-map multi-match PM_MAIN_BCPROXY
      class CM_SF_BCPR
        loadbalance vip inservice
        loadbalance policy PM_LB_SF_BCPROXY
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options PARAMAP_CASE
      class CM_IM
        loadbalance vip inservice
        loadbalance policy PM_LB_SF_BCPROXY
    policy-map multi-match PM_RT_FAX
      class RT_FAX
        loadbalance vip inservice
        loadbalance policy PM_LB_RT_FAX
    service-policy input PM_ALL
    interface vlan 100
      description FW-INSIDE CONTEXT RACK1
      ip address 192.168.0.5 255.255.255.224
      alias 192.168.0.11 255.255.255.224
      peer ip address 192.168.0.6 255.255.255.224
      mac-address autogenerate
      no icmp-guard
      access-group input acl-out
      no shutdown
    interface vlan 200
      description WAN-VLAN CONTEXT RACK1
      ip address 192.168.0.33 255.255.255.224
      alias 192.168.0.43 255.255.255.224
      peer ip address 192.168.0.34 255.255.255.224
      mac-address autogenerate
      access-group input acl-wan
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      no shutdown
    interface vlan 300
      description ACE-INSIDE CONTEXT RACK1
      ip address 192.168.0.65 255.255.255.224
      alias 192.168.0.73 255.255.255.224
      peer ip address 192.168.0.66 255.255.255.224
      mac-address autogenerate
      access-group input acl-in
      service-policy input PM_BYPASS_FOR_LAN_HTTP
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      no shutdown
    interface vlan 301
      description BC-VLAN CONTEXT RACK1
      ip address 192.168.0.97 255.255.255.224
      alias 192.168.0.107 255.255.255.224
      peer ip address 192.168.0.98 255.255.255.224
      mac-address autogenerate
      access-group input acl-proxy
      no shutdown
    ft track interface TRACKING_FOR_FT_VLAN
      track-interface vlan 300
      peer track-interface vlan 300
      priority 255
      peer priority 255
    ip route 0.0.0.0 0.0.0.0 192.168.0.1
    Please help me out; what am I missing? Is there any limitation on policy maps, or is my bypass subnet list creating the problem?

    I made these changes; this time nothing disconnected, but I am not able to do Remote Desktop on the virtual IP address. The real IP has Remote Desktop enabled; even the VIP is not pingable for me.
    rserver host RT_fax1
      description Right Fax Server-1
      ip address 192.168.200.66
      inservice
    rserver host RT_fax2
      description Right Fax Server-2
      ip address 192.168.200.67
      inservice
    serverfarm host SF_RT_fax
      rserver RT_fax1
        inservice
      rserver RT_fax2
        inservice
    policy-map type loadbalance rdp first-match PM_LB_RT_FAX
      class class-default
        serverfarm SF_RT_fax
    policy-map multi-match PM_RT_FAX
      class RT_FAX
        loadbalance vip inservice
        loadbalance policy PM_LB_RT_FAX
        loadbalance vip icmp-reply active
    interface vlan 200
      description WAN-VLAN CONTEXT RACK1
      ip address 192.168.0.33 255.255.255.224
      alias 192.168.0.43 255.255.255.224
      peer ip address 192.168.0.34 255.255.255.224
      mac-address autogenerate
      access-group input acl-wan
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      service-policy input PM_RT_FAX
      no shutdown
    interface vlan 300
      description ACE-INSIDE CONTEXT RACK1
      ip address 192.168.0.65 255.255.255.224
      alias 192.168.0.73 255.255.255.224
      peer ip address 192.168.0.66 255.255.255.224
      mac-address autogenerate
      access-group input acl-in
      service-policy input PM_BYPASS_FOR_LAN_HTTP
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      service-policy input PM_RT_FAX
      no shutdown
    But nothing is working for me. Please help me out. This time I didn't configure the sticky, but in reality I will go with sticky, and the complete IP protocol will use a VIP. Please help me out.

  • Can VIP and Rservers be in the same subnet in ACE Routed Mode

    Good Day,
    Sorry for the lengthy post.
    Currently I have 6509s running in VSS mode with an ACE30 in each chassis.
    I have 5 VLANs, for each of which the VSS is the L3 interface. 1 VLAN is for management; the others are the data VLANs for the servers.
    The ACE is configured in bridge mode, with all VLANs going to a specific context (non-Admin).
    Some of the hosts on each VLAN are not utilized for load-balancing. The default gateway for each VLAN is configured on the VSS.
    I would like to set up the ACE in routed mode, without having to change the IP address of each server on the different VLANs.
    Basically I want to turn off the SVIs on the VSS and move the L3 interface to the ACE context, and let it perform the local routing for all the hosts.
    I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE context, and static routes from the VSS to the ACE for traffic destined to hosts that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
    For future deployment, I was planning on using different IP addresses for the VIPs and real servers (most likely RFC 1918).
    From most of the examples I have seen the VIP and rservers are in different subnets. But because I am trying not to change the IP addresses of the rservers and VIP, I wanted to know if the VIP and rservers can be configured to be in the same subnet where the ACE is in routed mode.
    Unfortunately I don't have a spare ACE to test scenario.
    As always any help would greatly be appreciated.
    Regards,
    Raman

    Link-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
    If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topologies rather than routing them.
    The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
    If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
    As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections.

  • Warning message on ACE

    Hello expert,
    I'm just wondering whether we can set a maximum number of incoming connections on the ACE?
    In such a way that, if the limit is reached, users who are still trying to access the website will be prompted with some kind of warning message, like
    "system is busy, try again later"
    please let me know. Thanks.
    Sincerely,
    Andrew

    Hello Andrew,
    Mmm, maybe you can take a look at this link:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/rsrce.html
    Perhaps you can assign some specific resources for connections, but it would be good to check this with your Cisco SE.
    On the rserver level, we have the following:
    Configuring Real Server Connection Limits
    To prevent a real server from being overburdened, you can limit the maximum number of active connections to the server. You can set the maximum and minimum connection thresholds by using the conn-limit command in either real server host or real server redirect configuration mode. The syntax of this command is as follows:
    conn-limit max maxconns min minconns
    The keywords and arguments are as follows:
    • max maxconns—Specifies the maximum allowable number of active connections to a real server. When the number of connections exceeds the maxconns threshold value, the ACE stops sending connections to the real server and assigns the real server a state of OUTOFSERVICE until the number of connections falls below the configured minconns value. Enter an integer from 2 to 4294967295. The default is 4294967295.
    • min minconns—Specifies the minimum number of connections that the number of connections must fall below before sending more connections to a server after it has exceeded the maximum connections threshold. Enter an integer from 2 to 4294967295. The default is 4294967295. The minconns value must be less than or equal to the maxconns value.
    Obviously the ACE cannot send messages like that; you can perhaps combine the configuration above with a backup serverfarm or something like that.
    Do not hesitate to let us know your feedback and mark it if it is useful for you.
    Hope these details help.
    Jorge
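    The conn-limit semantics quoted in the answer above have a subtlety that is easy to miss: an rserver goes OUTOFSERVICE when it hits maxconns but only returns once its count has fallen below minconns, and because both default to the same value there is no drain window unless you set min lower than max. Andrew's "system busy" page is then what a backup serverfarm would serve once every primary rserver is over its limit. The model below is an added illustration written for this page, not ACE code and not Jorge's; the state names and the threshold rule follow the documentation excerpt, while the round-robin dispatch, the fall-through to the backup farm, and the traffic sequence are my own constructions. One modelling choice is labelled in the code: dispatch stops the moment the count reaches maxconns so it never goes above it.

```python
# Added example, not ACE code: a model of 'conn-limit max/min' on an rserver
# and of a backup serverfarm absorbing the overflow.
MAXCONNS_DEFAULT = 4294967295  # ACE default for both maxconns and minconns


class RServer:
    def __init__(self, name, conn_max=MAXCONNS_DEFAULT, conn_min=None):
        conn_min = conn_max if conn_min is None else conn_min
        if conn_min > conn_max:  # documented constraint: minconns <= maxconns
            raise ValueError("minconns must be less than or equal to maxconns")
        self.name, self.conn_max, self.conn_min = name, conn_max, conn_min
        self.active = 0
        self.state = "INSERVICE"

    def can_accept(self):
        return self.state == "INSERVICE"

    def open_conn(self):
        self.active += 1
        # Modelling choice: stop dispatching as soon as maxconns is reached,
        # so the count never exceeds the threshold.
        if self.active >= self.conn_max:
            self.state = "OUTOFSERVICE"

    def close_conn(self):
        self.active -= 1
        # Back in service only once the count drops below minconns (hysteresis).
        if self.state == "OUTOFSERVICE" and self.active < self.conn_min:
            self.state = "INSERVICE"


class ServerFarm:
    """Round-robin over INSERVICE rservers; falls through to the backup farm."""
    def __init__(self, name, rservers, backup=None):
        self.name, self.rservers, self.backup = name, rservers, backup
        self._rr = 0

    def pick(self):
        ready = [r for r in self.rservers if r.can_accept()]
        if not ready:
            return self.backup.pick() if self.backup else None
        chosen = ready[self._rr % len(ready)]
        self._rr += 1
        return chosen


def simulate(farm, events):
    """events: ('open', id) / ('close', id). Returns id -> rserver name (None = refused)."""
    placement, holder = {}, {}
    for kind, cid in events:
        if kind == "open":
            r = farm.pick()
            placement[cid] = r.name if r else None
            if r:
                r.open_conn()
                holder[cid] = r
        elif cid in holder:
            holder.pop(cid).close_conn()
    return placement


def build_farm():
    """Two web servers limited to 2 connections each (min 1), with a sorry server as backup."""
    sorry = ServerFarm("SORRY", [RServer("sorry1")])  # defaults: effectively unlimited
    return ServerFarm("WEB", [RServer("web1", 2, 1), RServer("web2", 2, 1)], backup=sorry)


# Constructed traffic: four connections fill both web servers, the next two land
# on the sorry server, and web1 takes traffic again only after it drains below minconns.
TRAFFIC = [("open", "c1"), ("open", "c2"), ("open", "c3"), ("open", "c4"),
           ("open", "c5"), ("close", "c1"), ("open", "c6"), ("close", "c3"),
           ("open", "c7")]

if __name__ == "__main__":
    for cid, where in simulate(build_farm(), TRAFFIC).items():
        print(cid, "->", where)
```

    With the defaults (min equal to max) an rserver comes back the moment a single connection closes, so it flaps in and out of service under sustained load; setting minconns below maxconns gives it a drain window. The backup farm is what you point at a server that returns the static "system is busy" page.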
