URL Filtering on ACE 4710 -Deny access

Similar Messages

• URI filtering on ACE 4710 (A3(2.0))

  Hi,
  Is it possible to create a class-map/traffic-policy to filter on the URI of a web site? For example let's say I'm hosting both www.ab.com and www.xy.com - both on port 80 of a server. I have to allow port 80, but only want to allow www.ab.com.
  Is it as simple as:
  (config)# class-map type http inspect HTTP_INSPECT_L7CLASS
  host1/Admin(config-cmap-http-insp)# match url www/ab/com/*
  Any help would be appreciated!

  Actually www.ab.com is not a url but a hostname.
  The url would be the portion after the hostname starting with the first '/'.
  So, your class-map need to match on hostname.
  switch/Admin(config)# class-map type http loadbalance Host-AB
  switch/Admin(config-cmap-http-lb)# match http header Host header-value www.ab.com
  Gilles.

• URL filtering ACE after description of SSL traffic

  We currently have a Cisco CSS11501 which we have configured with SSL offloading.
  We offload the SSL traffic and after description of the ssl traffic we perform URL filtering.
  Can the Ace 4710 Appliance do the same?
  I have attached the current configuration of the css.
  Regards,
  Richard

  With the below config
  Traffic matching 10.10.10.10:443 will be SSL offloaded and then
  will be loadbalanced using rservers in Serverfarm "APP1-SFARM" if
  the request includes "/matchthis".
  ssl-proxy service APP1-SSL-PROXY
  key default-key.pem
  cert default-cert.pem
  class-map match-all APP1-443-VIP
  2 match virtual-address 10.10.10.10 tcp eq https
  class-map type http loadbalance match-any APP1-URLMAP
  2 match http url /matchthis.*
  policy-map type loadbalance first-match APP1-Policy
  class APP1-URLMAP
  serverfarm APP1-SFARM
  policy-map multi-match VIPS-VLAN79
  class APP1-443-VIP
  loadbalance vip inservice
  loadbalance vip icmp-reply active
  loadbalance policy APP1-Policy
  ssl-proxy server APP1-SSL-PROXY
  HTH
  Syed iftekhar Ahmed

• ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?

  Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
  As background, we are a small company with a SaaS product and a pair of webservers.
  I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Stickey Group.
  That seems to be working and session traffic is sticking to a server during the user's session.
  Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
  I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
  As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work little to no tranining on this hardware and no budget at this point to pay someone else for configuration and setup.
  I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
  Hopefully this request makes sense.
  Thanks,
  Mark Steeves.

  Daniel,
  Thanks for the reply, but I cannot reach the URL you included.  It gives me a 403.
  Therfore without reading the article, I wanted to ask if the proper setup would be:
  1. Default L7 load-balancing action: Primary action: Sticky: Stickey Group using
  Type = HTTP Header: Header name = Host
  2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
  Using this setting in testing, it looks like all the traffic keeps going to 1 server only.  Granted there is not much traffic t the servers, but I have 2 different url being tested. url1.ourdomain.com & url2.ourdomain.com
  If you have another link for the above document, please let me know.
  Thanks,
  Mark Steeves.

• ACE 4710 balance among URL

  I have ACE 4710 and I need configuration:
  I have real web-server with  folders : /1/index.html, /2/index.html, /3/index.html
  I need to  balance virtual service:
  If I try to connect URL: http://server/index.html,  then ACE balance among
  http://real_server/1/index.html,
  http://real_server/2/index.html,
  http://real_server/3/index.htm
  How can I  configure ACE ?

  ACE, can't modify the url.
  But it can send redirect.
  So you could build 3 redirect rservers, and have ACE loadbalance between them.
  rserver redirect HTTP-REDIRECT1
    webhost-redirection http://real_server/1/index.html
    inservice
  rserver redirect HTTP-REDIRECT2
     webhost-redirection http://real_server/2/index.html
     inservice
  rserver redirect HTTP-REDIRECT3
     webhost-redirection http://real_server/3/index.html
     inservice
  serverfarm redirect SF_REDIRECT
    rserver HTTP-REDIRECT1
      inservice
    rserver HTTP-REDIRECT2
      inservice
    rserver HTTP-REDIRECT3
      inservice
  But even if it works, this does not sound good.
  It seems like a design done by an application server person who does not know how network loadbalancers work.
  It seems like all you need is stickyness, which you are trying to achieve by redirecting to /1 or /2 or /3.
  But this can be done differently with cookies or by just doing stickyness on source ip address.
  Gilles.

