Ssh access into virtual context on the ACE module A(2.2)

Similar Messages

• How to Virtual IP configuration in ACE module?

  Hi,
  I am in the process of configuring load balancing on ACE module but struggling to configure virtual IP address for ACE module.
  I'm working on ACE30 module and using software version A5 (1.2). ACE module is in slot of Catalyst 6504 switch.
  Can anybody please post the steps/commands to perform this activity? An early response would be appreciated.
  Regards,
  Rachit.

  Hi Rachit,
  Here is a basic configuration example:
  access-list Allow_Access line 10 extended permit ip any any
  rserver host test
    ip address 10.198.16.98
    inservice
  rserver host test2
    ip address 10.198.16.93
    inservice
  serverfarm host test
    rserver test 80
      inservice
    rserver test2 80
      inservice
  sticky http-cookie test group2
    cookie insert
    serverfarm test
  class-map match-all VIP
    2 match virtual-address 10.198.16.122 tcp eq www
    policy-map type loadbalance first-match test
    class class-default
      sticky-serverfarm group1
  policy-map multi-match clients
    class VIP
      loadbalance vip inservice
      loadbalance policy test
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 112
  interface vlan 112
    ip address 10.198.16.91 255.255.255.192
    access-group input Allow_Access
    nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
    service-policy input NSS_MGMT
    service-policy input clients
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.198.16.65
  Here is the configuration guide:
  http://tools.cisco.com/squish/101AD
  Cesar R

• A problem with ACL in the class-map on the ACE module

                    Hi all,
  I configured the following on the ACE module:
  object-group network test
    host 192.168.1.21
    host 192.168.1.22
    host 192.168.1.23
  object-group service port
    tcp eq www
    tcp eq 8080
  access-list T line 8 extended permit object-group port object-group test any
  I tried to configure a class-map for matching this ACL:
  ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
  ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
  Error: Cannot associate acl having object-group ACEs in class-map.
  So couldn't I  configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
  Thank you
  Roman

  Hi Roman,
  I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
  Regards
  Daniel

• Is the ACE Module support IPV6?

  dear all
  is the ACE module support IPV6?
  best regards

  The ACE does not currently support IPv6 but it is being looked at to be added to the feature set.

• How to create and access a Virtual Host on the J2EE WAS?

  Hello, I have searched through the Forums and help.sap.com and found a lot of information on how to set up a Virtual Host on the J2EE server but am having issues with it working.
  The goal is to provide a simple virtual host on the J2EE Portal server to host some static image and HTML files. Previously I had stored these files in the standard publicly accessible SAP J2EE folder location /usr/sap/<SID>/JCxx/j2ee/cluster/serverx/apps/sap.com/com.sap.engine.docs.examples/servlet_jsp/_default/root/. This location is resolved to when using the URL <host>:50000 for example.
  The main issue here is that during Portal support pack applications this folder gets wiped out and we have to remember to save off any custom files and folders in this location and replace them.
  I would like to create a virtual host to store these static files (i.e., branding-image.jpg, etc...).
  I have run through the process of creating the virtual host both using Visual Administrator and <host>:50000/nwa but am not able to get the virtual host name to resolve properly.
  The following are the steps that I have taken. Let's assume the standard SAP portal (i.e., xSS, etc...) is running properly on <host>:50000.
  1. create virtual host via Visual Administrator/NWA called 'sapwebserver1' by using the Create Host option (takes on the attributes of the 'default' standard virtual host)
  2. change the root directory for this virtual server to a custom folder at E:/tmp/mimes (where E:/usr is where the J2EE files are all installed), no start files were set up and nothing else was changed in the new virtual host record, no permissions were changed on the /tmp/mimes folder from whatever the default Windows user permissions are normally set, I am using a local Windows  administrator account but I have not seen any reference in the help files or the examples that indicate that any specific permissions updates need to be made on the virtual host root folder
  3. restarted the J2EE server as well as the HTTP Provider service
  4. before updating the company DNS, I wanted to test this locally on the server and so have updated the server's local HOSTS file with a <host IP address>   sapwebserver1 entry
  5. from that server I can ping the sapwebserver1 virtual host name and it resolves properly to the machine's physical IP address
  According to all of the documentation and examples I have seen I should now be able to (from that server) launch a browser and access the static files in the virtual host by referring to http://sapwebserver1:50000/branding-image.jpg for example. This is not working and the browser just brings up a Cannot display the web page error in IE. By referring to the virtual host name sapwebserver1:50000 it's supposed to hit the J2EE server and based on the host name sapwebserver1 realize that it should resolve to the root directory E:/tmp/mimes. This is not happening. Just as a test I have created a copy of the 'default' virtual host and called it sapwebserver2, updated the local HOSTS file for this entry, and tried to see if that would work like the 'default' host. My expectation was that http://sapwebserver2:50000 would behave the same was as http://<host>:50000 but it too fails to resolve just like the sapwebserver1 virtual host refernce.
  Would anyone happen to have any pointers on what to do next? I just want a simple virtual host to be able to serve up some static images and files.
  Thanks for any insight or assistance you might be able to provide here.
  Graham

  This defeats the purpose of trying to centralize SAP-related web resources on the SAP server. Typically IIS/Apache or other non-SAP servers are under the control of IT and not the SAP BASIS group.
  We simply would like to have a centralized location to store static web files so that they are not overwritten during Portal support pack applications.

