Cisco Application :: 389 Vip Not Responding To Client Requests On ACE
Jan 4, 2012
The client is unable to establish a connection to the backend servers via the VIP on ports 389 and 636; the servers are configured and listening on these ports. Even though the probe is successful on port 389, we are not getting any response back from the servers. [code]
We have a 25Mbit connection coming in through a cable in the basement, going through a modem that is connected to an RVS4000 small business router on the first floor, which acts as the single NAT. Connected to that in parallel we have 4 wireless b/g or b/g/n routers of various Cisco/Linksys models, one for each floor, each with DHCP disabled. Over the last few months there have been some issues with the router and I'm curious if there is anything that can be done to solve them. The firmware of the router is the latest at the time of this writing, V184.108.40.206
1. The router will occasionally lock up and completely stop responding to DNS requests. Attempting to open a website will result in browsers giving their standard 'DNS Lookup Failure' messages. The router will also become completely non-responsive when trying to access it via its IP address (standard 192.168.1.1). No username/password dialog appears. However, oddly enough, IRC and other chats like Skype will still work fine. Restoring factory settings has not worked. This issue has gotten to the point where this happens about once a day. Restarting the router will fix the issue. While I think the issue may sometimes resolve itself, it could also just be one of the other people in the house restarting it manually. I'm assuming that the router is to blame here and not the cable modem in the basement or the DNS server of our ISP, mostly due to the fact that the router becomes unresponsive and won't let me log in as admin when this happens. Also, restarting the router, not the modem, seems to fix the issue.
2. The router's log is always empty. Specifically, I have enabled 'Output' and 'Local Log' as you can see here:
3. Issues with some people hogging bandwidth. With 25 people and a 25Mbit connection, each person in the house should effectively get about 125KB/s of download speed, especially since not everyone is always using bandwidth. However, it can happen that one person is, often without knowing it, hogging a large chunk of bandwidth and slowing the network down for everyone, such as by downloading multiple large files from different sites, streaming high-quality video, etc. I would like to know if any of the following might be possible to do with this router: see the bandwidth usage per individual MAC or IP address on the network over time; limit the amount of bandwidth a specific MAC or IP address can use; make the distribution of bandwidth more fair when a few people are using far more of it than other people.
I have at times resorted to limiting P2P via IPS in the past, and of course that does work somewhat, but that's not ideal. I'd much rather just know who is doing it, and specifically by how much they are slowing other people down. While the IPS page will list the IP addresses of those trying to use P2P when it's disabled, there is no way for me to really quantify how much bandwidth they'd be using otherwise, and this doesn't at all include things like straight-up HTTP downloads. In any case, this router should easily be able to handle ~25 simultaneous connections, right? Are there any settings that I should make sure to enable or set to distribute bandwidth more fairly, given the setup we have?
4. The IPS report chart is not readable. This is a bit of a nit-pick, but the IPS report chart is basically not readable because the colors used in the key are identical. Can you tell the difference between the colors of 'Network Traffic' and 'Attack Counts' in the key at the top? They could have used any two colors that are at least somewhat distinguishable; even light grey and dark grey would have been better, not magenta and another magenta.
I have my firewall on IP 192.168.0.1 (for example, real IP is a class C address). I have a web server (Ubuntu 10.04, though this happened before with an 8.04 box as well) on ip 192.168.0.101. Everything will be functioning fine, and I won't have any issues for a while. Then, randomly I'll have problems getting to my web server, getting disconnected from SSH sessions. I go to one of my linux boxes and do an "arping -b 192.168.0.101" and I will get two responses, one from my firewall and one from the box, as illustrated below. The only way to correct the issue that I've run into is to reload the firewall, which will then behave properly again until it randomly decides to start answering ARP requests on the other IP again.
nwiadmin@vm-test-lx:~$ arping -b if-webdevint4-lx
WARNING: interface is ignored: Operation not permitted
ARPING 192.168.0.101 from 192.168.0.168 eth0
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx] 2.309ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.434ms
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx] 2.280ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.377ms
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx] 2.129ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.221ms
Unicast reply from 192.168.0.101 [xx:xx:xx:xx:xx:xx] 1.839ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 1.934ms
Sent 4 probes (4 broadcast(s))
Received 8 response(s)

nwiadmin@vm-test-lx:~$ arping -b if-webdevint4-lx
WARNING: interface is ignored: Operation not permitted
ARPING 192.168.0.101 from 192.168.0.168 eth0
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.839ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 1.935ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 1.758ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.733ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 9.568ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 1.931ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.283ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 1.756ms
Unicast reply from 192.168.0.101 [yy:yy:yy:yy:yy:yy] 2.070ms
Sent 9 probes (9 broadcast(s))
Received 9 response(s)
How many clients can simultaneously associate with a Cisco AP 1252G? Right now, when I try to connect more than 25, the rest are unable to access the AP. Clients (smartphones plus laptops) are using the 802.11b/g standard.
