In 2008-2010 timeframe, I used the ace 4710 appliances at one customer and kind of liked them. The deployment was not too SSL intensive and B/W requirements were low, but I configured a few HA pairs and that worked well. The configuration was pretty comparable to other Cisco devices; so easy to learn/pick-up.Fast forward to 2011: stepped into an environment, where customer purchased 3 - ACE 20 modules (before I got here), and had multiple issues with them. I found 4 documented TAC cases, and 1 was still open. I started working from December 2011 on getting Cisco to own-up WRT modules but customer by that time had had enough.
The most serious issue was a random reboot, hang or lockup. I wasn’t here to work with them to verify, but that’s eventually what the deal breaker was. Around the February 2012 timeframe, talking to Cisco SE, he revealed Cisco had an independent lab in Switzerland verify that some hardware component on the device had a terminal defect, in which a bit would flip, and force the device to lock or reboot - subject ot radioactive decay or interference.Cisco and the lab attributed this to improper shielding, coupled with defective material in the electronic component; hence the device was highly susceptible to radiation-type errors. This is the kind of stuff you read in doomsday reports! As a result, Cisco was EOL-ing the ACE-20 module. I am trying to get Cisco to replace the ACE-20 modules with something else, but they haven’t been too cooperative. They have also limited their SE/Salseperson presence where I work (Pacific Northwest); and are not too responsive.
I have gotten a verbal agreement to get a credit on prior purchases for the amount this customer spent on the ACE-20 modules. However, the credit is only a few points off their normal discounting model. And Cisco will not go into loss on new product sales. Using example, $100 product would cost me $55 with standard Cisco discounting. Cisco’s cost might be $45 so I will only get another $10 credit on this new purchase.The 3 Cisco ACE-20’s originally cost customer about $100K, so to dwindle this credit down, we would need to purchase about $1-$2 million of new hardware - that's a lot of new gear! And I don’t have any real way of knowing that Cisco is applying the credit honestly, and they won’t put anything in writing. This entire issue has really dampened customer’s impression of Cisco. They had smartnet on the ACE-20’s for 2+ years, but then dumped that after losing faith in the product. Now I am trying to resurrect smartnet to see if Cisco will give us an alternate product.
And to cap it all off, the original Cisco salesperson (who sold customer the ACE’s), has left and went to work for F5! And yes, he has been calling on customer to try to sell some big-IP's! At least there is some humor in all of this. So... Has anyone else had bad experience with ACE-20 module? How about ACE 4710? How to get a reliable working ACE module from Cisco?
My TCOM guys say they do not see the ACE as a CDP neighbor on their switches. Is CDP enabled by default? I cannot find any documentation that suggests this is configuration (like on the Cisco CSS - where it can be enabled, but cannot see its' CDP neighbors).
BTW - The ACE 4710 Appliance documentation uses CDP as acronym for Certificate Revocation List Discovery Point (for SSL CRL's).
I have a pair of ACE 4710's that I am deploying within a datacenter. The primary and secondary ACE appliances have identical configurations except for the IP addressing and priorities for FT. The FT peer is going into a TL error state.
On the primary ACE appliance, I am able to ping and telnet from/to it without any issues. All of the routing works as it should and everything is seen in the ARP table as it should. The secondary appliance is able to ping everywhere, but telnet out of or into that appliance does not work.
I am able to see the IP addresses in the arp table and can successfully ping end to end from the secondary device, just unable to telnet into or out of it. When I try to telnet out of the secondary device, it reports that there is no route, even though the IP's I am trying to telnet to are directly connected and those interfaces are up and working (otherwise ping would fail). The exact same filters (access-lists, service-policies) are configured in the exact same format and applied to the exact same interfaces.
I tried removing all of the fault tolerance configurations and just created a Layer 3 vlan interface for management and I am still unable to telnet into or out of the appliance. This is not a complicated setup and I have to think there is something obvious that I'm missing, but I'm hung up on the fact that the config's are almost identical while one works exactly as intended and the other reports no route to host for a directly connected interface.
i have a 4710 appliance (one armed) and i am load balancing with two webservers. In the URL, there are links that need to be redirected to https:
i am using the
rserver redirect REDIRECT-TO-HTTPS[URL]
The https is working but i have a problem. when i access the Main link "first" it is redirected to https to the Main link.But if i access one of the Sublinks directly(without having to click on the main link first) the page is redirected to https but to the Main Link. i have to click the Sublink again in order to get the page.How can i redirect to https and stay on the same page? What might be the general link in the webserver-redirection?
