I have a problem, recently I can not telnet to the ACE 4710, the ACE version is A4(2.0). I can enter by web and console but not for telnet. I try to give more resource to the admin context but it doesnt work.
View 1 RepliesI have to load balance traffic between 2 servers sitting behind the LB. The webservices are on HTTPS/8443. I followed the end to end configuration guide for SSL. No success.
Here is my configuration -
rserver host nms1
ip address 10.29.36.31
conn-limit max 4000000 min 4000000
[Code].....
We have a rather strange issue, and I'm not sure it's really a problem with the ACE or not. We created an HTTP parameter map called "TCPreuse" and applied it to a virtual server. A show conn detail displays "[ conn in reuse pool : FALSE]" for all connections pertaining to this virtual server. The rserver in question is Linux(Ubuntu) + Apache.Next we applied the HTTP parameter map to another virtual server - this time IIS7 + Windows Server 2008. There are plenty of entries "[ conn in reuse pool : TRUE ]" when I do a "show conn detail".What could the web servers be doing differently that would cause the connection reuse to work on one virtual server and not the other?
View 1 Replies View RelatedI need to upgrade 2 active-standby cisco ACE4710, the issue is I cannot access FTP/TFTP/SFTP server via Admin context but can be accessible via other contexts.
Can I copy the ACE system software file from FTP/SFTP/TFTP server to image: directory durectly or need some other way around ? I could see the option is available to copy ftp: to image: via other context.
My customer they do not want change their real server IPs. So I need setup one interace (one armed) for them on ACE4710. Who had this sample configuration? (CSS has this but it seems to be not compitable with ACE)
View 4 Replies View RelatedI am attempting to configure an ACE4710 to perform SSL end-to-end confguration. i.e. SSL termination - load balance - SSL initiate to backend server.The configuration appears to work fine in a test lab using any old web server, however when I peform the same configuration in the production environment it does not work. It appeatrs from a capture run on the ace that the ace is reseting the tcp connections after communicating with the back end server. The main difference I can think of in this environment is that the cert and key pair the ace is using where exported from the backend server, i.e. both the ace and the backend server have the same certificates and keys. Is this allowed? how to troubleshoot why the ace resets the connection.
View 6 Replies View RelatedI have 2 ACE4710 in HA enviroment, they receive connection from Internet. What I need to configure is following:
The ACE have configured two URL, with the same port and VIP Address, for example:
URL-1: www.xxxxx.com
URL-2: www.xxxxx.com/Admin
VIP Address: 10.10.10.10
Port: 8443
All clients point to unique VIP and Port configured, I need to know if I can apply any filter or rule that allows me to distinguish when a customer goes to the URL1 or URL2.If any client try to access to URL-2, your traffic must be deny.In summary, from Internet I should be able to go only to URL-1.
I have to deploy the Cisco GSS in our 2 dataceters globally seprate IP ranges to loadbalance the exchange 2010 environment with Cisco ACE 4710 series SLBs. The scenario is to deploy one GSS + ACE on each datacenters and our nameserver will point to both GSS's IP addresses to get through. Incase primary site "site A" goes down name server will point the client's request to "site B".
What will be the physical setup of the GSS here and what configuration should on SLB ACE will make it work? Do GSS and ACE need to be in the same vlan? is this necessary to use Both interface of the GSS to get things working? How the GSS will check the health check on ACE if they both are on different vlans/ip range? Our ACE will be in routed mode do we need to assign the Real server default gateway as ACE inside interface with the server farm or just do the SNAT of the client IPs so the request can come back to ACE?
I have HA configuration for two ACE4710. FT between Ace's is configured as L2 (V LAN). Active ACE is sending heartbeats, but switch shows lot of 'input errors' on ingress and this is a major problem. FT is logically not working (there is no connection between these two Ace's over V LAN). There is only L2 configuration, with speed and duplex auto, no other special configuration. When I connect Ace's directly, FT is working without problem.
I can see lot of errors on input direction (from ACE) to switch port, that means, L1, or L2 problem, but direct connection (using the same Ethernet cable) is working. I tried 'shut/no shut' on both sides, set duplex/speed,... without success.
ACA IOS version is A4(1.x).
Do you know if it is possible in ACE 4710 appliance to configure a SIP TLS ?The SIP probe we have in the configuration guide it is only for clear text. for Lync 2013 we need to establish first a TLS session and then within it, send an SIP request..IS it possible in any version? I tried also to configure a HTTPS probe but it fails as it sends a GET which the Lync SIP server doesn't understand.
