Cisco Application :: How To Install SSL Certificate On Second ACE02 In HA Pair

Aug 20, 2012

How to install a certificate (.p7b and .crf) on my second ACE in a HA pair.

On ACE01 I generated a CSR and gave the details to our SSL provider; they provided the certificates and I imported them. All good there.

How can I install the same SSL on ACE02 if I haven't generated a CSR on my backup device, or do I generate a CSR and import the same certificate?

Since bringing the ACEs into HA all contexts have sync'd and the backup ACE is in 'hot standby' state. But one context fails the sync and I think this is because the SSL certificate is not installed correctly on the second ACE02.

View 5 Replies



Cisco Application :: ACE 4710 - FT Pair IP Alias Address

May 8, 2012

I have recently configured a pair of ACE 4710 appliances in a FT group. The ACEs are deployed in one-arm mode, using Source NAT, with all routing to and from being done by a pair of PIX firewalls.
 
My configuration does not include the use of an "alias" IP address on the data VLAN interface within each of my contexts.
 
My understanding is that the "alias" IP address is similar to a HSRP address and if the ACE is deployed in Routed mode the default gateway for the servers can be configured with the "alias" address so as this is always available even if a fail over occurs.
 
if this is a correct interpretation and of use of the "alias" IP address and if so whether it is required when using a one-arm mode topology?

View 3 Replies View Related

Cisco Application :: Configure Fault Tolerance On Pair Of 4710

Aug 17, 2011

I'm trying to configure Fault Tolerance on a pair of 4710s. I followed the doc, and configured int gi1/4 as the fault tolerance interface, using vlan 12. However the GUI is saying FT Vlan Down.

The troubleshooting wiki said check the physical connectivity, but everything there looks good. Each ACE can ping its own IP, but not the router on that VLAN, or the peer. They're connected to a dedicated VLAN in a switch, and I even tried a crossover cable to directly connect the two. [code]

View 8 Replies View Related

Cisco Routers :: Install SSL Certificate From CLI On SR520

Sep 13, 2011

How to install an SSL key + certificate on our SR520 from the CLI. I have found the following document.
 
[URL]
 
I basically have the following files that I need to install:
 
Key file:
domainname.key
Certificates file:
AddTrustExternalCARoot.crt

[Code].....

View 1 Replies View Related

Cisco VPN :: ASA 8.4.5 - AnyConnect Web Install Getting Certificate Validation Failure

Mar 21, 2013

I have an ASA (8.4.5) configured with a connection profile that does AAA and Certificate authentication. Once I have the AnyConnect 3.1 on a Win XP system, it works perfectly. When I do a web install, it goes through the normal download, log-in, re-download then says "Certificate Authentication Failure". If I change the profile to AAA only, it installs fine. I even get the error if I launch from the web after I have the client on the PC. Why is this not working?

View 3 Replies View Related

Cisco Application :: Transferring Existing SSL Certificate From 11503 To ACE?

Jun 2, 2012

We now have a new requirement. We are replacing an existing pair of CSS with ACE 4710 appliances. The problem here is that I can see from the configuration that some SSL certificate is installed in the CSS. Is it possible to transfer the existing SSL certificate from the 11503 to the ACE? Or, do we need to generate a new key pair and CSR on the ACE? Is there any document available to know the steps for the same?

View 2 Replies View Related

Cisco Application :: Certificate Import From Exchange To ACE 4700

Dec 8, 2011

I am tasked to configure an ACE 4700 for SLB. This has been done and working. Am also further tasked to create a secure communication between the ACE and Exchange server. I need the breakdown of steps required to import the certificate from the Exchange server, and how to verify that things are working.

View 3 Replies View Related

Cisco Application :: GSS 4492 SSL Certificate And Private Key Replacement

Aug 29, 2011

During our recent pen test, it was discovered that the GSS appears to be running what could be considered a "weak" cipher:
 
"SSL Weak Cipher Suite Supported - The web servers tested supports the use of weak SSL ciphers."
 
I've logged on to the GSS but was not able to find the directory where the apache confs were stored (/cisco/merlot/apache).
 
My question is, can the cert and private key on the GSS be replaced by a new cert and key with stronger encryption?