Please find attached a simple BYOD/ISE document I uploaded to kick-start my new wireless setup. It's all configured on my ISE server and controller as per the doc. My setup:
- 3600 APs
- Internal 5508 Controller
- DMZ 5508 Controller (acts as a DHCP server for wireless clients)
Controllers have established connectivity (mobility anchors); as a client I can connect fine to my new SSID, get a DHCP IP address back from the DMZ WLC and at the moment can connect out to the Internet fine (using no WLAN security as a test). So this part is working. I have now followed the document, configured ISE, enabled AAA on the Internal WLC only and used the AAA override setting on the WLAN as in the attached document. I connect to the SSID expecting to be redirected to my ISE Guest Portal; nothing happens other than connecting to Internet web pages. My question is, if I have followed this document correctly, why is the Internal WLC not redirecting client requests to ISE? Is this because my mobility anchors need to be re-configured, or perhaps the AAA/ISE config needs to be applied to my DMZ WLC, not the Internal WLC?
I would prefer the Internal WLC to redirect the login to ISE; it doesn't make sense to traverse through the DMZ firewall onto the DMZ WLC and back into the internal network again to the ISE to authenticate. Or am I missing something in addition to this document to make sure clients are directed to the ISE Guest Portal login?
I'm using Cisco VPN client 5.0.7 and a Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and AAA RADIUS (ACS 3.3) and AD. Each time a client connects, the ASA issues 2 RADIUS requests: first a correct one, which is successfully authenticated by ACS, and immediately a second one, which always fails. I couldn't find any information related to this strange behavior. The "Double authentication" feature (the most likely candidate, judging by its name) is accessible only to AnyConnect clients, which we don't use. When I'm authenticated using a group password, there is only one RADIUS request. What is the source of such behavior? The negative impact is that my logs are filled with spurious failed auth attempts, and users are incrementing the failed attempts counter in AD.
Debug from ASA:
----First request----
RDS 10/24/2011 16:16:01 D 0232 14884 Request from host 172.16.8.1:1645 code=1, id=22, length=145 on port 1025
RDS 10/24/2011 16:16:01 I 2519 14884  User-Name value: user1
RDS 10/24/2011 16:16:01 I 2519 14884  User-Password value: B2 A9 D0 2D 15 5F B8 BB DB 1E 3A 38 F5 24 72 B5
RDS 10/24/2011 16:16:01 I 2538 14884  NAS-Port value: -1072693248
RDS 10/24/2011 16:16:01 I 2538 14884  Service-Type value: 2
After replacing a Cisco CSS/SSL Accelerator and PIX firewall with an ACE 4710 to do load balancing and SSL encryption behind an ASA firewall, we started seeing mangled HTTP requests in the Apache access logs for the servers in the server farm. This is occurring for several different URLs, not just the one above, and for multiple web browsers. The ACE load balances to servers running Tomcat 7 with Apache HTTP Server v. 2.2.14. A recent ACE software upgrade to A5(2.1) has not fixed the problem.
Physically, it's like this. The RED line denotes a boundary, and pretty much anything North of that is not accessible to us, we simply have a L3 trunk between our switches and "their" switches (S3/S4) and talk using EIGRP.
There are other servers in the top tier, some that also require load balancing, some that don’t. Typically, I want to load balance HTTPS requests from the internet, to one of the 3 servers in the top half.
I’m not sure what mode to select, routed or one-arm? What about placement of the ACE? At the moment, I’ve just configured 1/1 on it and made it part of the MGMT VLAN; its SVI exists on the S1/S2 switches, so I’m open to change as it's still all in the lab.