View 1 Replies View RelatedACE 4710 deployment model. We'll be doing an eval later in the year, but I'm just looking to understand the architecture.We have a stack of 3750 switches with a single VLAN (10.1.1.0/24). Connected to that stack is a pair of web servers (10.1.1.5 and 6) that we want to provide load balancing/failover for. Some of the clients are located right there on that same VLAN. Other clients may be coming from other spots in the infrastructure.It sounds like I could put a pair of 4710s connected to that stack of switches, in a single arm deployment? And then the virtual IP and the real servers would all be 10.1.1.0/24. Maybe use an etherchanel to connect each 4710 to two 3750s?
View 9 Replies View RelatedI'm implementing and found out some issues are unresolvable on ACE4710. This network have been running on a server without LB. Now the second server comes up. We choosed to implement with Routed Mode.This network Peak @ 300Mbps. Now on we're doing the first context which is function as content web-farm. In near future, 2nd context which takes care of indexing web-farm when they buy more server.
From following diagrams.I browsed from internet into this service. "show service-policy" shown as '0' (counter was not running). I guessed that there is something wrong in FW configuration. So I isolated out FW. Then I plugged-in my PC into network 30 (192.168.30.X) in front of this LB, then browsed into LB's VIP (192.168.30.1). LB "show service-policy" came up BUT there is nothing return to my PC (client). "show conn" on LB as "SYNSEEN". What's SYNSEEN?! Some meaningful.
Then I tried to figure out with a PC running 'apache' and took the place of real server. "It works!" returned from LB/Server. "show conn" became 'Establish' Programmer guy said if I browse into web-farm (i.e. content web-farm) directly pkt will be redirected to indexing server. But they said it will be L7 redirection. Not LB/Network level.
We recently configured a setup to loadbalance 2 application server using ACE4710. Initially the configuration was to link two app servers directly to ACE4710 without connecting to a Switch, but later, it was advised that ACE4710 is not able to work without connecting to a switch.
1. ACE4710 is not able to link directly to APP/WEB server, but it must go through a network Switch.
2. If item-1 above is true. We used to have a older Cisco Loadbalancer which is able to link directly to WEB/APP servers. What is the reason or advantage of removing this feature?
On my ACE4710s I'm using least-loaded predictors monitoring Microsoft Windows CPU usage. There are times when the MS Windows CPU OIDs can change between reboots. Any way for the ACE to automatically adjust to the new CPU OIDs and continue to get accurate CPU usage values?
View 1 Replies View Relatedone of our 2 ACE boxes in FT group suddenly reboot-ed from active state and now it continuously reboots with the following error:
insmod: error inserting '/isan/bin/klm_octeon_device.klm': -1 No such deviceerror inserting /isan/bin/klm_octeon_device.klmDaughter Card Not Found. Rebooting..INIT: Sending all processes the TERM signal...
We have a CSS11503 that is currently being used to accept incoming HTTPS and SSH connections on a specific VIP and then PAT those client connections. I understand that it also PATs the server initiated connections. [code]
View 1 Replies View RelatedFor server load balancing, does the ACE4710 support custom protocols? We'll be using HTTP for server health monitoring, and to determine if a server is up or down. But the client/server application is custom, and includes a lot of non-standard ports. Can the server VIP handle generic TCP connections? For example client1 connects to the VIP on http, but then later client1 switches to using tcp842 (a custom protocol, not http).
View 5 Replies View RelatedI have a ACE4710 setup to load balance a couple of web servers. The real servers all show as inservice as do the propbes and serverfarms/virtual servers. If I ping the Virtuual server ip address I get a reply but it I try to access VIP via telnet or web browser. I get a connection could not be open error on the client.The question is how do i determine where the error is comming from so far I can not tell if the client is getting through the acl or not.I have used the trouble shooting guide and nothing has worked to determine the cause so far. show service-policy int479 detail does not show an increase in the hit count when I try to connect.show stats conn does not show an increase in failed or timed out connections when i try to connect. [code]
View 3 Replies View RelatedMy customer wants each ACE4710 (of a highly available cluster) to have its own, dedicated port for management purposes.
