Restart of an ACE context

Similar Messages

• Restarting a single ACE context

  We have an ACE with a number of contexts configured to allow access from our firewalls. One of the contexts seems to be having issues so is it possible to to just restart this one rather than reload the box?

  Good morning,
  This is unfortunately not possible.
  To do a graceful reboot, you will first have to failover all the other contexts to the secondary ACE and then reboot the blade.
  Regards
  Daniel

• Sharing VLAN's on ACE context's

  Hi,
  I am quite a newbie with ACE configurations. I have a VLAN i want to share over three ACE context's. Every context needs to have its own vlan ip address. How can i manage to do this ? I can only define an ip address on the main ACE configuration.
  Regards,
  Sebastian

  You are probably talking about the transfer-network or client-side VLAN.
  If you have already assigned the vlan to the module from the cat6k just create the three contexts and assigned those vlans to each context. That is how i do it. Serve three different context's with three different server networks with one client-side or transfer-network.
  just make sure you use different ip's for the ip,peer ip and alias for each context if you use FT or 2 modules. With this setup i always need 4 IP's including the VIP per context on the client side.
  Then you can configure the shared vlan in each context separate.
  context A
  allocate-interface vlan 10
  allocate-interface vlan 20
  context B
  allocate-interface vlan 10
  allocate-interface vlan 30
  context C
  allocate-interface vlan 10
  allocate-interface vlan 40

• Process for placing files in an ACE context in both devices

  I want to add a crypto file to both ACE web contexts, I have a FT group configured for this context.
  I know I have to stop or shut down the FT group in order to write to the Web context on the secondary ACE.
  What I have been doing is taking the FT group out of service on the primary ACE, writing the files to both contexts and then putting the FT group back in service. My concern is when this FT group comes back on line that some of the configuration of the secondary ACE might get written to the primary.
  What is the best practice to do this?

  Hi Robert,
  Just copy the crytpo files to the device which is missing those files and once files are copied and matched, go to ACTIVE device and do this:
  config# no ft auto-sync running-conifg
  config# ft auto-sync running-config.
  Do the same for startup-config as well and everything should be fine.  There should be no configuration copied from secondary to primary since SYNC always happens from ACTIVE to standby. You don't need to do no inservice and inservice on FT group. Also, you can run the above command from specific contexts or from Admin context(will do bulk sync for all contexts).
  Let me know if you have any questions.
  Regards,
  Kanwal
  NOTE: Please mark answers if they helped.