• Access Server through VIP (ACE 4710) but very slow

  Re:  Access Server through VIP (ACE 4710) but very slow
  Hi Shiva
  Kindly  Help .....Accessing the server very slow.., Plz check my real  configuration... this configuration is for application server and after  this i have to configure more serverfarm for different server like  webmail etc. in this ACE 4710. I have only one ACE 4710 .
  ACE Version A4(2.0) = is there supports Probe with this version.???  without probe server will work but very slow. And plz guide Nat-pool is required
  VIP :-- 172.16.15.8
  LB/Admin# sh run
  Generating configuration....
  no ft auto-sync startup-config
  logging enable
  logging host 172.29.91.112 udp/514
  resource-class RC1
    limit-resource all minimum 10.00 maximum unlimited
  boot system image:c4710ace-mz.A4_2_0.bin
  hostname LB
  interface gigabitEthernet 1/1
    description Management
    speed 1000M
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    description clientside
    switchport access vlan 30
    no shutdown
  interface gigabitEthernet 1/3
    description serverside
    switchport access vlan 31
    no shutdown
  interface gigabitEthernet 1/4
    no shutdown
  context Admin
    description Management
    member RC1
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  probe http probe1
    description health check
    interval 5
    passdetect interval 10
    request method head
    expect status 200 200
    open 1
  rserver redirect https_redirect
    description redirect traffic to https
    webhost-redirection / 302
    inservice
  rserver redirect maintenance_page
    description maintenance page displayed
    webhost-redirection /sry.html 301
    inservice
  rserver host web1
    ip address 192.168.10.3
    inservice
  rserver host web2
    ip address 192.168.10.4
    inservice
  rserver host web3
    ip address 192.168.10.5
    inservice
  serverfarm host http
    rserver web1
      inservice
    rserver web2
      inservice
    rserver web3
      inservice
  serverfarm redirect https_redirect_farm
    description Redirect traffic to https
  serverfarm redirect maintenance_farm
    description send user to maintenance page
  parameter-map type connection paramap_http
    description parameter connection tcp
    exceed-mss allow
  sticky ip-netmask 255.255.255.0 address source Sticky_http
    timeout activeconns
    serverfarm http
  class-map match-all REMOTE-ACCESS
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  class-map match-all slb-vip
    2 match virtual-address 172.16.15.8 tcp eq www
  policy-map type management first-match remote_access
    class class-default
      permit
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match slb
    class class-default
      serverfarm http
  policy-map type inspect http all-match slb-vip-http
    class class-default
      permit
  policy-map multi-match client-vips
    class slb-vip
      loadbalance vip inservice
      loadbalance policy slb
      loadbalance vip icmp-reply active
      inspect http policy slb-vip-http
      connection advanced-options paramap_http
  interface vlan 30
    description "Client Side"
    ip address 172.16.15.24 255.255.255.0
    access-group input everyone
    service-policy input client-vips
    no shutdown
  interface vlan 31
    description "Server Side"
    ip address 192.168.10.1 255.255.255.0
    service-policy input remote_access
    no shutdown
  interface vlan 1000
    description managment
    ip address 172.29.91.110 255.255.255.0
    service-policy input remote_mgmt_allow_policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.15.1
  snmp-server contact "PHQ"
  snmp-server community phq group Network-Monitor
  snmp-server trap-source vlan 1000
  username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/  role Admin domain
  default-domain
  username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR.  role Admin domain de
  fault-domain
  username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0  role Admin domain d
  efault-domain
  ssh key rsa 1024 force
  banner motd # "ro" #
  Regards,
  Prem

  Hi Shiva,
  plz guide i'm new with ACE LB, also find my n/w design for connected ace to server. but server accessing very very slow, but when i connect through my old server software LB (with two interface)then accessing very fast. I just replace my old serverLB(with two interface) to ACE4710 and connect the same scenario then why not server accessing smoothly with VIP .Reply soon only I connect ACE's two interface with switch.....
  Regards,
  Prem

• Full URL re-direct with ACE 4710

  Is there anyway to perform a redirect on the ACE 4710 so that it will redirect a request sent to the domain mydomain.com be redirected to www.mydomain.com, this is so that an installed SSL certificate will match.
  Thanks

  Thank you for your response, but the redirect would occur before any encyption.. for example today this is what happens
  someone goes to
  http://www.mydomain.com
  and the ACE redirects the connection to
  https://www.mydomain.com
  What I want is for someone to go to
  http://mydomain.com (without the www) and for it to redirect to
  http://www.mydomain.com which will inturn redirect to https://www.mydomain.com
  or it can just redirect to https://www.mydomain.com
  So the encryption will not occur until it is redirected to teh correct websit

• Need help to Configure Cisco ACE 4710 Cluster Deployment

  Dear Experts,
  I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between  two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
  http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
  This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
  This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
  My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
  Thanks....!
  -Amal-

  Dear Kanwal,
  I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
  Following detail required for configuring Oracle EBS Apps tier on HA:
  LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
  Suggested IP and Name for LBR:
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm detail for LBR Setup
  Following detail will be use for configuring the LBR:
  LBR IP and Name :
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm Detail for LBR setup:
  Server 1 (EBS App1 Node, ap1ebs):
  IP : 172.25.45.19
  Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Server 2 (EBS App2 Node, ap2ebs):
  IP : 172.25.45.20
  Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
  Following are my latest config :
  probe http Get-Method
    description Check to url access /OA_HTML/OAInfo.jsp
    interval 10
    faildetect 2
    passdetect interval 30
    request method get url /OA_HTML/OAInfo.jsp
    expect status 200 200
  probe udp http-8000-iRDMI
    description IRDMI (HTTP - 8000)
    port 8000
  probe http http-probe
    description HTTP Probes
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    request method get url /index.html
    expect status 200 200
  probe https https-probe
    description HTTPS traffic
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    ssl version all
    request method get url /index.html
  probe icmp icmp-probe
    description ICMP PROBE FOR TO CHECK ICMP SERVICE
  rserver host ebsapp1
    description ebsapp1.xxxx.lk
    ip address 172.25.45.19
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  rserver host ebsapp2
    description ebsapp2.xxxx.lk
    ip address 172.25.45.20
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  serverfarm host ebsppsvrfarm
    description ebsapp server farm
    failaction purge
    predictor response app-req-to-resp samples 4
    probe http-probe
    probe icmp-probe
    inband-health check log 5 reset 500
    retcode 404 404 check log 1 reset 3
    rserver ebsapp1 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
    rserver ebsapp2 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
  sticky http-cookie jsessionid HTTP-COOKIE
    cookie insert browser-expire
    replicate sticky
    serverfarm ebsppsvrfarm
  class-map type http loadbalance match-any default-compression-exclusion-mime-type
    description DM generated classmap for default LB compression exclusion mime types.
    2 match http url .*gif
    3 match http url .*css
    4 match http url .*js
    5 match http url .*class
    6 match http url .*jar
    7 match http url .*cab
    8 match http url .*txt
    9 match http url .*ps
    10 match http url .*vbs
    11 match http url .*xsl
    12 match http url .*xml
    13 match http url .*pdf
    14 match http url .*swf
    15 match http url .*jpg
    16 match http url .*jpeg
    17 match http url .*jpe
    18 match http url .*png
  class-map match-all ebsapp-vip
    2 match virtual-address 172.25.45.21 tcp eq www
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match ebsapp-vip-l7slb
    class default-compression-exclusion-mime-type
      serverfarm ebsppsvrfarm
    class class-default
      compress default-method deflate
      sticky-serverfarm HTTP-COOKIE
  policy-map multi-match int455
    class ebsapp-vip
      loadbalance vip inservice
      loadbalance policy ebsapp-vip-l7slb
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 455
  interface vlan 455
    ip address 172.25.45.36 255.255.255.0
    peer ip address 172.25.45.35 255.255.255.0
    access-group input ALL
    nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input int455
    no shutdown
  ft interface vlan 999
    ip address 10.1.1.1 255.255.255.0
    peer ip address 10.1.1.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 999
  ft group 1
    peer 1
    no preempt
    priority 110
    associate-context Admin
    inservice
  ip route 0.0.0.0 0.0.0.0 172.25.45.1
  Hope you will reply me soon
  Thanks....!
  -Amal-

