I've got basic connectivty to our ACE30 module and when I try connecting to the management IP address (attached to the Admin context), I see a very basic GUI which only lists the CSM to ACE config conversion tool. I don't see a GUI as detailed in the document: url...How do I get the ACE Applicance Device Manager GUI working so that I can then configure real servers, serverfarms etc rather than via the GUI?Having read through copious amount of documentation I can't seem to find a refrence that would ne useful here. This should be a fairly straight forward exercise - do I need to install some other software to get the full fledged GUI working?
I am new to the ACE30. I a basic configuration from the CLI and I am trying to use the device manger. I am able to get to the web informational page rather then accessing the login page. I have rest the password for both the admin and www and still no go. my question is how to go into enabling the GUI access.
In a cluster of redundant ACE-4710, version A5(1.2), the graphical Device Manager on the primary ACE cannot authenticate users. An error message is displayed :The strange thing is that the standby ACE Device Manager work correctly. Moreover, both ACE are perfectly synchronized :
CH01AC03/P-115-A# sh ft group summary
FT Group : 14 Configured Status : in-service Maintenance mode : MAINT_MODE_OFF My State : FSM_FT_STATE_ACTIVE My Config Priority : 200
When trying to view the status in the Monitor tab and the Config tab after you log in to the ACE 4710 Device Manager A5 (1.2) management GUI tool, I could not retrieve the status data and the following message appeared.
"Faild to upload Adimn configuration: There is error in loading configuration: Error in loading RMO config from DB:The given index XXXXXXXXX.bak does not match table index definition"
Other features include all normal, so I can get information by using the CLI.In addition, this configuration is redundant in the Primary / Secondary, this event occurs only on the Primary.
Other:-XXXXXXXXX.bak is a backup that you created in the checkpoint, and it does not already exist.
-When I'm logged on to the GUI, the above message is displayed in the status bar always.
-It was not recovered by ACE restart it.
-When I try to create the same configuration in a different environment, it did not reproduce.
We have an ACE Appliance in a DMZ and the ACE Appliance's Admin Context IP is translated between ACE and ANM. The ANM Server does not get translated. It is just the opposite then in another Community discussion.
Our Problem: When adding the ACE4710 Appliance to the ANM imported Device List, we use the ACE's NATed Admin Context IP. Import works well, but ANM reflects the Admin Context IP with it's real configured IP. Polling the ACE Appliance does not work therefore.
Is there a possibility of telling the ANM, that the ACE has to be polled through a NATed IP? I could not find a field to set a NATed Mgmt IP.
Configured IP on ACE Admin Context: 192.168.0.10 NATed ACE Admin Context IP: 172.16.0.10
Imported ACE with IP 172.16.0.10 into ANM, but ANM polls for Rserver, Vserver, Probes, etc. via 192.168.0.10 - which is not reachable from the ANM.
Is it all possible to use an ACE30 to RHI a VIP which acts as route for servers on LAN A to reach LAN B . We have 2xL2 WAN circuits between 2 sites used by only 4 servers for (different L3 subnets for the hosts). I`m considering using a VIP to load balance across 2 WAN circuits using L3 interfaces on the MSFC either side as rservers with a single VLAN in/out on the ACE where the VIP resides - simlair to using the Cisco design for firewall load balancing minus the inspections etc. Obviously we can do this entirely in the MSFC but considering options.
I have four rservers. I have found that if the first listed server in my serverfarm is off line, the entire farm quits working. How did I come to this conclusion? You see as part of "serverfarm host PORTAL-FARM" rservers "SISPOAS1 through 4". I can shut down any server except SISPOAS1 and all is well. The load balancer sees the probes have failed to that given server and continuses to load balance to the others. However, If I shut down SISPOAS1, nothing works. I confirmed this by eliminating SISPOAS1 from the configuration completely. After doing so, I could reproduce the exact same problem using SISPOAS2 since it is now the first rserver in the list after I removed SISPOAS1. I'm stumped! Looking at the configuration below, what am I missing???
access-list TRAFFIC line 8 extended permit ip any anyaccess-list TRAFFIC line 16 extended permit icmp any any probe tcp 389 port 389 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 636 port 636 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 7777 port 7777 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 7778 port 7778 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 7780 port 7780 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp [Code]...
is it possible to construct the L7 HTTP class-map expression to match all URLs except one? I have 1 correct url, for example: /correcturl.* and want to redirect requests to all other possible URLs to this one, without the need to list them all in "possitive match" statements.
interface vlan 300 description CALLISTA Environment ipv6 enable ip address 2001:388:608c:8b8::fffd/64 alias 2001:388:608c:8b8::fffe/64 peer ip address 2001:388:608c:8b8::fffc/64 ipv6 nd ra interval 30
Notes:There is the primary subnet 18.104.22.168/26 and the secondary IP subnet 22.214.171.124/27?The nat-pool is configured to allow server initiated connections to their frontend VIP when necessary.We are noticing that when a server on the 126.96.36.199/27 subnet needs to communicate with a server on 188.8.131.52/26, albeit on the same VLAN, the destination server sees connections with a source IP of 172.16.25.231, which is the NAT address. Is this expected behavior, where connections between IP subnets, albeit on the same VLAN are NATed?
