Cisco Application :: ACE 4710 SIP - Server Initiated Traffic?
Aug 7, 2012
I have a Cisco ACE 4710 A5(1.2). Scenario: Inbound call from PSTN to SIP Phone. Call comes into the VIP and then load balances to sip server, the server then routes the call out via WAN to the SIP phone as below:
PSTN SIP Providor >(router)> ACE4710 > sip_server(s) > ACE4710 > (router) >SIP Phone
Note: Router is Cisco 3925 with "ip nat service sip udp port 5060" and Port 5060 mapped to the VIP of the ACE.If I put the sip server directly behind the router it works fine. From behind the ACE:
If I turn on sip inspect on the VIP the call setup (INVITE) and termination (BYE) work fine but the audio loops on the PSTN side from the mic to the speaker.If I turn OFF sip inspect then the audio is fine and mapped correctly but the call terminaton (SIP BYE) hits the VIP from the PSTN but never reaches the sip server.For ease and dianostics, I have turned off all sip servers except one meaning the load-balancer has only one server to choose from.SIP Call_id sticky is setup and seems to work, though irrelevent with one server only on test.How do I get the ACE to accept 'server initiated traffic' with sip inspect so it knows about the pending BYE when it comes back from the IP phone via the VIP?Config below, image attached. Bridged mode (also get the same result in routed mode)
access-list everyone line 8 extended permit ip any anyaccess-list everyone line 16 extended permit icmp any any
probe sip udp 1 description SIP Health Monitor interval 30 expect status 200 200
rserver host server1 description Production SIP Server ip address 10.44.56.172 conn-limit max 980 min 980 probe 1 inservice
serverfarm host sip failaction purge probe 1 rserver server1 inservice
[code].....
View 7 Replies
ADVERTISEMENT
Apr 25, 2011
I have setup an ASA 5505 w/ Security Plus with three subnets. The subnets are as follows:
VLANSubnetWAN 10.0.0.80/29LAN192.168.1.0/24DMZ172.30.200.0/24 ]
The ASA is the gateway router at .1 for the LAN and DMZ networks. On the WAN network, the ASA occupies .85 and uses .86 as it's gateway to the Internet. Clients on the LAN are able to access the Internet without any troubles. I have a static NAT setup to map the DMZ server's 172.30.200.81 address to 10.0.0.81. I also have a general NAT that should allow other servers on that network to access the internet, but no machine at all on that network can route outside of 172.30.200.0/24. I used the packet tracer and had it trace traffic coming from the DMZ network to the Internet, and it did not show me any conflicts with any of the access lists or anything else. However, no matter what I do, I cannot initiate traffic from the DMZ and have it go out to the Internet successfully.I attempted to follow the directions in the article PIX/ASA 7.x and above: Mail (SMTP) Server Access on the DMZ Configuration Example; but I have obviously missed something, done something wrong, or perhaps the example assumes something about my configuration that I have not done. See the attached config file that I have scrubbed. I have removed VPN configuration information and other unnecessary parts of the config file to make it easier to read. I have setup an ASA 5505 w/ Security Plus with three subnets. The subnets are as follows: VLANSubnetWAN 10.0.0.80/29LAN192.168.1.0/24DMZ172.30.200.0/24 ]
View 4 Replies
View Related
Jul 23, 2012
I put multiple rservers in multiple server farms?
So for example rserver1 and rserver2 are put in serverfarm production1 and are in use with particular sticky and load balancing settings.
Can I then create serverfarm test_production and put both rserver1 and rserver2 in it? Then play around with the sticky and load balancing settings as a test without affecting the production serverfarm.
View 1 Replies
View Related
Jul 12, 2011
Can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time.
View 2 Replies
View Related
Jul 30, 2012
I have a requirement to bypass some specific traffic (with particular source to specific internet destination) in ACE 4710.
All the webtraffic (http and https) is configured to loadbalance to my proxies , i need to configure some specific traffic with source and destiantion to internet to byepass from this loadbalancing and directly got to outside interface .
View 1 Replies
View Related
Jan 1, 2013
I'm looking for a way to configure Cisco ACE4710 loadbalancer to bypass traffic that is initiated from server side to Internet?Are there any way to configure this, so that the loadbalancer will not maintain session for this bypass traffic to maximize throughput?
