Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot the Application Control Engine with Cisco expert Gilles Dufour. Gilles has been a software engineer for the Level 4 to Level 7 switches in the Internet Systems Business Unit since January 2005. Prior to this position, he was a Technical Assistance Center (TAC) customer support engineer. During his first two years at Cisco Systems, Inc. he worked as a routing protocol expert. Later on, he worked as a network consulting engineer in Denver, Colorado and as an engineer in the content networking team. He is CCIE #3878 in routing, switching and security.
Remember to use the rating system to let Gilles know if you have received an adequate response.
Gilles might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 6, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
The ACE appliance is using user "DM" in syslog messages when changes are made via the web interface. Is there any way to change this behavior so that the user authenticated to the web interface is mentioned in the syslog messages?
Currently this is not possible, but there is a ddts open to track this feature request: CSCsu85286.
I believe the target is the next release A3(2.5).
With regards to the ACE module, we have a requirement to add a static ARP entry on the ACE. I am getting the following error message.
Error: Invalid MAC address
I'm trying to add a unicast IP address with a multicast MAC address, so I'm wondering whether, unlike a 6509, the ACE just doesn't support it.
Are you able to say if this is supported on the ACE?
We do not support multicast MAC addresses on the ACE module.
This is a limitation of some hardware component used to build the board.
So there is no plan to support this in a future release.
This is true for the module.
However, I'm not 100% sure for the Appliance.
So if you can send me a sniffer trace with the type of BPDU you want to bridge, I can replay the trace in my lab and see if they go through.
I attached a config that I am soon going to implement in our ACE module. The class-map is configured to listen to ports 80 and 90. There are two probes in the server-farm, one probing port 80 and one probing port 90.
My question is, if one of the probes fails on port 80, will the probe take the server out of rotation even though the server is still listening on port 90? I have attached the config.
Yes, with your current config if one probe fails the server is put out of service.
You can modify this behavior with the command "fail-on-all Fail reals when all probes fail" under the serverfarm.
You could also split the class-map in 2. One for each listening port and create a serverfarm for each port/probe as well so that you can dissociate both ports from each other.
I'm not sure what you mean by splitting the class-map in two. Can one class-map point to two different server-farms, or would the two server-farms share the same name? Please provide an example.
match virtual x.x.x.x tcp eq 80
match virtual x.x.x.x tcp eq 90
rserver server1 80
rserver server1 90
policy type load first Pol1
policy type load first Pol2
policy multimatch SLB
load policy Pol1
load policy Pol2
First of all, thanks for all the great replies on NetPro. I'm somewhat of a newbie on ACE, so they definitely come in handy.
In terms of resource allocation, when configuring your resource-classes, are there any guidelines, best practices etc.? I know that it's recommended by Cisco not to let syslog gain maximum resource, but to restrict it.
I am not able to access the ACE module from the switch. Can you please assist me?
C6509#session slot 2 processor 0
Error: context name (id:0) cannot be determined.
What can I do now?
You can try the console.
If that does not work, you won't have any other choice but to reboot.
You should upgrade to A2(1.6a) to get the recent fixes in this area.
CSCsv98101 ACE blade failed to allow any logins and indicated sysmgr respawning
Thanks for your response. I am now able to log in to the ACE through the switch, but I am not able to run anything on the ACE.
1) When I run the cmd:
ACE/Admin# show users
Error: AAA tnrpc call failed to get context name
The show tech command output displays nothing, just a blank screen.
Kindly let me know what's happening to my ACE; it's in production. Thanks in advance.
This is the same known issue that prevented you from accessing it remotely as well.
There were many ddts related to these problems and they have all been fixed in version A2(1.6a).
There is no workaround except to reboot the device.
In the current state, the box should still be able to process traffic, but most commands will fail.
I'm glad you do appreciate the answers you're getting on this forum.
To answer your question, I would say you need to pay attention to some resources.
1/ management connection.
You don't want to set the min value too low... otherwise you risk losing access to the box or having the box not be able to send ping or ARP requests.
I would say try to set the minimum to 5%
2/ sticky resource.
Here the resource does not move between min and max like the others. It stays at the minimum value and if your sticky table is full, we will reuse an old entry.
So make sure to set a realistic minimum.... I would say at least 20% to begin with and then increase it if necessary.
In general the most common mistake I see is that people tend to set a very very low minimum like 0.01%.
This usually leads to problems when one context starts taking all the resources.
You should think about how many contexts you expect. Then divide 80% (not the full 100%) by the number of contexts and use this value as the default minimum.
Then monitor for any denies and increase/decrease where necessary.
Yes, this is due to software.
This is why I provided you with the ddts number and suggested to upgrade to A2(1.6a).
Can I upgrade my ACE module directly to A2(3.0) from my current version, which is A2(1.0)? Is this compatible?
Also I assume that A2(3.0) has all the bug fixes of the A2(1.x) releases, am I right?
Thanks in advance.
A2(3.0) is not an ace module version but an ACE appliance software.
They are not compatible.
The latest version for the module is A2(1.6a)
I need this feature, i.e. HTTP insert of SSL session, hence this is the only release in which I could find it.
Kindly let me know, does A2(1.6a) have this feature? If not, then what option do I need to enable it?
Thanks in advance.
This is indeed the new software for the ace module ...so new I wasn't ready to see you referencing it :-)
So, yes this is fine for the module and you can upgrade directly without passing by another version.
There is an A2(3.0) version available from the download section. If this is only for the appliance then the site needs fixing.
Release Date: 12/Oct/2009
Catalyst 6500 Application Control Software for ACE Service Module
Size: 30786.49 KB (31525359 bytes)
This one is for the module.
I correct what I said in a previous post.
Everything A2 is for the module.
I misread the version and thought it was A3... which is for the appliance.
Do you want to catch any URL that ends with a dot, or just the one you showed?
It is easy to catch the URL with the dot, but the redirect is either a fixed URL or a URL containing the old URL. We can't reuse just part of the old URL.
class-map type http loadbalance url-dot
match http url /support/index[.]
Then define the redirect rserver
rserver redirect HTTP-REDIRECT
serverfarm redirect SF_REDIRECT
You can then tie everything together in a policy-map
policy-map type http loadbalance first HTTP
But if you need to catch any URL and remove the dot, this is not possible.
Hi Gilles :-) !!! ,
In ACE, is it possible to make an L7 rule based on the domain name of an HTTPS GET request?
If I have to enter the domain name like https://Sip.nestle.com, is it enough if I use Sip\.nestle\.com in the command below "match http header Host"?
class-map match-any L7EDGE
2 match virtual-address VIP tcp eq https
class-map type http loadbalance match-all L7CLASS-ACCESS
2 match http header Host header-value Sip\.nestle\.com
class-map type http loadbalance match-all L7CLASS-WEB
2 match http header Host header-value Web\.nestle\.com
class-map type http loadbalance match-all L7CLASS-AV
2 match http header Host header-value AVE\.nestle\.com
policy-map type loadbalance first-match L7OCS443
policy-map multi-match POLICY
loadbalance vip inservice
loadbalance policy L7OCS443
loadbalance vip icmp-reply active
connection advanced-options TIMEOUT
appl-parameter http advanced-options HTTP_PARAM_CASE
nat dynamic XXX vlan 503
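Added example (not from the thread): the regex patterns from the URL-dot class-map earlier in the thread and from the Host header class-maps above, evaluated with Python's re module to show what the escaped dot and anchoring change. Python regex semantics are assumed here, not the ACE regex engine itself.

```python
import re

# Patterns as typed in the two posts: the URL class-map uses "[.]" and the
# Host header class-maps use "\." to match a literal dot. Evaluated with
# Python's re module (assumption: general regex semantics, not ACE's engine).
URL_DOT_PATTERN = r"/support/index[.]"
HOST_PATTERN_ESCAPED = r"Sip\.nestle\.com"
HOST_PATTERN_BARE = r"Sip.nestle.com"   # unescaped dot: matches any character


def matches(pattern, value, anchored, ignore_case=True):
    """Match value against pattern.

    anchored=True requires the whole value to match (fullmatch); anchored=False
    accepts a match anywhere in the value (search). ignore_case mirrors the
    HTTP_PARAM_CASE parameter map in the post, which makes matching case-insensitive.
    """
    flags = re.IGNORECASE if ignore_case else 0
    if anchored:
        return re.fullmatch(pattern, value, flags) is not None
    return re.search(pattern, value, flags) is not None


def compare_host_patterns(host):
    """Return (escaped_match, bare_match) for an anchored Host header match."""
    return (matches(HOST_PATTERN_ESCAPED, host, anchored=True),
            matches(HOST_PATTERN_BARE, host, anchored=True))


def url_dot_results(url):
    """Return (anchored, unanchored) results for the URL-dot class-map pattern."""
    return (matches(URL_DOT_PATTERN, url, anchored=True),
            matches(URL_DOT_PATTERN, url, anchored=False))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for host in ("sip.nestle.com", "SipXnestleYcom", "sip.nestle.com.example"):
        print(host, compare_host_patterns(host))
    for url in ("/support/index.", "/support/index.html", "/support/index"):
        print(url, url_dot_results(url))
```

The bare pattern accepts "SipXnestleYcom" because each unescaped dot matches any character, and the unanchored URL pattern also accepts "/support/index.html", which is why the escaping and the matcher's anchoring both matter when these class-maps are written.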