SSL initiation for SMPP on ACE module

Similar Messages

• SSL Termination not working in ACE

  Hi,
  The context was configured for Load Balancing Port 80 and 443 traffic before the SSL Configs was Applied.
  The SSL Termination is configured on ACE module running the software version  A2(1.6a) [build 3.0(0)A2(1.6a)
  The load balacing is working without no issues, But when i do a https://abc.www.abc.qa/wps/portal/login
  the browser reconganizes the certificate from ACE, but does not show up any thing, just shows  this symbol € 
  in a blank page.
  Plese let me know if you have any suggestions.
  Thanks in Advance.
  Here is the relevant config.
  ===================
  crypto csr-params ABC-II-PRAMS
    country XX
    state XXXX
    locality XXXX
    organization-name abc council
    common-name abc.www.abc.qa
    serial-number 1
    email [email protected]
  rserver host abcserver1
    ip address 10.14.1.165
    inservice
  rserver host abcserver2
    ip address 10.14.1.177
    inservice
  ssl-proxy service abc.www.proxy
    key abc-II-key.pem
    cert abc-II-cert.pem
  serverfarm host abc.www.abc.qa-443
    failaction purge
    rserver abcserver1
      probe abcicmp
      inservice
    rserver abcserver2
      probe abcicmp
      inservice
  serverfarm host abc.www.abc.qa-80
    failaction purge
    rserver abcserver1
      probe abcicmp
      inservice
    rserver abcserver2
      probe abcicmp
      inservice
  sticky ip-netmask 255.255.255.255 address source abc.www.abc.qa-sticky-80
  timeout 120
  serverfarm abc.www.abc.qa-80
  sticky ip-netmask 255.255.255.255 address source abc.www.abc.qa-sticky-443
  timeout 120
  serverfarm abc.www.abc.qa-443
  class-map match-all abc.www.abc.qa-443
  match virtual-address 10.14.1.203 tcp eq https
  class-map match-all abc.www.abc.qa-80
  match virtual-address 10.14.1.203 tcp eq www
  policy-map type loadbalance first-match abc.www.abc.qa-VIP-443
  class class-default
  sticky-serverfarm abc.www.abc.qa-sticky-443
  policy-map type loadbalance first-match abc.www.abc.qa-VIP-80
  class class-default
  sticky-serverfarm abc.www.abc.qa-sticky-80
  policy-map multi-match abc-POLICY
  class abc.www.abc.qa-80
      loadbalance vip inservice
      loadbalance policy abc.www.abc.qa-VIP-80
      loadbalance vip icmp-reply
    class abc.www.abc.qa-443
      loadbalance vip inservice
      loadbalance policy abc.www.abc.qa-VIP-443
      loadbalance vip icmp-reply
      ssl-proxy server abc.www.proxy
  =============================

  Hi,
  You may want to check this thread I think it would be very helpful.
  https://supportforums.cisco.com/thread/2027253
  HTH
  Pablo
  Cisco TAC

• Want to know about ACE module in 6509 : load-balancing concept

  Hi,
  I am quite new in this field , where i need to configure and understand the concept of load-balancing through ACE.
  In my existing network set-up , i have some application servers as well as some other servers where i am looking for load-balancing.
  I have gone through some of the site and cisco site as well and i came across ACE module which can be installed in 6509 switch.
  I have 6509 switch as well but before going for installing the ACE module I am keen to understand below things:
  1) what is difference between CSM or any other product load-balancer and ACE module :
  Gone through site as well , but not getting proper answer or comparison.
  1) I have some of the server configured with clustering and getting one virtual IP, In this case , will ACE work ?
  2) If suppose i go for configuring different IP address with all server IP :
  How do i achieve it ?
  3) what is Virtual IP concept in ACE because i do not have and other ACE module then why do i need virtual IP ?
  4) will the load-balancing happens based on destination based or session based ?
  Please share the knowledge. It would be great help for me to go ahead with ACE and configure it and understand all the application ?