View 1 Replies
View Related
Jun 2, 2011
If we use an ACE4710 to load balance two real servers, obviously it will use health checks to determine if a server is down.When it detects a server is down, it will not send it any more traffic.But can we also have it take any other action? For example maybe email an admin, or send an SNMP trap? Or better yet, can we use a custom TCL script to do other things, like launch some custom activities?
View 2 Replies
View Related
Oct 3, 2012
configure Cisco Ace 4710 ?Note :- Just a testing face I need to access my one server(192.168.1.11 : 80) through VIP :- 10.13.77.10 , I have only one Cisco Router 2800 and One L2 Cisco Switch 2960 and Cisco Ace 4710 . So I already configured 2 Different VLANS in Switch (Vlan 10 & Vlan 100) and by router I given the ip address of that Vlans with Inter Routing Vlan. My Connectivity is like this :-- Router Ethernet 0/0 --- 10.13.77.1/24 with vlan 10) & Router Ethernet 0/1 ---- 192.168.1.1/24 with vlan 100 ) connected with switch after that I configured ACE LB and connect the ACE interface with switch Like that ---- Connect to ACE Interface 2/3 vlan10 with switch vlan10(Ethernet port 2-12) and Connect to ACE Interface 3/3 vlan100 with switch vlan100(Ethernet port 13-24) .Testing to access server from Switch Vlan10 to Vlan 100 where my server is there.
Configuration :---
ACE> client side Vlan10 (10.13.77.4/24) , VIP :- 10.13.77.10, SM-- 255.255.255.255
ACE> server side Vlan100 (192.168.1.5/24), Web server -- 192.168.1.11 with 80 port
ACE> Managment Vlan 1000 (172.16.6.5/24) ,
ip route 0.0.0.0 0.0.0.0 10.13.77.1
I already Configured in Routed mode but From Vlan10 ip subnet example like 10.13.77.12(Client or User PC) tried to access server 192.168.1.11 with VIP http://10.13.77.10 but not responding , if i access server with real IP then accessible (why boz there is inter vlan routing)?
View 22 Replies
View Related
Oct 30, 2012
Access Server through VIP (ACE 4710) but very slow
Accessing the server very slow.., check my real configuration... this configuration is for application server and after this i have to configure more serverfarm for different server like webmail etc. in this ACE 4710. I have only one ACE 4710 .
ACE Version A4(2.0) = is there supports Probe with this version? without probe server will work but very slow.
VIP :-- 172.16.15.8
LB/Admin# sh run
Generating configuration....
[Code].....
View 2 Replies
View Related
Feb 2, 2012
Is there a way to rename a server farm, health probe, real server or virtual service without having to completely rebuild it? I'm running 3.0(A3).
View 2 Replies
View Related
Jul 7, 2012
We have two Cisco ACE 4710 and we want to install both of the devices in HA with load balancing mode.While i have done HA mode configuration between ACE 4710.But unable to configure load balancing configuration between them.i want to tell you connectivity between server,client & loadbalancer.Our Web servers are connected to VLAN 152 on the L3 (3750) switch.Which are alreday working in redundancy between other L3.And ACE 4710 it is also connected to vlan 150 which are connected to same L3 (3750) switches and users are also connected to vlan 6 on the same L3 itself.
View 2 Replies
View Related
May 24, 2012
Had setup my ACE ,to send traps to SNMP server .but dont see any logs on the SNMP server from ACE.
SNMP configuration on ACE
logging enable
logging buffered 6
logging host 10.12.40.12 udp/514
[code].....
View 1 Replies
View Related
Jun 25, 2012
I recently installed a Cisco ACE 4710 version A4(2.0) into our test network. Load balancing across a number of web servers appears to be working ok and serving pages to users. However, when i tried to check the real time stats via device manager (Monitor> virtual contexts> context > Real servers) a number of fields specifically "current connections", "total conns", "failed conns" etc were showing N/A. Do I need to enable this somehow i.e. polling, if so how?