• Finder.app restart when work with context menu

  After upgrade from Mac OS X 10.6.8 to Mac OS X 10.8.2 Finder.app work with crashes.
  When I try use context menu (for example Git Info on File or Folder) Finder.app restart every time.
  Process:         Finder [439]
  Path:            /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  Identifier:      com.apple.finder
  Version:         10.8.1 (10.8.1)
  Build Info:      Finder_FE-808001006000000~2
  Code Type:       X86-64 (Native)
  Parent Process:  launchd [304]
  User ID:         502
  Date/Time:       2013-01-07 03:51:54.679 +0400
  OS Version:      Mac OS X 10.8.2 (12C60)
  Report Version:  10
  Crashed Thread:  0  Dispatch queue: com.apple.main-thread
  Exception Type:  EXC_CRASH (Code Signature Invalid)
  Exception Codes: 0x0000000000000000, 0x0000000000000000
  Application Specific Information:
  Performing @selector(cmdShowStaticInfo:) from sender TContextMenuItem 0x7f9911b4b540
  Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
  0   com.apple.finder                    0x000000010c553121 0x10c4b9000 + 631073
  1   com.apple.finder                    0x000000010c5b60a6 0x10c4b9000 + 1036454
  2   com.apple.finder                    0x000000010c5b5fe2 0x10c4b9000 + 1036258
  3   com.apple.finder                    0x000000010c5afbc8 0x10c4b9000 + 1010632
  4   com.apple.finder                    0x000000010c5ae500 0x10c4b9000 + 1004800
  5   com.apple.finder                    0x000000010c5adc16 0x10c4b9000 + 1002518
  6   com.apple.finder                    0x000000010c5adae2 0x10c4b9000 + 1002210
  7   com.apple.finder                    0x000000010c50d9f4 0x10c4b9000 + 346612
  8   com.apple.AppKit                    0x00007fff90b80a59 -[NSApplication sendAction:to:from:] + 342
  9   com.apple.AppKit                    0x00007fff90cb644c -[NSMenuItem _corePerformAction] + 406
  10  com.apple.AppKit                    0x00007fff90cb613a -[NSCarbonMenuImpl performActionWithHighlightingForItemAtIndex:] + 133
  11  com.apple.AppKit                    0x00007fff909a346f -[NSMenu _internalPerformActionForItemAtIndex:] + 36
  12  com.apple.AppKit                    0x00007fff909a32f7 -[NSCarbonMenuImpl _carbonCommandProcessEvent:handlerCallRef:] + 135
  13  com.apple.AppKit                    0x00007fff90caf245 NSSLMMenuEventHandler + 342
  14  com.apple.HIToolbox                 0x00007fff9a646f0a DispatchEventToHandlers(EventTargetRec*, OpaqueEventRef*, HandlerCallRec*) + 1206
  15  com.apple.HIToolbox                 0x00007fff9a6463d9 SendEventToEventTargetInternal(OpaqueEventRef*, OpaqueEventTargetRef*, HandlerCallRec*) + 410
  16  com.apple.HIToolbox                 0x00007fff9a65c1bd SendEventToEventTarget + 40
  17  com.apple.HIToolbox                 0x00007fff9a692e89 SendHICommandEvent(unsigned int, HICommand const*, unsigned int, unsigned int, unsigned char, void const*, OpaqueEventTargetRef*, OpaqueEventTargetRef*, OpaqueEventRef**) + 443
  18  com.apple.HIToolbox                 0x00007fff9a637c11 SendMenuCommandWithContextAndModifiers + 59
  19  com.apple.HIToolbox                 0x00007fff9a637bc3 SendMenuItemSelectedEvent + 254
  20  com.apple.HIToolbox                 0x00007fff9a637a4f FinishMenuSelection(SelectionData*, MenuResult*, MenuResult*) + 94
  21  com.apple.HIToolbox                 0x00007fff9a7ae009 PopUpMenuSelectCore(MenuData*, Point, double, Point, unsigned short, unsigned int, Rect const*, unsigned short, unsigned int, Rect const*, Rect const*, __CFString const*, OpaqueMenuRef**, unsigned short*) + 1673
  22  com.apple.HIToolbox                 0x00007fff9a7ad924 _HandlePopUpMenuSelection7 + 629
  23  com.apple.AppKit                    0x00007fff90d3261b _NSSLMPopUpCarbonMenu3 + 3916
  24  com.apple.AppKit                    0x00007fff90d316a8 -[NSCarbonMenuImpl _popUpContextMenu:withEvent:forView:withFont:] + 189
  25  com.apple.AppKit                    0x00007fff90e8c063 -[NSMenu _popUpContextMenu:withEvent:forView:withFont:] + 200
  26  com.apple.finder                    0x000000010c6ca616 0x10c4b9000 + 2168342
  27  com.apple.finder                    0x000000010c6c8498 0x10c4b9000 + 2159768
  28  com.apple.finder                    0x000000010c72c054 0x10c4b9000 + 2568276
  29  com.apple.finder                    0x000000010c726dc5 0x10c4b9000 + 2547141
  30  com.apple.AppKit                    0x00007fff90b75c81 -[NSWindow sendEvent:] + 8504
  31  com.apple.AppKit                    0x00007fff90b71744 -[NSApplication sendEvent:] + 5761
  32  com.apple.finder                    0x000000010c64db71 0x10c4b9000 + 1657713
  33  com.apple.AppKit                    0x00007fff90a872fa -[NSApplication run] + 636
  34  com.apple.AppKit                    0x00007fff90a2bcb6 NSApplicationMain + 869
  35  com.apple.finder                    0x000000010c4beb46 0x10c4b9000 + 23366
  36  libdyld.dylib                       0x00007fff988ea7e1 start + 1