View 1 Replies View Related

Cisco Application :: ACE-4710 Forwarding Of Client Certificate Information

Nov 25, 2009

I have an environment with SSL termination and client authentication with a client certificate. Now, the backend server application needs to be informed of the client DN information present in the presented client certificate. Is it possible to tell the ACE to send specific client certificate fields to the backend server via insertion of an HTTP header or, to forward the entire client certificate in any way to the backend server?

View 2 Replies View Related

Cisco Application :: Importing SSL Certificate From MS Exchange Server To ACE 4710?

Nov 16, 2011

My customer has an SSL certificate already installed on Microsoft Exchange 2010 servers and now wants to import that certificate to Cisco ACE4710.

How to trace the exact procedure to import the SSL cert to ACE from Microsoft Exchange server, and how about the key: from where should I get the key to cross-verify for the SSL cert?

View 2 Replies View Related

Cisco Application :: ACE 4710 (1) SSL Certificate Import ( 2 ) With Load Balancing?

Dec 3, 2012

I am performing a deployment, in which I require clarity on the following. Our setup has DC and DR; in each site we have two devices for HA. We have received one SSL certificate from a public CA. Kindly clarify the following doubts I have on this:

- In the doc, I found Cert.pem and key.pem is required to generate the pair. Do I receive both Cert.pem and key.pem from the CA, or can we generate key.pem from Cert.pem?
- SSL offloading is planned for the X application, and it is running in both DC and DR (considering each having their own public IP address). Do I need to have two different public certificates, or can I use a single certificate in both DC and DR?

Load Balancing Issue

- Is it possible to configure in ACE to access the service in business hours and in non-business hours to display an HTML page showing this is available only during these hours?
- In DC we have three web servers (only in one physical server is the service active, the other two are backup), and these three servers are under a cluster and share one cluster IP. In ACE we have created the VIP and pointed it to only the cluster IP (like pass-through only). The issue we face is that if the active web server is down, even then ACE is sending the traffic to that web server only instead of sending it to the new active web server. Let us know if any solution is there to overcome this issue? As per my understanding, instead of giving the cluster IP as the real server IP we can issue the three physical servers. Now I don't require load balancing between the three servers; instead I require failover, kind of like if the first server is down then it should forward to the second server?

View 4 Replies View Related

Cisco Application :: CSS 11501 - Wildcard Certificate With Subject Alternative Names

Sep 6, 2012

I generated a wildcard certificate for my company type *. [URL] in a CSS 11501. For the site [URL] it worked fine, for the site [URL] it didn't work. I read on the web that I should generate a wildcard certificate with subject alternative names. Is it possible in CSS? How can I do it?

View 5 Replies View Related

Cisco Application :: How To Install New 4710 Ace

Feb 2, 2013

I'm looking for a recommendation for a setup guide including FT. I've had a quick look at a wiki and I can get the basics, but I'm not sure if I need to set up additional contexts etc. when I'm the only one using the appliance?

View 2 Replies View Related

Cisco :: Install Two New Prime LMS 4.1 Servers Application In Master?

May 12, 2012

I am going to install two new Cisco Prime LMS 4.1 servers application in a Master and Slave Deployment, and how much bandwidth is consumed between the servers.

View 1 Replies View Related

Cisco Application :: ANM 4.3 Demo Version / Unable To Install License

Sep 18, 2011

I am installing the Demo version of ANM 4.3 on a virtual machine. The install was successful, however when I try to import the demo licence from my laptop to the server it does not allow me to tftp the file to the server. [URL]

View 1 Replies View Related

Cisco Switching/Routing :: Pair Of N7K Distribution Switches Connected To A Pair Of Aggregation Switches

Mar 11, 2012

We have a pair of N7K distribution switches connected to a pair of N7K Aggregation switches. We run vPC on both pairs of n7k's.

-n7k-d1 has two interfaces in a Port-Channel connecting to n7k-a1 & n7k-a2. (PC1)
-n7k-d2 also has two interfaces in a Port-Channel connecting to n7k-a1 & n7k-a2. (PC2)
 
My problem is that Spanning-Tree is blocking PC2 and all traffic from n7k-d2 is traversing the Peer-Link before reaching the Aggregation layer. Is this the best design for connecting two pairs of n7k's with vPC or if a better design would be to connect all 4 links into the same Port-Channel and vPC?