• Apache user dir (13)Permission denied: access to /~simha/ denied

  I am getting Access forbidden! when I am trying to connect to http://localhost/~simha/ where simha is my user name
  my /var/log/httpd/error_log says
  [Thu Jul 08 17:44:30 2010] [error] [client 127.0.0.1] (13)Permission denied: access to /~simha/ denied
  I tried a lot and gave up. Can any one help me in this in regard
  The following are the permisions of my home dir simha and public_html
  drwx--x--x 130 simha users 16384 Jul 8 17:04 simha
  drwxr-xr-x 2 simha users 4096 Jul 8 17:02 public_html
  The following are my httpd.conf
  # This is the main Apache HTTP server configuration file. It contains the
  # configuration directives that give the server its instructions.
  # See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
  # In particular, see
  # <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
  # for a discussion of each configuration directive.
  # Do NOT simply read the instructions in here without understanding
  # what they do. They're here only as hints or reminders. If you are unsure
  # consult the online docs. You have been warned.
  # Configuration and logfile names: If the filenames you specify for many
  # of the server's control files begin with "/" (or "drive:/" for Win32), the
  # server will use that explicit path. If the filenames do *not* begin
  # with "/", the value of ServerRoot is prepended -- so "/var/log/httpd/foo_log"
  # with ServerRoot set to "/etc/httpd" will be interpreted by the
  # server as "/etc/httpd//var/log/httpd/foo_log".
  # ServerRoot: The top of the directory tree under which the server's
  # configuration, error, and log files are kept.
  # Do not add a slash at the end of the directory path. If you point
  # ServerRoot at a non-local disk, be sure to point the LockFile directive
  # at a local disk. If you wish to share the same ServerRoot for multiple
  # httpd daemons, you will need to change at least LockFile and PidFile.
  ServerRoot "/etc/httpd"
  # Listen: Allows you to bind Apache to specific IP addresses and/or
  # ports, instead of the default. See also the <VirtualHost>
  # directive.
  # Change this to Listen on specific IP addresses as shown below to
  # prevent Apache from glomming onto all bound IP addresses.
  #Listen 12.34.56.78:80
  Listen 80
  # Dynamic Shared Object (DSO) Support
  # To be able to use the functionality of a module which was built as a DSO you
  # have to place corresponding `LoadModule' lines at this location so the
  # directives contained in it are actually available _before_ they are used.
  # Statically compiled modules (those listed by `httpd -l') do not need
  # to be loaded here.
  # Example:
  # LoadModule foo_module modules/mod_foo.so
  LoadModule authn_file_module modules/mod_authn_file.so
  LoadModule authn_dbm_module modules/mod_authn_dbm.so
  LoadModule authn_anon_module modules/mod_authn_anon.so
  LoadModule authn_dbd_module modules/mod_authn_dbd.so
  LoadModule authn_default_module modules/mod_authn_default.so
  LoadModule authz_host_module modules/mod_authz_host.so
  LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
  LoadModule authz_user_module modules/mod_authz_user.so
  LoadModule authz_dbm_module modules/mod_authz_dbm.so
  LoadModule authz_owner_module modules/mod_authz_owner.so
  LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
  LoadModule authz_default_module modules/mod_authz_default.so
  LoadModule auth_basic_module modules/mod_auth_basic.so
  LoadModule auth_digest_module modules/mod_auth_digest.so
  LoadModule file_cache_module modules/mod_file_cache.so
  LoadModule cache_module modules/mod_cache.so
  LoadModule disk_cache_module modules/mod_disk_cache.so
  LoadModule mem_cache_module modules/mod_mem_cache.so
  LoadModule dbd_module modules/mod_dbd.so
  LoadModule dumpio_module modules/mod_dumpio.so
  LoadModule ext_filter_module modules/mod_ext_filter.so
  LoadModule include_module modules/mod_include.so
  LoadModule filter_module modules/mod_filter.so
  LoadModule substitute_module modules/mod_substitute.so
  LoadModule deflate_module modules/mod_deflate.so
  LoadModule ldap_module modules/mod_ldap.so
  LoadModule log_config_module modules/mod_log_config.so
  LoadModule log_forensic_module modules/mod_log_forensic.so
  LoadModule logio_module modules/mod_logio.so
  LoadModule env_module modules/mod_env.so
  LoadModule mime_magic_module modules/mod_mime_magic.so
  LoadModule cern_meta_module modules/mod_cern_meta.so
  LoadModule expires_module modules/mod_expires.so
  LoadModule headers_module modules/mod_headers.so
  LoadModule ident_module modules/mod_ident.so
  LoadModule usertrack_module modules/mod_usertrack.so
  #LoadModule unique_id_module modules/mod_unique_id.so
  LoadModule setenvif_module modules/mod_setenvif.so
  LoadModule version_module modules/mod_version.so
  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_connect_module modules/mod_proxy_connect.so
  LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
  LoadModule proxy_http_module modules/mod_proxy_http.so
  LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
  LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
  LoadModule ssl_module modules/mod_ssl.so
  LoadModule mime_module modules/mod_mime.so
  LoadModule dav_module modules/mod_dav.so
  LoadModule status_module modules/mod_status.so
  LoadModule autoindex_module modules/mod_autoindex.so
  LoadModule asis_module modules/mod_asis.so
  LoadModule info_module modules/mod_info.so
  LoadModule suexec_module modules/mod_suexec.so
  LoadModule cgi_module modules/mod_cgi.so
  LoadModule cgid_module modules/mod_cgid.so
  LoadModule dav_fs_module modules/mod_dav_fs.so
  LoadModule vhost_alias_module modules/mod_vhost_alias.so
  LoadModule negotiation_module modules/mod_negotiation.so
  LoadModule dir_module modules/mod_dir.so
  LoadModule imagemap_module modules/mod_imagemap.so
  LoadModule actions_module modules/mod_actions.so
  LoadModule speling_module modules/mod_speling.so