I saw a strange behaviour in the ACE30 today. We are configuring most of our VIPs with "loadbalance vip icmp-reply active" and I haven't thought about it that much. I just assumed it would do what the command says. Today an Intel tech called and said that he had taken down the web service on port 80 on both servers in a serverfarm and he could still ping the VIP. I had a look in the ACE and saw that the VIP was marked OUTOFSERVICE. But he could still ping it at that moment. What is the criteria for the VIP not to respond to ping with the above command set?
I have two Wi-Fi networks, and I have written a client-server model in C (Linux); the client has three threads, and each thread has a different physical Wi-Fi connection to the server. But the problem is that the overall data rate is not increased by this; it is similar to using one Wi-Fi connection.
I’m wondering if there is a way to configure a CSS11503 running 8.10 so that the servers in the content rules can see the client port number. The servers can see the client IP, but not the port! It seems that when forwarding packets to the servers in the content rule, the CSS uses a new high-numbered port when communicating with the servers.
Is any kind of NAT supported on the ACE-20 module? I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure if the configuration below is correct. The ACE module should be configured in bridge mode with two VLANs, vlan 36 (client) and vlan 436 (server), bridged with interface bvi 36. NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding "policy-map type loadbalance". Please check the two parts of the configs and whether the ACE config is properly converted from the CSM and will work in the same way (especially for NAT). [code]
I have an environment with SSL termination and client authentication with a client certificate. Now, the backend server application needs to be informed of the client DN information present in the presented client certificate. Is it possible to tell the ACE to send specific client certificate fields to the backend server via insertion of an HTTP header or, alternatively, to forward the entire client certificate in any way to the backend server?
I have an ACE4710 set up to load balance a couple of web servers. The real servers all show as inservice, as do the probes and serverfarms/virtual servers. If I ping the virtual server IP address I get a reply, but if I try to access the VIP via telnet or a web browser, I get a "connection could not be opened" error on the client. The question is, how do I determine where the error is coming from? So far I cannot tell if the client is getting through the ACL or not. I have used the troubleshooting guide and nothing has worked to determine the cause so far. "show service-policy int479 detail" does not show an increase in the hit count when I try to connect. "show stats conn" does not show an increase in failed or timed-out connections when I try to connect. [code]
I have a web application behind a SSL-offloading CSS 11506 that may require the server to be able to use a SSL connection as soon as it is established. At least I'm troubleshooting a problem that is starting to look like this is a possibility.
The default behavior seems to be to not start the SYN/SYN-ACK sequence with the real server until the client starts talking first (such as send an http get request), even though the SSL termination part is done and ready.
Any way to change this behavior? The scenario is a webapp. Client side starts more than one SSL session to the server, but only uses one immediately. The client knows it has more than one connection and may have told the server so. Like a control plus data channel(s) arrangement. The client opens all the connections (full SSL handshake on all channels), starts using the control channel, and expects the server to start talking on the data channel. However, since the client hasn't sent anything down that TCP connection first... the server doesn't have it.
I don't think this would occur when the server is doing the SSL... as it should have all the TCP connections as soon as the SSL handshakes are done.
We have a router (7206) which is connected to a client device in a /30 IP segment, but this device is a switch which is connected to many more devices. Doing a packet capture on our router interface reveals many ARP requests which come from the client switch. Is there any feature or command with which we can stop this?
We have an 1140N AP connected to a switch, and our "network partner" controls the router and will hand out DHCP and do the NAT for this WLAN. How can I configure the AP to forward DHCP requests through?
I have WPA2 PSK (TKIP) set up and the client is able to authenticate; however, we fail to get an address. In this case the Ethernet interface was left alone, so it has the default config and it gets a DHCP address fine. How can I configure this AP to enable the rest of the Wi-Fi clients to get an IP?
I am using ACS 5.1 connected to a WLC (v7.x) and frequently see host auth requests in the ACS logs. I am not interested in seeing host auth requests at all. Is there any way just to ignore these? The issue is that these will always fail. If I enable the lock-out facility within the WLC and a host continually tries to auth, the WLC will lock out that MAC address, meaning that when the user is ready to connect with their own credentials they are unable to, as the WLC is blocking that MAC address from connecting to the wireless network. I tried disabling the 'process host lookup' option, but this apparently only changes the type of request to appear like a standard PAP auth request, which again fails, filling up my RADIUS logs and stopping me from enabling the WLC lock-out feature. So, as I say, I want to simply ignore host requests. I have no control over the end points, so I am unable to go and update the config etc. of these devices.