  Hello,
  1) what is  difference between CSM or any other product load-balancer and ACE  module :
  There are several differences but to say simply, you get higher performance and more features with ACE module/appliance comparing others.
  One big difference is that with ACE seriese, you can configure multiple contexts on one box (virtual load-balancers on one box) that makes us possible to provide a virtual load-balancer to a customer. In that way, the customer can access and makes changes on only the virtual box. You can split management domain for each customers. Also using contexts, you can assign certain resources available on the hardware for each contexts according to their service contract.
  ACE serise has specific hardware chip for supporting SSL termination but some others do not.
  For instance, you need a CSM-S, or a CSM and a SSL module to terminate SSL.
  The other thing I should mention is that our most recent product is ACE serise that means it has longer product roadmap.
  Let me try clarifying your other questions.
  3)  what is Virtual IP concept in ACE because i do not have and other ACE  module then why do i need virtual IP ?
  4) will the load-balancing happens  based on destination based or session based ?
  I think I'd better to put 3) and 4) first.
  Virtual ip  address (VIP) is the address to which client accesses.
  VIP is tied with a  serverfarm or serverfarms, in a serverfarm one or multiple rservers can  be configured.
  "serverfarm" is a group of "rservers".
  "rserver" means  real-server that has an ip address and processes transactions.
  When a client  accesses to the VIP, ACE picks up a rserver according to algorithm.
  If you configure a  VIP that is tied with a serverfarm where only one rsever is  configured, client accesses to the virtual ip address are
  all forwarded to  the rserver.
  If you configure a  VIP that is tied with a serverfarm where multiple rsevers are  configured,  client accesses to the virtual ip address are
  balanced among  those rservers.
  If you configure  multiple VIPs, client accesses to those VIPs are forwareded to  corresponding rservers according to configuration.
  1)  I have some of the server configured with clustering and getting one  virtual IP, In this case , will ACE work ?
  ACE load-balances connections to configured rservers.
  If the clustered servers are sharing one virtual ip address and you configure the virtual ip address as a rserver, all connections are
  sent to the virtual ip address. That is not "load-balancing" on ACE... You need multiple rservers to which ACE load-balances connections.
  2) If suppose i go for  configuring different IP address with all server IP :
  How do i  achieve it ?
  You can configure those ip addresses as rserver ip address.
  Multiple rservers are tied into a group, "serverfarm".
  I'm not certain about your culstered servers but I guess you can configure each ip addresses in the culster as rservers.
  Then put those rservers in a serverfarm.Client accesses to a virtual ip address configured on ACE for the serverfarm.
  This way connections are load-balanced among those rservers depending on load-balancing algorithm you choose.
  Above is just an overveiw. ACE gives you granular control not mentioned above.
  I can provide more specific information if you tell me details of what you are trying to archive with ACE.
  Regards,
  Kimihito.

• ACE module, TLS and smtp

  Hello,
  On a ACE module running software version ACE2(1.0), I have defined a virtual smtp server that is load-balanced to a serverfarm containing 2 SMTP servers. Normal SMTP connexions on port 25 work fine. SMTPS connexions to port 465 of a second vserver also work fine: SSL termination occurs at the ACE module and SMTP connexions to the real servers are in clear text on port 25. But I am having problems with TLS.
  If a client connecting to port 25 of the first vserver tries to negotiate TLS, it works but it's the real server that handles TLS encryption. This is normal behavior - but the certificate has to be installed on each of the real servers. I would like the ACE module to handle TLS (it's supported according to the documentation). That way the certificate would only have to be installed on the ACE module.
  So I tried to setup a third vserver on port 587 with the same "proxy-service" as the second vserver used for SSL. If a client connects to port 587 of the vserver via TLS, we only see the 3-way handshake between the client and the vserver, then a pause of a few seconds, then a FIN from the client and finally an ACK and a RESET from the vserver.
  There are absolutely no lines in the log that could help me find out what's happening.
  I found the "debug ssl" command in the documentation but I don't know how to use it - I entered the command and nothing happened; I don't know where the debugging information goes. This is probably why there's a warning that says that "The ACE debug commands are intended for use by trained Cisco personnel only."...
  So my questions are: why is TLS not working? How can I find out why it's not working? Where does the "debug" information go when we use the "debug" commands?
  Thanks a lot for any help you can give me!
  Regards,
  Marc.

