I am looking at management (backup of the configuration) of the ACE 4710 running A4.1, the management software is Cisco Cirrus. The question I have is around the management of the context's, I have a backup of the Admin but would like the user context's also, how this is completed.
I have an HA ACE deployment and all seemed to be working well until I tried to access the ACE via the management VLAN in the one non-system context, no go.The ACE is in one-armed mode with an Admin/System context and one user context (named Messaging). Source NAT has been set up in the user context. All VLANs are in a port channel back to the core switches.I can access the ACE via the Management VLAN in the system context, all OK. I can access the load-balanced servers via the VIP in the user/Messaging context, all OK. I CANNOT acccess the managment VLAN other than ping it (resonds to ping, but telnet, ssh, https, etc. fails).The system/Admin context has a default route to the Management VLAN on the core. The User/Messaging context has a default route to the core switches on VLAN 5, which is the VLAN where the VIP resides.If I change the default route in the User/Messaging context to the Management interface on the core switches then I can access both contexts for management, but then the load-balancing falls over and I cannot access the serverfarm (via the VIP). Traces on the rservers show that NAT is being hit on the ACE and the requests are coming from the real IP of the clients. Put the default route back to the User/Messaging VLAN on the core and NAT is back to what it would be expected to be, and then remote/management access to the ACE is gone.
Is it possible to use 1 or 2 of the 4 gigabit ethernet ports from one ACE straight into the other ACE for redundancy? So ACE_01 gig0/4 to ACE_02 gig0/4.If so, is it a case of just having the layer 3 config instead of trunking etc..Also - is it possible to create a context within the same vlan as the Admin context?
I have two ACE working on active-standby mode, I have one context configured on bridge mode, with two vlans, the client (vlan 100) and server (vlan 101) sides.I need to balance another service for two servers (different from the ones on the first context ) on the vlan 101, so as the documentation says i can't configure the same vlan on another context because it is already configured on the 1st context as bridge.so my question is the only way i could balance this service is to configure it on the same context??. or there is another way?.These are the design limitations that i have to do this:
1.- I can't change the servers IP address.
2.- The VIP which will answer the clients request is on the same IP network segment as the servers, for example: server1: 192.168.100.125, server2: 192. 168. 100.126, VIP: 192.168.100.124
We are having issues with our Cisco ACE 4710, it suddenly stopped to telnet admin context.We are able to telnet another context from the same appliance, but unable to telnet the admin context. Is possible to pings the gateways from the other contexts, but we are not able to ping the gateway from the admin context.Actual we have 5 context with the minimum allocation is 10%.ACL and policy map allowing telnet and etc are enable and configured on the interface.
Am trying to replicate the managment interface functionality of a CSS on ACE 4710 but have problem with it being treated as a general routed interface.
Scenario On ACE 4710 I have a front-end interface for client facing VIPS and a back-end interface facing a server farm, taking care of load balancing flows
Non load-balance system traffic for the back-end servers also flows through these two ACE interfaces, following a default route path (the back-ends use the ACE as default gateway) i.e. dns requests from the servers flow through the ACE egressing the front-end interface to hit a firewall and route to an internal dns server.
Issue If I add a "management interface" to the ACE 4710 and give it an IP address for management access, the interface by default assumes 'routed' mode and as the ACE treats this as a general interface it will route traffic out of it. For example if the IP address of this management interface is on the same network as the internal dns server, it breaks that connectivity. This as the ACE will see the "management" interface as best route to directly connected network and send traffic to dns server over that, however dns server response traffic will follow its defult route path via firewall and ACE front-end interface to get reply to back-end server. The firewall will block this traffic as traffic is asymmetrically routed and firewall not seen the initial dns request packet.
Question Is there a way of making an ACE interface a 'non routed' management only interface for out of band management use? That is ACE will not attempt to route general traffic through the interface
I realise I could achieve this with multiple contexts but want to have a single context for various reasons - i.e. to have a kind of like for like CSS replacement using ACE 4710
I'm looking for some documentation I can share with a customer to explain why I can't configure them a back-up sticky server farm when we're not terminating SSL on the the ACE (we pass SSL from the client through to the rservers, sticking the client to the rserver by source IP address). I've not been able to find anything that addresses this particular scenario in my googling so far. I remember discussing this in my training class with the instructor, but I can't find any reference to it. Have any of you run into this and have a link they can share?
I have Ace 4710 version A4.1.1 and I am experiencing interesting problem with GUI and SSH reachability. I am unable to connect to management vlan3000. Interesting is that I can ping from ACE to network but unable to ping or SSH or HTTPS to ACE. Everything seems good. ARP is ok, switch is OK, line is up, protocol is up. Management is enabled for icmp, https, ssh to any.
When I do show interface I noticed line Config download failures : 9.
Hardware type is VLAN MAC address is 00:1e:68:1e:bc:db Virtual MAC address is 00:0b:fc:fe:1b:01 Mode : routed IP address is 10.168.0.18 netmask is 255.255.255.128 FT status is active Description:Management VLAN MTU: 1500 bytes Last cleared: never Last Changed: Mon Jan 21 16:48:54 2013 No of transitions: 5 Alias IP address not set Peer IP address is 10.168.0.19 Peer IP netmask is 255.255.255.128 Assigned on the physical port, up on the [Code] ....
I am configuring a load balancer from cisco, a ACE 4710.Load blancing is completely new to me, and i am unexpereinced in this field. It has to be configured for a customer that want to load balance HTTP and RTSP traffic over 4 application servers (Back-end),I searched alot on google for possible solutions, and got RTSP in some way to work, but http wont work says my customer.
