Cisco Application :: ACE 20 Service-policy Out Of Service / Still Able To Connect To VIP
Feb 28, 2012
We have a situation where services are stopped on the real servers. The probes fail and we confirm the services are not running on the server. We cannot access the ports from the ACE directly. We can still however acces the VIP on the TCP port (L4 VIP class-map). So we can still telnet to the VIP on the port from thr Client side of the network.This is on ACE 20 Modules deployed in Routed mode. The version of software is A2(3.3).
Tried removing multi-match and loadbalance policies as well as class-map and re-applying then re-appyling the service policy to interface. Same behavior,This is a problem at another level as some services are being monitored by GSS via TCP keep-Alive and this obviuosly causes a problem as the service then never goes off-line.
I am Using Windows 7 32-Bit, and my Network usually works fine, and my internet has been working fine up until recently. However about a month (maybe more) I noticed a problem that kept cutting me off occasionally and said Diagnostic Policy was not started, I troubleshooted it and it was fine. Much more recently this has been happening more frequently and troubleshooting it doesn't solve the problem. I can get online for 10-15 Mins then I am cut off again. Restarting the computer often fixes it but not always. I went to Services and found the Diagnostic Policy Service is not running, I press start and receive this error message.
The Diagnostic Policy Service service on local computer started and then stopped. Some services stop automatically if they are not in use by services or programs.I am quite sure my loss of Internet is due to this as this is a network related service and what the troubleshooter always finds to be the problem. Other Computer/Devices in the house connect to the internet fine with no loss of connection so it has nothing to do with that. I have tried various fixes like uninstalling network adapter drivers, and checking permissions in Registry but it has not worked.
We are evaluating Cisco ACS 5.2 and I can not delete a service policy that was created. The message we receive is " the item that you are trying to delete is being referenced by other items". I am new to ACS, but I did go through each tab in the manager multiple times.
I encountered this problem with cisco 870 atm interface. I applied service-policy output, its being accepted but when you do a show run interface, it's not there.
I have the following scenario: Pair of Cisco 887VA routers acting as Layer 3 for Voice/Data VLANs with a pair of 2960 LAN Base switches acting as Cores and possibly then 2960 LAN Lites hanging off them as access switches. Our Service Provider has provided an example config where the class-maps match based on dscp values for the QOS policy applied to the DSL circuits. We can obviously trust the attached phones but I want to be able to mark data traffic on my core switches based on destination IP/port to allow application definition. My major question is can I have a service policy on my Layer 2 uplinks to the routers where the linked classes setting dscp vlaues are based on class-maps matching on the contents of IP access lists based while at the same time not remarking the EF marked packets from the phones?
I have an issue about ACS v5.3 Appliance.I have an ACS v 5.3 wo authenticate wireless users, together with a cisco wlc. One profile is to corporate users and the second profile is to guest.
The corporate users should authenticate with Active Directory and the guest with WLC. Guest users should authenticate with the ACS Local Database. I have configurate two service selection policy that match with protocol Radius. The first rule is to users of Active Directory and the second is to users in
the Local Database of ACS.When i try to authenticate users with active directory is OK, but when try to authenticate users with Local Database (Guest Portal) the ACS try to find the
the internal user in the Active Directory, because math the first rule, and the second profile can not authenticate.When I change the order, first the Rule of internal users and second the rule of users of Active Directory, the internal users can authenticate in to ACS, but
the users in the Active Directory can not authenticate.I think my ACS only authenticate the first rule of radius to Active Directory, no two rules of radius in the same time. Or maybe exists an issue in OS of the ACS.The authentication by separately is OK.
Configuring Cisco 2951 router using Cisco Configuration Professional. I have created a zone based firewall on the router and have created a zone policy for network traffic between two LANs or two zones. I need a create a rule for new traffic that should allow a custom user defined service to flow between the two zones associated with with two LANs.
The problem is How do I created a custom service that I can use for the new traffic rule? I created a network service object as shown in the screenshot below:However, when I am adding the new rule, this service object does not appear in the user defined service in the protocols tree box as shown in the screenshot below:
What is the proper way to create a custom user defined service? I was not able to create it using Class map by the way because again I did not find the service object group in the user defined service when creating a class map.
When I create a service object or group and add the object to a new rule it never works.I mean the traffic match not the rule. I see not hits.I placed the rule on top of my access list to check if I do somethink wrong but it is not working. When I place only a service for example tcp/23 it is working.
I am facing issue while configuring service-policy output command in Cisco 7609-S router with c7600s72033-adventerprisek9-mz.122-33.SRE2.bin IOS. However, in the same series router having IOS c7600s72033-adventerprisek9-mz.122-33.SRC6.bin is supported service-policy output.Both the switch have WS-SUP720-3BXL SUP.