I'm working on a project where a Wi-Fi client is tracked and located using RADIUS authentication requests. The problem I'm running into is that the WLC (5508) sends a RADIUS authentication request to my freeradiusd, which is OK so far, but if the client roams to another access point (3602AG, 1131AG, 1252AG), the WLC does not send a further RADIUS auth request, and the client is allowed to connect to the next AP. Is there an option like a RADIUS cache which I can disable, so that the WLC sends an authentication request every time a client tries to connect to an AP or roams from one AP to another?
I have 2 1242AG APs setup with one SSID and no vlans configured. The APs are connected to a switch along with my DHCP server. Clients are able to connect to the SSID but are unable to get an IP from the server. Clients can plug into the switch and get an IP. If I configure a static IP on the wireless card, the client works fine.
Is there something I'm missing on the AP to allow DHCP requests to pass through? IPhelper?
Here is the AP info: AIR-AP1242AG-A-K9 12.4(21a)JA1
My friend is invisible to ping requests. I know he is online because he is on my Gtalk friends list. This is because he is using Windows 7. Earlier, when he was on Win XP, he responded to ping requests. He said that he didn't mess with the firewall settings. Therefore this feature comes by default with 7. I'm using XP and I don't want to change to 7 right now. Can I get this feature?
I am trying out a DAP-1513 unit, but there is no forum section for this. My question seems to be general and might cover the other models also. Do the DHCP requests from the attached LAN devices on the DAP get passed to the DHCP "server"?
Cisco Small Business Switch POE ESW-520-24P with a Wireless Access Point Cisco Aironet AP1141. Both the devices are upgraded to the latest firmware.
Connected to the ESW-520-24P is a Windows 2008 SBS 2011 with DHCP and Domain Controller. Along with the server I have a number of wired computers connected to the switch which do not have any issues and connect to the DHCP server without any problems.
When connecting two wireless devices to the AP1141, they get the IP address and DHCP from the server; but when connecting other devices apart from the first two, they fail to connect to the DHCP server and do not get any IP address. They manage to connect to the wireless access point but they cannot contact the DHCP server.
I have a school with 550 iPads. We are using two 5508 WLCs sharing the number of APs. The DHCP server and the default gateway for the network are on the firewall. The clients are able to get a DHCP address. After some time, maybe longer than a month, the clients are no longer able to get DHCP addresses. A reboot of both controllers takes care of this. Presently we are running the 7.2.110 OS. I am going to upgrade to the latest 7.4.100, and reload tonight.
I have configured ACS 5.1 and am using TACACS. I have two Juniper SSG140 FWs in different subnets. TACACS authentication is working on one SSG140 FW, but not on the other one. The TACACS configuration on both FWs is exactly the same. Both FWs have been added in the ACS server with the same shared secret key, same profile, etc. I don't even see the authentication requests from the FW. ACS can ping both FWs and vice versa. [code]
I have a Linksys WAP200 Wireless-G Access Point problem. It is SW version 220.127.116.11. I have it configured for a small network and the problem seems to be that it is not forwarding DHCP requests on to my DHCP server. I know that it is not an SSID or key issue, as when I give my devices static IP addresses, they communicate fine within my system. The only issue seems to be when the devices make DHCP client requests. I also know that the problem is not my DHCP server, as it has the devices' IP/MAC addresses in its configuration file and other wired devices are able to communicate with it to get their IP address through DHCP.
I have seen that there was talk in some blogs about the WAP200 not forwarding DHCP requests, and I was hoping that updating the device to the latest release would have resolved the problems.
We have set up a bridge between two of our offices using two WET200s in ad-hoc mode. Everything is connected fine and the signal strength is good. All traffic passes over the bridge correctly, but DHCP requests/replies seem to be failing to traverse the bridge. Our DHCP server is hosted on site A, and the computers on site B fail to obtain their IPs from DHCP over the bridge, requiring us to use static IPs. Firmware is currently the latest.
I have an SG200-18 connected via one of the ports to my ISP's router/modem. Using an unmanaged switch everything works as expected, but after a few days on my SG200 my two computers fail to get assigned IPs and cannot connect to anything. I also have a couple of printers that seem to have no problems getting their IPs passed through to the router, as I can use them fine from my machines when connected to the unmanaged switch.
Is there a possibility that I don't have my switch set up properly to know that all outgoing data must go to the router, or is UDP traffic being dropped somehow?