  I solve problem - CMD + R -> Reinstall Mac OS X (but reason of crashes not found)

• Simple question - ACE Context Running Config

  How do I erase the running config of a context ? wr erase only gets rid of the the start up. I can go through it with no commands but was hoping there is a better way.

  If you could reload per context erasing the startup config would work. Unfortunately you can only reload the whole ace blade.
  Fastest way to get rid of a config within a context is to delete the context in the admin context and then re-create it.
  changeto Admin
  conf t
  no context
  context
  If you had checkpoints already created those are gone as well once you issue the "no context " command.
  To make it easier in the future i would suggest you create an empty checkpoint at the very beginning or at the point of your configuration where you want to start to experiment with the settings.
  conf t
  checkpoint create
  or
  checkpoint create
  To get the settings back u issue.
  conf t
  checkpoint rollback
  The checkpoints are per context btw.
  Hope that helps.
  Roble

• ANM 2.0: one of three ACE contexts couldn't "sync to CLI"

  Hello,
  We are using ANM 2.0 Update A to manage an ACE module running A2(1.2). About a week ago, one of our 3 contexts started showing "Out of sync" in the "CLI sync status" column. I tried to sync the context numerous times; no errors were reported but this particular context was always "out of sync".
  Then this morning I tried a "sync to CLI" operation once more and this time it finally worked! The status is now "in sync".
  I was wondering why this happened, and if anything can be done to prevent it in the future.
  Regards,
  Marc.

  Synchronizing configuration files for the standby ACE requires:
  1. Auditing the standby ACE to confirm that its configuration does not agree with the ANM-maintained configuration data for the ACE. See Synchronizing Virtual Context Configurations, page 3-64.
  2. Uploading the configuration from the standby ACE to the ANM server. See Synchronizing Virtual Context Configurations in the below URL:
  http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/1.2/user/guide/UG_virtual_contexts.html#wpxref74705
  3. For an Admin context, uploading configurations on any newly imported user contexts. If new user contexts are not updated, they cannot be managed using ANM.

• ACE context management per user

  Dear All,
  Can per user get management access in per context on ACE module?
  For instance, user A can manage just context A, user B can manage just context B on attachment file.
  Thanks.

  If you use an ACS for TACACS you can (for ACE you have to) set custom attributes for your group. The attributes look like this:
  shell:= ...
  If you want to restrict the user from changing into another context, you should change the Shell Command Authorization Set settings.

• Throughput of an ACE context

  We're running an ACE SM with the 8GB throughput license. We also have 4 contexts on that ACE. Would the max througput per context be 8GB/4 = 2 GB or the 8GB would be drawn by different contexts depending on their requirements?
  Thanks  Greg...

  Thanks - that would make sense. Below is the sh resources usage taken on one of the contexts. We have 8Gbps license and 7 active contexts (including the Admin context). So, I would have expected to see the max bandwidth as 8G as opposed to 1G if that was indeed the max theoretical bandwidth...Any idea on this?   Thnx again...
  Resource                 Current       Peak            Min             Max    
  bandwidth                149720    210620645    1997500   1100527532          0
      throughput             144644   210602113    1997500    976777532          0
      mgmt-traffic rate        5076      18532          0             123750000          0