  LoadModule userdir_module modules/mod_userdir.so
  LoadModule alias_module modules/mod_alias.so
  LoadModule rewrite_module modules/mod_rewrite.so
  LoadModule php5_module modules/libphp5.so
  <IfModule !mpm_netware_module>
  <IfModule !mpm_winnt_module>
  # If you wish httpd to run as a different user or group, you must run
  # httpd as root initially and it will switch.
  # User/Group: The name (or #number) of the user/group to run httpd as.
  # It is usually good practice to create a dedicated user and group for
  # running httpd, as with most system services.
  User http
  Group http
  </IfModule>
  </IfModule>
  # 'Main' server configuration
  # The directives in this section set up the values used by the 'main'
  # server, which responds to any requests that aren't handled by a
  # <VirtualHost> definition. These values also provide defaults for
  # any <VirtualHost> containers you may define later in the file.
  # All of these directives may appear inside <VirtualHost> containers,
  # in which case these default settings will be overridden for the
  # virtual host being defined.
  # ServerAdmin: Your address, where problems with the server should be
  # e-mailed. This address appears on some server-generated pages, such
  # as error documents. e.g. [email protected]
  ServerAdmin [email protected]
  # ServerName gives the name and port that the server uses to identify itself.
  # This can often be determined automatically, but we recommend you specify
  # it explicitly to prevent problems during startup.
  # If your host doesn't have a registered DNS name, enter its IP address here.
  #ServerName www.example.com:80
  # DocumentRoot: The directory out of which you will serve your
  # documents. By default, all requests are taken from this directory, but
  # symbolic links and aliases may be used to point to other locations.
  DocumentRoot "/srv/http"
  # Each directory to which Apache has access can be configured with respect
  # to which services and features are allowed and/or disabled in that
  # directory (and its subdirectories).
  # First, we configure the "default" to be a very restrictive set of
  # features.
  <Directory />
  Options FollowSymLinks
  AllowOverride None
  Order deny,allow
  Deny from all
  </Directory>
  # Note that from this point forward you must specifically allow
  # particular features to be enabled - so if something's not working as
  # you might expect, make sure that you have specifically enabled it
  # below.
  # This should be changed to whatever you set DocumentRoot to.
  <Directory "/srv/http">
  # Possible values for the Options directive are "None", "All",
  # or any combination of:
  # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
  # Note that "MultiViews" must be named *explicitly* --- "Options All"
  # doesn't give it to you.
  # The Options directive is both complicated and important. Please see
  # http://httpd.apache.org/docs/2.2/mod/core.html#options
  # for more information.
  Options Indexes FollowSymLinks includes
  # AllowOverride controls what directives may be placed in .htaccess files.
  # It can be "All", "None", or any combination of the keywords:
  # Options FileInfo AuthConfig Limit
  AllowOverride None
  # Controls who can get stuff from this server.
  Order allow,deny
  Allow from all
  </Directory>
  # DirectoryIndex: sets the file that Apache will serve if a directory
  # is requested.
  <IfModule dir_module>
  DirectoryIndex index.html
  </IfModule>
  # The following lines prevent .htaccess and .htpasswd files from being
  # viewed by Web clients.
  <FilesMatch "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
  </FilesMatch>
  # ErrorLog: The location of the error log file.
  # If you do not specify an ErrorLog directive within a <VirtualHost>
  # container, error messages relating to that virtual host will be
  # logged here. If you *do* define an error logfile for a <VirtualHost>
  # container, that host's errors will be logged there and not here.
  ErrorLog "/var/log/httpd/error_log"
  # LogLevel: Control the number of messages logged to the error_log.
  # Possible values include: debug, info, notice, warn, error, crit,
  # alert, emerg.
  LogLevel warn
  <IfModule log_config_module>
  # The following directives define some format nicknames for use with
  # a CustomLog directive (see below).
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
  LogFormat "%h %l %u %t \"%r\" %>s %b" common
  <IfModule logio_module>
  # You need to enable mod_logio.c to use %I and %O
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
  </IfModule>
  # The location and format of the access logfile (Common Logfile Format).
  # If you do not define any access logfiles within a <VirtualHost>
  # container, they will be logged here. Contrariwise, if you *do*
  # define per-<VirtualHost> access logfiles, transactions will be
  # logged therein and *not* in this file.
  CustomLog "/var/log/httpd/access_log" common
  # If you prefer a logfile with access, agent, and referer information
  # (Combined Logfile Format) you can use the following directive.
  #CustomLog "/var/log/httpd/access_log" combined
  </IfModule>
  <IfModule alias_module>
  # Redirect: Allows you to tell clients about documents that used to
  # exist in your server's namespace, but do not anymore. The client
  # will make a new request for the document at its new location.
  # Example:
  # Redirect permanent /foo http://www.example.com/bar
  # Alias: Maps web paths into filesystem paths and is used to
  # access content that does not live under the DocumentRoot.
  # Example:
  # Alias /webpath /full/filesystem/path
  # If you include a trailing / on /webpath then the server will
  # require it to be present in the URL. You will also likely
  # need to provide a <Directory> section to allow access to
  # the filesystem path.
  # ScriptAlias: This controls which directories contain server scripts.
  # ScriptAliases are essentially the same as Aliases, except that
  # documents in the target directory are treated as applications and
  # run by the server when requested rather than as documents sent to the
  # client. The same rules about trailing "/" apply to ScriptAlias
  # directives as to Alias.
  ScriptAlias /cgi-bin/ "/srv/http/cgi-bin/"