I got this 3640, trying to apply a service-policy (output and input), but seems like I do it something wrong...because he only apply the output policy... here the config, I already try to config the service police inside the fa0/0, but is not showed at all, he only show the output, its like I never apply that
I run 2801 with 124-24.T3 and I have following problem: router is connected to internet over pppoe and ISP once per day breaks this link. so I get:
Jun 7 19:31:56.639 MSK: %DIALER-6-UNBIND: Interface Vi2 unbound from profile Di1 Jun 7 19:31:56.663 MSK: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
and I also have tunnel interface which endpoint is accessible over internet. so I get:
Jun 7 19:31:56.679 MSK: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel1 68844500 - looped chain attempting to stack Jun 7 19:31:57.635 MSK: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down Jun 7 19:31:59.199 MSK: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
this is not a problem, problem is that router when interface goes down removes service-policy output from it, so I receive such message every day from runcid:
ip ospf cost 1 ip ospf mtu-ignore tunnel source Loopback1 tunnel destination 192.168.200.199 - service-policy output tunnel_mpr_gre and have to restore policy manually.
Have installed an 887VA on the end of a ADSL connection. The provider has specified EF 150 on the link. The router is configured using a Virtual Template.
If the Virtual Template has a service policy applied, we don't have connectivity to their main site - although the CD and PPP lights are lit. As soon as the service policy is removed, we have connectivity.
We've had three sites with the same problem. Two of the sites don't have QoS specified on the link but had the same problem if the service policy was applied.
I have some trouble with that policy-map on my 2960 or 3560 switches with LAN base 12.2(53)SE2. I want to use that feature to catch video traffic from webcams in laptops which can't send dscp values out of the box. This is my test config to check if the function is working: catch every traffic from my workstation for testing, access-list 101 permit ip any any, class-map match-all CL_TEST
1. I can't see any counters with the command "sh policy-map interface FastEthernet 0/1". Cisco tells that this command is not possible. But how I can see if the policy is working correct? 2. When I did the configuration I can't see any packets with dscp af41 on the out going interface on the switch with "sh mls qos int gi0/1 statistic" as I expected. After reloading the switch I see the pakets with af41. Okay for that moment. But.After that I changed something in the policy-map. Only "set ip dscp ef" for a second test.
Generating some traffic I see only packets with af41 as before I changed the policy-map. No traffic with ef on the outgoing interface.
I've run a across a strange issue that I've not encountered before and after the things I've tried am beginning to think it's a limitation of the router itself. What I have are 3 Cisco 1941 routers that are all endpoints for a customer's MPLS network. STL is the headquarters and both remote offices have a link back this router. Each of the remote locations only have 1 serial interface. It is a flat network with few routes and a small shoretel voip system running across it. Each router is running C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2).
QoS is configured as follows on each router:
class-map match-any AutoQoS-VoIP-Remark match ip dscp ef match ip dscp cs3 match ip dscp af31 class-map match-any AutoQoS-VoIP-Control-UnTrust match access-group name AutoQoS-VoIP-Control class-map match-any AutoQoS-VoIP-RTP-UnTrust
[code]....
If I try to apply the policy map to serial0/0/0, I get the following error:
% policy map utoQos-Policy-Untrust not configured
I've tried to create a different policy map with the same settings and get the same error. We thought that when it was first set up, each interface belonged to the same network, so we separated things out (hence the .252 mask). I'm not sure what else to try and I'm hoping its something painfully simple that I'm missing.
We have a problem with some websites being blocked every now and then. Everyone inside can access this external website for weeks, and then suddenly it's not available for a few hours, and then it comes back. All without me making any changes to the firewall, ASA5510. The external website that has nothing to do with us can be accessed from anywhere outside our network, example on my iphone through Verizon.
We have not set up any rules about blocking websites, all I found was the Default Service Policy. After backing up and then deleting the rule we are able to access all sites.
i just configured a C6K VSS with Sup2T, 15.1SY IOS software and a WS6724-SFP module with the follwing cos config:
auto qos default table-map cos-discard-class-map map from 0 to 0 map from 1 to 8 map from 2 to 16
[code]....
After applying the service policy to one interfac of the WS6724-SFP module the policy is deployed to all interfaces of the module. So far it should be ok but after a short time all interface of the module begin to go down an up and down and up ... flapping.
In my Cisco ASA 5510 in release 8.2, I have an extrage behavior in the output of "show service-police" command. The issue is that I create a class-map to limit trafic in one of ASA interfaces and I applied in a service policy. This is the configuration:
access-list ACL-Limitada extended permit ip host srv-proxy any access-list ACL-Limitada extended permit ip any host srv-proxy access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp-data access-list ACL-Limitada extended permit tcp 192.168.10.0 255.255.255.0 any eq ftp access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp-data access-list ACL-Limitada extended permit tcp any 192.168.10.0 255.255.255.0 eq ftp
i would like to know the possibility to use mls qos trust dscp with service-policy in the IOS ver.12.2(25)SEE2.The specific version is not possible to configure like below.
Cat3750(config-if)#do sh run int f1/0/1 Building configuration...
I have a 3750 switch (c3750-ipbasek9-mz.122-46.SE.bin) were i want to add bandwitdh limit pr. interface, doing the following:
ip access-list extended customer_A permit ip any any class-map match-all BW_10Mbps
[Code]....
When i trie to apply the "service-policy output 10 Mbps" to the interface, it says the service-policy output is not supported on the switch. Is this a software related isue ?
interface Vlan24 description Internal Wireless Internet ip address 10.x.0.1 255.255.254.0
[Code]....
So, I am trying to limit the bandwidth used by this vlan. The service-policy output statement works, the service-policy input statement does not. My test is to get on that vlan and go to speedtest.net. My download speeds are about 3.5Mb/s, my upload speeds are about 20Mb/s.
it has something to do with this:
sh mls qos ip QoS Summary [IPv4]: (* - shared aggregates, Mod - switch module Sid - Switch Id) Int Sid Mod Dir Class-map DSCP Agg Trust Fl AgForward-By AgPoliced-By
but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)
I am not able to configure Service policy output command in Cisco 2921 router.While configuring I am getting below error.Same config is working fine in Cisco 3845 router.I am suspectting the problem with license in IOS.
I have an ASA 5510 deployed and we are getting a tonne of port scanning traffic (who isn't these days) and ping traffic.The threat scanning thresholds seem a bit too high and was wondering if there is a way to use a Service Policy Rule to perform a Shun/Block of the hosts rather than the firewall simply blocking the request via the ACL and sending a reply.
In other words, if I do nothing, I know the ACL is protecting the resources but it is still replying to the client connection. I want the end result to be the same as a "Shun" where the connection is dropped and no reply is sent. how to employ Service Policy Rules to thwart Port Scanning and/or IP Spoofing?
I have a fresh installation of LMS 4.0 on windows server 2003, when i click to open topology i get error message : ANIServer service may be down or Host name isn't DNS resolvable
i tried pdshow -brief ANIServer ===> service UP
DNS is working using host file in driversetc i restarted the server
i have two CSS-11503 in redundant mode running 8.20 code. We had an incident in our network where a layer 2 loop caused some high traffic through the CSS' and had to shutdown some network gear(including the CSS) to clear the problem. When the CSS' were powered back up, the SSL service was suspended, why this would occur? There rest of the config appeared normal. I am the only person on these boxes, the configs were written, and I have never had a reason to suspend the ssl service.
We are planning to implement the following policy map for egress traffic on an Nexus 7000:
policy-map type queuing dd-1p3q1t-8e-out-10G class type queuing 1p3q1t-8e-out-pq1 priority level 1 shape percent 10 class type queuing 1p3q1t-8e-out-q2 bandwidth remaining percent 5 class type queuing 1p3q1t-8e-out-q3 bandwidth remaining percent 5 class type queuing 1p3q1t-8e-out-q-default bandwidth remaining percent 90
We are using two N7K's to which is one N5K connected through a vPC. From the N5k we use a port-channel with 4 * 10G. Two of this four ports are connected to on N7K and the other two are connected to the other N7K. On the n/K's we are using vPC.
My question now are:
1. Where i have to connect the policy map? To the port-channel or on each physical interface?
2. When i have to connect this policy to the port-channel, how does i have to set the shape percent, when i would like to reserve 10% from the 40G? Does i have to set the shape value to 5% on each N7K because vPC?
some misconfiguration (?) may be the reason for an undesired behaviour we are experiencing with our Cisco CSS 11501s. Balancing mechanisms work fine, however if a service transitions to the "down" state, the corresponding flows remain "alive" leading to a temporary outage of our service. Subsequent client requests are still being sent to the "down" frontend which is unresponsive.
I have an ACE4710 with a few basic farms running and it works great however I now need to implement an SSL proxy service for the first time. The requirement is that clients who are already using FQDN's need to be sent to diffent real server IP addresses as each client will have their own VM. All the clients will use the same global IP address with different A records.
i need to be able to find out what application/service is sending out net bios broadcasts on a network segment the requests are for machines that no longer are on the network but something is trying to obtain there ip address as they are not in dns any more i am assuming this is why they are resorting to netbios broadcasts i need to some how isolate what application or service is trying to find out.
I have an ACE10-6500-K9 (Application Control Engine service module for Catalyst 6500) but I can't access it because I lost the admin password.I would like to know how to perform a Password Recovery Procedure on this device.Is it similar to the password recovery procedure on an ACE 4700 appliance?
Does ACE service module support SHA2(256) certificates? I see that private key generation defaults to SHA1 and does not provide any option, also the cipher suites in SSL parameters map do not show SHA2 options. Can it handle SHA2 in any software release? I am currently running A2(2.3) build 3.00
My ACE module ACE30-MOD-K9 crashed today, and at the show ver output i see "last boot reason: Service "cfgmgr" ".the curent version we running is Version A5(1.2) [build 3.0(0)A5(1.2).
After doing some research i found known bug that supposed to be fixed in this version: CSCtu36146
CSCtu36146—The ACE becomes unresponsive due to a configuration manager (Cfgmgr) process failure with the last boot reason: Service "cfgmgr."
