Cisco Application :: ACE 4710 Farm Selection Based On Source IP?
Jul 5, 2011
I have a requirement to select a farm based on source IP address. I tried creating a match all class-map that matches on the virtual-address and source address but I get this message.
LB01/Admin(config-cmap)# match source-address x.x.x.75 255.255.255.255
Error: Only one match virtual-address is allowed in a match-all class-map and it cannot mix with any other match type
To me this is the only place where it makes sense to set the source match criteria.
Feb 2, 2012
Is there a way to rename a server farm, health probe, real server or virtual service without having to completely rebuild it? I'm running 3.0(A3).
Aug 31, 2011
I have been tasked to provide SSL(HTTPS) access to a server farm that will be accessible from the internet. Is this the correct guide to follow?
[URL]
I am assuming I will need to purchase a certificate to import into the load-balancer as well.
Feb 27, 2012
ACE 4710 software A3(2.7) [code] Why is the fail-on-all option missing from the serverfarm that is of type redirect? This option is something that I would actually need in a certain situation.
Jun 12, 2011
I have a Cisco ACE with a server farm "intranet" with real servers rsrv1 and rsrv2 (round robin) and I have two sites A (IP Address A) and B (IP Address B) in the WAN. I want Site A to connect to the ACE 4710 via the VIP, but this connection will be to srv1, and Site B to connect to the ACE 4710 via the VIP, but this connection will be to srv2.
Mar 21, 2013
I've configured the ACE4710 to bring the logging to a syslog server! Here's the configuration
[...]
logging enable
logging fastpath
[Code]....
I saw to log with connection on the syslog server, but it would be interesting to know the "source ip address", and my question is: might it be possible to configure for the logging a kind of "transparent pass through"?
Jul 22, 2012
I have an ACE 4710. I am trying to configure a policy in which, when a specific client tries to access a specific destination, the ACE should not send the traffic to load balancing. It should send it directly to the next hop.
I configured the below but wasn't able to achieve my objective.
access-list source_IP line 8 extended permit ip host 192.168.146.123 host 198.xx.xx.2
class-map match-all CM_BYPASS_SOURCE
  2 match access-list source_IP
policy-map type loadbalance http first-match PM_L7_BYPASS_SOURCE
  class class-default
    forward
But I am not able to reach the destination. My source traffic is still being diverted to the load balancing server. I don't want it to be redirected to the LB server.
Jul 30, 2012
I have a requirement to bypass some specific traffic (with particular source to specific internet destination) in ACE 4710.
All the web traffic (HTTP and HTTPS) is configured to load balance to my proxies. I need to configure some specific traffic, with source and destination to the internet, to bypass this load balancing and go directly to the outside interface.
Oct 29, 2012
I don't know why the customer needs this feature; he wants stickiness based on source IP and source port. Does the CSS 11500 support stickiness based on source IP and source port? Or is there any other method to support stickiness based on source IP and source port?
Sep 6, 2012
I'm having a (from google-fu) seemingly unique issue with load balancing. So for background, I am running the ACE 4710 device in "on a stick" mode, so I am using NAT and all that good stuff. I am also utilizing class maps and host header matching so I can save on IP space. [code]
Basically, as soon as I add that ACL_CLASS_beta.mainsite.com class map, all I get back from the ACE is RST packets and it comes back with an L7 LB Policy Miss.
It SEEMS like it should work, but it doesn't seem to like matching on those source addresses at all.
Apr 3, 2012
I have 2 basic questions I am having doubts about it and would love to have some clarifications:
1) I configure in one ACE4710 (running 4.2.2) context a bridged interface and in another context the same interface, like here below: [code] Then I move to the Juniper context and I try to create an interface (either L-2 or L-3) but it doesn’t work: [code] So if I configure an interface as bridged in one context, I cannot configure it in another context?
2) If I want to migrate in context Microsoft from one-armed to inline (L-2 bridged), can I migrate one service at a time (i.e. the config I showed above for context Microsoft, would it work also for one-armed based)?
Jul 23, 2012
We have an ACE 4710. It is configured with IP based stickiness and working fine for a web application server (BMC Remedy). We tried configuring cookie based stickiness for the same server. The server application has JSESSIONID. But after configuring cookie based stickiness, there is an issue: the first page comes up for entering login credentials, and after entering them the page is blank or not responding. What is the pre-requirement for configuring cookie based stickiness in ACE for the BMC Remedy web application, and which type of cookie based stickiness is suitable or possible?
Nov 15, 2011
I am trying to configure the ACE 4710 to load balance based on the URL. If it matches the specific URL ( /456/ ), the traffic will be sent to server farm 456, else the traffic will be sent to server farm 123.