  </IfModule>
  <IfModule cgid_module>
  # ScriptSock: On threaded servers, designate the path to the UNIX
  # socket used to communicate with the CGI daemon of mod_cgid.
  #Scriptsock /var/run/httpd/cgisock
  </IfModule>
  # "/srv/http/cgi-bin" should be changed to whatever your ScriptAliased
  # CGI directory exists, if you have that configured.
  <Directory "/srv/http/cgi-bin">
  AllowOverride None
  Options None
  Order allow,deny
  Allow from all
  </Directory>
  # DefaultType: the default MIME type the server will use for a document
  # if it cannot otherwise determine one, such as from filename extensions.
  # If your server contains mostly text or HTML documents, "text/plain" is
  # a good value. If most of your content is binary, such as applications
  # or images, you may want to use "application/octet-stream" instead to
  # keep browsers from trying to display binary files as though they are
  # text.
  DefaultType text/plain
  <IfModule mime_module>
  # TypesConfig points to the file containing the list of mappings from
  # filename extension to MIME-type.
  TypesConfig conf/mime.types
  # AddType allows you to add to or override the MIME configuration
  # file specified in TypesConfig for specific file types.
  #AddType application/x-gzip .tgz
  # AddEncoding allows you to have certain browsers uncompress
  # information on the fly. Note: Not all browsers support this.
  #AddEncoding x-compress .Z
  #AddEncoding x-gzip .gz .tgz
  # If the AddEncoding directives above are commented-out, then you
  # probably should define those extensions to indicate media types:
  AddType application/x-compress .Z
  AddType application/x-gzip .gz .tgz
  # AddHandler allows you to map certain file extensions to "handlers":
  # actions unrelated to filetype. These can be either built into the server
  # or added with the Action directive (see below)
  # To use CGI scripts outside of ScriptAliased directories:
  # (You will also need to add "ExecCGI" to the "Options" directive.)
  #AddHandler cgi-script .cgi
  # For type maps (negotiated resources):
  #AddHandler type-map var
  # Filters allow you to process content before it is sent to the client.
  # To parse .shtml files for server-side includes (SSI):
  # (You will also need to add "Includes" to the "Options" directive.)
  #AddType text/html .shtml
  #AddOutputFilter INCLUDES .shtml
  </IfModule>
  # The mod_mime_magic module allows the server to use various hints from the
  # contents of the file itself to determine its type. The MIMEMagicFile
  # directive tells the module where the hint definitions are located.
  #MIMEMagicFile conf/magic
  # Customizable error responses come in three flavors:
  # 1) plain text 2) local redirects 3) external redirects
  # Some examples:
  #ErrorDocument 500 "The server made a boo boo."
  #ErrorDocument 404 /missing.html
  #ErrorDocument 404 "/cgi-bin/missing_handler.pl"
  #ErrorDocument 402 http://www.example.com/subscription_info.html
  # EnableMMAP and EnableSendfile: On systems that support it,
  # memory-mapping or the sendfile syscall is used to deliver
  # files. This usually improves server performance, but must
  # be turned off when serving from networked-mounted
  # filesystems or if support for these functions is otherwise
  # broken on your system.
  #EnableMMAP off
  #EnableSendfile off
  # Supplemental configuration
  # The configuration files in the conf/extra/ directory can be
  # included to add extra features or to modify the default configuration of
  # the server, or you may simply copy their contents here and change as
  # necessary.
  # Server-pool management (MPM specific)
  #Include conf/extra/httpd-mpm.conf
  # Multi-language error messages
  Include conf/extra/httpd-multilang-errordoc.conf
  # Fancy directory listings
  Include conf/extra/httpd-autoindex.conf
  # Language settings
  Include conf/extra/httpd-languages.conf
  # User home directories
  Include conf/extra/httpd-userdir.conf
  # Real-time info on requests and configuration
  #Include conf/extra/httpd-info.conf
  # Virtual hosts
  #Include conf/extra/httpd-vhosts.conf
  # Local access to the Apache HTTP Server Manual
  #Include conf/extra/httpd-manual.conf
  # Distributed authoring and versioning (WebDAV)
  #Include conf/extra/httpd-dav.conf
  # phpMyAdmin configuration
  Include conf/extra/httpd-phpmyadmin.conf
  # Various default settings
  Include conf/extra/httpd-default.conf
  # Secure (SSL/TLS) connections
  #Include conf/extra/httpd-ssl.conf
  Include conf/extra/php5_module.conf
  # Note: The following must must be present to support
  # starting without SSL on platforms with no /dev/random equivalent
  # but a statically compiled-in mod_ssl.
  <IfModule ssl_module>
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  </IfModule>
  The following are my /etc/httpd/conf/extra/httpd-userdir.conf
  # Settings for user home directories
  # Required module: mod_userdir
  # UserDir: The name of the directory that is appended onto a user's home
  # directory if a ~user request is received. Note that you must also set
  # the default access control for these directories, as in the example below.
  UserDir public_html
  # Control access to UserDir directories. The following is an example
  # for a site where these directories are restricted to read-only.
  <Directory /home/*/public_html>
  AllowOverride FileInfo AuthConfig Limit Indexes
  Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI
  <Limit GET POST OPTIONS PROPFIND>
  Order allow,deny
  Allow from all
  </Limit>
  <LimitExcept GET POST OPTIONS PROPFIND>
  Order deny,allow
  Deny from all
  </LimitExcept>
  </Directory>
  I also tried adding user to the group http. BUt nothing is working.

