Cisco Application :: Does ACE Service Module Support SHA2(256) Certificates
Sep 1, 2010
Does ACE service module support SHA2(256) certificates? I see that private key generation defaults to SHA1 and does not provide any option, also the cipher suites in SSL parameters map do not show SHA2 options. Can it handle SHA2 in any software release? I am currently running A2(2.3) build 3.00
I have an ACE10-6500-K9 (Application Control Engine service module for Catalyst 6500) but I can't access it because I lost the admin password.I would like to know how to perform a Password Recovery Procedure on this device.Is it similar to the password recovery procedure on an ACE 4700 appliance?
We have a situation where services are stopped on the real servers. The probes fail and we confirm the services are not running on the server. We cannot access the ports from the ACE directly. We can still however acces the VIP on the TCP port (L4 VIP class-map). So we can still telnet to the VIP on the port from thr Client side of the network.This is on ACE 20 Modules deployed in Routed mode. The version of software is A2(3.3).
Tried removing multi-match and loadbalance policies as well as class-map and re-applying then re-appyling the service policy to interface. Same behavior,This is a problem at another level as some services are being monitored by GSS via TCP keep-Alive and this obviuosly causes a problem as the service then never goes off-line.
I have some questions about the size of the certifcates in ACE module (ACE20). Reading the following link: [URL]
I can verify this text: 4096 (high security, level 4) - For software release A2(2.4) and later in the ACE module and software release A3(2.6) and later in the ACE appliance, you can use 4096-bit SSL certificates in chaingroups and authgroups. You can also import public certificates and keys that are 4096 bits in length.
We intend to use a certificate (CA) with keys of 4096 bits and according to the text of wiki, it's possible.
But if I check the guide [URL]
Somebody that already use certificates with 4096 bits in ACE20 module?
I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate is expired and we have purchased a new certificate from CA. Moreover the common name of the certificate is also changed.
I tried importing the certificate to the repository and change the SSL proxy likewise to use the new certificate. but still the new certificate with new CN is not recognised by the clients. they can see the old certificate only. I even tried deleting and creating a new ssl proxy service with the new cert and attaching it to policy map.
I'm having an issue with intermediate certificates from GoDaddy when connecting from some browsers of mobile devices:Browser in Android 2.3.3;Safari in iOS 4.2.1;Chrome 18 in Android 4.0.In a PC there's no problem, only from the above mobile devices. The intermediate certificate isn't downloaded from the ACE 4710 resulting in a "SSL Certificate Not Trusted" error.Since GoDaddy has no instructions to resolve the issue from a Cisco ACE.
I am having issues (nothing new there) I have a bad IOS on a switch module, and the config is set to boot to that IOS, and as such I get a nasty boot loop, I am trying to figure out how to get into rommon but all the documentation I can find for this just says go into rommon and never tells me how to get there on a switch module that thinks it has a good IOS. (The IOS is for our normal service module but this one is an odd-ball switch)
I have some confusion about some hardware components. I watched the video datasheet of cisco routers and switches. In cisco 2901 and 2911 models of routers there is service module . What is meant by service module. what does it do ? If we buy a new 6500 switch, what are the components we get bydefault. Is there any special configuraton to be done for 6500 . like Sup engine config etc. What is the difference between ASIC and Sup engine ? In which slots, we need to insert Supervisor Engine ? does it vary with the model . (6503, 6505, 6509, 6513 etc).
I just got 2 Cat6504 Chassis and 2 ASASM pluged in them. show version from submodule ASA as follow:
SVC-APP-HW-3#show ver Cisco IOS Software, trifecta Software (trifecta-SP-M), Version 15.1(1)SY, RELEASE SOFTWARE (fc2)
I want to upgrade new OS for ASA to 8.5 (asa851-smp-k8.bin) but after copy this soft to the module, I can not "write" command or when I reload this box, everything was no changed. SVC-APP-HW-3#write startup-config file open failed (No such device)
Using the new SUP-2T, need to clarify one query. If we are using the new SUP-2T in VSS mode, will the new ASA service module and NAM-3 are supported? From Cisco site, ASA module FAQ:
Q. Will the ASA Services Module support the Cisco Catalyst Virtual Switching System (VSS) at FCS?
A. Yes, depending on which supervisor you use. The ASA Services Module supports VSS either as a single firewall or as a failover pair of firewalls, when used with the Supervisor 720-10G (VS-S720-10G-3C and VS-S720-10G-3CXL). Transparent and multi- context modes also work with the VSS in this configuration. However, though the SUP 720-3B (WS-SUP720-3B and WS-SUP720-3BXL) is supported by the ASA Services Module, it is not capable of supporting the VSS. No reference to Supervisor-2T.
we are planning to implement a VSS solution with a 6500 series switches with sup 2T. We also need to include an ASA service module on the design, however the budget is not enough to buy two asa service modules. So i want to know if is possible run a VSS cluster, whit only one ASA service Module. and also i would like know what happens if the single ASA service module fails? can the switch cluster continue operating just as if there is not a firewall installed?