View 7 Replies View Related

Split A Single 4 - Pair Ethernet Connection Into Two 2 - Pair Ethernet Connections

Dec 28, 2011

I've got a router on which I run a backup/media/print server, a couple of computers and a voip box. My router has only four ethernet lan sockets which are thus all occupied by the above, but I need to attach at least one further device b

Secondly, could a splitter such as >> this one << do the job? I'm guessing this basically split a single 4-pair ethernet connection into two 2-pair ethernet connections.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: %ASA-3-717009 / Certificate Validation Failed / Certificate Date Is Out-of-range

Jan 30, 2012

There is an ASA with remote access VPN and users are authenticated using third party signed certificates (CA is not local in ASA). When a user certificate expires I can see it in syslog messages. For example:
 
     %ASA-3-717009: Certificate validation failed. Certificate date is out-of-range, serial number: (...)
 
I would like to know if there is an opportunity to view user's certificate expiry date beforehand, say, 3 days before?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.1 Don't Have Certificate Authority Certificate Anymore?

Oct 19, 2012

I am working on ISE 1.1.1, surprisingly I couldn't find the certificate authority certificate at certificate operation anymore.

Would it be the change on GUI? So now where can I import the CA certificate to ISE?

View 5 Replies View Related

Cisco Application :: ACE20 - Config Application In Progress Message

Dec 3, 2012

Every time I make a config change to one of the contexts on our ACE20, I get this message: Config Application in Progress. This command is queued to the system
 
If I run show download info, I get:
 
context : context1
Interface                     Download-status
--------------------------------------------------------------
187                         In Progress
199                             Pending
 
Regex download optimization status : Couldn't get status[TNRPC Timed out]
 
It eventually seems to complete, but it takes a very, very long time. We are running Version A2(3.5) [build 3.0(0)A2(3.5)].

View 2 Replies View Related

Cisco :: ACS 5.4 Distributed Pair Installation

Apr 20, 2013

We would like to install a pair of ACS 5.4 appliances as primary/backup in our two datacentres. I have some questions regarding design.

1- We have 800+ network devices to monitor, can we install by range of address instead of installing one by one in the device host database?
2- Do we have to install all 800 devices first on Primary and then again on backup, or will Primary replicate to the backup server?
3- We do not have real IP addresses yet, so if we build with dummy addresses and make them a pair and all the database syncs, then when we change their IP addresses, will the distributed primary pair have any issue with the backup ACS server?

View 7 Replies View Related

Cisco Wireless :: 5508 HA Pair Licenses

Apr 17, 2013

I have 2 5508 that are currently running as active with 150 licenses each. I want to go to HA SSO. Can 100 of the licenses be relicensed to the primary since it only requires 50 licenses to convert an active license 5508 to standby HA SSO?

View 3 Replies View Related

Cisco Firewall :: ASA 5520 - Failover Pair

Oct 31, 2012

I am trying to set up a failover pair on Cisco ASA 5520 - need a stateful failover. Do I need two ports dedicated to obtain the above - one for LAN based failover and one for stateful failover? Also, do I need a switch in between to connect them?

View 11 Replies View Related

Cisco Application :: Application Slowness Through ACE 4710

Mar 27, 2013

Report run via individual web server URLs: The report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.

Report run via ACE load balanced URL: The report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.

The data in general, when tested directly by running queries against the database (bypassing the platform), completes in 15-18 minutes. The network connectivity for each and every port involved (load balancer/servers) has been thoroughly checked.

View 6 Replies View Related

Cannot Pair Android Phone And Laptop

Feb 7, 2013

For some weeks I have been trying to pair my Samsung Galaxy S2 with my Lenovo ThinkPad SL500. The consistent message is "Unable to pair with [laptop]. Incorrect PIN or PASSWORD."

Well which is? PIN? or PASSWORD? - or does the system not know, so it's taking a guess? If it doesn't know, how can I possibly know?