I have two ACE-4710 in active/standby mode, running code A3(2.2). Four contexts are configured. Both devices were functional without problem, until I reload the standby unit. After reload, the standby unit completely lost its configuration with exception of the FT vlan and the FT peer configuration in the Admin context... Both units recognized each-other and I can still ping the primary unit on the FT vlan, but nothing else. Contexts are lost and interfaces are shutdown! Nothing changed at the software level, both devices run exactly the same image and the same licences are installed (it worked well before the reload).
So, I decided to reconfigure the basics on the standby unit in order to trigger a config sync from the primary. And here arrives the problem : I reconfigure the FT vlan, the FT peer, I check the peer state and everything is OK.
Then, I try to ping the primary unit from the standby unit with success :
switch/Admin# ping 192.168.16.1 Pinging 192.168.16.1 with timeout = 2, count = 5, size = 100 .... Response from 192.168.16.1 : seq 1 time 0.000 ms
Have two ACE 4710 in HA setup. We would like to setup HTTPS loadbalance(actually just a primary and standby configuration in the serverfarm). Initially this would be for Exchange OWA connections but may expand to more HTTPS connections later. I know there are several ways to do SSL with the ACE( client, server, end-to-end). I am just wanting to know the easiest way to deploy this? Is a certificate always needed on the ACE for each connection? In HA mode would a certificate be needed for both or does it replicate in some way to the other ACE?
I am currently stuck to setup an automated configuration backup for ACE Blades. I found a script to backup the ACE from the Cisco ANM box but unfortunately I am not very familiar with Linux. (script) in place, to "pull" the ACE config from a Microsoft system ?
When trying to view the status in the Monitor tab and the Config tab after you log in to the ACE 4710 Device Manager A5 (1.2) management GUI tool, I could not retrieve the status data and the following message appeared.
"Faild to upload Adimn configuration: There is error in loading configuration: Error in loading RMO config from DB:The given index XXXXXXXXX.bak does not match table index definition"
Other features include all normal, so I can get information by using the CLI.In addition, this configuration is redundant in the Primary / Secondary, this event occurs only on the Primary.
Other:-XXXXXXXXX.bak is a backup that you created in the checkpoint, and it does not already exist.
-When I'm logged on to the GUI, the above message is displayed in the status bar always.
-It was not recovered by ACE restart it.
-When I try to create the same configuration in a different environment, it did not reproduce.
Report run via Individual Web server URL’sThe report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.Report run via ACE Load Balanced URLThe report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.The data in general when tested directly by running queries against the database (bypassing the platform) completes in 15-18 minutesThe network connectivity for each and every ports involved (Loadbalancer/Servers) have been throulgly checked.
I face an issue while creating source nat on cisco ACE. There is already a default source nat ip for the context. I created a new one for smtp traffic alone. Iam facing issues in prefixing the newly created nat-pool rule(nat-pool 100) above the default one (nat-pool 2257) on the external gateway interface as its not placing that on top ,due to which only the default snat ip is getting shown on all servers.
I Just deployed some of these new modules and running A4.x code. How to configure an ACE with the maximum context?
We run in tranparrent mode with 110 Contexts, we found that with a base config for each context(80 lines of code) this would only leave us with 7% of available RAM. The Device begins to shut down services @ 5%. like SSH and others.
So, Is this even possible to configure 250 contexts and still manage the device.
I need to upgrade 2 active-standby cisco ACE4710, the issue is I cannot access FTP/TFTP/SFTP server via Admin context but can be accessible via other contexts.
Can I copy the ACE system software file from FTP/SFTP/TFTP server to image: directory durectly or need some other way around ? I could see the option is available to copy ftp: to image: via other context.
I am desiging a topology with two Cat 6509 and Two ACE Module, one ACE per Catalyst. I am thinking to use bridge mode for the customer contexts, I would like to know if the Bridged mode is an Assymetric topology.
The server gateway is the ip address of the ACE or the Router?
i'm looking for a recommendation for a setup guide including ft i've had a quick look a wiki and i can get basics but i'm not sure about if i need to setup additional contexts etc when i'm the only one using the appliance?
I have an issue with a customer that wants to update a server behind the ACE. The problem is that when the application wants to update the server it does it with the name.Doing some research I found that you can rewrite the record DNS based on the static NAT you set up on the ACE. The feature is called DNS inspection. Is the same feature as the ASA (DNS doctoring).I apply it to the outside interface and it did not work.
With the current (A5) ACE 4710 lic setup, does the "X gigabit per second appliance throughput" that is licensed affect: -
A) Only "appliance" i.e. load balancing traffic, any other normal routed traffic is not included in the limit
B) Is it an overall throughput limit on the interfaces i.e. includes all traffic not only load balancing traffic but also normal routed traffic crossing the appliance
Looking at a scenario where the lic size I need for HTTP load balanacing would be one size if A) but would need to be much larger is B) to accomodate out of hours routed backup traffic crossing the ACE 4710
I've got a web app that the owners want to run over port 80, but also using SSL to secure private data in transit. The architecture is an ACE 4710 in SSL termination mode->Apache (port 2000)->Back-End app server.
I've got two VIPs set up already - one on port 443 and one on 2000 - both of which do the SSL termination quite nicely, but using the 3rd VIP set up on port 80, the connection steadfastly refuses to be HTTPS (i.e. doesn't show the padlock).
I've done all the set-up through the web interface so far, can this be done? If so, how?
I am currently running A3(2.6) and evaluate the possibility of upgrading to A4(2.1). The Instal & Upgrade Guide A4(2.0) mentions that A4(2.0) does not include all features of A4(1.1). Does this apply to A4(2.1)? The Release Notes mentions a list of features merged from A4(1.1) to A4(2.1) but does not clarify if there any features not merged.