I configured cisco ace 4710 with ssl-proxy and it is not working,url..When i put https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so i click in "Continue to this website (not recommended)" and the ace dont balance the output show error "Internet Explorer cannot display the webpage". [code]
View 2 RepliesWe have Cisco ACE 4710 in our network.system image file: (hd0,1)/c4710ace-mz.A3_2_0.bin Device Manager version 1.1 (0) 20080805:0415
We are not able to connect to the device through HTTPS (GUI) , it used to work before. When we try access the GUI, it asks for user name and password.After that it shows blank screen.
I have ACE 4710 in context mode. I am doing internet browsing (Port 80) redirection to two proxy servers (Transparent Proxy) as well as I am using this ACE box for multiple other servers load balancing.
I have multiple policies applied on my LAN interface (VLAN 300) where all the users and servers are connected.
Now I am facing problem with one application (PLATTS) which is oil company related application. This application is working fine while directly connected with Internet (extrenal internet connection) or by giving explicit proxy in the user browser.
But In transparent proxy This application is not working and my company policy only allow the transparent proxy not explicit proxy.
Now if on my interface vlan 300 i will remove the service-policy input PM_MAIN_BCPROXY my application will start working but i cant redirect the port 80 traffic to my proxy servers which is also my requirement.
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
[Code]....
This application use multiple destinations for connectivity and I have even tried by passing the destination IP addresses by making bypass policy but still no luck.
I want this application to work as well as redirection of port 80. I even try re-ordering the policy sequence but no luck. this application to work as well as redirectino of port 80 for Internet.
I have a requirement to load balance OWA 2010 inbound connectivity to 2 CAS servers using a ACE 4710 with sticky sessions enabled.
The CAS servers are currently responding on 80 or 443 at this moment in time. Eventually I want to off load the SSL to the ACE 4710, its currently running on the CAS servers. I need to enable sticky sessions to keep the session to the same CAS server for each internet based connection. I also have a proxy enabled for inbound connectivity so I cannot use source IP.
Here is my configuration but it doesn’t seem to be working, i am currently testing with port 80 connections not SSL.
serverfarm host INHOUSE-EXCHANGE-OWA-vFARM
predictor response app-req-to-resp samples 4
probe 443
probe HTTP-PROBE
rserver INHOUSE-TEST-CAS01-SVR
inservice(code)
Im having a (from google-fu) seemingly unique issue with load balancing. So for background, I am running the ACE 4710 device in "on a stick" mode, so I am using NAT and all that good stuff. I am also utilizing class maps and host header matching so I can save on IP space. [code]
Basically, as soon as I add that ACL_CLASS_beta.mainsite.com class map, all I get back from the ACE is RST packets and it comes back with an L7 LB Policy Miss.
It SEEMS like it should work, but it doesnt seem to like matching on those source addresses at all.
I have a WRT160N that I used just once after purchase (my ISP gave me a wireless router). I could not remember the PW, so I reset. (The computer saw the old router name but I had no PW)When I run the software (CD that came with the product says 150N), it get to "configuring computer" and stops there.I tried downloading the software, but when I try to run it says "Application requested runtime to terminate in an usual way."When I go to the 192. URl and try to login using a bank user name and 'admin," it jsut keep bringing up the password box.
View 2 Replies View RelatedReport run via Individual Web server URL’sThe report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.Report run via ACE Load Balanced URLThe report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.The data in general when tested directly by running queries against the database (bypassing the platform) completes in 15-18 minutesThe network connectivity for each and every ports involved (Loadbalancer/Servers) have been throulgly checked.
View 6 Replies View Relatedi'm looking for a recommendation for a setup guide including ft i've had a quick look a wiki and i can get basics but i'm not sure about if i need to setup additional contexts etc when i'm the only one using the appliance?
View 2 Replies View RelatedI have an issue with a customer that wants to update a server behind the ACE. The problem is that when the application wants to update the server it does it with the name.Doing some research I found that you can rewrite the record DNS based on the static NAT you set up on the ACE. The feature is called DNS inspection. Is the same feature as the ASA (DNS doctoring).I apply it to the outside interface and it did not work.
View 1 Replies View RelatedWhat are these ports used for? What can I do with them?
View 2 Replies View RelatedI am trying to configure sticky on an ACE 4710 and don't understand what the netmask part of the sticky ip-netmask netmask address {source | destination | both } name command.