View 5 Replies
View Related
Nov 2, 2011
We are using a sticky serverfarm with 2 real servers, one server was down for maintenance for an extended period of time. When it came inservice again it was not getting any connections. is it because all the connections had stuck to the other server ? we want sessions to be sticky but we also want to LB?I got it working by bouncing the server that had been online all the time. things started to LB then.BTW the ACE 4710 is running 4.2.1
View 1 Replies
View Related
Jan 26, 2013
I ma having issues trying to import a .PEM file into an ACE 4710. The original file was a PCKS12 file that was converted to a set of .PEM files as I have no access to any server to do a file transfer. This has worked in the past. the error I get is "Error: File not of recognized types - PEM, DER or PKCS12, import failed". I am not sure what is exactly failing. The cert was converted to a .PEM and the ACE imported that fine.
View 4 Replies
View Related
Nov 16, 2011
My customer has SSL certificate already installed on microsoft exchnage 2010 servers and now wanted to import that certificate to cisco ACE4710.
How to trace the exact procedure to import the SSL Cert to ACE from microsoft exchange server and how about the KEY, from where I should get the KEY to cross verify for SSL Cert?
View 2 Replies
View Related
Mar 27, 2013
my ACE 4710-K9
I cannot reach a web page when accessing my VIP on ACE, here is i paste my configuration
VIP at 10.49.30.223
RS1 at 10.49.30.221
RS2 at 10.49.30.221
[Code].....
View 8 Replies
View Related
Apr 6, 2013
Currently running an ACE 4710, which is handling all of our inbound SSL connections and then forwarding requests thru to backend web servers. This all works fine.
My question is this..Right now we are not load balancing any of the backen web servers. But I now have a requirement that should a web server crash or become unavailable I need to redirect that backend connection to another web server.
Scenario is more like I have 2 web servers both serving same content, but I want one server to take all the connections unless it fails, at that point have all the connections forwarded to 2nd server.Is there a way to setup the load balancing where the 1st server gets all the connections until a failure happens ?
View 1 Replies
View Related
Apr 27, 2013
I have configured the IPsec vpn between Cisco 877 and ISA server which is working fine and ok. But the issue is I have multiple subnet on the TMG "Treat Managmenet Gateway" side and only one subnet on the Cisco 877 side. I can only sending some subnet's traffics from Cisco 877 through the vpn tunnel to the other side which is TMG server and I have recieved teh timeout request for the rest of teh subnets.
However, if I initiated the ping from inside the ISA with different sources , I can reached the Cisco 877 and from then I can be able to send traffic.
So, the tunnel is up and active but it should be initated from ISA server to have a full connectivity.
Here is the IP sec configuration on Cisco side:
crypto isakmp policy 1
encr 3des
authentication pre-share
[Code].....
View 1 Replies
View Related
Oct 14, 2012
I've done a lot of ACE work over the years but this is the first time this has ever come up.
I have a request from an application group where I have 3 rserver in the server farm but they want all traffic to only go to the first server unless that server fails. If the first server fails, only then do they want traffic to go to the 2nd server instead and if that fails, then traffic goes to the 3rd.
I've read through the documentation but haven't figured out a way to do this. What to do this type of failover configuration?
View 4 Replies
View Related
Oct 26, 2011
I´m Trying to synchronize the clock with NTP server external, these ntp server only support NTP version 3.Can I change the NTP version in the ACE4710 Appliance to support the ntp server external?If is possible, How I can change it ?
This is the version:
Cisco Application Control Software (ACSW)
TAC support: [URL]
Copyright (c) 1985-2011 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
[code]....
View 1 Replies
View Related
Aug 31, 2011
I have been tasked to provide SSL(HTTPS) access to a server farm that will be accessible from the internet. Is this the correct guide to follow?
[URL]
I am assuming I will need to purchase a certificate to import into the load-balance r as well.
View 1 Replies
View Related
Feb 27, 2012
ACE 4710 software A3(2.7) [code] Why is the fail-on-all option missing from the serverfarm that is of type redirect? This option is something that I would actually need in a certain situation.
View 1 Replies
View Related
Oct 15, 2011
I want to use one arm infrastructure of ACE4710. But I remember it was problem for back end server can not get logging for which client/ip address access the web server.
View 3 Replies
View Related
Feb 26, 2011
I want to configure my ACE so that if a probe fails, it fails over to the backup rserver, BUT it won't failback to the primary rserver until manual intervention is complete. The problem is we don't want an rserver to fail and failover to secondary, then failback to primary, repeat... (flip-flopping). I want to be able to have time to get on the server and find out what may have caused the probes to fail before it fails back.