According to documentation, IP addressing can be applied to VLAN interfaces, so in order to satisfy the requirement, I should make one port belong to an "access VLAN X", and then apply IP addressing to the corresponding "interface VLAN X". This should satisfy my customer´s requirement in an indirect way.
But... ¿ Can´t I just configure IP address on one of the 4 ethernet ports in order to save the work of building the aforementioned VLAN? I am asking this since I do not have access to a real box in order to verify.
I was trying to implement stickiness based on cookie. Server inserts a cookie and sends it to the browser. I learned from app team that this cookie is changing dynamically during the session, so stickiness based on server’s cookie doesn’t work.
Now I want to investigate into possibility of ACE to insert a cookie. My question is: ACE feature of “cookie insert”: does it add additional cookie into http header without removing server cookies or it deletes the cookie(s) that server put into http header and replaces them with its own cookie?
We have an ACE Appliance in a DMZ and the ACE Appliance's Admin Context IP is translated between ACE and ANM. The ANM Server does not get translated. It is just the opposite then in another Community discussion.
Our Problem: When adding the ACE4710 Appliance to the ANM imported Device List, we use the ACE's NATed Admin Context IP. Import works well, but ANM reflects the Admin Context IP with it's real configured IP. Polling the ACE Appliance does not work therefore.
Is there a possibility of telling the ANM, that the ACE has to be polled through a NATed IP? I could not find a field to set a NATed Mgmt IP.
Configured IP on ACE Admin Context: 192.168.0.10
NATed ACE Admin Context IP: 172.16.0.10
Imported ACE with IP 172.16.0.10 into ANM, but ANM polls for Rserver, Vserver, Probes, etc. via 192.168.0.10 - which is not reachable from the ANM.
I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). esterday I upgraded one of them to A4(2.3) now I cannot telnet to the Admin context.Pings ok. I can telnet to other contexts on the box and everything seems to be working ok when i do a " sh telnet" comes back with
No Session Information is available
sh telnet maxsessions
telnet maxsessions 16
I have a pair of ACE 4710's that I am deploying within a datacenter. The primary and secondary ACE appliances have identical configurations except for the IP addressing and priorities for FT. The FT peer is going into a TL error state.
On the primary ACE appliance, I am able to ping and telnet from/to it without any issues. All of the routing works as it should and everything is seen in the ARP table as it should. The secondary appliance is able to ping everywhere, but telnet out of or into that appliance does not work.
I am able to see the IP addresses in the arp table and can successfully ping end to end from the secondary device, just unable to telnet into or out of it. When I try to telnet out of the secondary device, it reports that there is no route, even though the IP's I am trying to telnet to are directly connected and those interfaces are up and working (otherwise ping would fail). The exact same filters (access-lists, service-policies) are configured in the exact same format and applied to the exact same interfaces.
I tried removing all of the fault tolerance configurations and just created a Layer 3 vlan interface for management and I am still unable to telnet into or out of the appliance. This is not a complicated setup and I have to think there is something obvious that I'm missing, but I'm hung up on the fact that the config's are almost identical while one works exactly as intended and the other reports no route to host for a directly connected interface.
I am in the process of upgrading from v3.2.5 to v4.2.1, i have been follwing the upgrade/downgrade guide forv4(2.0) for my redunanant pair of ACE 4710.everything ok, following procedure after the standby is reloaded and comes up to standby-warm, Iget the license incompatabilty message on the primary.but I cannot telnet back into the standby, i can ping it ok though.I am loathe to go any further, and do the 'ft Switchover all' and reload the primary incase I cannot telnet back into the primary when it comes back up.
View 2 Replies View Relatedimplementation of the cisco CSS 11501 boxes available as spare on our site into production for an application evry thing worked as expected. i was able to telnet the active/master box and was able to console both master and backup box from the console port.however a week post the activity im faced with this weird problem where im not able to take console or the telnet access of my primary/active box.The boxes are working in BOX-to-BOX redundancy and now im not able to telnet or console my active/master box. The telnet and console window prompts me for username and password and after entering the credentials nothing happens. no prompt or no error message is displayed.
The telnet primary authentication is via tacacs and secondary is via local. however for console im not using any method for primay authentication and local for secondary authentication. however i can successfully console my backup box. below are my obsrvations 1. the left and right status LED on the active CSS box is OFF.- it means my CSS 11501 failed and has no power. 2. upon firing the rcmd command with show line command on backup box i see that the telnet sessions and console session is established with the master box3. the redundancy state of the active box says it is master and has not changed state since my last activity, no application issue reported, all the services are active on the active box and also i can ping the active box ip address from my backup box over which box to box redundancy is established. This confirms the active box is functioning well 4. i initially thought the telnet sessions are not getting cleared, however the show line cmd with the rcmd cmd on the backup box confirms this is not happening. now im stuck as the active box cannot be accessed at all via console or telnet. i was thinking of below steps to be carried out.1. to failover the boxes and make the backup as master2. then try to take the faulty box off the network and troubleshoot (are there any other commands that i should use to troubleshoot)3. if nothing works try rebooting the box and check
NOTE: the software running is version 7.20.30.3 with standard feature set. we are not using cvdm or the CSS GUI. we could access the css initially on CSS gui and that is also not working now.
disable telnet for ACS 1120 Appliance version 5.0.0.21 .is there anway to do it , not able to login via telnet and ssh it says wrong credentials but webgui is working fine with same user and password.
View 1 Replies View RelatedWe are having issues with our Cisco ACE 4710, it suddenly stopped to telnet admin context.We are able to telnet another context from the same appliance, but unable to telnet the admin context. Is possible to pings the gateways from the other contexts, but we are not able to ping the gateway from the admin context.Actual we have 5 context with the minimum allocation is 10%.ACL and policy map allowing telnet and etc are enable and configured on the interface.
View 1 Replies View RelatedEverytime I make a config change to one of the contexts on our ACE20, I get this message: Config Application in Progress. This command is queued to the system
If I run show download info, I get:
context : context1
Interface Download-status
--------------------------------------------------------------
187 In Progress
199 Pending
Regex download optimization status : Couldn't get status[TNRPC Timed out]
It eventually seems to complete, but it takes a very, very long time. We are running Version A2(3.5) [build 3.0(0)A2(3.5)].
Report run via Individual Web server URL’sThe report takes less than 20 minutes (average 15 minutes) to fetch and return the data. This is observed 9 out of 10 times.Report run via ACE Load Balanced URLThe report keeps on running for more than 20 minutes and never completes. The front end keeps showing report is running.The data in general when tested directly by running queries against the database (bypassing the platform) completes in 15-18 minutesThe network connectivity for each and every ports involved (Loadbalancer/Servers) have been throulgly checked.
View 6 Replies View RelatedCannot connect to ACS device using telnet IP: port 1812? Seems it is using this port config by default.Is it because of the port it's trying to use? Is there a way of changing the port? If so, where does one do this in the ACS device?I have two 4400 series WLC's one is on the same network segment as the ACS, I can authenticate through the ACS on this one. The other WLC at a different location, cannot authenticate through the ACS.
View 2 Replies View RelatedI have a 891 router I have been testing some things on. I have been able to successfully telnet to it in the past with no problems. Just yesterday I was trying to set an interface to have an IP of 10.10.10.2 which I realized was an IP I had forgot to exlcude from DHCP and it was handed out to the computer I was using to telnet in. So I wrote in the exlcude commands and did an ipconfig -release ipconfig -renew on my PC that had the 10.10.10.2 IP. After the renew I was given 10.10.10.7 (put in a few more excludes).However the release dropped my telnet connection and afterwards I was completely unable to telnet in, getting the error that says I cannot open the connection on port 23. I had made some changes to my entire config beforehand which had it switch to use a new public IP. I never saved the changes and did a hard reset by unplugging the router to get my old config back and see if I could telnet after that. Still could not get in, same error. Well I went through and remade my entire config to use the new public IP. My 10.10.10.7 PC can access the internet, DNS, ping the router, all just fine. Still can't telnet. I remade my line/vty config and made sure it matched up with a config I had on another router. Still can't telnet. Last thing I did was go in and manually clear all open line connections. All that is left is an idle 0 con 0 line that it wont let me close. Still can't telnet.What the **** is going on with this thing? I am completely at a loss to explain why I cant telnet. It must be something in my ACLs that I am missing?
View 2 Replies View RelatedI have a cisco 3750 switch and i given 2vlans (40, 118). 40 is local and 118 is public.I given the public ip for vlan 118. now i am able to telnet from same vlan (118 only) but i am not able to ping and telnet as globally. [code]
View 5 Replies View Related1.SCP Not Working on my Linux Box (Fedora release 7 (Moonshine))to Fedora fc11.i686 running box[CODE]
View 5 Replies View Related