Some examples use 255.255.255.255 and others use 255.255.255.0 but I don't know what the significance is or what it does?
I am going to configure for both source IP and destination IP (both).
With the current (A5) ACE 4710 lic setup, does the "X gigabit per second appliance throughput" that is licensed affect: -
A) Only "appliance" i.e. load balancing traffic, any other normal routed traffic is not included in the limit
or
B) Is it an overall throughput limit on the interfaces i.e. includes all traffic not only load balancing traffic but also normal routed traffic crossing the appliance
Looking at a scenario where the lic size I need for HTTP load balanacing would be one size if A) but would need to be much larger is B) to accomodate out of hours routed backup traffic crossing the ACE 4710
I've just run the ACE 4710 and it seems that is booting up well but it stops when 'Setting up dynamic memory size' message appears.
INIT: version 2.85 booting
b4 lspci
1 Cavium device(s) found.
[Code]....
I've got a web app that the owners want to run over port 80, but also using SSL to secure private data in transit. The architecture is an ACE 4710 in SSL termination mode->Apache (port 2000)->Back-End app server.
I've got two VIPs set up already - one on port 443 and one on 2000 - both of which do the SSL termination quite nicely, but using the 3rd VIP set up on port 80, the connection steadfastly refuses to be HTTPS (i.e. doesn't show the padlock).
I've done all the set-up through the web interface so far, can this be done? If so, how?
I am currently running A3(2.6) and evaluate the possibility of upgrading to A4(2.1). The Instal & Upgrade Guide A4(2.0) mentions that A4(2.0) does not include all features of A4(1.1). Does this apply to A4(2.1)? The Release Notes mentions a list of features merged from A4(1.1) to A4(2.1) but does not clarify if there any features not merged.
[URL]
we configued An ACE 4710 with SSL termination on Oracle Aplication Server 10g (10.1.2.0.2) ,so that SSL termination is done on the ACE and HTTP reaches the Oracle Aplication Server 10g (10.1.2.0.2) then we configure the ACE to enabled client authentication with Pkcs#11 smart card token certificate and this don succfully my problem need do this client certificate authentication for only the [URL] not for all SSL proxy service how can do that.
View 3 Replies View RelatedI'm receiving a lot of these messages in a ACE4710 cluster. 192.168.100.1:80 is the VIP, 193.126.127.28:56380 is the client. Already tried to set the mss with this:
parameter-map type connection my map set tcp mss min 0 max 1380
policy-map multi-match L4_policymap
class vip_PRDWEB_http
loadbalance vip inservice
[code].....
But it doesn't work.
We have recently transitioned one of our Ecommerce products to a new data center, at which we now use a one-armed load balancing approach rather then the routed load balancing approach we used previously. This is casuing us some issues as we generally log the source IP address a user comes in on when he fills out an application. Now the logs only show the natted ip address recieved by the load balancer, which does us no good. Any way to log the source IP address when a new connection is created to a particular vip?
View 3 Replies View RelatedIf we use an ACE4710 to load balance two real servers, obviously it will use health checks to determine if a server is down.When it detects a server is down, it will not send it any more traffic.But can we also have it take any other action? For example maybe email an admin, or send an SNMP trap? Or better yet, can we use a custom TCL script to do other things, like launch some custom activities?
View 2 Replies View RelatedI am new to the 4710 appliance.Apart from the 4 GE 'data' ports, there are 2 Ethernet 'management' ("console") ports. I find the description in the "quick start guide"somewhat confusing. URL, Is a first-time serial connection (at least to run the initial config. script) mandatory? Or can you obtain the same result via one of the 2 Ethernet management ports and using a default ip address (192.168.1.10 ? When running the initial config. script (only possible from the serially connected console i suppose), you have to select your management port. Why does the system in step 5 proposes you 4 ports, and not just 2? I suppose the intended port for management is one of the 2 management ports, not one of the 4 data ports?