We are noticing that when a server on the 184.108.40.206/27 subnet needs to communicate with a server on 220.127.116.11/26, albeit on the same VLAN, the destination server sees connections with a source IP of 172.16.25.231, which is the NAT address. Is this expected behavior, where connections between IP subnets, albeit on the same VLAN are NATed?
Am looking to upgrade the software on the ACE30 from: [code]. Any ACE30 guide that explains this. Have looked at the ACE30 configuration guide which I thought would cover this in the section "Managing The ACE Software", however everything else has been covered off except how to go about upgrading the software.
After upgrade from ACE20 with A2(3.5) to ACE30 with A5(1.2) I get failures in a number of server farm's, where before upgrade the number was zero. No drops in VIP and logs from applications do not notice any new errors.
I have a request to configure an ACE30 for Oracle Hyperion utilizing SSL termination at the SSL offloader(ACE30). Any sample configuration or template of some sort that could guide me through what needs to be configured. We have many applications on the ACE#) but this is the first time we are going to try SSL termination.
We currently have 6 admin context and they are all utilizing the same snmp engineid (Local SNMP engineID: 800000090441646D696E) which is causing issues as far as our monitoring/performance platform CA eHealth. Isn't the engineID, by default, the first interface on the device?
Doesn't seem to be the case on an ACE30.How is the SNMP engineID derived on the ACE30?
I saw a strange beaviour in the ACE30 today.We are configuring most of our VIP:s with "loadbalance vip icmp-reply active" and I haven't thought about it that much.I just assumed it would do what the command says.Today an Intel tech called and said that he had taken down the webservice on port 80 on both servers in a serverfarm and he could still ping the VIP.I had a look in the ACE and saw that the VIP was marked OUTOFSERVICE. But he could still ping it at that moment.What is the criteria for the VIP not to respond to ping with the above command set?
Last month I was reviewing following Cisco document, in which Cisco mentioned that ""To avoid possible memory fragmentation in the forwarding information base (FIB), Cisco recommends that the switch processor (SP) DRAM to a minimum of 1 GB ""
Since this document has been revised in Oct 2011 and, I can't no more find the above memory recommendations.
I want know if any one using WS-SUP720-3B with IOS SXI6 and Cisco ACE30 has gone for upgrading the SP DRAM from 512MB(default) to 1GB ?
we use ACE30 module, ver. A4(1.0) for access to intranet application. The https connection from client is terminated on ACE module, LB algorithm is used and new SSL connection is initiated to the server. Standard operation works without problems.
But when user generates a .xls od .pdf report in the application, it should open in a new popup window. Problem is, that it does not (but on the server, the report is generated and stored). The PC and browser are configured fine, when accessing the application from the same PC directly (bypassing the ACE module), the popup window appears.
I`ve seen quite a lot of posts regarding SSH issues and the above SSH error. However the fix mainly involves upgrading clients but in this instance the client is are Cisco routers 3845 / 2811 - which we use for out and inband management.Connectivity / routing etc is proven. Using SSH v2 the actual 6500 chassis where the ACE is physically located works fine. Configuring SSH v1 on the ACE module allows connections via the 3845/2811`s but we cannot use this.Both have the following IOS Version 12.4(24)T4. I have tried various key sizes on the ACE module. [code]
We've got pairs of ACE30s in our data centers set up with active/standby FT. Some time yesterday the active ACE in one data center started refusing management traffic - it accepts SSH connections but fails authentication (local password, no RADIUS/TACACS is configured); and ANM reports it as down (no XML connectivity),We haven't opened a TAC case yet - someone's on his way over to see whether we can get in through the serial port first - but I'm wondering whether there are any other diagnostics we can gather (will resetting the module form the Sup force a coredump?) before we do.
is there a possibility to get a load balancing across two rservers so: when client sends http://vip/ and it goes to rserver1 then url is sent without change when client sends http://vip/ and it goes to rserver2 then url is modified to http://vip/xyz/
Or maybe load balancing can be done across two serverfarms ?
I've run into an interesting problem trying to migrate my production config from my redundant ACE20's (A2(3.4)) to the new ACE30's (Tried (A4(1.0) and A5(1.0)). Everything on the ACE30 is working fine with a base config, but when the restore all is run from the ACE20 backup (backup all), the SSL files are not restored and return errors. All the contexts are restored correctly, along with the startup-config, but the running config fails due to no SSL.
All the crypto certs/keys are exportable and are present in the backup .tgz file.
ACE version is A5_2_1.the transfer was carried out by the following procedures.1) C6509 vlan set2) client and serverfarm vlan svclc vlan-group not included.3) ACE configuration. - FT vlan 999 - Client vlan 20 - Serverfarm vlan 154) ACE services enable
Problem occurs, I know why I do not know.
Was configured as follows.
======>> MSFC Configure (C6509#1 and C6509#2) svclc autostatesvclc multiple-vlan-interfacessvclc module 4 vlan-group 150svclc vlan-group 20 999 C6509#1interface Vlan20 ip address 172.16.20.2 255.255.255.0 no shutdown ip route 192.168.15.0 255.255.255.0 172.16.20.100 [Code]....