Cisco Application :: ACE 30 / How To Examine Traffic Before Loadbalancing
Mar 23, 2012
I am using an ACE 30 module for load balancing to two proxy servers. Not all the traffic needs to be load balanced and directed to the proxy servers. I would like the clients trying to access our intranet and other internal resources to be redirected to them before they are load balanced and sent to the proxy servers. Can this be done with the ACE?
Jul 30, 2012
I have a requirement to bypass some specific traffic (with a particular source to a specific Internet destination) in an ACE 4710.
All the web traffic (HTTP and HTTPS) is configured to load balance to my proxies. I need to configure some specific traffic, with a given source and a destination on the Internet, to bypass this load balancing and go directly to the outside interface.
Sep 8, 2011
We have a pair of ACE 4710 devices in front of a TMG 2010 array (3 members) and are having some issues. We have a NAT pool on the ACE and need to be able to use integrated authentication in TMG since we are filtering URLs based on user ID. For example some users might have access to certain websites that other users do not have access to. TMG does all this fine when we send traffic directly to one of the TMG servers, and it can successfully authenticate the user using the Active Directory username that was passed through. The problem occurs when we send traffic through the ACE first, at which point the user credentials no longer appear to TMG and the user is prompted for a username/password whenever they try to access a website. Even when they do enter their username and password (which they shouldn't have to do) the request is still denied by TMG since it is coming from "anonymous" instead of their actual username.
Another problem we seem to be having, which isn't as important right now, is the fact that since we are using a NAT pool on the ACE, every web request to the TMG servers comes from one of the NAT addresses rather than the original client IP. Is there any way to get around this and have the actual client IP show up instead?
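Added example for the second part of the question above (the real client IP being hidden behind the ACE NAT pool). This is not the poster's configuration: the VLAN numbers, addresses, names and the TMG listener port 8080 are assumptions; the commands are the standard ACE HTTP header-insert, HTTP parameter-map and dynamic NAT syntax.

```cisco
! Added example, not from the original post. Assumed layout:
!   clients on VLAN 10 reach VIP 10.1.1.100:8080
!   TMG members 10.1.2.11-.13 on VLAN 20, listening on 8080
!   ACE source-NATs client traffic to 10.1.2.200 before it reaches TMG
access-list ALLOW-ALL line 10 extended permit ip any any

rserver host TMG1
  ip address 10.1.2.11
  inservice
rserver host TMG2
  ip address 10.1.2.12
  inservice
rserver host TMG3
  ip address 10.1.2.13
  inservice

serverfarm host TMG-FARM
  rserver TMG1 8080
    inservice
  rserver TMG2 8080
    inservice
  rserver TMG3 8080
    inservice

! Put the real client address into X-Forwarded-For; %is is the ACE macro
! for the source IP of the client connection (evaluated before the NAT).
action-list type modify http INSERT-XFF
  header insert request X-Forwarded-For header-value "%is"

! HTTP parameter map:
!  - header modify per-request: insert the header on every request, not
!    only the first one on a persistent connection
!  - no persistence-rebalance: keep later requests on the same client
!    connection going to the same TMG member (connection-bound
!    authentication exchanges break if requests are spread across members)
parameter-map type http TMG-HTTP
  header modify per-request
  no persistence-rebalance

class-map match-all TMG-VIP
  2 match virtual-address 10.1.1.100 tcp eq 8080

policy-map type loadbalance first-match TMG-LB
  class class-default
    serverfarm TMG-FARM
    action INSERT-XFF

policy-map multi-match CLIENT-SIDE
  class TMG-VIP
    loadbalance vip inservice
    loadbalance policy TMG-LB
    appl-parameter http advanced-options TMG-HTTP
    nat dynamic 1 vlan 20

interface vlan 10
  description client side
  ip address 10.1.1.1 255.255.255.0
  access-group input ALLOW-ALL
  service-policy input CLIENT-SIDE
  no shutdown

interface vlan 20
  description TMG side
  ip address 10.1.2.1 255.255.255.0
  nat-pool 1 10.1.2.200 10.1.2.200 netmask 255.255.255.255 pat
  no shutdown
```

Two things to check before relying on this: the header can only be inserted into requests the ACE parses as cleartext HTTP, so for HTTPS sites going through the proxy it lands on the CONNECT request only, and TMG must be told to trust X-Forwarded-For from the ACE NAT address; and whether the authentication problem goes away with persistence rebalance disabled is the first thing to test, since that is the ACE feature most likely to interfere with a per-connection authentication exchange.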
Mar 17, 2012
I want to use the ACE blade in a CAT6500 to load balance SYSLOG events towards (SIEM) collectors. Servers and network devices will send their syslog messages to different collectors after being load balanced by the ACE. I was just wondering, since a lot of clients are going to send their complete syslog events to the VIP and thus introduce a high connection rate (+/- 200,000 CPS). According to the specs, the ACE blade has a limitation of 325,000 connections per second. I suppose this is a limitation at device level (not on a per-context basis, and does that include both TCP and UDP packets?). Could the UDP BOOST feature come in handy, allowing very high rate UDP syslog packet load balancing?
Feb 26, 2006
I have three E1s as part of a Multilink group. If any one goes down, load balancing between the remaining two E1s does not work...
Oct 30, 2012
We have 6500 series switches; by default all port-channel load balancing is src-dst-ip. Now we have a requirement to change the LACP load balance method to src-dst-port.
1) If we change the LACP load balance method, what effects are we going to have on our core network and all the existing servers?
Jun 27, 2012
I want to route GRE traffic through an ACE20, but it doesn't seem to work. The only thing I configured was an ACL with GRE enabled, but the ACE20 seems to drop the GRE packets. The GRE traffic is entering via the VLAN 561 interface and should be sent out via the VLAN 472 interface. Source 10.94.32.212, destination 10.94.132.39. The tunnel control traffic on port tcp/1723 is working fine. In the service-policies nothing is configured for the GRE traffic.
Code...
Aug 7, 2012
I have a Cisco ACE 4710 A5(1.2). Scenario: inbound call from the PSTN to a SIP phone. The call comes into the VIP and then load balances to a SIP server; the server then routes the call out via the WAN to the SIP phone as below:
PSTN SIP Providor >(router)> ACE4710 > sip_server(s) > ACE4710 > (router) >SIP Phone
Note: the router is a Cisco 3925 with "ip nat service sip udp port 5060" and port 5060 mapped to the VIP of the ACE. If I put the SIP server directly behind the router it works fine. From behind the ACE:
If I turn on SIP inspect on the VIP, the call setup (INVITE) and termination (BYE) work fine but the audio loops on the PSTN side from the mic to the speaker. If I turn OFF SIP inspect then the audio is fine and mapped correctly, but the call termination (SIP BYE) hits the VIP from the PSTN and never reaches the SIP server. For ease of diagnostics, I have turned off all SIP servers except one, meaning the load balancer has only one server to choose from. SIP Call-ID sticky is set up and seems to work, though irrelevant with only one server on test. How do I get the ACE to accept 'server initiated traffic' with SIP inspect so it knows about the pending BYE when it comes back from the IP phone via the VIP? Config below, image attached. Bridged mode (also get the same result in routed mode).
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any

probe sip udp 1
  description SIP Health Monitor
  interval 30
  expect status 200 200

rserver host server1
  description Production SIP Server
  ip address 10.44.56.172
  conn-limit max 980 min 980
  probe 1
  inservice

serverfarm host sip
  failaction purge
  probe 1
  rserver server1
    inservice
[code].....
Apr 5, 2011
I have a Cisco ASA 5520 with an AIP-SSM module. I would like to have the below features with the ASA installed in transparent mode.
1. Traffic shaping per user
2. Traffic shaping per IP subnet
3. Traffic shaping per application
Is it possible with the ASA installed in transparent mode?
Jan 24, 2013
I have a web application behind an SSL-offloading CSS 11506 that may require the server to be able to use an SSL connection as soon as it is established. At least I'm troubleshooting a problem that is starting to look like this is a possibility.
The default behavior seems to be to not start the SYN/SYN-ACK sequence with the real server until the client starts talking first (such as send an http get request), even though the SSL termination part is done and ready.
Any way to change this behavior? The scenario is a webapp. Client side starts more than one SSL session to the server, but only uses one immediately. The client knows it has more than one connection and may have told the server so. Like a control plus data channel(s) arrangement. The client opens all the connections (full SSL handshake on all channels), starts using the control channel, and expects the server to start talking on the data channel. However, since the client hasn't sent anything down that TCP connection first... the server doesn't have it.
I don't think this would occur when the server is doing the SSL... as it should have all the TCP connections as soon as the SSL handshakes are done.
Mar 5, 2013
I have an HTTPS probe that sometimes fails and sometimes does not.
[code]....
The probe that sometimes fails is TEST-HTTPS. The TCP_443 probe works perfectly well. The ACE is configured in bridge mode. Is it possible to capture the probe traffic on the ACE side?
Oct 9, 2012
I want to be able to use ports 1-80 for all outgoing traffic. I have a VPS outside my home, which can redirect the packets to the proper ports. Is it possible with an application on the computer and the VPS? Or is it impossible?
Aug 26, 2012
I am trying to configure ASN traffic load balancing, but it doesn't work. I have one Cisco Catalyst 6509 and one Cisco ACE10 module; in my context "PanWEB" I have the interfaces above: [code] If I try to establish a telnet session (telnet 10.96.202.10 80) I see the SYN packet passing through the ACE and going to the real server, but the server does not respond to the SYN packet. I did a capture on the server using Wireshark and could see that the destination IP address is the VIP and not the rserver IP address; is this a problem? Why can I not get the SYN+ACK from the server?
Sep 10, 2012
A company I work for has a number of CSM modules (WS-X6066-SLB-APC) installed in 6513 chassis switches. The CSM modules are running version 4.2(14). These CSM modules are configured to load-balance a number of vservers via serverfarms, each serverfarm containing multiple real servers.
Here is some example configuration:
vserver SITE
virtual 10.1.2.3 tcp www
serverfarm SERVERFARM
persistent rebalance
inservice
[code]....
The company is facing a problem with what seems to be related to return code checking. Every once in a while a server will suddenly not receive any traffic for 5 minutes. This always occurs right after the server has sent an HTTP 503 return code. However we cannot see in the CSM logs that the CSM module has actually disabled the real server. For other serverfarms which are running regular HTTP and/or ICMP health checks to real servers we can clearly see in the CSM logs when a real server has been temporarily disabled due to health check failures.
The return code checking is set to disable a real server for 300 seconds after the CSM has received five HTTP 503 responses from the real server. If we check the real server log however we cannot find more than that single 503 return code right before the server stops seeing any incoming traffic, unless we move back at least hours in time. I have tried to figure out what time frame those 5 return codes must be received within for them to count towards the maximum allowed return codes, but nowhere in any documentation can I find any information about this time frame. For all I know the CSM could keep track of every incoming 503 forever, until the maximum of five 503s is reached, and then the server is disabled for 300 seconds.
Jul 12, 2011
Can the ACE appliance behave as a reverse proxy for HTTP and SSL traffic? I would assume it can, given how it does SLB, but SLB is not a requirement at this time.
Jan 1, 2013
I'm looking for a way to configure a Cisco ACE4710 load balancer to bypass traffic that is initiated from the server side to the Internet. Is there any way to configure this, so that the load balancer will not maintain a session for this bypassed traffic, to maximize throughput?
Feb 16, 2012
I am facing a problem with ACE configuration. I want to redirect 443 traffic to my proxy server, but I am not able to do this. I want to redirect only subnet 192.168.80.0/24. It only works when the policy is applied to all the users, but I don't want to have this policy applied to all the users; I want to have only one subnet under the HTTPS policy.
How can I apply the policy only on a specific subnet so that its port 443 traffic is redirected, and all the other subnets can go directly to the Internet?
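Added example for the question just above and for the ACE 30 question at the top of the page (sending only some client traffic to the proxies). It is not configuration from either post: VLAN numbers, proxy addresses, names and the assumption that the proxies run in intercept (transparent) mode and are Layer 2 adjacent to the ACE on the proxy VLAN are all mine.

```cisco
! Added example, not from the original posts. Assumed layout:
!   clients on VLAN 80, 192.168.80.0/24, ACE is 192.168.80.1
!   two intercepting proxies 10.10.10.11 and 10.10.10.12 on VLAN 10
!   proxies use the ACE (10.10.10.1) as default gateway for client-bound traffic
!   upstream router 10.10.10.254 (assumed)
access-list ALLOW-ALL line 10 extended permit ip any any

rserver host PROXY1
  ip address 10.10.10.11
  inservice
rserver host PROXY2
  ip address 10.10.10.12
  inservice

! transparent: the ACE keeps the client's real destination IP and only
! rewrites the destination MAC to the chosen proxy, so an intercepting proxy
! can still see which site (including the TLS SNI/IP for 443) was requested.
serverfarm host PROXIES
  transparent
  rserver PROXY1
    inservice
  rserver PROXY2
    inservice

! match-all: both lines must match. Only 192.168.80.0/24 talking to any
! destination on tcp/80 or tcp/443 is pulled into the proxy policy.
! Narrow the virtual-address mask instead of 0.0.0.0/0 to scope by destination.
class-map match-all HTTP-FROM-80-SUBNET
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 80
  3 match source-address 192.168.80.0 255.255.255.0
class-map match-all HTTPS-FROM-80-SUBNET
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 443
  3 match source-address 192.168.80.0 255.255.255.0

policy-map type loadbalance first-match TO-PROXIES
  class class-default
    serverfarm PROXIES

policy-map multi-match CLIENT-VLAN
  class HTTP-FROM-80-SUBNET
    loadbalance vip inservice
    loadbalance policy TO-PROXIES
  class HTTPS-FROM-80-SUBNET
    loadbalance vip inservice
    loadbalance policy TO-PROXIES

interface vlan 80
  description client side
  ip address 192.168.80.1 255.255.255.0
  access-group input ALLOW-ALL
  service-policy input CLIENT-VLAN
  no shutdown

interface vlan 10
  description proxy side
  ip address 10.10.10.1 255.255.255.0
  access-group input ALLOW-ALL
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.254
```

The bypass comes from what is not matched: a packet from another subnet, or to another port, matches neither class map, so the ACE applies no load-balancing action and simply forwards it by its routing table (bridging in bridged mode) subject to the interface ACL. The same mechanism covers the "specific source to specific destination" bypass questions on this page, by making the class-map matches narrower rather than by adding a deny; the ACE class maps have no negative match. Verify with show service-policy CLIENT-VLAN detail that hits increase only for the intended subnet, and with show conn that the proxy-bound flows keep the original destination address.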
Dec 3, 2012
Every time I make a config change to one of the contexts on our ACE20, I get this message: Config Application in Progress. This command is queued to the system
If I run show download info, I get:
context : context1
Interface Download-status
--------------------------------------------------------------
187 In Progress
199 Pending
Regex download optimization status : Couldn't get status[TNRPC Timed out]
It eventually seems to complete, but it takes a very, very long time. We are running Version A2(3.5) [build 3.0(0)A2(3.5)].
Mar 27, 2013
Report run via individual web server URLs: the report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.
Report run via ACE load-balanced URL: the report keeps on running for more than 20 minutes and never completes. The front end keeps showing that the report is running.
The data in general, when tested directly by running queries against the database (bypassing the platform), completes in 15-18 minutes. The network connectivity for each and every port involved (load balancer/servers) has been thoroughly checked.
Dec 11, 2010
We have a Cisco 2821 at one of our branches and created five sub-interfaces for different VLANs. The output of show interface shows a very frequent increase in the input error count. I have changed the physical cable and the switch port on the other side, but still the error rate is increasing. When the traffic is low the error rate is low, but with high traffic it is increasing drastically. My router CPU utilization is very low (4%) only. What could be the possible reason? [code]
Mar 10, 2011
We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of P2P inspection if the traffic is tunneled via port 80, is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system, so could this module cover all? Is this module going to provide the desired outcome, or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product, if only so that we can make use of the investment we already made in these devices.
Nov 27, 2012
I am testing bandwidth limiting using my ASA 8.2. I am trying to limit Internet access for certain users, in order to save bandwidth for the important things, but I can't get any limitation.
My configuration is the following; the access list is just for my PC in order to test, and the service policy is applied to the outside interface (called Internet in my case) for incoming traffic:
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any
class-map Internet-class-TEST
  match access-list Internet_mpc_1
policy-map Internet-policy-web
  class Internet-class-TEST
    police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service-policy I can't see any activity on the policy, but if I do a similar configuration for the inside interface outgoing traffic I can see packets allowed and dropped.
Apr 29, 2012
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have an SMTP relay deployed in the DMZ for mailing. I also have mail servers installed in the internal LAN.
I want to allow traffic from the DMZ to reach the internal LAN, and I normally also want to allow the SMTP relay in the DMZ to reach the Internet.
How can I block traffic from the DMZ from reaching the internal LAN (apart from SMTP) if, to allow traffic from the DMZ to the Internet, I must put ANY in the policy?
For allowing traffic from the DMZ to reach the Internet, the policy must be DMZ -----> ANY -----> Services. Does this policy mean the DMZ can implicitly reach the internal LAN?
Mar 19, 2013
We have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic. I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic, as it is generated by the router itself.
Is there any way to capture the outbound traffic?
Aug 4, 2011
I am trying to come up with the best way to traffic shape with 3750ME switches. The traffic will be coming from a 6504 Sup-7203b downstream and going out the WAN. Core---L3---->6504--intvlan80--trunkport to--->3750Me---g/1/1/1-trunkport to---MetroE network--->int f0/0.80--branch router. The idea is to use the 3750 to shape the traffic going towards the WAN/branch to 500 to match the contracted rate and then to use QoS on the shaped rate. I tried to apply it to g1/1/1 using port-based policies but it did not shape the traffic. I changed everything to IP interfaces and it worked. I need to break up the MetroE into different VLANs so I can bring branch offices in on different VLANs.
Apr 3, 2012
I am taking an introductory class for the CCNA and we are focusing on the Application Layer, and I'm having some difficulty in understanding what an Application Layer Service is. Is an Application Layer Service the same as Application Layer Software?
Jan 23, 2012
Is it possible to upgrade an ACE 4710 from A3 to A4? What do A3, A4 & A5 actually mean?
I want to upgrade the ACE from A3 to A4 because I want to enable switch-mode on the ACE. The current S/W version is A3 2.0, which does not support this command. While referring to the command reference guide I saw that this command is supported in A2 & A4 from version 2.0 itself, but for A3 even in 2.7 (which is the latest) this feature is not supported.
Apr 11, 2013
I have an issue with LMS not terminating SSH sessions on the Cisco ACE.
Cisco LMS 3.2
Cisco ACE A2(3.3)
Apr 5, 2012
I have two GSS, one in site A and one in site B. The one in site A is primary and performs the management function; the one in site B is secondary. Sites A and B are DCs working active-active.
I have version 3.1.2 and I have to upgrade to 4.1 because 4.1 works with DNSSEC. Is this true?
I read that first I have to upgrade the primary. But what about the secondary? How does it work? When I upgrade the primary, will it not impact synchronization with the secondary?
Apr 8, 2013
We've got an application that broke after upgrading our ACEs from A5(2.1) to A5(2.2); the problem lies in how the ACE handles URLs with embedded backslash characters in them, e.g.: URL
Prior to the upgrade the ACE would forward these to the back-end servers; after the upgrade the ACE resets the client connection.
(We're doing SSL offload on the ACE; the back-end connection is HTTP over port 80, only the client-side traffic is over SSL.)
Some browsers will convert these to percent-encoded form, i.e. URL
and things work for these; but other browsers won't do this. So I'd like to set up a rewrite rule in the ACE that will replace any (or at least the first) '\' with the string '%5C'. Just how to do this isn't clear from the command reference, and the config guide is a tad shy on similar examples.
Aug 1, 2011
Is XFF [URL] supported on the Cisco CSS 11503? If not, is it on the roadmap for a future code release?
Nov 28, 2011
I would like to allow the Yahoo chat application for a particular user in my office through a Cisco ASA. Can I have a configuration for this, and the list of IP addresses and port numbers which Yahoo Chat is using?
Sep 15, 2012
As per the Cisco QoS document URL, IOS from 12.2(13)T supports the drop command in a policy map. But our Cisco ASR 1013 running IOS version 15.2(1)S1 doesn't have the drop syntax. How can we drop a specific application using QoS on an ASR 1013 with IOS version 15.2 and higher? Can I allow a few users for a particular application (like P2P) and drop other users based on their source IP?