  SMTP over TLS is not supported in ACE currently.
  SMTP doesnt use SSL/TLS simply as a secure transport like LDAP, IMAP, POP, HTTP.
  In case of SMTP client needs to open a new conn.
  So ACE or for that matter any other SMTP relay device needs to terminate conn, look in to the SMTP pkts and punch hole according to the new client conns.
  You can get more details at
  http://tools.ietf.org/html/rfc2487
  Syed

• ACE module support for IPv6 ?

  what is the latest on IPv6 support for ACE module? I saw something saying 2HCY10, but that's where we are now. Any documentation pointers to current compatability and or roadmap are greatly appreciated.
  thanks
  Bob O.

  As mklemovitch described in the following thread, IPv6 will be
  supported on ACE30 module but not in the initial release.
  There is no plan for ACE20 module.
  https://supportforums.cisco.com/message/3192517#3192517
  I'm not sure but maybe around Q3 CY11 or later.
  I cannot see the documentation regarding this feature on CCO.
  I would suggest to contact your account team for details.
  Regards,
  Yuji

• Configuring ACE Module for Redundancy

  Hi Sir,
  I'm configuring fault tolerance between two ACE modules installed on two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
  Do I need to configure 4 "ft group", i.e. one context per group? E.g. config:
  ft group 1
  peer 1
  priority 110
  peer priority 105
  associate-context Admin
  inservice
  ft group 2
  peer 1
  priority 110
  peer priority 105
  associate-context ace-context1
  inservice
  ft group 3
  peer 1
  priority 105
  peer priority 110
  associate-context ace-context2
  inservice
  ft group 4
  peer 1
  priority 105
  peer priority 110
  associate-context ace-context3
  inservice
  Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client-side?
  Thank you.
  B.Rgds,
  Lim TS

  Hi Gilles,
  I have configured FT for all user contexts as well as for the admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
  I noticed a few things:
  (1) After the initial FT config, subsequent FT groups just need to be configured on the active Admin context and it will be replicated to the standby ACE, with the priority correctly reversed.
  (2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
  (3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
  One issue I encountered in one of the user contexts is as follows:
  ace1/ace-context-1# sh run int
  Generating configuration....
  interface vlan 950
  description *** Client-Facing VLAN ***
  ip address 10.1.35.5 255.255.255.0
  alias 10.1.35.4 255.255.255.0
  peer ip address 10.1.35.6 255.255.255.0
  access-group input ACL_VL950_IN
  service-policy input REMOTE_MGMT
  service-policy input MY_LB
  no shutdown
  interface vlan 951
  description *** Connection to Real Servers ***
  ip address 10.1.36.2 255.255.255.0
  alias 10.1.36.1 255.255.255.0
  peer ip address 10.1.36.3 255.255.255.0
  access-group input ACL_VL951_IN
  service-policy input NAT_REAL
  no shutdown
  This is the active context. It can ping to 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client-side). It can ping alias 10.1.36.1 over VLAN 951 (server-side) but can't ping to peer 10.1.36.3. The ACL_VL951_IN permits ip any any. Do you know why?
  Secondly, I can remotely ping to alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
  Please advise.
  Thank you.
  B.Rgds,
  Lim TS

• ACE SSL initiation via Proxy server (squid)

  Hi,
  is it possible to configure ACE with SSL initiation if the connection goes via http/https proxy (squid) ?
  I mean local host is requesting http://xyz.com, ACE doing SSL and requesting https://xyz.com, not directly but via http/https proxy server (squid).
  Thanks

  Hi Ryszard,
  Yes, ACE can initiate SSL traffic and maintain SSL connection. So in SSL initiation ACE will act as a CLIENT receiving clear text HTTP traffic at the front end and sending traffic encrypted over the backend.
  For more details please visit the below link and let me know if you have any questions.
  http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/ssl/guide/sslgd/initiate.html#wp1010343
  Regards,
  Kanwal

• ACE ssl initiation

  Have done ssl init on the CSS before.
  It can be easily configured to present a client cert to the remote end like a browser would.
  I can't see how this is done on the ACE.
  Do I just apply an authgroup referring to the client cert in the ssl proxy configuration ?

