SNMP Ace client packets

Hi All,
I am doing an snmpwalk on our ACE using the following oid:
1.3.6.1.4.1.9.9.161.1.4.2.1.9
The problem is that on some VIPs, after doing an snmpwalk, I am receiving 0 for bandwidth utilisation.
When I scan the device I see there is bandwidth usage.
Below is output from snmpwalk and the device itself.
SNMP-Walk
1.3.6.1.4.1.9.9.161.1.4.2.1.2.2.222 : Counter: 0
sh service policy CM-Rebranding-888-http
class: CM-Rebranding-888-http
     VIP Address:    Protocol:  Port:
     10.x.x.x      tcp        eq    80
      loadbalance:
        L7 loadbalance policy: PM-Rebranding-888-http
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : DISABLED
        VIP State: INSERVICE
        curr conns       : 3374      , hit count        : 8113708
        dropped conns    : 82195
        client pkt count : 186343165 , client byte count: 17308888870
        server pkt count : 292836401 , server byte count: 362759465286
        conn-rate-limit      : -         , drop-count : -
        bandwidth-rate-limit : -         , drop-count : -
        L7 Loadbalance policy : PM-Rebranding-888-http
          class/match : class-default
             LB action: :
               sticky group: Rebranding-888-http
                  primary serverfarm: SF-Rebranding-888-http
                    state: UP
                  backup serverfarm : -
            hit count        : 8113703
            dropped conns    : 0
        Parameter-map(s):
          Rebranding-888-http-Idle
It looks like a bug to me.
Any help would be appreciated in understanding this issue.
If anyone has encountered this issue and overcome it please let me know.
Thanks.
Jack.

Jack
Probably easiest if we can set it up in the lab and test it. Would you be willing to share your config? Or maybe open a TAC case and I can take a look at it. Which version of s/w?
Matthew

Similar Messages

  • SNMP management client

    We are looking for information on SNMP management client that integrates
    well with Forte. If anybody has done something with SNMP, I would like to
    find out what you are using and how difficult was the process.
    thanks in advance.
    ka
    Kamran Amin
    Framework, Inc.
    303 South Broadway
    Tarrytown, NY 10591
    (914) 631-8953x121
    kamran.aminlendware.com
    http://www.lendware.com/

    Issue resolved.
    If anyone has this problem again, the solution is in two parts:
    (1) SNMPAgents do not respond to incorrectly configured requests so disable the security to permit testing. For the SNMPAgent all useful settings seem to reside in the SimpleAgent.xml file, so find the SNMP "version" and set it to "1". So far I haven't been able to find any documentation for this component.
    File: C:\JavaCAPS51\emanager\server\monitor\snmpagent\config\SnmpAgent.xml
    <properties
    version="3" -- Change to 1, available options (1|2|3)
    />
    All polling requests should work now.
    (2) The "AdventNet SNMP Adaptor 5 MibBrowser" doesn't appear to support SNMP v3 security fully, or in a way compatible with the SNMPAgent implementation. The "iReasoning MIB Browser" (Professional Edition only with v3 support) works fine. Judging by the log files the CAPS SNMPAgent uses the iReasoning SNMP API.

  • SNMP Traps - Mangled packet issue

    One of our clients uses the EMC SMARTS trap Adapter to collect SNMP traps from Resource Manager Essentials > Tools > Change Audit > Automated Action, and receives a mangled packet every night around midnight from the LMS3.1 server, as shown below. I could not find any scheduled process at midnight on the server. Attached is a file capture during that period.
    Any idea what is causing this?
    [26-Nov-2010 12:01:29 AM+554ms E. Australia Standard Time] t@2712 SNMP_TrapsHandler [0.0.0.0:162] Processor
    SNM2-E-SNMP_AGENTERRORSTATS-Below message for SNMP agent at
        '10.200.4.57:9033', was suppressed 0 times since The Epoch
    SNMP-EPARSER-Mangled or incorrect packet; parsing aborted and data discarded;
        in file "h:/FOUNDATION-7.2.0.X/137/smarts/snmp/lib/SNMP_Parser.c" at line
        1312
    [26-Nov-2010 12:01:50 AM+272ms E. Australia Standard Time] t@2712 SNMP_TrapsHandler [0.0.0.0:162] Processor
    SNM2-E-SNMP_AGENTERRORSTATS-Below message for SNMP agent at
        '10.200.4.57:9060', was suppressed 0 times since The Epoch
    SNMP-EPARSER-Mangled or incorrect packet; parsing aborted and data discarded;
        in file "h:/FOUNDATION-7.2.0.X/137/smarts/snmp/lib/SNMP_Parser.c" at line

    I looked at the trap PDUs that correspond to the timestamps in the log output, and I do not see any problems. Is there additional debugging you can enable in the Smarts application that will indicate why it thinks these traps are mangled?
    The traps themselves come from RME because it looks like you have enabled Inventory and Config collection failure notification, and RME cannot fetch the config from certain devices.  It appears that perhaps RME is doing periodic config collection or polling around 11:30 pm when these traps start to get generated.

  • ACE Rst Packets

    Hello Everyone,
    I have an ACE10 module in my 6509 core switch. My context "Proxy" was created to balance connections to Forefront TMG servers; this balancing needs the original client IP address end to end in the solution.
    My problem is: the clients are complaining of slow connections to the internet. I captured the traffic with the ACE capture feature and I see some RST packets and several checksum error packets in the pcap file.
    The topology is:
    Client -> ACE VIP VLAN 81 -> RSERVERS VLAN 80
    Vlan 80 is in L2 mode (no interface vlan in the switch core 6509; routing occurs through the ACE appliance).
    The IP address 10.96.200.6 is the gw for rservers.
    system:    Version A2(3.4) [build 3.0(0)A2(3.4)]
    system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_4.bin
    rserver host PANFPRXP301A
      ip address 10.96.200.11
      inservice
    rserver host PANFPRXP301B
      ip address 10.96.200.12
      inservice
    sticky ip-netmask 255.255.255.255 address source STICKY-SF-PANPROXY
      replicate sticky
      serverfarm SF-PAN-PROXY
    interface vlan 80
      ip address 10.96.200.4 255.255.255.0
      alias 10.96.200.6 255.255.255.0
      peer ip address 10.96.200.5 255.255.255.0
      no normalization
      no icmp-guard
      access-group input all-access
      access-group output all-access
      service-policy input ACCESS
      no shutdown
    interface vlan 81
      ip address 10.96.201.4 255.255.255.0
      alias 10.96.201.6 255.255.255.0
      peer ip address 10.96.201.5 255.255.255.0
      no normalization
      no icmp-guard
      access-group input all-access
      access-group output all-access
      service-policy input ACCESS
      service-policy input INTVLAN80
      no shutdown
    policy-map multi-match INTVLAN80
      class VIP-SF-PANPROXY
        loadbalance vip inservice
        loadbalance policy SLB-SF-PANPROXY
        loadbalance vip icmp-reply active primary-inservice
        appl-parameter http advanced-options PARAMETER-HTTP
    Logs
    ====================================================================
    Aug 15 2012 10:24:09 : %ACE-6-302023: Teardown TCP connection 0xb9fec for vlan81
    :10.93.15.69/1439 (10.93.15.69/1439) to vlan80:10.96.201.10/8080 (10.96.200.12/8
    080) duration 0:01:28 bytes 13741 TCP FINs
    Aug 15 2012 10:24:09 : %ACE-6-302022: Built TCP connection 0x1121b8 for vlan81:1
    0.93.15.69/1443 (10.93.15.69/1443) to vlan80:10.96.201.10/8080 (10.96.200.12/808
    0)
    Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0xc400b for vlan81:10
    .93.7.69/4863 (10.93.7.69/4863) to vlan80:10.96.201.10/8080 (10.96.200.11/8080)
    Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0xc676f for vlan81:10
    .93.15.29/2173 (10.93.15.29/2173) to vlan80:10.96.201.10/8080 (10.96.200.12/8080
    Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0xc3621 for vlan81:10
    .93.7.84/54169 (10.93.7.84/54169) to vlan80:10.96.201.10/8080 (10.96.200.11/8080
    Aug 15 2012 10:24:10 : %ACE-6-302025: Teardown UDP connection 0x110764 for vlan8
    0:10.96.200.11/32230 (10.96.200.11/32230) to vlan81:172.17.2.35/53 (172.17.2.35/
    53) duration 0:00:11 bytes 126 Idle Timeout
    Aug 15 2012 10:24:10 : %ACE-6-302023: Teardown TCP connection 0x111c70 for vlan8
    1:10.93.15.69/1441 (10.93.15.69/1441) to vlan80:10.96.201.10/8080 (10.96.200.12/
    8080) duration 0:00:02 bytes 1759 TCP FINs
    Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0x5fc51 for vlan81:10
    .93.7.69/4864 (10.93.7.69/4864) to vlan80:10.96.201.10/8080 (10.96.200.11/8080)
    Aug 15 2012 10:24:11 : %ACE-6-302022: Built TCP connection 0xc5282 for vlan81:10
    .93.5.157/1522 (10.93.5.157/1522) to vlan80:10.96.201.10/8080 (10.96.200.11/8080
    Aug 15 2012 10:24:11 : %ACE-6-302022: Built TCP connection 0x10e7a2 for vlan81:1
    0.93.15.29/2174 (10.93.15.29/2174) to vlan80:10.96.201.10/8080 (10.96.200.12/808
    0)
    Aug 15 2012 10:24:11 : %ACE-6-302023: Teardown TCP connection 0x102c48 for vlan8
    1:10.84.34.23/1130 (10.84.34.23/1130) to vlan80:10.96.201.10/8080 (10.96.200.12/
    ====================================================================
    If needed, I can send the pcap file for analysis.
    Tks a Lot.
    Rafael

    Hi Rafael,
    Are RST's coming from ACE? What if you access the server directly? If you could raise a TAC case we would do in-depth analysis of the problem.
    Regards,
    Siva
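
One way to triage a pasted log like the one in the question above, as an added Python example that is not part of the original thread: it rejoins the hard-wrapped records, tallies teardown reasons per real server, and lists connections that were built but never torn down in the capture. The sample lines are constructed in the same format with made-up addresses, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: same record format and hard wrapping as the excerpt in
# the post, but with documentation-range addresses. The last record is cut off.
SAMPLE = """\
Aug 15 2012 10:24:09 : %ACE-6-302022: Built TCP connection 0x1a01 for vlan81:1
98.51.100.7/1443 (198.51.100.7/1443) to vlan80:192.0.2.10/8080 (192.0.2.12/808
0)
Aug 15 2012 10:24:10 : %ACE-6-302023: Teardown TCP connection 0x1a01 for vlan8
1:198.51.100.7/1443 (198.51.100.7/1443) to vlan80:192.0.2.10/8080 (192.0.2.12/
8080) duration 0:00:01 bytes 1759 TCP FINs
Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0x1a02 for vlan81:1
98.51.100.8/4863 (198.51.100.8/4863) to vlan80:192.0.2.10/8080 (192.0.2.11/8080
Aug 15 2012 10:24:10 : %ACE-6-302025: Teardown UDP connection 0x1b00 for vlan8
0:192.0.2.11/32230 (192.0.2.11/32230) to vlan81:203.0.113.53/53 (203.0.113.53/
53) duration 0:00:11 bytes 126 Idle Timeout
Aug 15 2012 10:24:11 : %ACE-6-302023: Teardown TCP connection 0x1a03 for vlan8
1:198.51.100.9/1439 (198.51.100.9/1439) to vlan80:192.0.2.10/8080 (192.0.2.12/
8080) duration 0:01:28 bytes 13741 TCP FINs
Aug 15 2012 10:24:11 : %ACE-6-302023: Teardown TCP connection 0x1a04 for vlan8
1:198.51.100.9/1130 (198.51.100.9/1130) to vlan80:192.0.2.10/8080 (192.0.2.12/
"""

# A new record starts with the timestamp followed by the %ACE- tag.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2} : %ACE-")

# The closing parenthesis and the "duration ... bytes ... <reason>" tail are
# optional: Built records have no tail, and pasted captures lose characters.
EVENT = re.compile(
    r"%ACE-\d-(?P<msgid>\d+): (?P<action>Built|Teardown) (?P<proto>TCP|UDP) "
    r"connection (?P<conn>0x[0-9a-fA-F]+) "
    r"for (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>[^:\s]+):(?P<vip>[\d.]+)/(?P<vport>\d+) "
    r"\((?P<real>[\d.]+)/(?P<rport>\d+)\)?"
    r"(?: duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+))?$"
)


def unwrap(text):
    """Rejoin records that a fixed-width capture split across lines.

    Assumes the wrap fell mid-token (as in the post), so pieces are joined
    without inserting a space.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"="}:      # blank or separator line
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += line
    return records


def parse(record):
    """Return the named fields of one record, or None if it is incomplete."""
    m = EVENT.search(record)
    return m.groupdict() if m else None


def summarize(text):
    """Tally teardown reasons per real server and track unclosed connections."""
    reasons = defaultdict(Counter)   # "ip:port" of real server -> reason -> count
    still_open = {}                  # connection id -> real server
    unparsed = 0
    for record in unwrap(text):
        ev = parse(record)
        if ev is None:
            unparsed += 1            # truncated record: count it, never guess
            continue
        real = f"{ev['real']}:{ev['rport']}"
        if ev["action"] == "Built":
            still_open[ev["conn"]] = real
        else:
            still_open.pop(ev["conn"], None)
            reasons[real][ev["reason"] or "unknown"] += 1
    return {
        "reasons": {real: dict(c) for real, c in reasons.items()},
        "still_open": still_open,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for real, counts in report["reasons"].items():
        print(real, counts)
    print("built, no teardown seen:", report["still_open"])
    print("records too damaged to parse:", report["unparsed"])
```

Any teardown reason other than the ones already seen in the excerpt shows up as its own key in the tally, which makes a reset-heavy real server stand out from one that closes with FINs.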

  • ACE client authentication performance degradation

    Hi,
    If possible is anybody able to provide any advice & guidance WRT the below:
    According to; http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/command/reference/sslproxy.html “When you enable client authentication, a significant performance decrease may occur in the ACE module.”
    The statement raises a lot of questions;
    1. Presumably the degradation can only happen as a result of an SSL client performing a handshake with the ACE (SSL server), the ACE requesting a client certificate and the client responding with a certificate at which stage the ACE has to verify the Client certificate?
    2. Some metrics are needed from Cisco around the degradation – for example how many certificate verifications per second can the ACE support (1,10,100,1000)? If this is dependent on RSA key size then metrics are needed  for 1024 and 2048 keys.
    3. The Cisco ACE supports partitioning of resources (http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_Managing_Resources_ and therefore I assume that the ACE can be protected from degradation by setting a limit on SSL handshakes per second which is well below the limit from 2?
    4. Any references to some relevant documentation ?

    Hello Preck-
    As a first point, we don't generally document every possible aspect of performance numbers on products because there are many factors that play into the numbers. This is one of the grey areas where we cannot pin down any hard numbers due to too many outside factors.
    Here is the full story on SSL client authentication:
    Under a normal SSL handshake, the SSL server exchanges the public key and certificate file to the client, and a cipher is chosen to encrypt the communication between the two entities.  Past that communication, there are a few things that could result in extra packets, or a new SSL handshake i.e. SSL version negotiation and/or cipher related issues.  Some things can shorten the handshake time like SSL session ID's and using specific SSL protocols (i.e. if the client and server only ever used TLS v1.1 and never had to negotiate from SSL v3.0 to TLS).
    Once the handshake is done, the performance only depends on network latency and the amount of time it takes to encrypt/decrypt the traffic which is dependent on the SSL version, cipher, and SSL strength (key bits). This is important to your questions because the only thing that affects performance is the initial handshake process.
    When you enable client authentication, before the handshake is complete, the server requests the client to send a certificate. The client may send multiple certificates, or just 1. When the server receives the certificate, it checks that it matches the certificate that it has installed for client authentication. As well, the server may do an extra check against the CRL to see if the certificate has been revoked (this is an external call to the CA via TCP or LDAP generally). The amount of certs, size of the certs, and size of the CRL are not known to the server, hence, it has to work with what it receives. The larger the files, the longer the handshake takes to complete.
    Specific to ACE:
    The degradation you are going to see is exactly what I stated in the last paragraph - it will be related to how many certs the ACE has to parse, how long it takes to get the CRL and check it all the way through. Because every client could give the ACE a different amount of certificates and the CRL could be any size/take any amount of time to retrieve and scan, there is no such thing as a common metric we can state about the difference in performance.
    We can tell you that the performance degradation is limited to the VIP that you have this enabled on and should not affect any other vips/context/the whole ACE in general. It also only relates to the amount of possible transactions per second, and not to total SSL concurrent connections or throughput. Throughput is not affected because the SSL Nitrox and Cavium engines are not used to scan the client certificate - the XScale Microengine is, so the throughput of the SSL daughter cards is not affected here.
    The bit count within the keypair is non-effecting to the performance when enabling client authentication if you are comparing the same as without client authentication. Certainly, you will see a drop in performance when moving from 1024 to 2048 bit keys due to the extra complexity involved in encrypting/decrypting - but no additional loss with client authentication. On a side note, keep in mind that doubling your key bit strength means your performance will take an exponential drop - not a linear drop. If you are planning on deploying 2048bit keys, make sure you test your environment prior to production release so that you know exactly what kind of performance to expect.
    About your question on partitioning resources, because this only affects the vip you have the authentication on, you don't need to worry about sandboxing off a context to handle this.
    Regards,
    Chris Higgins

  • ACE - Client Reset Connections to VIP

    When the client initiates a http connection to the VIP address, the connection fails because the client sends a RST back to the real server.
    My real servers have the default gateway of the 6513 vlan interface.
    Attached I have provided the Admin and test contexts, packet capture, and 6513 partial config.
    Can someone please assist me on resolving this issue?

    You only need the VLAN 32 configured on the MSFC because the "real server" VLAN 39 is routed through the ACE.
    MSFC <---VLAN 32---> ACE <--- VLAN 39 ---> Real Servers. So the default gateway should be the ip of the ACE context.
    EDIT: Also noticed you have no access-list on your ACE interfaces. No access-list means no traffic.
    Roble

  • ACE CLIENT CERTIFICATE INSERTION IN HEADER

    Hi guys.
    I have a doubt regarding the client cert insertion in the https header.
    The exact problem is that in the old SSL module we had an option like this:
    policy http-header cert_pass
         client-cert pem
    As you can see, we configure the option to pass the complete certificate in pem format in one header.
    I'm unable to find this option in ACE 5.1(3) version.
    Any idea?
    Thanks!

    Hi David,
    Maybe I didn't understand. Is this what you are looking for? You can find it in the same link.
    Configuring HTTP Header Insertion of SSL Client Certificate Information
    When you configure the ACE for client authentication, you can instruct the ACE to provide the server with information about the client certificate that the ACE receives from the client. This SSL session information enables the server to properly manage the client request and can include certificate information such as the certificate serial number or the public key algorithm used to create the public key in the certificate. To forward the SSL session information to the server, the ACE inserts HTTP headers containing the client certificate fields that you specify into the HTTP requests that it receives over the client connection. The ACE then forwards the HTTP requests to the server.
    Note To prevent HTTP header spoofing, the ACE deletes any incoming HTTP headers that match one of the headers that it is going to insert into the HTTP request.
    When you instruct the ACE to insert SSL client certificate information, by default, the ACE inserts the HTTP header information into every HTTP request that it receives over the client connection because persistence rebalance is enabled by default. If you do not want the ACE to insert the information into every HTTP request that it receives over the connection, disable persistence rebalance in an HTTP parameter map. You can also instruct the ACE to insert the information into every HTTP request that it receives over the connection by creating an HTTP parameter map with the header modify per-request command enabled. You then reference the parameter map in the policy map that the ACE applies to the traffic. For information about creating an HTTP parameter map, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
    Note You must have the ACE configured for client authentication to insert an HTTP header with SSL client certificate field information (see the "Enabling Client Authentication" section). If you configure header insertion but do not configure the ACE for client authentication, no header information is inserted and the counters that track the header insertion operation do not increment (see Chapter 6, "Displaying SSL Information and Statistics").
    Regards,
    Kanwal
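
The anti-spoofing rule in the note quoted above (delete matching incoming headers, then insert the verified certificate fields), as an added Python example that is not Cisco's code or part of the original thread. The header names, field keys and function names are hypothetical; the example also goes beyond the quoted text by treating `_` and `-` as equivalent in header names, by stripping reserved names even when no certificate was presented, and by refusing CR/LF in inserted values.

```python
# Hypothetical mapping: verified certificate field -> header the proxy inserts.
# These names are made up for the example; they are not the ACE's header names.
CERT_HEADERS = {
    "serial": "X-Example-Cert-Serial",
    "subject_cn": "X-Example-Cert-Subject-CN",
    "pubkey_alg": "X-Example-Cert-Pubkey-Alg",
}


def canonical(name):
    """Fold case and '_'/'-' so look-alike spellings compare equal."""
    return name.strip().lower().replace("_", "-")


def forward_headers(incoming, cert, cert_headers=CERT_HEADERS):
    """Return (headers_for_server, dropped_client_headers).

    incoming: list of (name, value) pairs exactly as the client sent them.
    cert:     dict of fields from a certificate the proxy verified itself,
              or None when the client presented no certificate.
    """
    reserved = {canonical(h) for h in cert_headers.values()}
    forwarded, dropped = [], []
    for name, value in incoming:
        # Anything the client sends under a reserved name is untrusted:
        # only the proxy may make statements about the TLS layer.
        if canonical(name) in reserved:
            dropped.append((name, value))
        else:
            forwarded.append((name, value))

    for field, header in cert_headers.items():
        value = (cert or {}).get(field)
        if value is None:
            continue
        # Certificate fields are text chosen by whoever requested the cert;
        # refuse CR/LF so a field cannot start a new header line.
        if "\r" in value or "\n" in value:
            raise ValueError(f"control characters in certificate field {field!r}")
        forwarded.append((header, value))
    return forwarded, dropped


# Constructed request: two client-supplied certificate headers among normal ones.
REQUEST = [
    ("Host", "portal.example"),
    ("x-example-cert-serial", "01"),
    ("X_Example_Cert_Subject_CN", "admin"),
    ("Accept", "*/*"),
]
VERIFIED = {"serial": "4F:2A", "subject_cn": "alice"}

if __name__ == "__main__":
    headers, removed = forward_headers(REQUEST, VERIFIED)
    for name, value in headers:
        print(f"{name}: {value}")
    print("dropped:", removed)
```

On the server side, the matching check is that these headers are only trusted on connections that can only have come from the load balancer.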

  • Ace module dropping asymmetric layer 2 connections

    Hi, we had a situation where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server. The server in question was using Transmit Load Balancing with Fault Tolerance.
    The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
    I am guessing if the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address (no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1. The ace module is in transparent mode. When contacting a server on the other side of the ace, the ace drops packets that came from the second nic - and I am wondering how it "knows" that the return path is out of a different downstream port. Does it share some kind of layer 2 RPF check with the 6500?
    Please note there is no routing involved here.  The destination server is just on another vlan on the same subnet, on the other side of the ace.

    Bryan,
    As long as the server replies back to the ACE the client should only be communicating with the VIP address in either of your two examples.
    In your first example the flow will look like this.
    client > VIP after the ACE  client > rserver
    the reply would be
    rserver > client after the ACE VIP > rserver
    In your second example using client nat it will look like this
    Client > VIP   After ACE  Natpool > rserver.
    the reply would be
    rserver > Nat-pool  after ACE VIP > client.
    The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
    Regards
    Jim

  • ACE - Connection Reset

    Hello All,
    I have a strange issue but I'm not sure it is content switch related in any way.
    A group of hosts talk to two servers connected behind a content switch via a VIP.
    Some dev are complaining about a high level of discarded / reset connections.
    From the trace we ran you can see some RST,ACK packets in Wireshark but no RST packet prior to that last RST,ACK packet sent by the ACE module to the clients.
    Did anybody come across the same kind of situation?
    Regards,
    Thibault.

    Is there a chance that you are running code A2 (3.2)?  You may be hitting a bug that I have found within my environment as well.  CSCti88248.
    CSCti88248—When the ACE is waiting to reassemble client packets, it may reset TCP-based client connections if all the following conditions exist:
    –ACE is configured with a Layer 7 load-balancing policy where the ACE proxies the client-side TCP connection before making a load-balancing decision
    –Client-side connection experiences packet loss
    –The TCP TX racing messages (data) counter in the output of the show np n me-stats -stcp is incrementing
    This problem can also occur with secure (SSL) terminated connections. Workaround: Configure an empty connection parameter map and add it to a multi-match policy map under the class map that is configured for the VIP experiencing the problem. For example:
    parameter-map type connection TCPReassembly
    policy-map multi-match MultiMatch_PolicyMap
       class HTTP_VIP_80
          loadbalance vip inservice
          loadbalance policy L7_HTTP_PolicyMap
          loadbalance vip icmp-reply active
          connection advanced-options TCPReassembly
    Regards

  • Connections through ACE module

    When a client makes a connection to a vip which is in the client side vlan, and the ace sends the load balanced request to the rserver, and the rserver replies - does the rserver always get nat'd to the vip in the reply - if no nat is configured? Because if the client sends a syn to the vip and receives a syn,ack from a different ip, it'll just send a reset, correct?
    How about in this example using nat? Does the rserver's reply get patted to 172.19.192.26, then get nated again to the vip? Or do they go straight to the client?
    vlan 195 is the client side
    vlan 719 is the server side
    access-list acl_NAT_VIP line 40 extended permit ip 172.19.254.0 255.255.254.0 172.19.192.0 255.255.252.0
    class-map match-any NAT_CLASS_VIP
      2 match access-list acl_NAT_VIP
    policy-map multi-match NAT_POLICY
      class NAT_CLASS_VIP
        nat dynamic 5 vlan 719
    interface vlan 195
      ip address 172.19.192.19 255.255.252.0
      alias 172.19.192.18 255.255.252.0
      peer ip address 172.19.192.20 255.255.252.0
      access-group input allowall
      access-group output allowall
      nat-pool 2 172.19.195.37 172.19.195.37 netmask 255.255.255.255 pat
      nat-pool 3 172.19.195.39 172.19.195.39 netmask 255.255.255.255 pat
      nat-pool 4 172.19.195.40 172.19.195.40 netmask 255.255.255.255 pat
      nat-pool 1 172.19.195.46 172.19.195.46 netmask 255.255.255.255 pat
      nat-pool 6 172.19.195.36 172.19.195.36 netmask 255.255.255.255 pat
      service-policy input LB_POLICY
      no shutdown
    interface vlan 719
      ip address 10.1.9.66 255.255.255.240
      alias 10.1.9.65 255.255.255.240
      peer ip address 10.1.9.67 255.255.255.240
      access-group input allowall
      access-group output allowall
      nat-pool 5 172.19.192.26 172.19.192.26 netmask 255.255.255.255 pat
      service-policy input LB_POLICY
      service-policy input NAT_POLICY
      no shutdown

    Bryan,
    As long as the server replies back to the ACE the client should only be communicating with the VIP address in either of your two examples.
    In your first example the flow will look like this.
    client > VIP after the ACE  client > rserver
    the reply would be
    rserver > client after the ACE VIP > rserver
    In your second example using client nat it will look like this
    Client > VIP   After ACE  Natpool > rserver.
    the reply would be
    rserver > Nat-pool  after ACE VIP > client.
    The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
    Regards
    Jim

  • ACE Serverfarm Error

    I have ACE 4710 with c4710ace-mz.A3_2_2 Image.
    Everything is working fine but I am getting the following failure error for the serverfarm related to my Proxy Server.
    ACE02/Rack2# show serverfarm SF_BCPR
    serverfarm     : SF_BCPR, type: HOST
    total rservers : 2
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: RS_BCPR01
           192.168.0.103:0       8      OPERATIONAL  2661       5599360    4207
       rserver: RS_BCPR02
           192.168.0.104:0       8      OPERATIONAL  986        9991646    5324
    I have checked the CPU and memory load on the ACE; there is no high load. I am concerned about this failure. What is the reason for this failure?

    In general, the counter is incremented for the following reasons.
    1) SYN timeout
    2) RST received
    3) Internal exception
    Please monitor the following output. If Drop counter is incremented
    when failures counter is incremented, ACE drops packets due to
    internal exception.
    show np 1 me-stats -sicm
    show np 1 me-stats -socm
    show np 1 me-stats -shttp
    If Drop counter is not incremented, failures counter maybe incremented
    by syn timeout or rst received. In that case, to isolate the source of the
    problem, you will have to get capture trace on both client and server side.
    Regards,
    Yuji

  • NAC Server + Clients issue

    Hello Guys,
    I have been in very trouble with this NAC since last week, it started when there was power outage in datacenter and both of my NAC Servers went down.
    After restart, now clients (Nac agents) are not switching to Normal VLAN from Authentication VLAN. they remain in Authentication VLAN.
    There are some clients connected to same switch, same vlan are working fine but 90% got in trouble.
    Any one please any advice? any tip etc. there is no problem troubleshooting tech in NAC either... All I can see in log is NAC client Joined. NAC Client Removed. That's it....
    Please help!!!

    Hi Syed,
    Can you please provide me following information:
    1. Setup information (i.e RIP/VG, L2/L3, IB/OOB)
    2. Version on CAM and CAS.
    3. Do you have HA configured for CAM and CAS.
    4. Logs from CAM and CAS.
    5. Debug snmp error and packet from the switch.
    6. IP address of client
    I want to verify if SNMP trap is correctly sent and received.
    Anubhav Swami (Anna)

  • ACE Module throughput

    Hi
    In the datasheet of the ACE module (ACE20-MOD-K9) there is the following promise:
    Throughput
    16 Gbps*, 8 Gbps*, and 4 Gbps
    We have a base license, so I assume we have a throughput of 4Gbps (gigabits per second).
    Are these 4Gbps bidirectional or unidirectional?
    Is it 2Gbps in one direction and 2Gbps in the other direction?
    Imagine we have just 1 host (A) before the ACE module and just 1 host (B) behind the ACE module. Can I transfer data from A to B (unidirectional) with 4Gbps? Assume the hosts are connected with 10Gbps to the network and use multiple flows!
    How can I measure the effective used bandwidth on the ACE module?
    What happens if host A tries to send data faster than 4Gbps? Does it deny single packets? Based on what? Does it deny additional sessions?
    How do I know that the ACE runs at its bandwidth limitation?
    Any Ideas?
    Thanks
    Patrik

    Hi Patrik,
    See my answers inline:
    We have a base license, so I assume we have a throughput of 4Gbps (gigabits per second). Are these 4Gbps bidirectional or unidirectional? Is it 2Gbps in one direction and 2Gbps in the other direction?
    It measures the total throughput going through the box. It includes both directions. Also take into account that, for any traffic through the ACE, the packets are seen twice (client to ACE and ACE to server), so the effective throughput is half of the licensed one.
    Imagine we have just 1 host (A) before the ACE module and just 1 host (B) behind the ACE module. Can I transfer data from A to B (unidirectional) with 4Gbps? Assume the hosts are connected with 10Gbps to the network and use multiple flows!
    You could get up to 2Gbps unidirectional. This traffic will go through the ACE twice, adding to the 4Gbps license.
    How can I measure the effective used bandwidth on the ACE module?
    With the "show resource usage" command
    What happens if host A tries to send data faster than 4Gbps? Does it deny single packets? Based on what? Does it deny additional sessions?
    It will drop packets that go over the bandwidth without taking into account to which connection they belong
    How do I know that the ACE runs at its bandwidth limitation?
    Again, "show resource usage"
    Regards
    Daniel

  • ACE- From one real server to another VIP

    Hi,
    I have a problem with ACE;
    We have multiple serverfarms configured in the ACE module based on the application and different VIPs related to it. We are running the ACE in bridging mode. Now the requirement is that a real server from one serverfarm wants to communicate with the VIP of the second serverfarm... Is this possible? Will some NATing help in this situation? Below is the configuration.
    ======================
    access-list LAN_Traffic remark For all IP Traffic
    access-list LAN_Traffic line 10 extended permit ip any any
    access-list LAN_Traffic line 20 extended permit icmp any any
    probe http PORTAL_HTTP
      passdetect interval 20
      passdetect count 2
      request method get url http://portal
      expect status 0 600
    probe http RMS_HTTP
      request method get url /_wmcs
      expect status 0 600
    rserver host PORTAL1
      ip address 172.22.11.241
      inservice
    rserver host PORTAL2
      ip address 172.22.11.243
    rserver host QGLRSPW1
      inservice
    rserver host RMS01
      ip address 172.22.10.12
      inservice
    rserver host RMS02
      ip address 172.22.10.8
      inservice
    serverfarm host PORTAL
      failaction purge
      probe PORTAL_HTTP
      rserver PORTAL1
        inservice
      rserver PORTAL2
        inservice
    serverfarm host RMS
      failaction purge
      probe RMS_HTTP
      rserver RMS01
        inservice
      rserver RMS02
        inservice
    class-map match-any PORTAL
      2 match virtual-address 172.22.10.166 tcp any
    class-map match-any RMS
      2 match virtual-address 172.22.10.52 tcp eq www
      3 match virtual-address 172.22.10.52 tcp eq https
    policy-map type loadbalance first-match RMS-POLICY
      class class-default
        serverfarm RMS
    policy-map type loadbalance first-match PORTAL-POLICY
      class class-default
        serverfarm PORTAL
    policy-map multi-match SFARM-LB-POLICY
      class RMS
        loadbalance vip inservice
        loadbalance policy RMS-POLICY
        loadbalance vip icmp-reply active
      class PORTAL
        loadbalance vip inservice
        loadbalance policy PORTAL-POLICY
        loadbalance vip icmp-reply active
    interface vlan 800
      description ACE Client Interface
      bridge-group 1
      mac-sticky enable
      service-policy input SFARM-LB-POLICY
      no shutdown
    interface vlan 898
      description ACE Server Interface
      bridge-group 1
      mac-sticky enable
      no shutdown
    interface bvi 1
      ip address 172.22.11.151 255.255.252.0
      alias 172.22.11.153 255.255.252.0
      peer ip address 172.22.11.152 255.255.252.0
      description Bridge Group for 800 and 898 Interfaces
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.22.8.17
    ===================================
    Please help. Thanks in advance.

    Hello!
    Well, yes, it would work. BUT... you have to change your config a bit. First, you need to apply your access list to both interfaces, or the ACE will reject it, because it is acting as a firewall by default. Second, you have to apply the policy map to both interfaces as well, or put the policy map globally on the ACE.
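
The check the reply describes, as an added example that is not part of the original thread: a short Python audit that reads an ACE running-config and lists the VLAN interfaces with no input `access-group` or `service-policy`, either on the interface or applied globally. The sample is a constructed excerpt of the posted configuration, and `audit_interfaces` is a hypothetical helper name.

```python
# Constructed sample: interface section of the configuration posted above.
SAMPLE_CONFIG = """\
access-list LAN_Traffic line 10 extended permit ip any any
interface vlan 800
  description ACE Client Interface
  bridge-group 1
  service-policy input SFARM-LB-POLICY
  no shutdown
interface vlan 898
  description ACE Server Interface
  bridge-group 1
  no shutdown
interface bvi 1
  ip address 172.22.11.151 255.255.252.0
  no shutdown
"""

CHECKED = ("access-group", "service-policy")  # both are applied as "<cmd> input <name>"


def audit_interfaces(config):
    """Map each VLAN interface to the CHECKED commands it lacks.

    A command at column 0 counts as applied globally to every interface.
    (audit_interfaces is a hypothetical helper, not an ACE tool.)
    """
    global_cmds, per_if, current = set(), {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():              # top-level line starts a new section
            current = raw.strip() if words[:2] == ["interface", "vlan"] else None
            if current:
                per_if[current] = set()
            target = global_cmds
        else:
            target = per_if.get(current)      # None inside non-VLAN sections
        if target is not None and words[0] in CHECKED and words[1:2] == ["input"]:
            target.add(words[0])
    findings = {}
    for name, cmds in per_if.items():
        missing = [c for c in CHECKED if c not in cmds | global_cmds]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_interfaces(SAMPLE_CONFIG).items():
        print(f"{name}: no input {', '.join(missing)}")
```

On the sample, the client VLAN is reported for the missing access list and the server VLAN for both items, which matches the two changes the reply asks for.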

  • ACE 4710 HTTPS load balance configuration

    Have two ACE 4710 in HA setup. We would like to set up HTTPS load balancing (actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections but may expand to more HTTPS connections later.
    I know there are several ways to do SSL with the ACE (client, server, end-to-end). I am just wanting to know the easiest way to deploy this. Is a certificate always needed on the ACE for each connection? In HA mode, would a certificate be needed for both, or does it replicate in some way to the other ACE?
    Any configuration examples would be helpful.
    Thanks.

    If you terminate SSL on the ACE, you need certificates and key on the ACE in the context in which you are doing the termination. The certs and keys need to be installed on the active and standby (manually, unless using ANM to manage).
    When speaking of SSL:
    SSL termination - refers to the ACE terminating SSL and sending to the server as clear text.
    End to end - the ACE terminates SSL (to look into the payload to make a load-balance decision or sticky decision) and then re-encrypts to the server, so to the client the ACE is an SSL server and to the server the ACE is an SSL client.
    You can find some config examples at
    http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