I attached an image of the topology.
Ace Config:
rserver host SRV01_123
ip address 192.168.1.101
inservice
[Code].....
Aug 19, 2012
I have an RDP server farm that lost a disk. The RDP service was still running but users were unable to log in. I'd like to create a health probe that does maybe a combination of TCP probe for port 3389 and something that can determine if the drive that stores user profiles is available.
I cannot add any new service (HTTP or FTP) to the server. Is there any way I can check SNMP MIBs on the Windows server or maybe WMI through TCL?
Jun 19, 2012
I am wondering if there is a method to redirect particular URLs to individual real servers in a server farm. Scenario: We have a URL which is set up on our ACE4710s (A3 2.4) to load balance to a particular server farm as per standard setup, i.e. customers access [URL] on an external VIP, and this is then load balanced to a server farm "SF_WEBSITE" consisting of 2 real servers "Server_A" and "Server_B". Nothing difficult in this setup. However, I have been asked if it is possible to redirect certain URLs to individual servers within the server farm "SF_WEBSITE", e.g.:
Action 1 - Customers access [URL] is redirected to "Server_A" only
Action 2 - Customers access [URL] is redirected to "Server_B" only
Default Action - Customer access [URL] anything else is redirected to server farm "SF_WEBSITE" and is load balanced between "Server_A" and "Server_B"
The Standard Class Maps and Policy would be something like:
policy-map type loadbalance first-match SLB_WEBSITE
class class-default
serverfarm SF_WEBSITE
Where I thought I would need something like:
class-map type http loadbalance match-all CMAP_AREA1
description CMAP used to capture specific URL for area 1
2 match http url /area1
class-map type http loadbalance match-all CMAP_AREA2
description CMAP used to capture specific URL for area 2
2 match http url /area2
[code]...
I think the above method is OK for 1 instance, but if it tests successfully, my company would want to roll this out across dozens of server farm configurations, each consisting of numerous real servers, which will make the administration and implementation time overheads massive, not to mention complicating and lengthening the configuration.
Jan 9, 2013
I am using Cisco 7609 IOS15.0(1)S1 and Cisco 3600 IOS 15.1(2)EY. I am trying to provision VPNs over MPLS network. All I found in the documentation is how I attach a whole interface to a VRF. However, I need to be able to attach a VLAN (or any other matching criteria, for that matter) to a VRF. In other words, I want to be able to attach port 1/1 vlan 100 to VRF-A and port 1/1 vlan 200 to VRF-B.
Jul 25, 2011
A customer has an ASA5520 and 2 ISP routers with one WAN link each, and wants to split the load over both routers based on source IP ("natted" IP on ASA). I found this excellent doc on the topic: {URL}. Using PBR to achieve this is an option I was looking at, but I have come across a possible loop doing this with 2 routers. Setup:
           -----------CE-1---------ISP-1
           |           |
           |           |
ASA5520----      HSRP  |
           |           |
           |           |
           -----------CE-2---------ISP-2
Both Routers receive default routes via BGP, and customer networks are propagated via BGP as well (i.e. the customer can specify the return path for the traffic). The ASA5520 forwards traffic to a HSRP virtual IP for redundancy purposes. If one router or ISP fails, all the traffic should use the other router/ISP. The customer wants to specify which traffic is sent over which link, by defining nat rules on the ASA. e.g. traffic sourced from the network 10.10.1.0/24 will always use ISP 1, and traffic sourced from the network 10.10.2.0/24 will always use ISP 2.
My problem: if I use route-maps on both routers (CE-1 and CE-2), sending part of the traffic to the other, and one ISP link fails, in my opinion I have a loop, since part of the traffic will get sent back to the router it came from. Is there any other way to achieve my goal without using PBR? I have looked at CEF and GLBP, but I cannot seem to find a way to load share via source IP.
Dec 20, 2012
I have a customer with a SonicWall that I want to replace with a 521. He currently has port forwarding set up so that only 3 IP addresses can access the port forward. Everyone else is dropped. Is there a way to do something similar? I can make it work for a single one via the DMZ tab with a source IP address, but there is not a way I can find to add the allow for the other two remote connections.
Jun 6, 2011
I am looking for a config, as per the attached diagram, if the traffic comes from FE01 it should go via FE03 for the internet and when the traffic comes from FE02 it should go via FE04 for the internet.
Jan 21, 2013
2 ISPs connected to a 4507, both with separate public IP blocks. Based on some source IP addresses on the LAN they would either use ISP-A or ISP-B's connection based on what I define.