• ACE Context - Error: Resources in use

  Hi All,
  I am trying to associate a resource to a newly created context to enable configuration of sticky sessions within the context. When I assigne the context to the Resource Member it comes back as errored Resources in Use. Any idea's how I can get this configured as my deadlines are tight (thanks to our web developers bringing forward a go-live date to Monday).
  The Key configurations are here:
  resource-class BRONZE
    limit-resource all minimum 0.01 maximum unlimited
    limit-resource sticky minimum 0.01 maximum unlimited
  resource-class GOLD
    limit-resource all minimum 5.00 maximum unlimited
    limit-resource sticky minimum 5.00 maximum unlimited
  resource-class RESERVE
    limit-resource all minimum 18.10 maximum equal-to-min
    limit-resource sticky minimum 18.11 maximum equal-to-min
  context ACCTX_SPT_FRN
    description SPT Context
    allocate-interface vlan 1204
    allocate-interface vlan 1310
    allocate-interface vlan 1410
  context ACCTX_SSM_FRN
    description SSM Context
    allocate-interface vlan 1213
    allocate-interface vlan 1313
    allocate-interface vlan 1413
    member GOLD
  context reserve
    member RESERVE
  Obviously not all contexts shown - there are 14 in Total - 1 reserve, 2 Bronze, 9 Gold and 2 unassigned (of which 1 needs to be Gold).
  I saw in previous posts the resource usage was key to identifying where issue could be. As I am learning this beast, I couldn't fully make sense of the previous posts so apologies for this:
                                                       Allocation
          Resource         Current       Peak        Min        Max     Denied
  Context: Summary
    conc-connections         115391     217571    3601600   65976000          0
    mgmt-connections             69        326       2250      41250          0
    proxy-connections         27736      49687     472060    8647590          0
    xlates                        0          0     472060    8647590          0
    bandwidth              15037110 1503203965  450200000 3952032704       3915
    connection rate              76      11281     450200    8247000          0
    ssl-connections rate         10       1495       6754     123720          0
    mgmt-traffic rate           618     277886   56275000 1030875000          0
    mac-miss rate                 0        868        900      16500     100033
    inspect-conn rate             0          0       2700      49470          0
    acl-memory               102912     109392    3930522   43220012          0
    regexp                      104        104      52429     576507          0
    syslog buffer           4194304    4196352     209715    2306028          0
    syslog rate                   4        923        150       1649          0
  Help is very much appreciated. There are no reported issues with current loads so the Denieds I take as a misnomer.
  Regards
  Adrian

  From my first idea I would think you use more then 100% of your sticky resource. maybe you should provide the whole context config.

• ACE - context administration

  Hello
  I've created two contexts, allocated administrative vlan to each context, in each context created management class map and policy map (allow all icmp,ssh) and binded it to this vlan. I can ping each context but i can not telnet to port 22 (ssh not listening).
  I've done the same in Admin context and i can login using ssh. Why another contexts do not have sshd listening ?
  Thanx

  I've found that in new wersion i do not have "ssh" command under context-config:
  host1/Admin(config-context)# ssh key rsa1 1024
  but anyway i tried to login and had to wait about 5 minutes - then context let me in.
  it seems that context drugging first ssh login (first TCP SYN on port 22) generates appriopriate keys ? (and it can not be done by any command anymore)?
  Thanx

• ACE bridge and routed interface in the same context

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:Standardowy;
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  Hello
  I am wondering if it is possible to configure one ACE context to support both routed and bridge interface?
  I would like to have a bridge-mode context but in the same time I would like to have a separated OOB interface for management.
  If it is possible how they could interact to each other?
  Thank you in advance for any answer
  Regards
  Lukasz

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:Standardowy;
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman";
  mso-ansi-language:#0400;
  mso-fareast-language:#0400;
  mso-bidi-language:#0400;}
  Hello
  We've just tried to configure bridged and routed interfaces at the same time in the lab and we've had a problem.
  When we added the def gw for the bridged config we noticed that we had an issue with the traffic src by the rservers in the routed config.
  When we deleted the new def gw, the problem disappeared.
  I am attaching the lab config.
  When we added to it the following line
  ip route 0.0.0.0 0.0.0.0 10.1.1.163
  reals B1-B10 could not communicate to the outside world.
  Do you know why it does not worked and what could we do to fix it ?
  Thank you in advance.
  Regards
  Lukas

• ACE 4710 eHealth monitoring of context

  Hi,
  Our eHeath people tell me they cannot stat anything in any of the contexts (excluding Admin) on the ACE, i can snmpwalk the various contexts using the '@context' suffix.
  e.g. snmpwalk -c community@context2 10.1.1.1 .1.3.6.1.4.1.9.9.161
  eHealth can only route to the Admin context.
  Does anybody know if eHealth can access the ACE contexts in this fashion?
  Thanks
  Chris

  Hi,
  Here is the expected operation for each of those cases:
  A real server.
  If the server is not associated with any serverfarm, the status will not be probed (the rserver will be marked as INACTIVE)
  A real server and then associate the real server with a  server farm. You can associate a single probe or multiple probes with  real servers within a server farm.
  The probe will only be applied to that specific server
  A server farm. All servers in the server farm receive probes of the associated probe types.
  The probe will be applied to all the servers in the serverfarm.
  Another thing to take into account is that (by default) if more than one probe is associated to a server (either directly or through a serverfarm), all the probes need to succeed to consider the server operational. You can also add the command "fail on all" to a serverfarm or rserver to change this behavior and only consider the server as down when all the probe fail
  I hope this answers your question
  Regards
  Daniel

• ACE keep probing real servers using "https get 302"

  Hi all,
  I got one problem with cisco ACE in my company. Currently, two ACE appliances are working as HA redundancy. Previously I enabled some https and http probing using get 302 for some servers and services. But then I was told to remove all https or http probing, and instead use tcp port 443 and 80. After that, one of the serverfarm (server groups) is receiving https get 302 and I already checked in the monitoring and see whether there's any https probing regarding the respected real servers. But I could not find any. Even I disable all probing to that serverfarm, all the server members still receiving https get 302. Is this behavior a bug?
  The ACE version is A3(2.1). And the HA status is on standby cold. Can standby cold cause this kind of trouble?

  Hi Daniel,
  I just corrected the cert problem and made the state peer into standby hot. But still it still keep probing the get 302. And then I tried to restart both ACEs. The first step is to restart the second ACE (standby) and then switched over all context to the second one. The problem is that when I made the second one to be active, some services were not working, especially the ones with ssl terminated in ACE. I'm pretty sure that both ACEs were in sync.
  Any idea what is the problem?

• How can I use multiple client side vlans in ACE?

  In CSM we have a default-gateway per Client VLAN, in ACE there is no equivalent command! How does the ACE handles routing in this situation?

  Hi,
  Talk about a deja-vu. I was faced with the exact same challenge about a year ago.
  Basically, I think you're looking at two options:
  1) Firewall-consolidation - Consolidate your four firewalls into one, having one dedicated interface towards the ace and route all your vips using the ace as
      next-hop. It looks like your firewalls are virtual (but I don't know), so it's duable. But I don't know if this is even an option for you.
  2) Per. clientvlan context - Context A for vlan1001, Context B for vlan1002 and so on. Each context handles clienttraffic for the respective vlan and since
      each context handles it's own routingtable, simply use the firewall-address as your default route. But from your drawing, it looks like your server-vlans
      are all connected to the same ace, so you will need to split that up. Assign each servervlan to an ace-context as you do with the clientside-vlans.
  Well, a third option would be NAT in your firewall. Unless you have a specific need for the original client-ip the reach the ace, you could nat incoming clientsessions in each of the firewalls to an interface-address on that firewall, hence the ace will see the clientrequest as originating from the firewall and since ace has connected routes to each of the firewall, it wall return traffic to respective firewall and leave it to him to return the traffic to the client.
  Since each firewall will present the packets with a unique NAT'ed address, you can apply different policies, parameters etc. for that NAT-address, if this is required.
  hth
  /Ulrich