• Simple SLB with the ACE Module

  Hello,
  i have some problems with a ACE module i am currently tesing.
  I have a simple Serverfarm with two Servers.
  But there seems to be some Problems with the Loadbalancing i not understand:
  1) I use Round Robin, but the ACE seems to put me serval times to the same server. I notice this, because i have different content on both servers, also different URLs.
  2) withz the show serverfarm statement the total connects do not increment.
  switch/slb-c1# show serverfarm webfarm
  serverfarm : webfarm, type: HOST
  total rservers : 2
  ----------connections-----------
  real weight state current total
  ---+---------------------+------+------------+----------+--------------------
  rserver: web1
  10.0.33.201:0 8 OPERATIONAL 0 0
  rserver: web2
  10.0.33.200:0 8 OPERATIONAL 0 0
  switch/slb-c1# show service-policy L4_LB_VIP
  Status : ACTIVE
  Interface: vlan 300
  service-policy: L4_LB_VIP
  class: L4_VIP_CLASS
  loadbalance:
  L7 loadbalance policy: L7_SLB_POLICY
  VIP Route Metric : 77
  VIP Route Advertise : DISABLED
  VIP ICMP Reply : ENABLED
  VIP State: INSERVICE
  curr conns : 0 , hit count : 15
  dropped conns : 0
  client pkt count : 10198 , client byte count: 420991
  server pkt count : 23367 , server byte count: 34915173
  I have attatched the Config.
  Any Idea what is going on?

  what version do you have ?
  I would recommend to run the very recent A1.4.
  This is something that really should work.
  Gilles.

• Is the ACE module is hot swapable?

  can anybody confirm the ACE service module is hot swapable and either it can be placed in slot 5 in 6509 switch.

  Hi,
  The 6500 series supports hot-swappable modules and you can hot-swap the ACE blade in theory but you should shut it down prior to removal to avoid loss of data.
  Slot 5 in a 6509 is reserved for the Sup720.
  See http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/installation/note/aceinote.html
  for more information.
  HTH Cathy

• Can the ACE module or 4700 server up webpage.

  Hello.
  Is it possible for the ACE to serve up a web page to a VIP when the VIP is OUTOFSERVICE?
  Any capability for that at all?

  Hi,
  The ACE can redirect it to the server which hosts the web page stating content is unavailable , under maintenance etc but no option to do it on ACE itself. If you like to use the former, please look at the option of sorry server and serverfarm.
  Regards,
  Kanwal

• Shifting rservers on the ACE module

  hi all
  I wanted to please ask about moving rservers from serverfarm1  -to-  serverfarm2
  Can anyone please list out the order in steps to complete this trivial task?
  I'm asking since it was suggested to me to remove the entire VIP and all associated config, and then redeploy it, and that seemed somewhat excessive.
  many thanks

  serverfarm_A
  rserver1
  rserver2
  rserver3
  rserver4
  serverfarm_B
  rserver11
  rserver12
  rserver13
  rserver14
  the requirement is to shift rserver3  and  rserver4 to serverfarm_B
  Essentially the requirement is quite simple, but I don't know if the VIP wil be same or not and in any event I really don't think that'll matter.

• How the ACE handles rserver failures

  Hello
  I've got a question re: the ACE module.
  Lets say I have 2 web rservers and I have a probe interval for checking them from the ACE of 10 seconds.
  Lets say a probe just passed and it is 10 seconds before the next one. The ACE will think the rserver is ok. Then say the rserver httpd service is stopped at 3 seconds after the last successful probe, therefore leaving 7 seconds before the ACE is going to send another probe. The ACE will think it is still 'up' before the next probe is sent.
  Given the above, what happens to a) existing connections to the newly failed rserver and b) new connections if the failure occurs between probes?
  How does the ACE handle this situation?
  Are there any differences between how the ACE handles this between A1 and A2 versions of software?
  Thanks
  Cameron