  Hi,
  For SSL intiation ACE shall act as a client. So you will define a SSL-Proxy and just bind it with the policy map.
  Below config is for end-to-end SSL but look at bold part that is for SSL initiation and here is the link for your reference.
  access-list allow_all line 10 extended permit ip any any
  probe http KEEPALIVE-WEBS
    description Test for Webs Servers
    interval 15
    passdetect interval 30
    request method head url /ping.jsp
    expect status 200 200
  parameter-map type ssl ssl_ciphers
    cipher RSA_WITH_RC4_128_MD5
    cipher RSA_WITH_RC4_128_SHA
    cipher RSA_WITH_DES_CBC_SHA
    cipher RSA_WITH_AES_128_CBC_SHA
    cipher RSA_WITH_AES_256_CBC_SHA
  rserver host WEB001
    description Web Servers
    ip address 10.0.130.253
    probe KEEPALIVE-WEBS
    inservice
  rserver host WEB002
    description Web Servers
    ip address 10.0.130.252
    probe KEEPALIVE-WEBS
    inservice
  rserver host WEB003
    description Web Servers
    ip address 10.0.130.254
    probe KEEPALIVE-WEBS
    inservice
  rserver redirect OLD_SITE_REDIR
    webhost-redirection
  https://www.newsite.com 301
    inservice
  ssl-proxy service SERVER_SSL
    key www-server.key
    cert www-server.crt
    ssl advanced-options ssl_ciphers
  ssl-proxy service CLIENT_SSL
     ssl advanced-options ssl_ciphers
  serverfarm redirect REDIRECT
    rserver OLD_SITE_REDIR
      inservice
  serverfarm host VIP-WWW-443
    description servers-for-https
    rserver WEB001 443
      inservice
    rserver WEB002 443
      inservice
    rserver WEB003 443
      inservice
  serverfarm host VIP-WWW-80
    description servers-for-www
    rserver WEB001 80
      inservice
    rserver WEB002 80
      inservice
    rserver WEB003 80
      inservice
  sticky http-cookie wwwservers WWW-P80
    cookie insert
    timeout 720
    replicate sticky
    serverfarm VIP-WWW-80
  sticky http-cookie wwwservers WWW-P443
    cookie insert
    timeout 720
    replicate sticky
    serverfarm VIP-WWW-443
  class-map type http loadbalance match-all CLA7REDIR
    2 match http url http://www.oldsite.com/.*
  class-map type http loadbalance match-all CLA7WWW
    2 match http url http://www.newsite.com/.*
  class-map match-any VIP-P443
    2 match virtual-address 10.0.128.211 tcp eq https
  class-map match-any VIP-P80
    2 match virtual-address 10.0.128.211 tcp eq www
  policy-map type loadbalance first-match VIP_SERVER_P443
    class CLA7REDIR
      serverfarm REDIRECT
    class CLA7WWW
      sticky-serverfarm WWW-P443
      ssl-proxy client CLIENT_SSL
  policy-map type loadbalance first-match VIP_SERVER_P80
    class class-default
      sticky-serverfarm WWW-P80
  policy-map multi-match WWW_LB
    class VIP-P80
      loadbalance vip inservice
      loadbalance policy VIP_SERVER_P80
      loadbalance vip icmp-reply active
      loadbalance vip advertise active
    class VIP-P443
      loadbalance vip inservice
      loadbalance policy VIP_SERVER_P443
      loadbalance vip icmp-reply active
      loadbalance vip advertise active
      ssl-proxy server SERVER_SSL
  interface vlan 128
    ip address 10.0.128.15 255.255.255.0
    access-group input allow_all
    service-policy input WWW_LB
    no shutdown
  interface vlan 130
    ip address 10.0.130.15 255.255.255.0
    access-group input allow_all
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.0.128.1
  Regards,
  Kanwal

