A customer just bought 2 new CAGs and is trying to use them through a CSS. The CAG VPN and website are very flaky; the VPN connects, then disconnects, etc. The website running on them displays the "under construction" page, but when you go to it directly it works and goes to a logon page. I am not sure what to look for here; the flows on the CSS look correct. The traffic from the internet to the CAGs gets a PAT address of 172.27.106.x; the CSS, CAG VIP and real addresses are all on the same internal subnet as the PAT. So inbound traffic gets a PAT of 172.27.106.x --> VIP address 172.27.106.x --> CAG server real address --> 172.27.106.x; the CAG responds back to the 172.27.106.x address, which proceeds back out the firewall. I wondered if the CAGs have an issue with the source traffic being PAT'd. Does anyone have any experience with these CAG devices?
I don't have experience with the CAG servers you mentioned, but on the CSS, most connection instability issues are related to a flow timeout. The CSS will time out connections after 16 seconds of inactivity, and after a session has been timed out, it can be closed at any time.
One quick thing you could try would be configuring a bigger timeout for the affected content rules with the "flow-timeout-multiplier" command. This command takes as a parameter a number that gets multiplied by the default 16 seconds to arrive at the final timeout value. I would recommend that you set the multiplier to 450, which would give you a 2-hour inactivity period, and then see if the situation improves.