Mar 27, 2013
Report run via Individual Web server URL’s
The report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.
Report run via ACE Load Balanced URL
The report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.
The data in general, when tested directly by running queries against the database (bypassing the platform), completes in 15-18 minutes.
The network connectivity for each and every port involved (Loadbalancer/Servers) has been thoroughly checked.
Oct 20, 2012
Is it possible to restrict the Remote Access VPN to ASA based on the source public IP, and if so, how? Here I am not talking about the VPN-Filter under group-policy. I want to restrict the access from a specified source IP (public IP).
Dec 27, 2011
I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.
Apr 2, 2011
Hardware version: A1
Firmware version: 1.01
Basically, I cannot connect to any game servers when I am connected through this router. I used my Android to tether into 3G internet and was able to connect without any issues so it's not OS-side at all. I've tried many settings arbitrarily one at a time, checking each time to no avail. Is there a particular setting that is screwing with this game? I've got the ports (27000-27100 TCP/UDP) forwarded and I've used a Port Checker tool to verify that they are open. Obviously it's something in the router that is blocking the connection..but what else is there to try?
Should I finally flash the 1.13NA firmware?
Jun 13, 2011
I am not able to find information on how to configure balancing in the CSS11500 depending on the source IP. I want to do the following:
Site A : 192.168.1.0/24
Site B : 192.168.2.0/24
Both sites access the same VIP: http://vip_balnace_IP but depending on the source they should be balanced to different servers.
Site A -> VIP_balance -> server1
Site A -> VIP_balance -> server2
How to do that?
Jun 26, 2011
I'm not sure if my terminology is correct when using hairpinning, but I was wondering if there is any special config needed when you try to access a content rule VIP from a server that's configured as a member of a source group on the same CSS?
So say i have a content rule with a VIP 20.20.20.20 and i also have two servers 192.168.1.1 and 192.168.1.2 that are part of a source group with VIP of 20.20.20.21. My problem at the moment is if from the servers 192.168.1.x i try to ping the other VIP 20.20.20.20 that's configured on the same CSS then it doesn't work and ping fails. The same happens with HTTP traffic to the 20.20.20.20 VIP.
I would have thought that the NAT of the source group would happen before the routing, so the 192.168.1.x IPs would be natted to 20.20.20.21 and then passed over for routing, where the CSS would see that the VIP 20.20.20.20 is local and it would send it on its way.
I thought it might be ACL related but I increased the verbosity of ACL logging and couldn't see anything in the logs. The source group works fine on its own and from the CSS itself I can ping the 20.20.20.20 VIP fine. It just seems that from the source group members I can't ping the VIP.
Jan 28, 2012
ACE A2(3.4). Is it possible to set a rate-limit of connections per sec from any source IP? For example, if a client is trying to GET a web page 10 times per sec I will send a reset or drop that connection.
Feb 2, 2013
I'm looking for a recommendation for a setup guide including FT. I've had a quick look at a wiki and I can get the basics, but I'm not sure if I need to set up additional contexts etc. when I'm the only one using the appliance?
Aug 26, 2012
I have an issue with a customer that wants to update a server behind the ACE. The problem is that when the application wants to update the server it does it with the name. Doing some research I found that you can rewrite the DNS record based on the static NAT you set up on the ACE. The feature is called DNS inspection. It is the same feature as on the ASA (DNS doctoring). I applied it to the outside interface and it did not work.
May 7, 2013
What are these ports used for? What can I do with them?
Feb 12, 2013
I am trying to configure sticky on an ACE 4710 and don't understand the netmask part of the sticky ip-netmask netmask address {source | destination | both } name command.
Some examples use 255.255.255.255 and others use 255.255.255.0 but I don't know what the significance is or what it does?
I am going to configure for both source IP and destination IP (both).
Mar 19, 2012
With the current (A5) ACE 4710 lic setup, does the "X gigabit per second appliance throughput" that is licensed affect: -
A) Only "appliance" i.e. load balancing traffic, any other normal routed traffic is not included in the limit
or
B) Is it an overall throughput limit on the interfaces i.e. includes all traffic not only load balancing traffic but also normal routed traffic crossing the appliance
Looking at a scenario where the lic size I need for HTTP load balancing would be one size if A) but would need to be much larger if B) to accommodate out of hours routed backup traffic crossing the ACE 4710
Aug 27, 2012
I've just run the ACE 4710 and it seems that is booting up well but it stops when 'Setting up dynamic memory size' message appears.
INIT: version 2.85 booting
b4 lspci
1 Cavium device(s) found.
[Code]....