• ACE module SSL url rewrite and path rewrite

  Hi all,
  I'm hoping some of you helpful people on this forum can guide me or suggest a solution to a problem I'm faced with.
  I am currently load balancing exchange 2010 traffic via an ACE module.  Software version is A2(3.3).  I have most parts of it working fine however I am having an issue when it comes to SSL termination for Outlook Web Access (OWA).
  The problem comes down to a HTTP header (field is location).  I have configured an action list to re-write the SSL pure URL as per page 96 of the "Cisco Application Control Engine Module SSL Configuration Guide".  example:
  ssl url rewrite location bnecas\.mycompany\.com sslport 443
  That part works, the http header location field that comes back from the GET request is changed to https://cas.mycompany.com which is great.  However, in addition to that url, there is also a path or something following that part.  The actual string that is returned is:
  https://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
  The first bit of it, (https://cas.mycompany.com) is changed by the ssl url rewrite command, however the last part (http://cas.mycompany.com/owa/&reason=0) isn't changed.
  This is where I've been trying to get the http Header Rewrite command to do something.  I don't know if it can work in conjunction with the ssl url rewrite function however with the ssl rewrite function it seems it can't change bits of the string that aren't the pure URL at the front.
  The end result is that while I have an SSL connection to the OWA login page, when I do login to OWA it reverts back to HTTP.  I'm fairly sure it is because of the last part of the location string above.  Is there a way to change that location string to do the following:
  1.  change the first part of the string to be https://cas.mycompany.com (like the ssl url rewrite function)
  2.  change the last part of the location string to put https in there instead of http
  Ideally I would love to have this string
  http://cas.mycompany.com/owa/auth/logon.aspx?url=http://cas.mycompany.com/owa/&reason=0
  replaced with this one
  https://cas.mycompany.com/owa/auth/logon.aspx?url=https://cas.mycompany.com/owa/&reason=0
  I had originally tried the following in the action list:
  header rewrite response location header-value "(owa/auth/logon\.aspx\?url=)http(://bnecas\.thiess\.aus/owa/&reason=0)" replace "%1https%2"
  ssl url rewrite location bnecas\.mycompany\.com sslport 443
  but it didn't work.  I'm probably screwing up the regex somewhere however there doesn't seem to be very clear examples anywhere I can find.
  Any help will be greatly appreciated and of course I will be sure to rate every post that responds to my plea for help.
  Brad

  Hi Brad,
  try this:
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  action-list type modify http X
    header rewrite response Location header-value "http://(.*url=)http://(.*)" replace "https://%1https://%2"
  we wont be using ssl url rewrite in this case
  Also we will be needing persistence rebalance applied through application parameter map and apply that under the VIP class

• [UDP fast age support for ACE Module]

  Hello,
  I'm testing 2 ACE modules running A3.0.0 for DNS load balancing (UDP). We're testing this by using a DNS query generator that (always) seems to use the same UDP source port when originating these queries. At the moment, the ACE module is hardly doing any load-balancing.
  It looks to me like, that because of this, the ACE believes it's the same session (connection) and doesn't really load-balance, so I started looking for a solution and found the fast-age udp feature. But, it seems this is not supported on my ACE modules. Can any one offer another solution and/or look at my config and see if there is another way to achieve load balancing in a testing environment when using a tool like the one I described?
  (I put it that way because i believe in real life since queries come from different IP addresses and randomized udp ports, the ACE module will be just fine).
  Thanks in advance!
  c.

  Hi Carlos,
  Correct. The 3.0(0) is really misleading. You need to start with the "A" - so you really have 1.6.3a installed.
  The "show version" for V2 is slightly better -
  system: Version A2(1.2) [build 3.0(0)A2(1.2)
  Cathy

• Inventory collection fails for ACE module (RME 4.3.1)

  I am trying to collect the inventory and ultimately the configurations for my ace modules.  When i try to do an inventory collection I get the error
  Device sensed, but collection failed
  Anybody have any ideas?
  Chris

  Post your IC_Server.log.
  Please support CSC Helps Haiti
  https://supportforums.cisco.com/docs/DOC-8895
  https://supportforums.cisco.com

• ACE issue with compression when SSL Initiation is turned on?

  We currently doing an evaluation of the Cisco ACE 4710 and have some sites where the backend is Tomcat and SSL is turned on. When we set Default L7 Load-Balancing Action to Load Balance with Compression Method Deflate (I haven't tried gzip yet), requests to these sites return badly mangled stuff. Like a gif image at 7,700 bytes comes back as a 7 bytes file, even default should only try compression on text/*.
  Has anyone seen a similar issue?

