Cisco Application :: ACE10 Version A2(3.6a) - Activate XML API Management?
Sep 18, 2012
We are using several contexts for each customer in our ACE module. One of the customer contexts needs to activate XML API to control their services. I've tried to activate it, but cannot get any http response, what can be missing? ACE10 version A2(3.6a)
class-map type management match-any HTTP-ALLOW_CLASS
2 match protocol http source-address 10.110.0.0 255.255.254.0
3 match protocol http source-address 10.60.208.80 255.255.255.248
class-map type management match-any HTTPS-ALLOW_CLASS
2 match protocol https source-address 10.110.0.0 255.255.254.0
3 match protocol https source-address 10.60.208.80 255.255.255.248
I am trying to configure ASN traffic load balance, but it doesn't work. I have one Cisco Catalyst 6509 and one Cisco ACE10 module; in my context "PanWEB" I have the interfaces above: [code] If I try to establish a telnet session (telnet 10.96.202.10 80) I see the SYN packet passing through the ACE and going to the real server, but the server does not respond to the SYN packet. I did a capture on the server using Wireshark and could see that the IP address of the destination is the VIP and not the rserver IP address. Is this a problem? Why can I not get the SYN + ACK from the server?
How a static entry under a "sticky" performs.
Configuring Static IP Address Sticky Table Entries. Cisco documentation says: When you configure a static entry, the ACE enters it into the sticky table immediately.
Configuring the ACE Action on Server Failure: failaction purge # The purge keyword specifies that the ACE remove the connections to a real server if that real server in the server farm fails after you enter the command. The ACE sends a reset (RST) to both the client and the server that failed. Cisco documentation says: If you do not configure this command, the ACE takes no action when a server fails.
I am trying to replicate the management interface functionality of a CSS on ACE 4710 but have a problem with it being treated as a general routed interface.
Scenario: On ACE 4710 I have a front-end interface for client facing VIPs and a back-end interface facing a server farm, taking care of load balancing flows.
Non load-balance system traffic for the back-end servers also flows through these two ACE interfaces, following a default route path (the back-ends use the ACE as default gateway) i.e. dns requests from the servers flow through the ACE egressing the front-end interface to hit a firewall and route to an internal dns server.
Issue: If I add a "management interface" to the ACE 4710 and give it an IP address for management access, the interface by default assumes 'routed' mode and, as the ACE treats this as a general interface, it will route traffic out of it. For example, if the IP address of this management interface is on the same network as the internal dns server, it breaks that connectivity. This is because the ACE will see the "management" interface as the best route to the directly connected network and send traffic to the dns server over that; however, the dns server response traffic will follow its default route path via the firewall and ACE front-end interface to get the reply to the back-end server. The firewall will block this traffic as the traffic is asymmetrically routed and the firewall has not seen the initial dns request packet.
Question: Is there a way of making an ACE interface a 'non routed' management only interface for out of band management use? That is, the ACE will not attempt to route general traffic through the interface.
I realise I could achieve this with multiple contexts but want to have a single context for various reasons - i.e. to have a kind of like for like CSS replacement using ACE 4710
I am new to the ACE30. I have a basic configuration from the CLI and I am trying to use the device manager. I am able to get to the web informational page rather than accessing the login page. I have reset the password for both the admin and www and still no go. My question is how to go about enabling the GUI access.
I would want to create an inband management (in case we have an issue on OOB mgmt, I mean to have a 2960 HS) on an Nx7010 chassis without M1 card (only F1 cards - layer 2). I could create an interface vlan but the status of the interface is down/down.
I have another 2 x Nx7010 pair with M1 card; for this pair, I can connect the interface; the inband interface is up/up. I also have a 2 x Nx5596 pair; for these boxes, I can connect the interface; the inband interface is up/up. Do you know a solution to get 1 interface vlan up/up on a 7010 chassis without M1 card in order to have an inband connection?
We've got pairs of ACE30s in our data centers set up with active/standby FT. Some time yesterday the active ACE in one data center started refusing management traffic - it accepts SSH connections but fails authentication (local password, no RADIUS/TACACS is configured); and ANM reports it as down (no XML connectivity). We haven't opened a TAC case yet - someone's on his way over to see whether we can get in through the serial port first - but I'm wondering whether there are any other diagnostics we can gather (will resetting the module from the Sup force a coredump?) before we do.
I have an HA ACE deployment and all seemed to be working well until I tried to access the ACE via the management VLAN in the one non-system context, no go. The ACE is in one-armed mode with an Admin/System context and one user context (named Messaging). Source NAT has been set up in the user context. All VLANs are in a port channel back to the core switches. I can access the ACE via the Management VLAN in the system context, all OK. I can access the load-balanced servers via the VIP in the user/Messaging context, all OK. I CANNOT access the management VLAN other than ping it (responds to ping, but telnet, ssh, https, etc. fails). The system/Admin context has a default route to the Management VLAN on the core. The User/Messaging context has a default route to the core switches on VLAN 5, which is the VLAN where the VIP resides. If I change the default route in the User/Messaging context to the Management interface on the core switches then I can access both contexts for management, but then the load-balancing falls over and I cannot access the serverfarm (via the VIP). Traces on the rservers show that NAT is being hit on the ACE and the requests are coming from the real IP of the clients. Put the default route back to the User/Messaging VLAN on the core and NAT is back to what it would be expected to be, and then remote/management access to the ACE is gone.
I am looking at management (backup of the configuration) of the ACE 4710 running A4.1; the management software is Cisco Cirrus. The question I have is around the management of the contexts: I have a backup of the Admin but would like the user contexts also. How is this completed?
I have a problem configuring URL redirect on ACE 30 (Version A4(1.0)). When a user enters IP address or a name of a service [URL], the ACE module should redirect him to the page [URL]. Here is my non-working config:
access-list OUTSIDE line 8 extended permit tcp any any eq https
access-list OUTSIDE line 16 extended permit tcp any any eq www
access-list OUTSIDE line 24 extended permit icmp any any
probe http Test_HTTP_1
  port 80
  interval 60
  passdetect interval 30
  passdetect count 2
  request method head url /index.html
  expect status 200 200
  open 1
rserver redirect URL_Redirect_01
  webhost-redirection [URL] 302
  inservice
rserver host S1
  ip address 10.0.0.2
  inservice
rserver host S2
  ip address 10.0.0.3
it works, ACE load balances to rservers. Of course, user must enter full url. With redirection configured, user receives HTTP url redirect message with correct address [URL], but his browser does not display the page. Even directly entered full url does not display it while redirection is configured. Alternatively, does ACE30 already support url rewrite?
Source--- Router 1 ( ip 188.8.131.52) --ACE---router---cloud---customer---router--destination( ip 184.108.40.206). Traceroute from client to destination shows the following:
traceroute 220.127.116.11
traceroute to 18.104.22.168 (22.214.171.124), 30 hops max, 40 byte packets
1 126.96.36.199 (188.8.131.52) 1.10 ms 1.78 ms
2 184.108.40.206 (220.127.116.11) 1.01 ms 1.97 ms 2.511 ms
3 18.104.22.168 (22.214.171.124) 2.01 ms * 126.96.36.199 (188.8.131.52) 2.330 ms
So on this, the destination is 184.108.40.206. The first hop is the default gateway, which is 220.127.116.11. After that, the next step is the Cisco ACE. After that there are several hops to the destination. Looks like for some reason the Cisco ACE is not recording his ip. (For any destination the traceroute result is the same.) ICMP is allowed in the access list and also there is ICMP inspect in my config.
access-list ICMP line 10 extended permit icmp any
class-map type management match-any abc
  201 match protocol ssh source-address X.X.0.0 x.x.0.0
class-map match-all ICMP_allow
  2 match access-list ICMP
I am installing the Demo version of ANM 4.3 on a virtual machine. The install was successful, however when I try to import the demo licence from my laptop to the server it does not allow me to tftp the file to the server. [URL]
I have a CAS array for Exchange 2010 configured to loadbalance on my Cisco ACE 47XX. My question is: Can I run a mixed VMware cluster version 3.5 and 4.1 on my ACE? What I am experiencing is dropped RPC connections and I was wondering if that could be the cause of it, or maybe I have misconfigured something on the ACE.
Another question: Should I separate the two cluster versions on their own serverfarm and then loadbalance the farms? What I mean is serverfarm 3.5 and serverfarm 4.1 and then loadbalance them.
I'm trying to synchronize the clock with an external NTP server; this NTP server only supports NTP version 3. Can I change the NTP version in the ACE4710 Appliance to support the external NTP server? If it is possible, how can I change it?
This is the version:
Cisco Application Control Software (ACSW) TAC support: [URL] Copyright (c) 1985-2011 by Cisco Systems, Inc. All rights reserved. The copyrights to certain works contained herein are owned by other third parties and are used and distributed under license.
McAfee scan of ACS 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?
I want to load balance between two webservers using ACE10 working in bridging mode, but when putting the VIP in the url I'm getting page not found. I tried many configurations but they didn't work; here is the latest one:
logging enable
logging buffered 7
access-list ALL line 8 extended permit ip any any
I have loaded a temporary 4 weeks license on a Cisco 887 router running 15 software. The license appears under temporary licenses, but the enable license is grayed out, so the sslvpn configuration section is unavailable.
What I got was a piece of paper paying gratitude for purchasing a license and a CDROM with a video on Electrostatic discharge and copies of the user agreement in several languages. How do I actually activate and use this license? The router is already set up for the SSL vpn. It just doesn't connect. I am assuming it is because I have no license installed?
I have a new ASR9010 that I want to upgrade from 4.2.0 to 4.2.1 software. When I try to run the "install activate isk0:asr9k-mini-p-4.2.1 sync" it fails and complains that the 2 files below or equivalent must be active.
iosxr-infra V4.2.0 iosxr-fwding-4.2.0
When I do a show version I can see the files are loaded and on the ASR9010. Attached is a show tech.
A while back my faithful old IBM ThinkPad became very slow under the weight of too many applications and updates so I replaced it. Now I have decided I would like to revive it mainly as a games machine for my young grandson, so I wiped everything off it and reinstalled Windows XP Home Edition (it previously had XP Pro). It used to access the net via a wireless LAN card (IEEE802.11b/g) and this worked fine. I am now having difficulty reinstalling this device. I thought XP would just pick it up but it doesn't. I tried downloading a driver onto a memory stick using my new laptop but that doesn't work either.