  URL rewrite only comes into play when REAL Server (Rserver )sends a clear text redirect. Such as 302 for http://investor.nice360.com. If client recieves this 302 it will attempt the next request using HTTP.With Url rewrite feature we configure ACE to change these redirects from Http tp HTTPS.
  What you are looking for is a simple redirection of client request from port 80 to port 443. This can be achieved using redirect server farm and redirect rserver.
  You will need to create two sets of configs (class-maps, rserver, sfarm,policy map) for port 80 & port 443 traffic. Port 80 policy will simply redirect the port 80 request to port 443.
  Following example will give you some idea
  rserver redirect HTTP2HTTPS
  webhost-redirection https://%h%p 301
  inservice
  serverfarm redirect HTTP2HTTP-SF
  rserver HTTP2HTTPS
  inservice
  class-map match-all WEB-HTTP
  2 match virtual-address 172.25.250.245 tcp eq http
  class-map match-all WEB-HTTPS
  2 match virtual-address 172.25.250.245 tcp eq 443
  policy-map type loadbalance first-match HTTP2HTTPS-POLICY
  class class-default
  serverfarm HTTP2HTTPS-SF
  policy-map type loadbalance first-match L7-POLICY
  class class-default
  sticky-serverfarm STICKY_IP
  policy-map multi-match L4-POLICY
  class WEB-HTTP
  loadbalance vip inservice
  loadbalance policy HTTP2HTTPS-POLICY
  loadbalance vip icmp-reply
  class WEB-HTTPS
  loadbalance vip inservice
  loadbalance policy L7-POLICY
  loadbalance vip icmp-reply
  ssl-proxy server INVESTOR-CLIENT
  Syed

• Question in regard to management VLAN for each Context in ACE module

  Dear Pros,
  I know this will be a simple questions to answer, and I have searched the forum, but I am not able to find the answer I need.
  1) Does the ACE module require an Management IP address for each Context? Should the same VLAN be applied to each context, with larger size subnet to supply host address?
  2) If it does require that, what IP address should I used for default route in each context.
  I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
  Each ACE module will have 3 seperate Context, for a total of 4 including the Admin.
  Any suggestions or if you can point me to location as always will be greatly apprecaited.
  Thanks and best regards.
  Raman Azizian

  Hi,
  you have several options to choose from.
  1. Use Admin context for management
  You can use the Admin context for management. Give it an IP address in your managment VLAN, default route to upstream router, and login and change to contexts from there.
  + Easy and straightforward
  - snmp and syslog are using the ip from each individual context and not the management IP
  2. Use a Large subnet and assign an IP address in each context for management.
  You can configure 1 managment VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
  + each context has its own managment address
  - static routes need to be added
  3. Use your client-side ip address (or BVI) as management address.
  You management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
  + no static routes needed
  - inline management
  Personally, I choose option 1. That is, if the people that need to manage the ACE is the same team.
  If other teams (serverteam for context 1, other serverteam for context 2) need to manage the ACE, than I would choose option 3.
  HTH,
  Dario

• Management traffic to the ACE

  Do i need to explicitly define management traffic coming to the ace module, i see in a lot of configurations that they allow managerment traffic in a special class to the ace?
  also it is necessary to apply an access-list to the ace module to accept traffic for the vip, what if i do not use any access-list on the ace, will the traffic go through?

  Yes you need to define allowed traffic to the ace. The ace acts as an implicit deny. It will block everything until you allow it. The first policy/class match that you should define is the management traffic class.
  access-list ALL line 8 extended permit ip any any
  class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
  permit
  interface vlan 121
  ip address
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

• ACE Module Context Up to 8 Chain Groups

  Hi
  I have and ACE with 8 chain groups, each with 8 certificates, what I need to do if I need another certificate?
  This because the information in the document
  The ACE supports the following certificate chain group capabilities:
  •A chain group can contain up to eight certificate chains.
  •Each context on the ACE can contain up to eight chain groups.
  •The maximum size of a chain group is 16 KB.
  thanks for your help.

  I do not need to match a specific URL. The application on the server does however. The server admin reports that connection is being refused as there is no URL included to match.
  When setting this up as a one-arm config with source NAT everything works fine. Unfortunately, it is a requirement of the application that the client IP remain intact.

• Error on sessioning into ACE module

  Hi,
  I am getting the below error on sessioning into ACE module in CAT 6500.
  6509A#session sl 2 pr 1
  The default escape character is Ctrl-^, then x.
  You can also type 'exit' at the remote prompt to end the session
  Trying 127.0.0.21 ...
  % Connection timed out; remote host not responding
  Slot 2 is the ACE module. Please assist.

  Ok. It is working now. The processor should be '0'. Could anyone please explain the significance of the processor # in session slot command.
  Regards.

• A few questions on the ACE

  I am getting up to speed on the ACE and was wondering if someone could please clarify a couple of things for me as the docs I am using are pretty confusing.
  We have the ACE module in a Cisco 65XX switch, along with FWSM.
  1) Do I need to create a Layer 3 int on the switch for the Vlan's that I have assigned to the ACE?
  2) I have created a Layer 3 Client side and a Server side Vlans on the ACE. Do I need to create a default gateway for each of these Vlan's or create just one DG and point it to the switch?
  3)Do I need to create a class map, a policy map and a service policy for the Client and Server Vlan L3 interfaces on the ACE?
  Thanks much.

  Have you had a chance to read through the config guide?
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/rtbrgdgd.html
  In general,
  1) yes for client-side vlans
  no for server-side vlans
  2) just one default route to an SVI on MSFC
  3) yes