I would just like to double-check a point with the forum on licensing on 4710 Appliance.If with version 4.2 and above 2Gbps Bandwidth licence is required, the output of the sho license status should be?
I wanted to find out how many times can I apply a healthcheck in a single context. I have 50 farms that are using the same port and instead of creating 50 different healthchecks, I want to just create 1 healthcheck for the 50 farms and apply it to each farm. I also need to know if the same limitations (whatever they may be) is the same for the 4710, ACE20 and ACE30.
We have an ACE Appliance in a DMZ and the ACE Appliance's Admin Context IP is translated between ACE and ANM. The ANM Server does not get translated. It is just the opposite then in another Community discussion.
Our Problem: When adding the ACE4710 Appliance to the ANM imported Device List, we use the ACE's NATed Admin Context IP. Import works well, but ANM reflects the Admin Context IP with it's real configured IP. Polling the ACE Appliance does not work therefore.
Is there a possibility of telling the ANM, that the ACE has to be polled through a NATed IP? I could not find a field to set a NATed Mgmt IP.
Configured IP on ACE Admin Context: 192.168.0.10 NATed ACE Admin Context IP: 172.16.0.10
Imported ACE with IP 172.16.0.10 into ANM, but ANM polls for Rserver, Vserver, Probes, etc. via 192.168.0.10 - which is not reachable from the ANM.
The compatibility matrix shows no support for a Location Appliance 2700 for any version 7.0.x.x for WCS and WLC. However, I did see a thread here where a v6.0.x.0 had compatibility. v18.104.22.168 is MD. Is it compatible with v7 WCS and WLC?
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1).
tacacs-server key 7 "xxxxxxxxxxxxx"aaa group server tacacs+ tac_admin server xx.xx.xx.xx
aaa authentication login default group tac_admin local aaa authentication login console group tac_admin local aaa accounting default group tac_admin
Report run via Individual Web server URL’sThe report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.Report run via ACE Load Balanced URLThe report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.The data in general when tested directly by running queries against the database (bypassing the platform) completes in 15-18 minutesThe network connectivity for each and every ports involved (Loadbalancer/Servers) have been throulgly checked.
We have Router CISCO7613,SSO redundancy configured with two Sup 720-3BXL running 12.2(33)SRC1 image. Even thought I've configured SSO, my standby sup remains in COLD state with the following logs generated.
Mar 20 22:07:32.514 IST: %ISSU-SP-3-PEER_IMAGE_INCOMPATIBLE: Peer image (c7600s72033_sp-ADVENTERPRISEK9-M), version (12.2(33)SRC1) on peer uid (8) is incompatible Mar 20 22:07:32.514 IST: %ISSU-SP-3-PEER_IMAGE_INCOMPATIBLE: Peer image (c7600s72033_sp-ADVENTERPRISEK9-M), version (12.2(33)SRC1) on peer uid (8) is incompatible Mar 20 22:08:48.263 IST: %PFREDUN-SP-4-INCOMPATIBLE: Defaulting to RPR mode (Runtime incompatible) [code]...
These logs says that due to some reasons, the configuration is not being synchronized with active and standby sups and hence the redundancy mode remains in RPR mode and SSO not achieved, and hence COLD state. However, I couldn't find a reason why the configuration is not being synchronized, I've issued the command, redundancy config-sync ignore mismatched-commands, and everything worked fine, SSO achieved and standby sup came to HOT state.Now my query is,
1. Why the configuration was not synchronized and standby SUP got in COLD state?? 2. Since I issued the suggested command, at least, some of the mismatched lines in configuration will be ignored, Will that create a problem when my Active sup fails and standby become active?
Do you know if it is possible in ACE 4710 appliance to configure a SIP TLS ?The SIP probe we have in the configuration guide it is only for clear text. for Lync 2013 we need to establish first a TLS session and then within it, send an SIP request..IS it possible in any version? I tried also to configure a HTTPS probe but it fails as it sends a GET which the Lync SIP server doesn't understand.
We have an ANM Virtual Appliance, version 5.2, were we login and can go no further. This was working for fine for approximately two and half weeks. We created a backup and re-loaded the system via CLI with the same result. We logged in again via SSH and we have noted the following:
cscoanmsa/admin# sh disk temp. space 4% used (141244 of 4951688) disk: 7% used (353916 of 5935604) Internal filesystems: warning - /var is 100% used (89219000 of 89258112) cscoanmsa/admin# sh application status ANM
Is there any way to access and clean out the /var directory from the CLI. is this achieved simply via the "delete" command with the full path ?
