Cisco Application :: ACE30 Match Http Url Except Specific One
Feb 4, 2013
is it possible to construct the L7 HTTP class-map expression to match all URLs except one? I have 1 correct url, for example: /correcturl.* and want to redirect requests to all other possible URLs to this one, without the need to list them all in "possitive match" statements.
Is it all possible to use an ACE30 to RHI a VIP which acts as route for servers on LAN A to reach LAN B . We have 2xL2 WAN circuits between 2 sites used by only 4 servers for (different L3 subnets for the hosts). I`m considering using a VIP to load balance across 2 WAN circuits using L3 interfaces on the MSFC either side as rservers with a single VLAN in/out on the ACE where the VIP resides - simlair to using the Cisco design for firewall load balancing minus the inspections etc. Obviously we can do this entirely in the MSFC but considering options.
I have four rservers. I have found that if the first listed server in my serverfarm is off line, the entire farm quits working. How did I come to this conclusion? You see as part of "serverfarm host PORTAL-FARM" rservers "SISPOAS1 through 4". I can shut down any server except SISPOAS1 and all is well. The load balancer sees the probes have failed to that given server and continuses to load balance to the others. However, If I shut down SISPOAS1, nothing works. I confirmed this by eliminating SISPOAS1 from the configuration completely. After doing so, I could reproduce the exact same problem using SISPOAS2 since it is now the first rserver in the list after I removed SISPOAS1. I'm stumped! Looking at the configuration below, what am I missing???
access-list TRAFFIC line 8 extended permit ip any anyaccess-list TRAFFIC line 16 extended permit icmp any any probe tcp 389 port 389 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 636 port 636 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 7777 port 7777 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 7778 port 7778 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp 7780 port 7780 interval 2 passdetect interval 2 passdetect count 1 open 1probe tcp [Code]...
I am new to the ACE30. I a basic configuration from the CLI and I am trying to use the device manger. I am able to get to the web informational page rather then accessing the login page. I have rest the password for both the admin and www and still no go. my question is how to go into enabling the GUI access.
interface vlan 300 description CALLISTA Environment ipv6 enable ip address 2001:388:608c:8b8::fffd/64 alias 2001:388:608c:8b8::fffe/64 peer ip address 2001:388:608c:8b8::fffc/64 ipv6 nd ra interval 30
Notes:There is the primary subnet 22.214.171.124/26 and the secondary IP subnet 126.96.36.199/27?The nat-pool is configured to allow server initiated connections to their frontend VIP when necessary.We are noticing that when a server on the 188.8.131.52/27 subnet needs to communicate with a server on 184.108.40.206/26, albeit on the same VLAN, the destination server sees connections with a source IP of 172.16.25.231, which is the NAT address. Is this expected behavior, where connections between IP subnets, albeit on the same VLAN are NATed?
We are noticing that when a server on the 220.127.116.11/27 subnet needs to communicate with a server on 18.104.22.168/26, albeit on the same VLAN, the destination server sees connections with a source IP of 172.16.25.231, which is the NAT address. Is this expected behavior, where connections between IP subnets, albeit on the same VLAN are NATed?
Am looking to upgrade the software on the ACE30 from: [code]. Any ACE30 guide that explains this. Have looked at the ACE30 configuration guide which I thought would cover this in the section "Managing The ACE Software", however everything else has been covered off except how to go about upgrading the software.
After upgrade from ACE20 with A2(3.5) to ACE30 with A5(1.2) I get failures in a number of server farm's, where before upgrade the number was zero. No drops in VIP and logs from applications do not notice any new errors.
I have a request to configure an ACE30 for Oracle Hyperion utilizing SSL termination at the SSL offloader(ACE30). Any sample configuration or template of some sort that could guide me through what needs to be configured. We have many applications on the ACE#) but this is the first time we are going to try SSL termination.
We currently have 6 admin context and they are all utilizing the same snmp engineid (Local SNMP engineID: 800000090441646D696E) which is causing issues as far as our monitoring/performance platform CA eHealth. Isn't the engineID, by default, the first interface on the device?
Doesn't seem to be the case on an ACE30.How is the SNMP engineID derived on the ACE30?
I saw a strange beaviour in the ACE30 today.We are configuring most of our VIP:s with "loadbalance vip icmp-reply active" and I haven't thought about it that much.I just assumed it would do what the command says.Today an Intel tech called and said that he had taken down the webservice on port 80 on both servers in a serverfarm and he could still ping the VIP.I had a look in the ACE and saw that the VIP was marked OUTOFSERVICE. But he could still ping it at that moment.What is the criteria for the VIP not to respond to ping with the above command set?
Last month I was reviewing following Cisco document, in which Cisco mentioned that ""To avoid possible memory fragmentation in the forwarding information base (FIB), Cisco recommends that the switch processor (SP) DRAM to a minimum of 1 GB ""
Since this document has been revised in Oct 2011 and, I can't no more find the above memory recommendations.