Having read many articles about this on the www, I am still none the wiser as to what is causing this. What's wrong with the PIN or PASSWORD - is it too hot, or too cold? Wrong font face, colour or size? Wrong latitude, longitude or elevation? Wrong time of day or month? Are the auspices in general not favourable? Am I facing in the wrong direction as I type? Have I chosen the wrong weight/color of paper for my printer? Is my body odor unacceptable? Is the length of grass in my lawn not quite right? Oh, the number of options is so large - where does one start?

Oh, and before I forget - assuming I can find what constitutes a correct PIN or PASSWORD, where does one set it? btw pairing this phone with the media player in my 10 year old car works immediately and flawlessly!

View 10 Replies View Related

LAN Over Copper Twisted Pair Cable

Jan 14, 2013

Is it possible to run a large LAN over copper twisted pair cables? This is to connect 41 PCs that monitor fire systems on a large hospital site. I am trying to use the existing cable that is wired in a loop all round the site.

View 2 Replies View Related

Wiring A 2 Pair Cat 5 Cable To A RJ-45 Connector?

Oct 31, 2012

I have a long 2 pair cat 5 cable which I want to use to connect an ADSL modem to my desktop (located in a different room). I took the cable to a few local computer dealers but none of them could connect an RJ-45 connector to it. They can only connect a 4 pair cat 5 cable. Connect a 2 pair cat 5 Ethernet cable to a RJ-45 connector. Kindly use simple language. I have attached an image of the cable for your reference. [URL]

View 5 Replies View Related

Cisco :: Citrix NetScaler Vs Anyconnect On A Pair Of 5540s

Oct 30, 2011

My colleague wants to use our load balancers for VPN. We are coming off 3030s which are serving remote access IPSec as well as terminating LAN to LAN tunnels for like 7 sites. I want to secure the 5540s behind our front end 5585Xs when we move prod to the new dc. We have no immediate need for clientless but need to support OS X Lion and the IPSec client does not. That's all that's driving this effort currently. I already reminded mgmt that the 3030 and the IPSec client are end of life. I just think AnyConnect is the better solution based on current skillset and the popularity of the solution.

View 2 Replies View Related

Cisco Firewall :: 5520 - ASA Failover Pair With Different License

Apr 15, 2013

I have a running ASA5520 in my network and recently we plan to add a failover pair as a standby unit for the running ASA. Both of the ASAs have the same specs and software. The only thing that the soon to be secondary ASA does not have is the AnyConnect Essential license. Is it still possible for the unit to be the standby unit?

Below is the license capture from both of the units.
 
Running ASA:
Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 150     

[Code].....

View 3 Replies View Related

Cisco Switching/Routing :: Extending LAN Using 888-k9 Over One Twisted Pair

May 3, 2012

I already know that there is an option using Patton Copper Link Ethernet extender to interconnect a remote LAN with this device. Do you know if this is possible using Cisco 888-K9 or any other Cisco device?

View 2 Replies View Related

Cisco Firewall :: Activation Key For ASA 5520 Failover Pair

Mar 20, 2012

We have recently got 2 of our Cisco ASA 5520 firewalls through RMA. These are supposed to run in an Active/Active Failover Pair. There was only 1 RMA request that was opened for both the firewalls. We have received only 1 Activation key for this RMA request for both the firewalls. Just want to check with you if this Activation key will work on both firewalls or do we need to get a separate one for the other box?

View 1 Replies View Related

Cisco VPN :: Set Up Remote Access IPsec VPN On Pair Of ASA 5540

Feb 6, 2011

I'm trying to set up remote access IPsec VPN on a pair of ASA 5540 without much success. I can connect with a client on the outside, and when I try to ping something on the inside I can see the ping requests reach the target but the answers don't come back to the VPN client. I've tried with different NAT rules without success.

View 3 Replies View Related

Cisco WAN :: Generate Private Key-Pair On 2821 Router?

Oct 30, 2012

I want to clear the keys on a 2821 and generate new ones using the crypto key zeroize command but I don't see this command available as an option. Below is the output of the available options.
   
ROUTER#crypto key ?
lock    Lock a keypair.
unlock  Unlock a keypair.

[Code]....

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved