Cisco Application :: ACE20 To ACE30 Migration - Restore All Not Restoring SSL
Nov 6, 2012
I've run into an interesting problem trying to migrate my production config from my redundant ACE20's (A2(3.4)) to the new ACE30's (Tried (A4(1.0) and A5(1.0)). Everything on the ACE30 is working fine with a base config, but when the restore all is run from the ACE20 backup (backup all), the SSL files are not restored and return errors. All the contexts are restored correctly, along with the startup-config, but the running config fails due to no SSL.
All the crypto certs/keys are exportable and are present in the backup .tgz file.
View 1 Replies
ADVERTISEMENT
Oct 25, 2011
Have a client with one ACE20 and now he needs a second one for redundancy.Since ACE20 is EOL, can I use an ACE30 with an ACE20 as a failover pair?
View 1 Replies
View Related
Feb 18, 2013
I would like to know if I can migrate the config from ACE20 to ACE30 (last software) without any issue.I don't have any ACE30 to test
View 3 Replies
View Related
May 9, 2013
How to migrate the following config from a CSM to and ACE20 module.
Currently we have a CSM configured as below:- 452 Client and 453 Server sharing the same Public vlan.
We require outbound access from groups of internal individual servers to external addresses.
CSM config
module ContentSwitchingModule 8
vlan 452 client
ip address 10.206.135.252 255.255.252.0
[Code].....
View 7 Replies
View Related
Dec 3, 2012
Everytime I make a config change to one of the contexts on our ACE20, I get this message: Config Application in Progress. This command is queued to the system
If I run show download info, I get:
context : context1
Interface Download-status
--------------------------------------------------------------
187 In Progress
199 Pending
Regex download optimization status : Couldn't get status[TNRPC Timed out]
It eventually seems to complete, but it takes a very, very long time. We are running Version A2(3.5) [build 3.0(0)A2(3.5)].
View 2 Replies
View Related
Jun 2, 2011
I have been trying to addACE20-MOD-K9 in ANM 4.2 (0) but when I try to import it times out and I get
""Failed to import ACE configuration: Device discovery failed: Connection timed out.""
I have double-checked credentialn and access rules on the module and they seem OK. I am trying to add the module with the Admin credentials and ssh/telnet access is permited.
Is this the right way or I'm missing something. Module version is A2(3.2a)
View 5 Replies
View Related
Sep 22, 2011
ACE20 module with A2(3.3)I have tried to config a NAT-pool with two adresses, but only one is used.
View 6 Replies
View Related
Jun 27, 2012
I want to route gre traffic through an ACE20, but it doesn't seem to work. The only thing I configured was an ACL with gre enabled, but the ACE20 seems to drop the gre packtes. The gre traffic is entering via the vlan 561 interface and should be send out via the vlan 472 interface. Source 10.94.32.212, destination 10.94.132.39. The tunnel control traffic on port tcp/1723 is working fine. In the service-policies is nothing configured for the gre traffic.
Code...
View 1 Replies
View Related
Nov 13, 2012
We are using an ACE engine module(ACE20-MOD-K9) provide loading balancing service for two WEB servers and configured cookie for stickness. Below is the current configuration and it seems working fine now.
The problem I was facing is before use parameter-map change the http header length to 8k the stickness doesn't really working properly. User complains that their working session constantly be kicked out and redirect them to login page. By tracing traffic from a client we found that sometime ACE fails or stop insert the configured cookie, after increase the header length ACE start getting work.
how does the header length setup effect ACE to insert a cookie? Will the cookie insert attmpt fail if the header is longer then the maximum length configured on ACE? [code]
View 1 Replies
View Related
Apr 26, 2011
I have a problem with the ACE 20 load balance
To start with following is our architectural request flow:
Load Balancer --> Webseal /(reverse proxy) --> HTTP Server --> Portal Server
We have Hardware Load Balancer Cisco ACE20. When we access our portal from Webseal server it works totally fine without any issue, but when we access the same application using ACE we face the following issues:
1) Some of the links on do not work. For eg: We have a link "subscribe" which points to [URL], whenever we click on this link, the request is directed to [URL] i.e homepage
2) URL redirection does not work We have some links which have a url forwarding or redirection for example when we open [URL] it forwards the requests to [URL] opendocument....., but this redirection fails and again the request is thrown to homepage i.e., [URL]
3) The response of the request and the overall portal when accessed via ACE is very sluggish and it takes 20 seconds for homepage to load, whereas the homepage loads in 4 secs when accessed via webseal.
Below is the ACE details.
Hardware Product Number: ACE20-MOD-K9 Card Index: 207 Hardware Rev: 2.3 Feature Bits: 0000 0002 Slot No. : 7 Type: ACE
Software loader: Version 12.2[120] system: Version A2(1.4) [build 3.0(0)A2(1.4) adbuild_11:54:12-2009/03/05_/auto/adbu-rel2/rel_a2_1_4_throttle/REL_3_0_0_A2_1_4] system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_4.bin installed license: ACE-SEC-LIC-K9
View 3 Replies
View Related
Jan 6, 2013
I have ACE 30 module which is runing on SW 6500 in VSS mode, Vr. 15.0.2 with enugh power avilable ( 2550 W ) , i have insert the module at slot number 7 , the issues am facing it's desribe below :
7/0 ACE Expansion Card 1 ACEMOD-EXPN-DC 1.1 PwrDown
7/1 ACE Expansion Card 2 ACEMOD-EXPN-DC 1.1 PwrDown
And if i take out the blade and insert it again it's work for some time then goes down . here is the consle messages before it goes down :
.ACE platform with 2097152 Kbytes of main memory
.Loading disk0:c6ace-t1k9-mz.A4_1_0.bin. Please wait ....
Uncompressing Linux...
Starting the kernel...
[Code].....
View 2 Replies
View Related
Oct 26, 2011
Is it all possible to use an ACE30 to RHI a VIP which acts as route for servers on LAN A to reach LAN B . We have 2xL2 WAN circuits between 2 sites used by only 4 servers for (different L3 subnets for the hosts). I`m considering using a VIP to load balance across 2 WAN circuits using L3 interfaces on the MSFC either side as rservers with a single VLAN in/out on the ACE where the VIP resides - simlair to using the Cisco design for firewall load balancing minus the inspections etc. Obviously we can do this entirely in the MSFC but considering options.
View 1 Replies
View Related
Jun 28, 2011
I have a ACE20 module with a performance of 4 Gbps. I want to upgrade the performance from 4 Gbps to 8 Gbps. Is correct the following SKU for the upgrade?
ACE30-UPG-08-K9=ACE10 or ACE20 to ACE30 Upgrade for 8 Gbps Throughput
And if i want to upgrade the performance to 16Gbps is correct the sku?
ACE30-UPG-16-K9=ACE10 or ACE20 to ACE30 Upgrade for 16 Gbps Throughput
I noticed that the price list of both codes is the same....
Is it right for the SKUs listed I get the new module with the performance ACE30 requested?
View 2 Replies
View Related
Oct 26, 2011
I would like to add a vlan to a second context on a pair of redundant ACE modules. As soon as I open up that shared vlan box we will expose ourselves to mac conflicts until the shared-vlan-hostid commands can be implemented and the module reloaded. Adding the commands is not a big deal but I may not be able to schedule a reload until next week. What I would like to do is confirm the mac pools in use by each module right now. My hope is that they grabbed unique pools when they last booted and a conflict will not be a concern now.
View 3 Replies
View Related
Sep 5, 2012
I have an ACE20-MOD-K9 with version A2_3_6a, and i am having problems in cookie persistency. the setup contains 4 servers using round-robin algorithm and cookie persistency and that receive http traffic on port 9090. I have been receiving complains that the users are getting disconnected randomly while accessing the web application through ACE. Below is part of the config, when setting the timeout of the cookie to default or something equal to hours, the disconnection/complains gets worse.
View 1 Replies
View Related
Jul 18, 2012
We have a pair of ACE20-MOD-K9 in Fault Tolerant mode. They are running multiple contexts and we have a problem with one particular context which is running SSL off-loading. Despite the config being identical on both (accept for the peer addresses obviously) and both having the same SSL Key and Cert files loaded on both, the configuration will not sync between them. [code] All the Crypto files are identical as I copied them from one ACE to the other.
View 2 Replies
View Related
Mar 18, 2012
I see several code versions that seem to support on ACE30.Is A2.3.4 Or A2(3.5) that latest version for ACE20-MOD-9?Will the version 4 or 5 run on ACE20?I currently user A2(3).