View 1 Replies View RelatedI have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). esterday I upgraded one of them to A4(2.3) now I cannot telnet to the Admin context.Pings ok. I can telnet to other contexts on the box and everything seems to be working ok when i do a " sh telnet" comes back with
No Session Information is available
sh telnet maxsessions
telnet maxsessions 16
ACE# sh script code NORDICID_PROBE.Error: Called API is invalid or non-existant.Hardware is ACE-4710-K9 and software A3(2.7)The probe itself is functioning ok according to show probe detail.However show script script_name probe_name -counters all remain at zero for some reason. This wasn't the case on the previously use ACE software.To my recollection the command show script code has worked successfully before on the same ACE software. Not 100% sure though, but it definitely worked on the previous software we ran on the ACE.
View 2 Replies View Relatedthe ACE 4710 is running 3.2.5 and I need to put it in another environment.Is there a way to reset its settings?
View 3 Replies View RelatedAny document that details the steps to change the FT ip addresses of a pair of Cisco 4710 whilst they are running in a production environment without causing an outage?
Would the steps be:
On the secondary unit:
hbs-syd04-lb01ft interface vlan 417 ip address 172.30.254.221 255.255.255.252 peer ip address 172.30.254.222 255.255.255.252
Then on the primary unit:
hbs-syd04-lb01ft interface vlan 417 ip address 172.30.254.221 255.255.255.252 peer ip address 172.30.254.222 255.255.255.252
Or Vice Versa?
Is this normal to have millions of current connections within an ace 4710? There is only 3 current connections but shows a high number?
View 3 Replies View RelatedI have a pair of ACE 4710's running software version A3(2.0). I intend to upgrade to version A5(1.2). Can I go straight to version 5 or do I need to go to version 4 and then version 5?
View 1 Replies View RelatedWe have two pairs of ACE 4710s, one pair running A3(2.4) and the other pair A3(2.0). We plan to upgarde the second pair so that they are running the same image as the first pair (we know they are not the latest, but this is the first step in a larger rollout plan, and to aid some troublshooting for a major issue we are seeing.)
I have details of the upgrade steps, but my question is with regards to the licenses which are now enforced after (2.0). We currently have the following on the first pair, but are these part of the default licenses for (2.4) or would we need to purchase these as well?
ACE-AP-500M-LIC
ACE-AP-C-100-LIC
ACE-AP-OPT-50-K9
ACE-AP-SSL-05k-K9
Am trying to verify performance figures for a CSS 11503 EOL replacement using ACE 4710
Trying to comapre apples with apples (is a CSS SSL TPS the same as a ACE 4710 TPS etc...)
Pulling figures from data sheets, release notes etc I have only come up with the following
Is there any further figures available for the ACE 4710 to fill in the blanks in table?
Am sure that ACE 4710 smokes the CSS but have to do the due diligence
<TR style="HEIGHT: 30pt" mcestyle="height: 30pt;">
<TD style="WIDTH: 170pt; HEIGHT: 30pt" height=40 width=226 mcestyle="width: 170pt; height: 30pt;"> Metric</TD>
[Code].....
What exactly happens when the SSL connection rate is exceeded. Is the connection dropped, queued or what ?
Defined as the SSL TPS. In our case 1000 but upgradeable to 5000
I need to use the Ace 4710 to distribute a Proxy PAC file, e.g. [URL] which will be configured in client browser using an AD group policy. Is it possible for the ACE to host and serve a file in this way?
View 3 Replies View RelatedCan the Nat Pool be on a different network that the load balanced vip? My current design uses nat pool on the same network, but the archatect wants the NATs on seperate VLAN.I will be developing on ACE MOD20, but the final configuration will be on 4710.
View 3 Replies View RelatedI configured ACE 4710 for HTTP traffic. All applications are running through real server. But when I run the same applications from virtual IP i.e through ACE. some applications are not running. Particularly applications having XML.
Is it ACE issue or Application issue. If it is ACE issue then how to troubleshot.
i have ACE 4710 appliance that terminate SSL and the connection to the servers is http.
The ACE (one Armed) is load balancing between two web servers and i am using stickness in order to take the connection on the same server based on cookie.I can access the website either by http or https., where on the web page there is a login credential to access using username and password.
When i access the website using https everything works fine and i can login to my account in https mode.When i access the website through http and login to my account the URL is redirected to https...normal because i am using action-list to rewrite the http into https. But when i exit the browser and access the website again using http it is not redirected to https(although i see that i am still login into my account i can see all the inforamtion in my account).
The customer wants the connection to be https even when i exit the browser and access the website again (within short time before the cookie exipres)