Cisco VPN :: ACE-4710s To Setup Sticky Entries On Server Response Only
Aug 22, 2012
I've been using my pair of ACE-4710s for quite some time and have usually stuck to the Class C subnet sticky settings, as that's what we migrated from in Windows NLB. In one instance of load balancing I'm trying to create an L4 inspection policy that looks for a certain payload (much like an HTTP header) and would like to persist on this. The problem is that the client portion of the conversation starts with a 'SessionID' of 0, and the server responds with a unique 'SessionID'. If I set up the sticky policy with 'Enable Sticky For Response', I get entries populated in the sticky database, but they all go to the same server, as there is a sticky session set up for SessionID = 0. Is there a way to set up sticky entries on server response only? Currently using ACE DM v4(1.0).
We've got ACE30s (active/standby) running A5(1.2), and a context that's front-ending one of our major applications, doing SSL termination on the client side and SSL initiation on the back side:
parameter-map type ssl FrontEndSSL-Param
  rehandshake enabled
parameter-map type ssl BackendSSL-param
  authentication-failure ignore
[Code]...
I have a strange effect on my ACE 4710. It normally load-balances only 14 web services, reliably.
It's running on SW A3.25. Since several weeks I have noticed a dramatic increase in sticky entries. When running into the limits (the "stolen for reuse" counter increased then), "show np 1 me-stats "-slb -v"" showed more and more resources used for sticky ... last it was at 65% and ran into limits again at around 650,500 sticky entries.
So I began to find out which of the services was affected with the most sticky database entries and could identify it. There were really around 640,000 entries for that specific service.
The sticky for that service was defined to look at a specific cookie in the HTTP header, and the timeout defined is 120 minutes.
So around 45,000 entries were visible with a "show sticky database group Cookie_Sticky" with a time-to-expire value of zero in the database, like the following example shows:
When I modified my sticky definition with the command "timeout activeconns", all the zero entries were kicked out and the resources used for sticky went back to 5% of usage...
We are using a sticky serverfarm with 2 real servers; one server was down for maintenance for an extended period of time. When it came in service again it was not getting any connections. Is it because all the connections had stuck to the other server? We want sessions to be sticky but we also want to LB. I got it working by bouncing the server that had been online all the time; things started to LB then. BTW the ACE 4710 is running 4.2.1.
I'm having an issue with a TACACS server (ACS 4.2). I did the following test from the router:
Router1#test aaa group tacacs+ cisco cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
I can ping the ACS server from this router though.
I connect to the wireless box and have full signal, but an exclamation mark is present. I have run some tests and the IPv4 and IPv6 say they have no internet access. I also ran a full test and everything passed except the ping test, which failed and said: no response: default gateway; response: DHCP server. It suggested disabling the security firewall, but I'm not sure if that's the correct thing to do or even how to do that!
Running an ACS 5.1 appliance, and am seeing slow response on TACACS authentications due to the ACS trying to reach overseas AD servers and failing. Is there any way to configure an /etc/hosts file locally on the ACS in order to force the appliance to use specific AD servers for authentication? As I understand the process currently, the ACS appliance will query the top-level domain and get a list of all the AD servers in DNS. In my case, this would include the AD servers overseas that we do not want to use.
I am trying to recover a WRT54GS v1 router from a bad flash. The power light is blinking and it would not accept pings. Since I figured it was already hopeless, I attempted shorting pins 15 and 16, which caused it to start receiving pings. My problem is it won't accept the TFTP flash; I've tried both the cmd prompt and the auto upgrade utility. The upgrade utility says "Unable to get response from the server", however it is still accepting pings. The cmd prompt TFTP says it can't read from the local file. I am using Windows XP. Code...
i've been using a VPN to connect to my home network from elsewhere for a few months. It's set up as follows:
PPTP, Maximum Strength Encryption, EAP-MSCHAP-v2 Authentication
Now I find out that MSCHAPv2 authentication has been broken and is no longer considered secure (even by Microsoft), so I want to change the protocol I'm using to make it secure.
However, I've spent 3 hours now researching this and I cannot for the life of me figure out how to use a better protocol on my Windows Server 2012 home server. I've tried setting up PEAP authentication (still PPTP) a la Microsoft's recommendation document, but it requires a certificate. I've created a self-signed certificate but it seems I can't issue certificates (via this method) without being a member of a domain, so I'm stuck. I can't even get started with L2TP since I can't find the option for it.
My question is this: Is there a way to setup a secure VPN server using Windows Server 2012 without a domain? If so, how do I do this?
I'm looking for some documentation I can share with a customer to explain why I can't configure them a backup sticky server farm when we're not terminating SSL on the ACE (we pass SSL from the client through to the rservers, sticking the client to the rserver by source IP address). I've not been able to find anything that addresses this particular scenario in my googling so far. I remember discussing this in my training class with the instructor, but I can't find any reference to it. Have any of you run into this and have a link you can share?
RV042 in Router mode. WAN1 preferred. With Smart Link it seems to work to a point. When WAN1 fails, it fails over to WAN2. But then it gets stuck on WAN2 and I have to manually switch to WAN2 preferred and then back to WAN1 preferred to get the WAN1 connection to return. The test IP addresses should be just fine as set.
I have a requirement to load balance OWA 2010 inbound connectivity to 2 CAS servers using a ACE 4710 with sticky sessions enabled.
The CAS servers are currently responding on 80 or 443 at this moment in time. Eventually I want to offload the SSL to the ACE 4710; it's currently running on the CAS servers. I need to enable sticky sessions to keep the session to the same CAS server for each internet-based connection. I also have a proxy enabled for inbound connectivity, so I cannot use source IP.
Here is my configuration, but it doesn't seem to be working. I am currently testing with port 80 connections, not SSL.
We are using an ACE 4710 with the A3(2.6) software release. I had to change our sticky load balancing method for HTTPS to cookie based. However, while connections appear to work, if I look at the "show sticky database" table I cannot see or confirm sticky entries for the cookie-based connections. Here are config snippets to show the config:
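The two cookie-sticky posts above (the one whose zero time-to-expire entries disappeared after adding "timeout activeconns", and the OWA/CAS one that cannot use source IP because of an inbound proxy) both come down to the same piece of ACE configuration. The following is an added example, not configuration from any of the posters: a cookie-insert sticky group in front of two CAS servers. All names and addresses (CAS1/CAS2, OWA-SF, the OWASTICKY cookie, VIP 10.0.0.10, VLAN 100) are assumptions.

```cisco
! Added example: cookie-insert sticky on an ACE 4710 (A3/A4 syntax).
! Not taken from any post above; names and addresses are assumptions.
rserver host CAS1
  ip address 10.10.10.11
  inservice
rserver host CAS2
  ip address 10.10.10.12
  inservice

! Probe the OWA path itself; CAS answers 401 to an unauthenticated GET, so accept it
probe http OWA-PROBE
  interval 10
  passdetect interval 5
  request method get url /owa/
  expect status 200 401

serverfarm host OWA-SF
  probe OWA-PROBE
  failaction purge
  rserver CAS1 80
    inservice
  rserver CAS2 80
    inservice

! "cookie insert" makes the ACE set its own cookie, so clients arriving from one
! proxy source IP are still told apart. "timeout activeconns" keeps the 120-minute
! timer from counting down while the entry still has open connections, which is the
! setting the first post added to get rid of entries with time-to-expire 0.
sticky http-cookie OWASTICKY OWA-STICKY-GRP
  cookie insert browser-expire
  timeout 120
  timeout activeconns
  replicate sticky
  serverfarm OWA-SF

class-map match-all OWA-VIP
  2 match virtual-address 10.0.0.10 tcp eq www

policy-map type loadbalance first-match OWA-LB
  class class-default
    sticky-serverfarm OWA-STICKY-GRP

policy-map multi-match OWA-POLICY
  class OWA-VIP
    loadbalance vip inservice
    loadbalance policy OWA-LB
    loadbalance vip icmp-reply active

interface vlan 100
  ip address 10.0.0.2 255.255.255.0
  service-policy input OWA-POLICY
  no shutdown
```

Two checks worth doing before concluding that cookie sticky "does not work": the context must have sticky memory allocated from the Admin context (a resource-class with "limit-resource sticky" assigned to the context; with the default of zero, no sticky entries are ever created and "show sticky database group OWA-STICKY-GRP" stays empty), and the HTTP class must actually reach the sticky-serverfarm, which "show service-policy OWA-POLICY detail" confirms through its per-class hit counters.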
The WLC config guide for Release 7.4 states that sticky key caching (useful with Apple devices) is supported on APs in local mode. [URL] I am testing the new WLC 8500 with 7.4.100.60.
AP mode = FlexConnect
The WLAN where I activated SKC is centrally switched. I debugged the iPhone (4S) roaming. I think SKC works on a centrally switched VLAN on FlexConnect APs.
*apfMsConnTask_1: Jun 14 14:15:17.069: 30:39:26:2c:d3:ee Reassociation received from mobile on BSSID 00:16:9c:ba:a9:b6
*apfMsConnTask_1: Jun 14 14:15:17.069: 30:39:26:2c:d3:ee Global 200 Clients are allowed to AP radio
*apfMsConnTask_1: Jun 14 14:15:17.069: 30:39:26:2c:d3:ee Max Client Trap Threshold: 0 cur: 23
*apfMsConnTask_1: Jun 14 14:15:17.069: 30:39:26:2c:d3:ee Rf profile 600 Clients are allowed to AP wlan
How does a static entry under a "sticky" group perform?
Configuring Static IP Address Sticky Table Entries. Cisco documentation says: "When you configure a static entry, the ACE enters it into the sticky table immediately."
Configuring the ACE Action on Server Failure: failaction purge. Cisco documentation says: "The purge keyword specifies that the ACE remove the connections to a real server if that real server in the server farm fails after you enter the command. The ACE sends a reset (RST) to both the client and the server that failed. If you do not configure this command, the ACE takes no action when a server fails."
a) Does the ACE let the connections to SERVER1 time out (default behaviour) and then load-balance new connections coming in from 192.168.12.15 to another server in SERVERFARM1?
OR b) Does the ACE reset the connections to SERVER1 immediately and start load-balancing new connections coming in from 192.168.12.15 to other servers in SERVERFARM1?
OR c) Does the ACE just drop the current and new connections from 192.168.12.15 till SERVER1 comes back up?
OR d) Is it dealt with differently?
Question 2 - Now what happens if the failed server (SERVER1) comes back up after some time?
e) Does the ACE reset any current connections from 192.168.1.15 and start sending them to SERVER1?
OR f) Does the ACE leave the current connections from 192.168.1.15 to other servers in SERVERFARM1 as they are and send any new connections from 192.168.1.15 to SERVER1?
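To make the two documentation quotes in the post above concrete, here is an added example (not the poster's configuration) that puts "failaction purge" and a static source-IP sticky entry into a minimal working ACE configuration. SERVERFARM1, SERVER1/SERVER2 and the client 192.168.12.15 follow the post's names; the rserver addresses, probe, VIP 10.0.0.20, port 8080 and VLAN 100 are assumptions. It shows how the two commands are placed and verified; it does not settle the behavioural questions the post asks.

```cisco
! Added example, not from the post above. Names from the post are reused;
! addresses, ports and the probe are assumptions.
rserver host SERVER1
  ip address 10.10.20.11
  inservice
rserver host SERVER2
  ip address 10.10.20.12
  inservice

! The probe is what declares a server failed; without one, failaction has nothing to act on
probe tcp TCP-8080
  port 8080
  interval 5
  passdetect interval 5
  faildetect 2

serverfarm host SERVERFARM1
  probe TCP-8080
  ! RST existing connections to an rserver as soon as its probe fails
  failaction purge
  rserver SERVER1 8080
    inservice
  rserver SERVER2 8080
    inservice

! Source-IP sticky with a /32 mask, plus the static entry from the documentation quote.
! The static entry goes into the sticky table immediately and never ages out.
sticky ip-netmask 255.255.255.255 address source SRC-IP-STICKY
  timeout 30
  serverfarm SERVERFARM1
  static client source 192.168.12.15 rserver SERVER1

class-map match-all APP-VIP
  2 match virtual-address 10.0.0.20 tcp eq 8080

policy-map type loadbalance first-match APP-LB
  class class-default
    sticky-serverfarm SRC-IP-STICKY

policy-map multi-match APP-POLICY
  class APP-VIP
    loadbalance vip inservice
    loadbalance policy APP-LB

interface vlan 100
  ip address 10.0.0.2 255.255.255.0
  service-policy input APP-POLICY
  no shutdown
```

The static entry is visible with "show sticky database static" even before any traffic arrives, which is the quickest way to confirm it took effect; "show serverfarm SERVERFARM1 detail" shows the probe state of each rserver, and "show conn" before and after pulling SERVER1's probe target shows whether the existing connections from 192.168.12.15 were purged.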
I'm having an issue with port-security on a Cisco 2950 switch. The port-security is set up to use sticky MAC addresses and was working just fine. Recently, when a computer was changed out and I needed to clear the security on the port, it wouldn't let me. I would type "clear port-security sticky int fa0/##" and it would give me an error. The error would be that the sticky command doesn't exist. So I went back and typed "clear port-security ?" and the only option was dynamic. Even if I try to take the port security off the switch it won't let me; it never shows the option for sticky. If I change the maximum number of MAC addresses allowed, the computer will work, but I can never clear the old addresses out.
Our customer has a Cisco ME3600X with the IOS me360x-universalK9-mz.122-52.EY3. They are saying that it is not possible to configure "switchport port-security mac-address sticky" on the interfaces and want to know whether any additional license is needed. As far as I know there isn't any extra license to activate this feature, and I also believe the ME3600 switch should have this feature with the universal IOS; isn't that right?
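As an added example for the two port-security posts above (not configuration from either poster), here is a sticky port-security access port on IOS and the way a learned address is removed when the host behind it is replaced. Because a sticky address is written into the running-config as a normal "switchport port-security mac-address sticky <mac>" line, the "no" form of that line removes it on images that do not offer "clear port-security sticky". The interface, VLAN and MAC address are assumptions.

```cisco
! Added example, not from either post above. Interface, VLAN and MAC are assumptions.
interface FastEthernet0/10
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! After the first frame from the host, IOS adds the learned address to the
! running-config under the interface, e.g.:
!   switchport port-security mac-address sticky 0011.2233.4455
! Save it ("copy running-config startup-config") or it is lost on reload.
!
! Host replaced: remove the learned entry explicitly, then let the new host be learned.
interface FastEthernet0/10
 no switchport port-security mac-address sticky 0011.2233.4455
```

"show port-security interface FastEthernet0/10" and "show port-security address" confirm the current secure addresses and the violation counter; with "violation shutdown" instead of "restrict", a violation err-disables the port and it also needs a "shutdown" / "no shutdown" (or errdisable recovery) after the stale address has been removed.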
I've set up an NTP service using Cisco 2811 routers. This works fine at the moment, but in the end there are some questions left.
1. I'm using two 2811 routers, one as primary, which is receiving the time from PUBLIC NTP 1, and one as backup, which is receiving the time from PUBLIC NTP 2. Is it possible to compare these two times and check if they match? And if not, generate an alarm via e.g. SNMP.
2. Is it possible to check via SNMP whether the routers are reaching PUBLIC NTP 1 and PUBLIC NTP 2 for sync?
I want to setup a quick and simple VPN server on my ASA. I want to do local authentication and, once authenticated, I want to allow all internal access. I only have 1 WAN IP. I'm finding a ton of conflicting info online. The ASA is already setup and is operational. I just need the correct commands to setup the VPN.
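As an added example for the ASA post above (not the poster's configuration), here is a remote-access IPsec/IKEv1 VPN in ASA 8.4+ syntax with LOCAL user authentication and full-tunnel access to the inside network. A remote-access VPN terminates on the outside interface's own address, so a single WAN IP is enough. The interface names, inside subnet, address pool, group names, DNS server, pre-shared key and username are assumptions and must be replaced.

```cisco
! Added example, not from the post above. ASA 8.4+ syntax; all names and addresses are assumptions.
ip local pool VPN-POOL 192.168.200.10-192.168.200.50 mask 255.255.255.0

object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object network VPN-NET
 subnet 192.168.200.0 255.255.255.0

! Exempt inside<->VPN traffic from the PAT rule that hides the inside network behind the WAN IP
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-NET VPN-NET no-proxy-arp route-lookup

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

crypto ipsec ikev1 transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set ikev1 transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside

! "tunnelall" sends every packet from the client into the tunnel, which gives full internal access
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ikev1
 dns-server value 10.1.0.53
 split-tunnel-policy tunnelall

! Local user; privilege 0 plus service-type remote-access keeps the account off the management plane
username vpnuser password CHANGE-ME-UserPassword privilege 0
username vpnuser attributes
 service-type remote-access

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool VPN-POOL
 authentication-server-group LOCAL
 default-group-policy RA-GP
tunnel-group RA-VPN ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-GroupPSK
```

"show crypto ikev1 sa" and "show vpn-sessiondb ra-ikev1-ipsec" show whether a client negotiated and what it was assigned. Two caveats: the IKEv1 group pre-shared key is shared by every user and is exchanged in aggressive mode by the legacy IPsec client, so it is not a per-user secret and should be treated as low-assurance; where the client software allows it, AnyConnect over IKEv2 or TLS with certificates is the stronger choice. With "tunnelall", clients that also need Internet access through the ASA additionally require "same-security-traffic permit intra-interface" and a NAT rule for VPN-NET out of the outside interface.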
I have set up a VPN server on a Cisco 1841 and dialed in through a PC; it worked fine. But when I dial in through another ISP it is not working. It can establish the VPN but it can't pass traffic through the VPN; what may be the problem? The configuration is the same and I can access the Internet through this ISP.
I am trying to set up a syslog server on LMS 4.0. Everything seems to be working fine, but I have a lot of strange logs in my syslog.log file. Every single day I receive logs like:
I am trying to configure a Cisco 871 to act as a PPTP VPN server on my home network. I have referenced Cisco's documentation regarding this, which I will include below, as well as a copy of my current running configuration and terminal monitor information from when I attempt to establish a connection.
When I attempt to connect from a Windows machine I receive the following error: 'Error 807: The network connection between your computer and the VPN server was interrupted.' 'The remote device won't accept the connection.' When I attempt to connect via my mobile, I get 'The server has hung up'. The 871 does detect the incoming connection, which can be seen from the terminal monitor output: url...
How would I set up my own anonymous proxy server with my own IP address without having to go on a proxy list site? I don't care how complicated or time-consuming it may be; I'm a very fast learner and I do things extremely quickly.
I set up one ACS v5.3 on a server in NYC and another ACS v5.3 in SJC. I want to make acs.nyc the primary and acs.sjc the secondary; how do I set that up?
I need to set up a syslog server for a PIX with 6.2 and was hoping to get detailed instructions on how to go about it. I would like exact syntax with an example on the PIX and any configuration on the computer that will be receiving the log info. I have downloaded tftpd32 onto the computer.
We are having some trouble setting up our router (Cisco 861W) web server on the LAN so that it can be accessed from outside (HTTP via port 80). When we try to access it via the web address, we just get the login window of the Cisco router software.
I've made an ad hoc hotspot and then my client tries to connect to my hotspot, but it must be set manually... how can my client connect to my hotspot automatically, not manually??? And how do I install and set up a DHCP server in Windows 7...
Show me the necessary steps and the type of hardware/software to buy to set up a network storage server that allows me and my family to access/share all files from anywhere through the internet.