View 3 Replies
View Related
May 16, 2012
We are currently running a ACE20 with 11 contexts. Recently we have seen that one of the contexts is being 'starved' of resources, especially Concurrent Connections, Bandwidth and Throughput.
Whilst we know how to address this situation by reallocating resources from less busy contexts, I was wondering if there was a more scientific way of looking at the resources being used and calculating the best way to allocate them across the ACE other than just looking at the 'show resource usage' and 'show resource allocated' commands?
Has Cisco or any other 3rd party developed a handy tool to monitor the the ACE resources which will possibly assist with calculating the optimum resource allocations across all contexts?
View 3 Replies
View Related
Jul 15, 2012
I have 2 Cat 6509-E switches in VSS configuration with 2 ACE modules. One in each Cat6k.
The ACE modules are running the following:
Software
loader: Version 12.2[120]
system: Version A2(3.2a) [build 3.0(0)A2(3.2a)]
We have only 2 contexts, the Admin and another one that we redirect traffic to WAAS equipment. The ANM soft running is only used for stats about the ACEs. It is version 5.2.
Since last week, the standby ACE module reboots on it own. It rebooted between 10 and 15 times until we had to leave the module PwrDown due to the constant reboots.
I tried to find any bug in the soft but I could not find anything related to that.
View 7 Replies
View Related
Jan 27, 2012
I tried to create a L7 class-map for blocking the clients with ciphes strength less than 128 in ACE20 running with Software version A2(2.3).But there were no command inside the L7 class-map called cipher for matching the cipher strength 128. Command Tried to issue was host1/Admin(config-cmap-http-lb)#match cipher less-than 128 So I want to know whether this is possible on ACE 20 and SW version A2(2.3). Kindly suggest a way to acheive this.
I have seen some other configuration using the parameter-match, But I dont know the Cipher Names which to allow. I want to drop all the connections with less than 128 bits cipher strength.
View 5 Replies
View Related
Jul 12, 2012
I have a pair of ACE30 in Active/Standby mode. I can ssh to all active contexts. I can also ssh to all standby contexts except one.
View 6 Replies
View Related
Jan 16, 2013
We did a faulty ACE30 module swap in a HA pair. Both the ACEs have stopped syncing since then. Below is the error message I see:
FT Group ID: 1 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_CONFIG
Context Name: Admin Context Id: 0
Running Cfg Sync Status:Failed to convert/transform configuration to peer version
Both ACE modules are running 5.2 with the same license.sh ft peer status from both active and standby show the same results.
Peer Id : 1State : FSM_PEER_STATE_COMPATIBLEMaintenance mode : MAINT_MODE_OFFSRG Compatibility : COMPATIBLELicense Compatibility : COMPATIBLEFT Groups : 15
Am I missing something here?
View 5 Replies
View Related
Jan 27, 2013
I have four rservers. I have found that if the first listed server in my serverfarm is off line, the entire farm quits working. How did I come to this conclusion? You see as part of "serverfarm host PORTAL-FARM" rservers "SISPOAS1 through 4". I can shut down any server except SISPOAS1 and all is well. The load balancer sees the probes have failed to that given server and continuses to load balance to the others. However, If I shut down SISPOAS1, nothing works. I confirmed this by eliminating SISPOAS1 from the configuration completely. After doing so, I could reproduce the exact same problem using SISPOAS2 since it is now the first rserver in the list after I removed SISPOAS1. I'm stumped! Looking at the configuration below, what am I missing???
access-list TRAFFIC line 8 extended permit ip any anyaccess-list TRAFFIC line 16 extended permit icmp any any
probe tcp 389 port 389 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 636 port 636 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 7777 port 7777 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 7778 port 7778 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 7780 port 7780 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp [Code]...
View 4 Replies
View Related
Jul 14, 2011
is there a way to reset/clear a particular context's configuration?
I see there is a 'wri erase' within a context, but no reload/reset - neither from the context itself nor from the Admin... puzzling...
I dont want to reload an entire blade just to clear one of the context's configs.
View 5 Replies
View Related
Sep 9, 2012
Facing issue with ACE module Part#ACE20-MOD-K9 having NP failed error message and module got restarted.