View 4 Replies
View Related
Jan 24, 2013
I have a web application behind a SSL-offloading CSS 11506 that may require the server to be able to use a SSL connection as soon as it is established. At least I'm troubleshooting a problem that is starting to look like this is a possibility.
The default behavior seems to be to not start the SYN/SYN-ACK sequence with the real server until the client starts talking first (such as send an http get request), even though the SSL termination part is done and ready.
Any way to change this behavior? The scenario is a webapp. Client side starts more than one SSL session to the server, but only uses one immediately. The client knows it has more than one connection and may have told the server so. Like a control plus data channel(s) arrangement. The client opens all the connections (full SSL handshake on all channels), starts using the control channel, and expects the server to start talking on the data channel. However, since the client hasn't sent anything down that TCP connection first... the server doesn't have it.
I don't think this would occur when the server is doing the SSL... as it should have all the TCP connections as soon as the SSL handshakes are done.
View 2 Replies
View Related
Sep 10, 2012
A company I work for has a number of CSM modules (WS-X6066-SLB-APC) installed in 6513 chasis switches. The CSM modules are running version 4.2(14)These CSM modules are configured to load-balance a number of vservers via serverfarms, each serverfarm containing multiple real servers.
Here is some example configuration:
vserver SITE
virtual 10.1.2.3 tcp www
serverfarm SERVERFARM
persistent rebalance
inservice
[code]....
The company is facing a problem with what seems to be related to return code checking. Every once in a while a server will suddenly not receive any traffic for 5 minutes. This always occurs right after the server has sent a HTTP 503 return code. However we cannot see in the CSM logs that the CSM module has actually disabled the real server. For other serverfarms which are running regular HTTP and/or ICMP health checks to real servers we can clearly see in the CSM logs when a real server has been temporarily disabled due to health check failures.
The return code checking is set to disable a real server for 300 seconds after the CSM has received five HTTP 503 responses from the real server. If we check the real server log however we cannot find more than that single 503 return code right before the server stops seeing any incoming traffic unless we move back at least hours in time.I have tried to figure out what time frame those 5 return codes must be received within for them to count towards the maximum allowed return codes, but nowhere in no documentation can I find any information about this time frame.For all I know the CSM could keep track of every incoming 503 forever, until the maximum of five 503's is reached, and then the server is disabled for 300 seconds.
View 4 Replies
View Related
Mar 27, 2013
Report run via Individual Web server URL’sThe report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.Report run via ACE Load Balanced URLThe report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.The data in general when tested directly by running queries against the database (bypassing the platform) completes in 15-18 minutesThe network connectivity for each and every ports involved (Loadbalancer/Servers) have been throulgly checked.
View 6 Replies
View Related
Feb 2, 2013
i'm looking for a recommendation for a setup guide including ft i've had a quick look a wiki and i can get basics but i'm not sure about if i need to setup additional contexts etc when i'm the only one using the appliance?
View 2 Replies
View Related
Aug 26, 2012
I have an issue with a customer that wants to update a server behind the ACE. The problem is that when the application wants to update the server it does it with the name.Doing some research I found that you can rewrite the record DNS based on the static NAT you set up on the ACE. The feature is called DNS inspection. Is the same feature as the ASA (DNS doctoring).I apply it to the outside interface and it did not work.
View 1 Replies
View Related
May 7, 2013
What are these ports used for? What can I do with them?
View 2 Replies
View Related
Feb 12, 2013
I am trying to configure sticky on an ACE 4710 and don't understand what the netmask part of the sticky ip-netmask netmask address {source | destination | both } name command.
Some examples use 255.255.255.255 and others use 255.255.255.0 but I don't know what the significance is or what it does?
I am going to configure for both source IP and destination IP (both).
View 2 Replies
View Related
Mar 19, 2012
With the current (A5) ACE 4710 lic setup, does the "X gigabit per second appliance throughput" that is licensed affect: -
A) Only "appliance" i.e. load balancing traffic, any other normal routed traffic is not included in the limit
or
B) Is it an overall throughput limit on the interfaces i.e. includes all traffic not only load balancing traffic but also normal routed traffic crossing the appliance
Looking at a scenario where the lic size I need for HTTP load balanacing would be one size if A) but would need to be much larger is B) to accomodate out of hours routed backup traffic crossing the ACE 4710
View 1 Replies
View Related