  It turned out the problem was a configuration issue and my understanding of the ACE works with compression, policies, etc.
  In conjunction with this I seemed to have found a bug in the GUI, which is also still present in A3 (2.3). I now have a default L7 policy which just set SSL Initiation to ssl client. Added another L7 policy but when looking at the virtual server afterwards the GUI doesn't show that policy.
  switch/Development# show running-config policy-map FORD-APP.PERF.AUTC.COM-l7slb
  Generating configuration....
  policy-map type loadbalance first-match F-APP.PERF.AUTC.COM-l7slb
  class default-compression-exclusion-mime-type
  serverfarm F-APP.PERF.AUTC.COM
  compress default-method deflate
  insert-http rl_client_ip header-value "%is"
  ssl-proxy client Backend
  class class-default
  serverfarm F-APP.PERF.AUTC.COM
  insert-http rl_client_ip header-value "%is"
  ssl-proxy client Backend
  See attachment with screen shot of GUI

• ACS support for ACE Module

  Does ACS for Windows 3.3 support AAA for the ACE module?

  I don't think that is correct. I am still
  having issues with ACE and ACS. See below:
  ACE version Software
  loader: Version 0.95
  system: Version A1(7b) [build 3.0(0)A1(7b)
  Cisco ACS version 4.0.1
  I am trying to authenticate admin users with AAA authentication for ACE management.
  This is what I've done:
  ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
  warning: numeric key will not be encrypted
  ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
  ACE-lab/Admin(config-tacacs+)# server ?
  TACACS+ server name
  ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
  can not find the TACACS+ server
  specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
  ACE-lab/Admin(config-tacacs+)#

• Question in regard to management VLAN for each Context in ACE module

  Dear Pros,
  I know this will be a simple questions to answer, and I have searched the forum, but I am not able to find the answer I need.
  1) Does the ACE module require an Management IP address for each Context? Should the same VLAN be applied to each context, with larger size subnet to supply host address?
  2) If it does require that, what IP address should I used for default route in each context.
  I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
  Each ACE module will have 3 seperate Context, for a total of 4 including the Admin.
  Any suggestions or if you can point me to location as always will be greatly apprecaited.
  Thanks and best regards.
  Raman Azizian

  Hi,
  you have several options to choose from.
  1. Use Admin context for management
  You can use the Admin context for management. Give it an IP address in your managment VLAN, default route to upstream router, and login and change to contexts from there.
  + Easy and straightforward
  - snmp and syslog are using the ip from each individual context and not the management IP
  2. Use a Large subnet and assign an IP address in each context for management.
  You can configure 1 managment VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
  + each context has its own managment address
  - static routes need to be added
  3. Use your client-side ip address (or BVI) as management address.
  You management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
  + no static routes needed
  - inline management
  Personally, I choose option 1. That is, if the people that need to manage the ACE is the same team.
  If other teams (serverteam for context 1, other serverteam for context 2) need to manage the ACE, than I would choose option 3.
  HTH,
  Dario

• ACE module - end-to-end SSL

  Hello,
  I'm in the process of setting up an end to end SSL configuration but it doesn't work and I'm getting a bit confused at this stage.I imported a cert using the terminal (copy/paste) then I imported a key using the same method and the tftp. The TFTP failed and the terminal was displaying a message telling me there was topo many lines.
  I checked with the crypto verify command and it failed telling me "Error: invalid or unsupported key".
  Is there any clear documentation on how to configure an end to end SSL ?
  I used the ACE ssl guide, but it is not really accurate and looks more like a reminder to me rather than a guide.
  I attached the existing config to this post although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.
  Did anybody came across the same issues on the first time configuring end-to-end ssl with ACE?

  just don't know where to start.
  I feel like you do not have the right key/cert.
  This would be the very first thing to verify.
  Where did you get your key and cert ?
  What certificate authority signed your certificate ?
  The creation of the session key requires the use of an RSA key pair (private/public).
  Every server must have a public and a private key associated with a certificate signed by a certificate authority.
  If you're not familiar with those concepts, configuring an SSL offloaded like ACE won't be easy.
  Maybe you should start be reading on the subject from various article available on the WEB.
  openssl is a great tool to generate keys and certficates.
  I would suggest maybe to get this free tool and start by creating your own RSA key pair and a self signed certificate.
  Then import everything into ACE.
  Once you have valid key/cert we can continue with the configuration.
  Gilles