Module software currently# c6ace-t1k9-mz.A2_1_6a.bin
We have studied the Support Community document and got the BUG id's information having impact on this module, BUG id's: CSCsv92321, CSCsx25981, CSCsq38638
Software version to upgrade for the ACE module having no impact on this ACE module by these BUG id's having parity error symptoms.
View 3 Replies
View Related
Jan 18, 2012
We are using an ACE20 module running version A2(3.2).I have a question regarding IP stickyness and the timeout parameter.I found this in the "Server load balancing configuration guide" (in a section entitled: "Configuring a Timeout for IP Address Stickiness"):
"The sticky timeout specifies the period of time that the ACE keeps (if possible) the IP address sticky information for a client connection in the sticky table after the latest client connection terminates. The ACE resets the sticky timer for a specific sticky-table entry each time that the module opens a new connection or receives a new HTTP GET on an existing connection that matches that entry."
The parts in bold seem to point to the fact that the timeout is an "inactivity timeout" as the counter is reset on every new connection.The next section in the documentation is entitled: "Enabling an IP Address Sticky Timeout to Override Active Connections" and says:
"By default, the ACE ages out a sticky table entry when the timeout for that entry expires and no active connections matching that entry exist. To specify that the ACE time out IP address sticky table entries even if active connections exist after the sticky timer expires, use the timeout activeconns command."
This seems to contradict the previous statement.So my question is: is the IP stickyness timeout an "inactivity timeout" or not?
View 1 Replies
View Related
Oct 27, 2011
My ACE module rebooted itself and after the reboot it lost all the config and it has been booted with factory default setting.
[code]....
I would like to know the reason for the same. Is this due to firmware bug? or with the Hardware? I am bit dissatisfied that all of my config vanished without any reason after the reboot of ACE.
View 3 Replies
View Related
Mar 5, 2013
I have an HTTPS probe that sometime fail, sometimes does not fail.
[code]....
The probe that sometimes fails is the TEST-HTTPS. The TCP_443 probe works perfectly well.The ACE is configured in bridge mode.Is it possible to capture the PROBE traffic on the ACE side?
View 7 Replies
View Related
Jun 11, 2012
I am new to the ACE30. I a basic configuration from the CLI and I am trying to use the device manger. I am able to get to the web informational page rather then accessing the login page. I have rest the password for both the admin and www and still no go. my question is how to go into enabling the GUI access.
View 1 Replies
View Related
Feb 4, 2013
is it possible to construct the L7 HTTP class-map expression to match all URLs except one? I have 1 correct url, for example: /correcturl.* and want to redirect requests to all other possible URLs to this one, without the need to list them all in "possitive match" statements.
View 6 Replies
View Related
Aug 25, 2012
We have a subnet setup on the ACE as follows:
interface vlan 300
description CALLISTA Environment
ipv6 enable
ip address 2001:388:608c:8b8::fffd/64
alias 2001:388:608c:8b8::fffe/64
peer ip address 2001:388:608c:8b8::fffc/64
ipv6 nd ra interval 30
[code]....
Notes:There is the primary subnet 130.194.13.0/26 and the secondary IP subnet 130.194.19.192/27?The nat-pool is configured to allow server initiated connections to their frontend VIP when necessary.We are noticing that when a server on the 130.194.19.192/27 subnet needs to communicate with a server on 130.194.13.0/26, albeit on the same VLAN, the destination server sees connections with a source IP of 172.16.25.231, which is the NAT address. Is this expected behavior, where connections between IP subnets, albeit on the same VLAN are NATed?
View 1 Replies
View Related
Aug 25, 2012
We have a subnet setup on the ACE as follows:
interface vlan 300
description CALLISTA Environment
ipv6 enable
[Code].....
We are noticing that when a server on the 130.194.19.192/27 subnet needs to communicate with a server on 130.194.13.0/26, albeit on the same VLAN, the destination server sees connections with a source IP of 172.16.25.231, which is the NAT address. Is this expected behavior, where connections between IP subnets, albeit on the same VLAN are NATed?
View 1 Replies
View Related
Nov 28, 2011
Am looking to upgrade the software on the ACE30 from: [code]. Any ACE30 guide that explains this. Have looked at the ACE30 configuration guide which I thought would cover this in the section "Managing The ACE Software", however everything else has been covered off except how to go about upgrading the software.
View 1 Replies
View Related
