Sample Config ACE20-MOD-K9

Hi,
Can someone help me with a sample configuration for ACE20?
Rgds....Partha Acharya

here is a copy of my lab config.
switch/User1# sho run
Generating configuration....
logging enable
logging buffered 7
access-list PERMIT_ANY line 10 extended permit ip any any
access-list app line 10 extended permit ip host 192.168.20.41 any
probe http ACECFG-http
  interval 5
  faildetect 2
  passdetect interval 10
  request method get url /index.html
  expect status 200 299
probe ftp ftp_probe
  interval 10
  passdetect interval 10
  expect status 0 999
  open 5
parameter-map type connection REPL
parameter-map type connection TCP
rserver host 20.20.20.20
  ip address 20.20.20.20
  inservice
rserver host REFLECTOR-10
  ip address 192.168.60.10
  inservice
rserver host REFLECTOR-11
  ip address 192.168.60.11
  inservice
rserver host REFLECTOR-12
  ip address 192.168.60.12
  inservice
rserver host REFLECTOR-13
  ip address 192.168.60.13
  inservice
rserver host REFLECTOR-14
  ip address 192.168.60.14
  inservice
rserver host REFLECTOR-15
  ip address 192.168.60.15
  inservice
rserver host linux1-48
  ip address 192.168.30.48
rserver host linux2
  ip address 192.168.20.41
  inservice
serverfarm host 20.20.20.20
  rserver 20.20.20.20
    inservice
serverfarm host REFLECTOR
  predictor leastconns
  rserver REFLECTOR-10
    weight 1
    inservice
  rserver REFLECTOR-11
    weight 1
    inservice
  rserver REFLECTOR-12
    weight 1
    inservice
  rserver REFLECTOR-13
    weight 1
    inservice
  rserver REFLECTOR-14
    weight 1
    inservice
  rserver REFLECTOR-15
    weight 1
    inservice
  rserver linux1-48
    inservice
serverfarm host linux2
  failaction purge
  probe ACECFG-http
  rserver linux2
    inservice
serverfarm host linux2-ftp
  probe ftp_probe
  rserver linux2 21
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-REFLECTOR
  replicate sticky
  serverfarm REFLECTOR
class-map match-all NAT
  2 match access-list app
class-map type http loadbalance match-all URL
  2 match http url .*
class-map match-all VIP-250-80
  2 match virtual-address 192.168.100.250 tcp eq www
class-map match-all VIP-250-ftp
  2 match virtual-address 192.168.100.250 tcp eq ftp
class-map match-any VIP-REFLECTOR-254
  2 match virtual-address 192.168.100.254 tcp eq www
policy-map type management first-match ALLOW
  class class-default
    permit
policy-map type loadbalance first-match 20.20.20.20
  class class-default
    serverfarm 20.20.20.20
policy-map type loadbalance first-match LB_linux2
  class class-default
    serverfarm linux2
policy-map type loadbalance first-match REFLECTOR
  class class-default
    sticky-serverfarm STICKY-REFLECTOR
policy-map type loadbalance first-match ftp-linux2
  class class-default
    serverfarm linux2-ftp
policy-map multi-match NAT1
  class NAT
    nat dynamic 1 vlan 100
policy-map multi-match SLB-REFLECTOR
  class VIP-REFLECTOR-254
    loadbalance vip inservice
    loadbalance policy REFLECTOR
    loadbalance vip icmp-reply
policy-map multi-match SLB1
  class VIP-250-80
    loadbalance vip inservice
    loadbalance policy 20.20.20.20
    loadbalance vip icmp-reply
  class VIP-250-ftp
    loadbalance vip inservice
    loadbalance policy ftp-linux2
    loadbalance vip icmp-reply
    inspect ftp
service-policy input ALLOW
interface vlan 20
  ip address 192.168.20.253 255.255.255.0
  mac-sticky enable
  access-group input PERMIT_ANY
  service-policy input SLB1
  no shutdown
interface vlan 100
  ip address 192.168.100.2 255.255.255.0
  alias 192.168.100.1 255.255.255.0
  peer ip address 192.168.100.3 255.255.255.0
  access-group input PERMIT_ANY
  nat-pool 1 192.168.100.240 192.168.100.245 netmask 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.100.9
ip route 192.168.100.4 255.255.255.255 192.168.100.9
ip route 171.69.146.79 255.255.255.255 192.168.20.41
ip route 192.168.30.0 255.255.255.0 192.168.20.37
ip route 20.20.20.20 255.255.255.255 192.168.20.41
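
An added review aid for the lab config above, in Python (not part of the original post and not a Cisco tool): it groups the `sho run` lines into stanzas, with or without indentation, and reports interfaces whose inbound ACL permits `ip any any`, an applied management policy that only permits `class-default`, and rservers used in a serverfarm without `inservice` in their own stanza. The names `SAMPLE`, `TOP`, `stanzas` and `audit` are introduced here, and the sample is a constructed excerpt of the posted config.

```python
import re

# Constructed excerpt: lines copied from the lab config above, indentation stripped.
SAMPLE = """\
access-list PERMIT_ANY line 10 extended permit ip any any
access-list app line 10 extended permit ip host 192.168.20.41 any
rserver host linux1-48
ip address 192.168.30.48
rserver host linux2
inservice
serverfarm host REFLECTOR
rserver linux1-48
inservice
policy-map type management first-match ALLOW
class class-default
permit
service-policy input ALLOW
interface vlan 20
access-group input PERMIT_ANY
service-policy input SLB1
"""

# Commands that open a top-level stanza; sub-commands such as "rserver NAME",
# "probe NAME" or "sticky-serverfarm NAME" must not match.
TOP = re.compile(r"(access-list|probe \S+ \S+|parameter-map|rserver host|serverfarm host"
                 r"|sticky|class-map|policy-map|interface|ip route)( |$)")

def stanzas(text):
    """Group lines into [header, body] pairs; indentation is ignored."""
    out = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if TOP.match(line) or not out:
            out.append([line, []])
        else:
            out[-1][1].append(line)
    return out

def audit(text):
    """Return a list of findings, in the order the stanzas appear."""
    st = stanzas(text)
    lines = [l for head, body in st for l in [head, *body]]
    open_acls = {h.split()[1] for h, _ in st
                 if re.match(r"access-list \S+ .*permit ip any any$", h)}
    applied = {l.split()[2] for l in lines if l.startswith("service-policy input ")}
    idle, findings = set(), []
    for head, body in st:
        name = head.split()[-1]
        if head.startswith("interface "):
            for b in body:
                m = re.match(r"access-group input (\S+)$", b)
                if m and m.group(1) in open_acls:
                    findings.append(f"{head}: inbound ACL {m.group(1)} permits ip any any")
        elif head.startswith("policy-map type management ") and name in applied:
            if ("class class-default", "permit") in zip(body, body[1:]):
                findings.append(f"management policy {name}: class-default permit, "
                                "no protocol or source-address match")
        elif head.startswith("rserver host ") and "inservice" not in body:
            idle.add(name)
        elif head.startswith("serverfarm host "):
            for b in body:
                if b.split()[0] == "rserver" and b.split()[1] in idle:
                    findings.append(f"serverfarm {name}: rserver {b.split()[1]} "
                                    "has no inservice in its own stanza")
    return findings
```

Run against the full listing, `audit` also reports `interface vlan 100`, which carries the same `access-group input PERMIT_ANY`.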

Similar Messages

  • HA - ACE20-MOD-K9 - FT Group Config Will Not Synch (SSL)

    Hi,
    We have a pair of ACE20-MOD-K9 in Fault Tolerant mode. They are running multiple contexts and we have a problem with one particular context which is running SSL off-loading. Despite the config being identical on both (except for the peer addresses obviously) and both having the same SSL Key and Cert files loaded on both, the configuration will not sync between them.
    Here are the outputs from both:
    XXXX-DC2-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group brief
    FT Group ID: 8  My State:FSM_FT_STATE_ACTIVE    Peer State:FSM_FT_STATE_STANDBY_COLD
                    Context Name: XXXXX-CISCO-QUAD-SERVICES        Context Id: 2   Running Cfg Sync Status: Successful
    XXXX-DC1-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group brief
    FT Group ID: 8  My State:FSM_FT_STATE_STANDBY_COLD      Peer State:FSM_FT_STATE_ACTIVE
                    Context Name: XXXXX-CISCO-QUAD-SERVICES        Context Id: 11  Running Cfg Sync Status: Successful
    XXXX-DC2-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group stat
    FT Group                     : 8
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    Peer State                   : FSM_FT_STATE_STANDBY_COLD
    Peer Id                      : 1
    No. of Contexts              : 1
    Running cfg sync status      : Peer in Cold State. Incremental Sync Failure: SSL Keyfile does not exist
    Startup cfg sync status      : Peer in Cold State. Incremental Sync Failure: SSL Keyfile does not exist
    XXXX-DC1-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group stat
    FT Group                     : 8
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_STANDBY_COLD
    Peer State                   : FSM_FT_STATE_ACTIVE
    Peer Id                      : 1
    No. of Contexts              : 1
    Running cfg sync status      : Incremental Sync Failure: SSL Keyfile does not exist
    Startup cfg sync status      : Incremental Sync Failure: SSL Keyfile does not exist
    XXXX-DC2-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh crypto file
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    fn42604_cert.pem                         1850  PEM     Yes        CERT
    fn42604_privatekey.pem                   1679  PEM     Yes         KEY
    quad2.pem                                1675  PEM     Yes         KEY
    quad2_cer.pem                            2582  PEM     Yes        CERT
    quad_prod_abbrv                          1675  PEM     Yes         KEY
    quad_prod_abbrv_cer.pem                  2556  PEM     Yes        CERT
    quad_prod_fqdn                           1675  PEM     Yes         KEY
    quad_prod_fqdn_cer.pem                   2578  PEM     Yes        CERT
    XXXX-DC1-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh crypto file
    Filename                                 File  File    Expor      Key/
                                             Size  Type    table      Cert
    fn42604_cert.pem                         1850  PEM     Yes        CERT
    fn42604_privatekey.pem                   1679  PEM     Yes         KEY
    quad2.pem                                1675  PEM     Yes         KEY
    quad2_cer.pem                            2582  PEM     Yes        CERT
    quad_prod_abbrv                          1675  PEM     Yes         KEY
    quad_prod_abbrv_cer.pem                  2556  PEM     Yes        CERT
    quad_prod_fqdn                           1675  PEM     Yes         KEY
    quad_prod_fqdn_cer.pem                   2578  PEM     Yes        CERT
    All the Crypto files are identical as I copied them from one ACE to the other.
    Can anyone shed any light on why this context is not syncing its configuration?
    Thanks,
    Dom Wilkinson

    Hi,
    Can you restart autosync and see if it fixes the issue,
    no ft auto-sync startup-config
    no ft auto-sync running-config
    ft auto-sync startup-config
    ft auto-sync running-config
    Regards,
    Siva

  • Sample config for wireless

    Hi
    Does anyone have a sample config for a standalone Cisco AP1252 (Cisco IOS) for AD authentication for wireless?
    Appreciate your kind reply.

    The short version:
    in config terminal mode:
    -radius-server host auth-port 1812 acct-port 1813 key 0
    -aaa authentication dot1x eap_methods group radius
    Then you need to configure your ssid for dot1x:
    -dot11 ssid
    -authentication open eap eap_methods
    -authentication network-eap eap_methods
    This is only the part needed for radius interaction. This assumes that you already configured your SSID with according WPA settings.
    That's about it I think.
    If you want info about more commands or so, just check out this link:
    http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap11-authtypes.html#wp1002608

  • Sample Config - IDSM-2

    I'm looking for a sample config for a IPS IDSM-2. I've been reviewing the configuration manual and love the excruciating detail, but would like to work from a sample config. Maybe just the basics to get started and then I can add stuff in later.
    Any samples would be most appreciated.
    Thanks,
    Mike

    You need to decide the mode you want to run your IPS in? Promiscuous, Inline (VLAN/Interface pair) ?
    Here are two examples from CCO:
    https://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml
    Regards
    Farrukh

  • ACE20-MOD-K9 - how to discover a server?

    Hi there!
    First foray into Cisco load balancing for me.  Looking to discover how to find a server instance on a Cisco ACE20-MOD-K9.  What I need to do is remove 5 servers (1 at a time) using the 'no inservice' command.  Just need to locate their instances on the load balancer.
    I have:
    Server Names
    Server internal IP addresses
    Since the commands aren't revealing themselves to me naturally like they seem to on Nexus for example, asking for help from the community again :)
    Please advise if possible, many thanks!

    Hi,
    So if you are looking for a server named LYNC, you will do below:
    switch/Admin# sh running-config rserver LYNC
    Generating configuration....
    rserver host LYNC
      ip address 10.x.x.x
      inservice
    You can do the same for serverfarms, class-maps, policy maps etc. You can also filter using "show run | inc <name>"
    Show serverfarms, show rservers, show service-policy summary are few commands which can come in handy to find out configured items and names.
    Pasting a link for your reference which is useful for TS and basic commands.
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Troubleshooting_ACE_Health_Monitoring
    Let me know if you have any questions.
    Regards,
    Kanwal

  • [svn:bz-trunk] 13477: Bug: BLZ-455 - Document client-load-balancing property in the sample config

    Revision: 13477
    Author:   [email protected]
    Date:     2010-01-13 05:17:10 -0800 (Wed, 13 Jan 2010)
    Log Message:
    Bug: BLZ-455 - Document client-load-balancing property in the sample config
    QA: No
    Doc: No
    Ticket Links:
        http://bugs.adobe.com/jira/browse/BLZ-455
    Modified Paths:
        blazeds/trunk/resources/config/services-config.xml

  • Sample config

    So I have been trying to set up trunking (got that done and tested) on a pair of CSS 11503's and now I would like to set up ASR, VR and VIP redundancy to fail over between them. Does anyone have any samples of how to do this with all public IPs? All the Cisco docs are for NAT'd configurations, which we do not run; everything would be public.
    Right now management of the CSS is done over vlan100 but the servers are in vlan150, different subnets obviously. However, what is messing me up is that the docs all say to use outside public IPs and inside for the servers. I only have public IPs and don't have time to change anything to a NAT... any help would be great.

    actually let me append my previous comment with a question..
    since I am trunking up (to my 6509s) and down (to various switches)...what should my default route be on the CSS's
    i have 2 vlan's right now
    vlan 10
    ip address 192.168.10.10 255.255.255.240
    vlan 20
    ip address 192.168.11.11 255.255.255.224
    in my global however I am using
    ip route 0.0.0.0 0.0.0.0 192.168.10.1 1
    10.1 btw is a virtual (HSRP address) on my 6509's
    11.1 would be the virtual (HSRP address) on my 6509's for vlan20 etc..
    so yes my previous statement about the gateways for my web servers pointing to the CSS is true (redundant int), however if I have other servers on my switches that are not in the lb's groups and I point those servers to my HSRP virtual for vlan20's 11.1 I cannot ping it... so what are my options, because I would rather not change gateways on some of the other machines that won't be load balancing.
    I noticed in the trunking sample config the global had no route, but when I removed it, I couldn't get to anything (of course).
    thanks again

  • ACE20-MOD-K9 module facing NP crash/restart

    Hi,
    Facing an issue with ACE module Part#ACE20-MOD-K9 having NP failed error message and module got restarted.
    Module software currently# c6ace-t1k9-mz.A2_1_6a.bin
    We have studied the Support Community document and got the BUG id's information having impact on this module,
    BUG id's: CSCsv92321, CSCsx25981, CSCsq38638
    Now we need help regarding software version to upgrade for the ACE module having no impact on this ACE module by these BUG id's having parity error symptoms.
    Also attaching the respective logs for the module restart issue.
    Regards,
    Ashutosh

    Hi,
    This looks like a parity error. If this is a first time occurrence I would recommend you to upgrade to a latest software and keep monitoring.
    CSCsq38638           
    Symptom:The ACE blade cores indicating a SRAM Parity Error. Occasionally  another type of process (such as IFMGR, etc.) core may accompany the  SRAM error crash.
    Conditions:This is a rare condition where the ACE blade is running and performs an SRAM operation that detects an SRAM parity error.
    Workaround:Reboot of the ACE will clear the state.  This reboot is accomplished automatically when the corefile is created.

  • ACE20-MOD-K9 and ACE10-6500-K9 in redundant mode

    Can ACE20-MOD-K9 and ACE10-6500-K9 be configured to work together as a redundant pair?

    ACE10-6500-K9 and ACE20-MOD-K9 modules can occupy the same chassis.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/installation/note/aceinote.html

  • Decommissioning ACE20-MOD-K9 - how to verify ALL traffic is migrated off?

    Hello there community,
    I'm going to be shutting down a couple ACE20-MOD-K9 modules soon, but want to verify for 100% that there is ZERO traffic flowing on them.
    What are commands I can use to ensure there is no traffic on them at all any more so it's safe to shut them down?
    Thank You in advance.

    Hi James,
    "Sh conn" shall show you any connections established. If you don't see anything in source and destination except ACE IP's (including standby) and your own IP(because of telnet or ssh), then this indicates that there is no traffic coming on to these ACE's. Even the pass through traffic is part of " show conn" and that should tell you if you have any traffic. Run this command in each context.
    Show resource usage all--->Can be run in Admin and shall give you an idea about all contexts.
    show serverfarm summary
    show service-policy summary
    All these commands shall also show you any connections coming on to the ACE. You can clear all counters to have a good idea.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful

  • Sample config requested: IOS AP with WPAv2 with PEAPv0 aka EAP-MSCHAPv2

    Would someone be kind enough to share a sanitized config with me for the following:
    AIR-LAP1131AG-A-K9 LWAP converted to autonomous mode running IOS v12.3(8)JEA
    WPAv2 with PEAPv0 aka EAP-MSCHAPv2.
    Thanks,
    Richard

    Hello,
    Here's what I would use. The AP is actually unaware of the EAP type:
    aaa group server radius rad_eap
     server RADIUS_IP auth-port 1812 acct-port 1813
    aaa authentication login eap_methods group rad_eap
    aaa authorization exec default local
    aaa session-id common
    dot11 ssid SSID_PRIVATE
     VLAN X
     authentication open eap eap_methods
     authentication key-management wpa
     guest-mode
    username cisco password 0 cisco
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption vlan x mode ciphers aes-ccm
     broadcast-key vlan x change 360
     ssid SSID_PRIVATE
    interface Dot11Radio0.x
     encapsulation dot1Q x
    interface FastEthernet0.x
     encapsulation dot1Q x
    radius-server attribute 32 include-in-access-req format %h
    radius-server host RADIUS_IP auth-port 1812 acct-port 1813 key 0 RADIUS_KEY
    radius-server timeout 30
    radius-server vsa send accounting
    Serge

  • CSM nat client sample config

    Hi
    We have one pair of CSM configured in bridge mode.
    The user wants the servers to be able to access the VIP also.
    Understand one solution is to use NAT client.
    Anyone got a working config on NAT client for bridge mode?
    Thanks!

    natpool ....
    serverfarm from-server2server
     nat server
     nat client
     real x.x.x.x
      ins
     real x.x.x.x
      ins
    vserver from-server2server
     vip x.x.x.x tcp
     vlan
     serverfarm from-server2server
     ins
    That's it.
    Any question, let me know.
    Regards,
    Gilles.
    Thanks for rating this answer.

  • MPLS over GRE sample config....

    Can anybody paste a working MPLS over GRE config....
    I am looking for tunnel config and any related global config...
    thanks
    Umar

    You can try this link for GRE configuration
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml

  • Sample config for TACACS+ on ASA 8.22

    I am looking for a sample configuration for doing TACACS+ on ACS 5.2 with an ASA 8.2.2.
    Any help would be appreciated.

    I think the following should just about do it - However it is MUCH simpler to do this in the GUI
    aaa-server TACACS protocol tacacs+
    aaa-server TACACS (management) host x.x.x.x key ****
    aaa authentication http console TACACS LOCAL
    aaa authentication ssh console TACACS LOCAL
    aaa authentication serial console TACACS LOCAL
    aaa authentication enable console TACACS LOCAL
    aaa authentication telnet console TACACS LOCAL
    aaa accounting ssh console TACACS
    aaa accounting telnet console TACACS
    aaa accounting serial console TACACS
    aaa accounting enable console TACACS
    aaa accounting command TACACS
    Remember you need to create the network device in ACS with the same shared key.
    Paul

  • Looking for sample config.xml

    After some changes config.xml is corrupted. Need a config.xml with following descriptors -
    <admin-server-name>
    <app-deployment>
    <jms-server>
    <mail-session>
    <jms-system-resource>
    <jdbc-system-resource>

    If you had configuration auditing enabled, you'd have backup copies in a configArchive folder. You should enable this; by default it is not.
    You can create a configuration quickly by just using the configuration builder script in linux ( common/bin/config.sh ) or the configuration wizard in windows.