I want know if any one using WS-SUP720-3B with IOS SXI6 and Cisco ACE30 has gone for upgrading the SP DRAM from 512MB(default) to 1GB ?
we use ACE30 module, ver. A4(1.0) for access to intranet application. The https connection from client is terminated on ACE module, LB algorithm is used and new SSL connection is initiated to the server. Standard operation works without problems.
But when user generates a .xls od .pdf report in the application, it should open in a new popup window. Problem is, that it does not (but on the server, the report is generated and stored). The PC and browser are configured fine, when accessing the application from the same PC directly (bypassing the ACE module), the popup window appears.
I`ve seen quite a lot of posts regarding SSH issues and the above SSH error. However the fix mainly involves upgrading clients but in this instance the client is are Cisco routers 3845 / 2811 - which we use for out and inband management.Connectivity / routing etc is proven. Using SSH v2 the actual 6500 chassis where the ACE is physically located works fine. Configuring SSH v1 on the ACE module allows connections via the 3845/2811`s but we cannot use this.Both have the following IOS Version 12.4(24)T4. I have tried various key sizes on the ACE module. [code]
We've got pairs of ACE30s in our data centers set up with active/standby FT. Some time yesterday the active ACE in one data center started refusing management traffic - it accepts SSH connections but fails authentication (local password, no RADIUS/TACACS is configured); and ANM reports it as down (no XML connectivity),We haven't opened a TAC case yet - someone's on his way over to see whether we can get in through the serial port first - but I'm wondering whether there are any other diagnostics we can gather (will resetting the module form the Sup force a coredump?) before we do.
is there a possibility to get a load balancing across two rservers so: when client sends http://vip/ and it goes to rserver1 then url is sent without change when client sends http://vip/ and it goes to rserver2 then url is modified to http://vip/xyz/
Or maybe load balancing can be done across two serverfarms ?
I've got basic connectivty to our ACE30 module and when I try connecting to the management IP address (attached to the Admin context), I see a very basic GUI which only lists the CSM to ACE config conversion tool. I don't see a GUI as detailed in the document: url...How do I get the ACE Applicance Device Manager GUI working so that I can then configure real servers, serverfarms etc rather than via the GUI?Having read through copious amount of documentation I can't seem to find a refrence that would ne useful here. This should be a fairly straight forward exercise - do I need to install some other software to get the full fledged GUI working?
I've run into an interesting problem trying to migrate my production config from my redundant ACE20's (A2(3.4)) to the new ACE30's (Tried (A4(1.0) and A5(1.0)). Everything on the ACE30 is working fine with a base config, but when the restore all is run from the ACE20 backup (backup all), the SSL files are not restored and return errors. All the contexts are restored correctly, along with the startup-config, but the running config fails due to no SSL.
All the crypto certs/keys are exportable and are present in the backup .tgz file.
ACE version is A5_2_1.the transfer was carried out by the following procedures.1) C6509 vlan set2) client and serverfarm vlan svclc vlan-group not included.3) ACE configuration. - FT vlan 999 - Client vlan 20 - Serverfarm vlan 154) ACE services enable
Problem occurs, I know why I do not know.
Was configured as follows.
======>> MSFC Configure (C6509#1 and C6509#2) svclc autostatesvclc multiple-vlan-interfacessvclc module 4 vlan-group 150svclc vlan-group 20 999 C6509#1interface Vlan20 ip address 172.16.20.2 255.255.255.0 no shutdown ip route 192.168.15.0 255.255.255.0 172.16.20.100 [Code]....
I created several rules to balance on a specific server somes apps. Everythings works great in http but no in https.In my example, i would like [URL] to be redirected to my server2 but it's always using the default rules instead of the L7CLASSSrv2. Today [URL] is well redirected. All other apps are correctly loadbalance with the stickyness effect but I can't handle the https connections.
class-map match-all L4-WEB-IP 2 match virtual-address xxxx tcp eq www class-map match-all L4-WEBHTTPS-IP 2 match virtual-address xxxx tcp eq https class-map type http loadbalance match-any L7CLASSSrv1
We are in the situation we have a active configuration with ACE30 doing normal load balancing in routed mode, we have tons of rservers going out on a VIP.we now had to add a new private network to a provider that strangely enough does not want to see our public or private addresses. we need to loadbalance towards him on a priovided subnet (still rfc1918) (IOS VRF bug? is that correct?)I have two options, add the network (new interface) to the active loadbalancers (contexts) and then tie in new policies to the active serverfarms or make a new context just to load balance towards this provider.(preferred)Now - If I do this, the rservers see the client source addresses from this new provider. as the loadbalancer does not "hide" the client IP's. I would then have to add static routers toward the new context - I would want to skip that.
is there a way, to make the loadbalancer hide the client addresses towards the rservers ? perhaps I'm just needing the correct search term to find the config example.
I am trying to get documentation on how to integrate an ACE30 module in a service chassis design integrated with the Nexus 7000 in routed mode. Only documentation I could find shows this design with the ACE30 module in a one arm mode. Any documentation that shows this implementation of this design?
What are the maximum number of real servers, server farms and virtual servers i can configure on ACE30 module,Is there any documentation available on cisco site where i can check this? Does it depend on the hardware or does it depend on the software version?