  Do you have [or more like lack] +x on the user folder?

• ACE 4710: Possible to allow a user to clear counters but nothing else?

  Hello all,
  Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc.  We would also like to allow this user to clear the interface error counters as well, but nothing else.  Is this possible?
  Thanks!

  Hello Brandon-
  Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats.  You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
  i.e.
  ACE# conif t
  ACE(config)# role MyRole
  ACE(config-role)# rule 1 permit modify feature ?
    AAA             AAA related commands
    access-list     ACL related commands
    connection      TCP/UDP related commands
    fault-tolerant  Fault tolerance related commands
    inspect         Appln inspection related commands
    interface       Interface related commands
    loadbalance     Loadbalancing policy and class commands
    pki             PKI related commands
    probe           Health probe related commands
    rserver         Real server related commands
    serverfarm      Serverfarm related commands
    ssl             SSL related commands
    sticky          Sticky related commands
    vip             Virtual server related commands
  You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.
  Domains allow you to create containers for objects.  You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
  Regards,
  Chris Higgins

• ACE 4710 - show stats connection questions

  Hi,
  I have three questions regarding the "show stats connection" command in the ACE 4710:
  1. What is the criteria for a connection to be added to the "Total Connections Failed" counter?
  2. What is the criteria for a connection to be added to the "Total Connections Timed-out" counter?
  3. Is there a command to get more information why the connection was failed or timed-out (e.g. to/from which IP, url accessed etc.)?
  Thanks in advance for your help!
  Best regards,
  Harry

  Harry,
  a connection failed if the server did not respond or resonded with a RST.
  As long as the connection gets establised, it is counted as a success.
  The connection timeout counter is incremented when the connection is idle for the configured timeout value or for L7 connections if it does not complete the 3-way handshale within the embryonic timeout interval.
  Since this is clear why those counters are incrementing, the only way to get more information is to capture a sniffer trace to verify if the conditions above are met.
  Gilles.

• ACE 4710 and mangled HTTP requests

  After replacing a Cisco CSS/SSL  Accelorator and PIX firewall with an ACE 4710 to do load balancing and  SSL encryption behind an ASA firewall we started seeing mangled HTTP  requests in the Apache access logs for the servers in the server farm.  Here is one example:
  XX.XX.XXX.XXX  - - [21/Oct/2012:01:42:12 -0500]  "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  Rather  than appearing just after the timestamp, the "POST /register/LServlet"  is tacked on to header information that shouldn't even appear in the  log. Also the first letter in that header information is always missing  (heckoutFlag instead of checkoutFlag in this example). 
  The  mangled request always shows up as a 501 HTTP error and shows up late  in the Apache access logs (timestamp is out of chronogical order) and  always appears with several duplicate POSTs:
  XX.XX.XXX.XXX - - [21/Oct/2012:01:42:23 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XX.XXX  - - [21/Oct/2012:01:42:12 -0500]   "heckoutFlag=true&verifyPassword=false&newsletter=false&emailaddress=&email2=&pass1=&pass2=&username=POST /register/LServlet HTTP/1.1" 501 3322 "https://www.ourwebsite.com/register/CServlet"  "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  XX.XX.XXX.XXX - - [21/Oct/2012:01:44:12 -0500] "POST /register/LServlet HTTP/1.1" 200 8537 "https://www.ourwebsite/register/CServlet" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
  This is occurring for several different URLs and not just the one above and for multiple web browsers.
  The ACE load balances to servers running Tomcat 7 with Apache HTTP server v. 2.2.14.
  A recent ACE software upgrade to A5(2.1) has not fixed the problem.
  Has anyone seen this before?
  Thanks for any insight you can provide.
  -Kari

  Hi Kari,
  Do you have a sample of the configuration which you got with the CSS?
  What is the current configuration which you got on the ACE?
  Can you shows this output: # show stats http?
  Jorge

• ACE 4710 - Internet Explorer cannot display the webpage randomly

  We have a ACE 4710 with a basic config, (see below).
  When clicking on a tab from a window within Interent explorer we occasionally get an issue with it returning: "Internet Explorer cannot display the webpage" The details show "Access is denied" accessing a particular line of a javascript file.
  We have put one web server out of service in the farm to make sure that this isn't a result of stickyness not quite working.
  We have tested extensively by going directly to the web server directly without the load balancer and cannot reproduce the problem but we can produce the issue within a few minutes when going to the load balanced address.
  Thanks in advance for any advice.
  HOST-1/Admin# show run
  Generating configuration....
  logging enable
  logging fastpath
  logging standby
  logging timestamp
  logging trap 6
  logging history 6
  resource-class SLB_ResourceClass_T_R
    limit-resource all minimum 10.00 maximum unlimited
  resource-class sticky
    limit-resource all minimum 10.00 maximum unlimited
  boot system image:c4710ace-t1k9-mz.A5_1_2.bin
  peer hostname HOST-2
  hostname HOST-1
  interface gigabitEthernet 1/1
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    shutdown
  interface gigabitEthernet 1/3
    description LB003
    switchport access vlan 1
    shutdown
  interface gigabitEthernet 1/4
    description LB004
    switchport access vlan 2
    shutdown
  interface port-channel 1
    port-channel load-balance src-dst-port
    no shutdown
  clock timezone standard GMT
  switch-mode
  context Admin
    description SUTLB01
    member SLB_ResourceClass_T_R
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 16 extended permit icmp any any
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  probe tcp probe_tcp_80
    port 80
  rserver host Server_S_W301
    description Server_S_W301
    ip address x.x.32.152
    inservice
  rserver host Server_S_W302
    description Server_S_W302
    ip address x.x.32.154
    inservice
  serverfarm host sfarm_T_R
    description sfarm_T_R
    predictor leastconns
    probe probe_tcp_80
    rserver Server_S_W301 80
    rserver Server_S_W302 80
      inservice
  sticky http-cookie Cookie1 T_R_sticky_cookie
    cookie insert browser-expire
    timeout 3600
    serverfarm sfarm_T_R
  class-map match-any T_R_L4Class
    2 match virtual-address x.x.33.150 tcp eq www
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match T_R_L7policy
    class class-default
      sticky-serverfarm T_R_sticky_cookie
  policy-map multi-match T_R_L4Policy
    class T_R_L4Class
      loadbalance vip inservice
      loadbalance policy T_R_L7policy
      loadbalance vip icmp-reply active
      nat dynamic 2 vlan 1000
  interface vlan 1000
    ip address x.x.33.148 255.255.254.0
    access-group input ALL
    nat-pool 2 x.x.33.151 x.x.33.151 netmask 255.255.254.0 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input T_R_L4Policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 x.x.32.1
  ssh key rsa 1024 force