The upgrade process for ANM virtual appliance 4.2 involves doing a backup and restore as root user. I have looked through the documentation and have even reinstalled the virtual appliance to see if the install script gives away the root password for the OS but without luck.
We have several 474 and 594 class WAAS appliances in the field. When power is lost to a given location, almost all of the other devices we have at these sites will start themsleves back up upon the restoration of power. Since the 474 and 594 WAAS appliances are basically PC based devices they do not seem to have the ability to start themselves back up when power is restored. What we would like is to have a solution wherein the WAAS device powers up on its own once power is restored much like the routers, switches, servers and PBX devices at the same location.
Is this module supported in the CISCO2900 routers?I have come across two documents that seem to contradict each other:In this one says:
Cisco 8-Port Channelized T1/E1 and ISDN PRI High-Speed WAN Network Module # –Part number: NM-8CE1T1-PRI # –Provides channelized T1 or E1 connections or ISDN PRI connection # –Supported on Cisco 3800, Cisco 2900, and Cisco 3900 series routers
How to configure HSRP with Statefull NAT using the application redundancy of the IOS XE? I want to have static NAT using the HSRP groups for clients and SNAT. (I want to achieve this as in normal IOS -[URL] High Availability NAT with HSRP)The configuration that I have on the 1st ASR. The configuration is similar on the second ASR
redundancy mode none application redundancy group 1 name NAT-HSRPIN
IP nat inside source static 10.10.10.20 "real ip address" redundancy 1 mapping-id 1 extendable.
I've got basic connectivty to our ACE30 module and when I try connecting to the management IP address (attached to the Admin context), I see a very basic GUI which only lists the CSM to ACE config conversion tool. I don't see a GUI as detailed in the document: url...How do I get the ACE Applicance Device Manager GUI working so that I can then configure real servers, serverfarms etc rather than via the GUI?Having read through copious amount of documentation I can't seem to find a refrence that would ne useful here. This should be a fairly straight forward exercise - do I need to install some other software to get the full fledged GUI working?
recently when i run the commit vip redundancy script, i encountered the following error. This script has never failed in the past. Upon checking the backup CSS, i did notice that my most recent changes were actually synced. The following is the debug i have captured while running the script.
active-lb# script play commit_vip_redundancy "local 22.214.171.124 remote 126.96.36.199 -a -d" active-lb# Checking available disk space on systems ... Checking the disk space locally before continuing with the script. Verifying that another local session is not running the script. Creating script/vipr_config_sync_lock file. Verifying app and redundancy configs ... Verifying that app session is up with backup switch. Making sure app session is up. Seconds to wait before calling it quits: 60 Checking the disk space remotely before continuing with the script. Checking local and remote switch versions ... Storing the running code versions of the local and remote switch. Storing the local switch's version. Retrieving the remote switch's version. Checking remote version for 4.0 Checking if switch is BACKUP for any virtual routers and if the state is 'No Service'. Checking vip redundancy state.... Checking if backup switch is Master for any VRIDs. If it is, either a local
Since the ACE supports only static routing, when pointing a default route from the ACE what is your preferred method when using multiple 6500s with an ACE in each in a failover scenario to prevent just pointing at one 6500? Static route to an HSRP address? Multiple static routes on the ACE, etc?
i'm looking for a recommendation for a setup guide including ft i've had a quick look a wiki and i can get basics but i'm not sure about if i need to setup additional contexts etc when i'm the only one using the appliance?
I have an issue with a customer that wants to update a server behind the ACE. The problem is that when the application wants to update the server it does it with the name.Doing some research I found that you can rewrite the record DNS based on the static NAT you set up on the ACE. The feature is called DNS inspection. Is the same feature as the ASA (DNS doctoring).I apply it to the outside interface and it did not work.
With the current (A5) ACE 4710 lic setup, does the "X gigabit per second appliance throughput" that is licensed affect: -
A) Only "appliance" i.e. load balancing traffic, any other normal routed traffic is not included in the limit
B) Is it an overall throughput limit on the interfaces i.e. includes all traffic not only load balancing traffic but also normal routed traffic crossing the appliance
Looking at a scenario where the lic size I need for HTTP load balanacing would be one size if A) but would need to be much larger is B) to accomodate out of hours routed backup traffic crossing the ACE 4710