I am currently installing a NM-AIR -WLC 6 wireless module in a 2811 and its giving me the follwing errors below and status.I have checked the trouble shooting pdf and says might be possible hardware error. [code]
we have approx. 70 Cisco 1941W routers deployed in our company. I used to be able to console into the internet wireless AP by issuing the below command:
service-module wlan-ap0 session
However lately this hasn't been working and AP just simply refuses connection. Here is what I have for Status. I have tried reseting the Service Module to no avail.
Router#service-module wlan-ap0 status Service Module is Cisco wlan-ap0 Service Module supports session via TTY line 67 Service Module is failed Service Module reset on error is disabled Service Module heartbeat-reset is enabled Service Module is in fail open Service Module status is not available
I am taking an introduction class to CCNA and we are focusing on the Application Layer,and I'm having some difficulty in understanding what is an Application Layer Service. Is the Application Layer Service the same as Application Layer Software?
I m planning to implement VSS in core but want some inputs on IOS as i have FWSM as a service module Core :- Ii am running 12.2(33)SXH2a on my Core 6509 and i checkd cisco sites and Fwsm release notes but it states only I-Train of IOS while mine is H-Train so can I directly upgrade to I-Train or I was thinking of SXH8b IOS.
I can access the ACNS with this config. The issue is that it will not cache anything when I enable WCCP on both ends. I am unable to set the gateway to the IP (even when static) to the WAN interface IP with the error Network Unreachable by content engine. If I address it within the 192.168.2.X network and gateway to 2.1, it locks up when cache is enabled. 192.168.0.5 (the external wan int) is unreachable as a gateway.
I've tried the unnumbered ip on the internal interface but then the service module won't accept an IP stating that the router side must have an IP set.
I had WCCP attempting to cache but timing out on everything without caching a thing. I want/need to understand the IP routing before I get ahead of myself.
I'm migrating from a failover pair of FWSM modules across to a failover pair of ASA Service Modules. In order to avoid a "big bang" switchover I intend to migrate subnets from one to the other over a protracted period.With that in mind, whether there is any restriction on having FWSM and ASASM modules in the same chassis? A trawl of the relevant documentation hasn't revealed anything.In this specific case it is Catalyst 6509E VSS chassis pairs with Sup-2T.
i have two CSS-11503 in redundant mode running 8.20 code. We had an incident in our network where a layer 2 loop caused some high traffic through the CSS' and had to shutdown some network gear(including the CSS) to clear the problem. When the CSS' were powered back up, the SSL service was suspended, why this would occur? There rest of the config appeared normal. I am the only person on these boxes, the configs were written, and I have never had a reason to suspend the ssl service.
I recently installed the license ACE-SSL-05K-K9 on ACE10 with multicontext solution.The license provides 5000 Maximum number of SSL transactions per second (TPS).The customer would like to track this to find out the correct size and in the case of services https upgrade licenses.Can I do it so through particular output or it's necessary monitoring with snmp service? In the second case, can you tell me the oid string to use?
In case the module should receive a higher number of connections to that provided by the license, what's the issue for new https connections?
We are using a Ace module running version 3.0?We do have a service which can now be reached by a url like https://www.xxx.com/yyy/ < notice the last /This is running via the Ace which terminates SSL and so on..
So now our client wants an url like https://www.yyy.com . The backend realservers and place of virtual dirs on IIS stays the same.
So now /yyy/ needs to be added to the backend realserver request, so the correct virtual dir is used. Therfore I need to add this Uri towards the realserver.
some misconfiguration (?) may be the reason for an undesired behaviour we are experiencing with our Cisco CSS 11501s. Balancing mechanisms work fine, however if a service transitions to the "down" state, the corresponding flows remain "alive" leading to a temporary outage of our service. Subsequent client requests are still being sent to the "down" frontend which is unresponsive.
I have an ACE4710 with a few basic farms running and it works great however I now need to implement an SSL proxy service for the first time. The requirement is that clients who are already using FQDN's need to be sent to diffent real server IP addresses as each client will have their own VM. All the clients will use the same global IP address with different A records.
I Just deployed some of these new modules and running A4.x code. How to configure an ACE with the maximum context?
We run in tranparrent mode with 110 Contexts, we found that with a base config for each context(80 lines of code) this would only leave us with 7% of available RAM. The Device begins to shut down services @ 5%. like SSH and others.
So, Is this even possible to configure 250 contexts and still manage the device.