  +------------------------------------------+
  +-------------- HTTP statistics -----------+
  +------------------------------------------+
  LB parse result msgs sent : 421347     , TCP data msgs sent       : 2099597
  Inspect parse result msgs : 0          , SSL data msgs sent       : 0
                        sent
  TCP fin msgs sent         : 6169       , TCP rst msgs sent:       : 769
  Bounced fin msgs sent     : 5          , Bounced rst msgs sent:   : 1
  SSL fin msgs sent         : 0          , SSL rst msgs sent:       : 0
  Drain msgs sent           : 337811     , Particles read           : 5040829
  Reuse msgs sent           : 0          , HTTP requests            : 342499
  Reproxied requests        : 183422     , Headers removed          : 37475
  Headers inserted          : 342124     , HTTP redirects           : 0
  HTTP chunks               : 224859     , Pipelined requests       : 71466
  HTTP unproxy conns        : 267246     , Pipeline flushes         : 0
  Whitespace appends        : 0          , Second pass parsing      : 0
  Response entries recycled : 71302      , Analysis errors          : 0
  Header insert errors      : 22         , Max parselen errors      : 215
  Static parse errors       : 99         , Resource errors          : 0
  Invalid path errors       : 0          , Bad HTTP version errors  : 0
  Headers rewritten         : 0          , Header rewrite errors    : 0
  SSL headers inserted      : 0          , SSL header insert errors : 0
  SSL spoof headers deleted : 0         , Unproxy msgs sent         : 267246
  HTTP passthrough stat     : 0
  NOTE - We did turn on caching at one point to try and resolve the issue but it has since been turned off

• ACE 4710 transparent LB with two Caches and two routers.

  Hello,
  I have ACE 4710 that load balance two cach flows (bluecoat), i am doing pbr on the routers to send the traffic destined to port 80 to ACE then Cach farm. After that the Cach flow will get the page from the internet via two routers. The return traffic will match another pbr on the routers with source port 80 that will send it to the ACE then CachFlow again .....then to the users.
  I am not using ip-spoofing on the CachFlow for now. In the figure attached i created a VIP 0.0.0.0 0.0.0.0 port 80 on the interface on the ACE facing the routers, but the question is do i have to create another VIP 0.0.0.0 0.0.0.0 port 80 on the interface on ACE facing the Cach Flow? or just forward the traffic on the default route? What might be the default route since i have to use two routers and i cannot use hsrp?
  Kindly I need some assistance
  Thank you and regards,
  George
  access-list PERMIT_ALL line 8 extended permit ip any any
  access-list CFLOW line 8 extended permit ip any any
  ip name-server 8.8.8.8
  ip name-server 4.2.2.2
  ##################################Config for Cache Cache Servers###################
  probe http CISCO_WWW_PROBE
    ip address 72.163.4.161
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 5
    request method head url /index.html
    expect status 200 200
    exit
  probe http YAHOO_WWW_PROBE
    ip address 87.248.112.181
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 5
    request method head url /index.html
    expect status 200 200
    exit
  serverfarm host TRANSPARENT_PROXY_SF
    description Transparent Proxy Farm
    transparent
    predictor hash url
    probe CISCO_WWW_PROBE
    probe YAHOO_WWW_PROBE
    rserver CFLOW01
      inservice
    rserver CFLOW02
      inservice
    exit
    exit
  ############################################# Router Cache Farm ############################
  probe icmp ICMP_PROBE
    description *** Probe for icmp health monitoring ***
    interval 5
    faildetect 2
    passdetect interval 60
    passdetect count 2
    exit
  rserver host Router01
    description Connection to Sodetel Router
    ip address 192.168.14.4
    probe ICMP_PROBE
    inservice
  rserver host Router02
    description Connection to IDM Router
    ip address 192.168.14.5
    probe ICMP_PROBE
    inservice
  serverfarm host Routers
    description Transparent Proxy Farm
    transparent
    predictor hash url
    probe ICMP_PROBE
    rserver Router01
      inservice
    rserver Router02
      inservice
    exit
    exit
  ################################# Management################################
  class-map type management match-any REMOTE_MGMT
    description Allow Remote management for below protocols
    8 match protocol icmp any
    9 match protocol ssh source-address 172.31.13.31 255.255.255.255
    10 match protocol ssh source-address 172.31.31.21 255.255.255.255
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_MGMT
      permit
  class-map match-all CFLO2Internet
    2 match virtual-address 0.0.0.0 0.0.0.0 any
  class-map match-all TRANSPARENT_VIP_CM
    2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
  policy-map type loadbalance first-match TRANSPARENT_LB_PM
    class class-default
      serverfarm TRANSPARENT_PROXY_SF backup Routers
  policy-map type loadbalance first-match CFLO2Internet_LB
    class class-default
      serverfarm Routers
  policy-map multi-match CFLO2Internet_PM
    class CFLO2Internet
      loadbalance vip inservice
      loadbalance policy CFLO2Internet_LB
      loadbalance vip icmp-reply active
      connection advanced-options TCP
  policy-map multi-match L3L4_PM
    class TRANSPARENT_VIP_CM
      loadbalance vip inservice
      loadbalance policy TRANSPARENT_LB_PM
      loadbalance vip icmp-reply active
      connection advanced-options TCP
  ====Interfaces======
  interface vlan 11
    description Interface between Routers and ACE
    ip address 192.168.14.2 255.255.255.224
    alias 192.168.14.1 255.255.255.224
    peer ip address 192.168.14.3 255.255.255.224
    no icmp-guard
    access-group input PERMIT_ALL
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    service-policy input L3L4_PM
    no shutdown
  interface vlan 21
    description Connection to CFlow ServerFarm
    ip address 192.168.12.2 255.255.255.224
    alias 192.168.12.1 255.255.255.224
    peer ip address 192.168.12.3 255.255.255.224
    no icmp-guard
    access-group input CFLOW
    service-policy input CFLO2Internet_PM ------>>>> Is this necessary???
    no shutdown

  Hi George,
  In the topology you described, only the service-policy in the interface towards the routers is necessary. For the traffic from the caches, the ACE will just forward to the default gateway.
  The only problem is, as you mentioned, that you cannot use HSRP. In that case, you can still configure two default gateways, but there is no way to predict which one the ACE will use at a given time (the way it does to select the one it will use is sending an ARP request to both gateways and using the one that replies first until the ARP entry expires)
  If you need to load-balance the traffic between both routers, then yes, you would need to configure a new VIP on the cache side and load-balanced to a transparent serverfarm composed of both routers.
  Regards
  Daniel

• ACE 4710 is not working

  Hi. I'm working on the Cisco ACE 4710 to be able to load balance web Traffic between several web servers. but despite following the steps mentioned on the Cisco configuration guide (specially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context) we did not managed to make it. we tested both the "bridged scenario" and "routed scenario" but none of them is working. specifically "configuring Nat" in the above link is very confusing and is not clear; because it's not the same as Cisco IOS, which we used to implement it that way. 
  Routed Scenario:
  ==========================================
  probe http Http_Probe
    description Server Healty Check
    port 80
    request method head url /index.htm
  probe icmp ICMP_Check
    interval 10
    passdetect interval 5
  rserver host NetCad_Server_1
    ip address 172.16.1.100
    probe ICMP_Check
    inservice
  rserver host NetCad_Server_2
    ip address 172.16.1.101
    probe ICMP_Check
    inservice
  rserver host NetCad_Server_3
    ip address 172.16.1.102
    probe ICMP_Check
    inservice
  serverfarm host NetCad_Servers
    probe Http_Probe
    rserver NetCad_Server_1 80
      inservice
    rserver NetCad_Server_2 80
      inservice
    rserver NetCad_Server_3 80
      inservice
  sticky http-cookie Cookie1 1
    serverfarm NetCad_Servers
  class-map match-all VS_NetCad
    2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
  policy-map type management first-match mgmt-pm
    class class-default
      permit
  policy-map type loadbalance first-match VS_NetCad-l7slb
    class class-default
      serverfarm NetCad_Servers
  policy-map multi-match int40
    class VS_NetCad
      loadbalance vip inservice
      loadbalance policy VS_NetCad-l7slb
      loadbalance vip icmp-reply
  interface vlan 40
    description Client Side
    ip address 192.168.13.161 255.255.252.0
    ip options allow
    no normalization
    no icmp-guard
    access-group input Permit_ALL
    service-policy input mgmt-pm
    service-policy input int40
    no shutdown
  interface vlan 41
    description Server Side
    ip address 172.16.1.1 255.255.255.0
    ip options allow
    no normalization
    no icmp-guard
    access-group input Permit_ALL
    nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
    service-policy input mgmt-pm
    no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.12.1
  ==========================================

  Hi,
  Let me explain you.
  Assuming client IP as 1.1.1.1, VIP as 2.2.2.2 and Real Server as 3.3.3.3
  Consider the simple situation where client needs to access an application hosted on 3.3.3.3. Client sends a request which comes to VIP.
  src 1.1.1.1----->dst------->2.2.2.2. ACE after matching conditions and taking LB decision decides to send  it to 3.3.3.3 real server. Performs destination NAT and forwards the client request to 3.3.3.3. So the above packet L3 header will now look like:
  src 1.1.1.1       dst 3.3.3.3. When reply comes from server, ACE will change src 3.3.3.3 back to 2.2.2.2 and forwards the request to client 1.1.1.1. SIMPLE LB.
  Now comes a situation where let's say you want to hide the client IP from server or let's say server's default GW is not ACE or client and server are in same subnet but need to communicate through VIP on ACE etc.
  Src 1.1.1.1 dst 2.2.2.2
  After LB ace decides to send it to 3.3.3.3 but also policy multi match has nat rule (nat dynamic 1 vlan x). But packet would be forwarded from server vlan where you have NAT pool defined. So let's say pool IP is 3.3.3.4. So ACE will perform both destination as well as src NAT here before forwarding the packet to server and packet L3 header will look like:
  src 3.3.3.4 ----->dst 3.3.3.3
  Now when 3.3.3.3 has to send packet back, ACE will answer ARP for 3.3.3.3 and hence packet will come back to ACE which will again change the L3 header IP's and send it out the client VLAN towards client.
  So NAT is always applied to server side vlan and  that's why pool is  chosen from server side subnet.
  Let me know if you have any questions.
  Regards,
  Kanwal