Cisco Support Community

ASK THE EXPERT - APPLICATION CONTROL ENGINE

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to configure and troubleshoot the Application Control Engine with Cisco expert Gilles Dufour. Gilles is a software engineer for the Level 4 to Level 7 switches in the Internet Systems Business Unit since January 2005. Prior to this position, he was a Technical Assistance Center (TAC) customer support engineer. During his first two years at Cisco Systems, Inc. he worked as a routing protocol expert. Later on, he worked as a network consulting engineer in Denver Colorado and as an engineer in the content networking team. He is a CCIE # 3878 in routing, switching and security.

Remember to use the rating system to let Gilles know if you have received an adequate response.

Gilles might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through November 6, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

94 REPLIES
New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

HI Gilles,

The ACE appliance is using the user "DM" in syslog messages when changes are made via the web interface. Is there any way to change this behavior so that the user authenticated to the web interface is mentioned in the syslog messages?

Best Regards

Carsten

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Carsten,

Currently this is not possible, but there is a DDTS open to track this feature request: CSCsu85286.

I believe the target is the next release A3(2.5).

Regards,

Gilles.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Hi Gilles

With regards to the ACE module, we have a requirement to add a static ARP entry on the ACE. I am getting the following error message.

Error: Invalid MAC address

I'm trying to add a unicast IP address with a multicast MAC address, so I'm wondering whether, unlike a 6509, the ACE just doesn't support it.

Are you able to say if this is supported on the ACE?

Thanks

MJ

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

We do not support multicast MAC addresses on the ACE module.

This is a limitation of a hardware component used to build the board.

So there is no plan to support this in a future release.

Regards,

Gilles.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Gilles,

Is it true that the ACE 4710 doesn't forward MST BPDUs?

Regards

Mats

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

This is true for the module.

However, I'm not 100% sure for the Appliance.

So if you can send me a sniffer trace with the type of BPDU you want to bridge, I can replay the trace in my lab and see if they go through.

Regards,

Gilles.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Gilles,

I have used the NAM to sniff, but I didn't manage to filter out just STP, so there is some other traffic in the attachment.

Regards

Mats

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Gilles,

I attached a config that I am soon going to implement in our ACE module. The class-map is configured to listen to ports 80 and 90. There are two probes in the server-farm, one probing port 80 and one probing port 90.

My question is: if the probe on port 80 fails, will it take the server out of rotation even though the server is still listening on port 90? I have attached the config.

Regards,

Johnny...

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Yes, with your current config, if one probe fails the server is put out of service.

You can modify this behavior with the command "fail-on-all" (help text: "Fail reals when all probes fail") under the serverfarm.

You could also split the class-map in two, one for each listening port, and create a serverfarm for each port/probe as well, so that you can dissociate the two ports from each other.

Gilles.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Gilles,

I'm not sure what you mean by splitting the class-map in two. Can one class-map point to two different server-farms, or would the two server-farms share the same name? Please provide an example.

Regards,

John...

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

class-map match-all map1
  2 match virtual-address x.x.x.x tcp eq 80
class-map match-all map2
  2 match virtual-address x.x.x.x tcp eq 90

serverfarm host farm1
  probe port80
  rserver server1 80
    inservice
serverfarm host farm2
  probe port90
  rserver server1 90
    inservice

policy-map type loadbalance first-match Pol1
  class class-default
    serverfarm farm1
policy-map type loadbalance first-match Pol2
  class class-default
    serverfarm farm2

policy-map multi-match SLB
  class map1
    loadbalance vip inservice
    loadbalance policy Pol1
  class map2
    loadbalance vip inservice
    loadbalance policy Pol2

G.

Bronze

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Hi Gilles,

First of all, thanks for all the great replies on NetPro. I'm somewhat of a newbie on ACE, so they definitely come in handy.

In terms of resource allocation, when configuring your resource-classes, are there any guidelines, best practices etc.? I know that it's recommended by Cisco not to let syslog gain maximum resource, but to restrict it.

thanks

/Ulrich

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Hi Gilles,

I am not able to access the ACE module from the switch. Can you please assist me?

C6509#session slot 2 processor 0

Error: context name (id:0) cannot be determined.

What can I do now?

Regards,

Sum

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

You can try the console.

If that does not work, you won't have any other choice but to reboot.

You should upgrade to A2(1.6a) to get the recent fixes in this area.

Like:

CSCsv98101 ACE blade failed to allow any logins and indicated sysmgr respawning

Gilles.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Hi Gilles,

Thanks for your response. I am now able to log in to the ACE through the switch, but I am not able to run anything on the ACE.

1) When I run the command:

ACE/Admin# show users

Error: AAA tnrpc call failed to get context name

2) ACE/Admin# wr mem

Generating configuration....

3) ACE/Admin# show tech-support

The show tech command displays nothing, just a blank screen.

Kindly let me know what's happening to my ACE; it's in production. Thanks in advance.

Regards,

Sum

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Sum,

This is the same known issue that prevented you from accessing it remotely.

There were many DDTS related to these problems and they have all been fixed in version A2(1.6a).

There is no workaround except to reboot the device.

In the current state, the box should still be able to process traffic, but most commands will fail.

G.

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Ulrich,

I'm glad you do appreciate the answers you're getting on this forum.

To answer your question, I would say you need to pay attention to some resources.

1/ Management connections.

You don't want to set the minimum value too low; otherwise you risk losing access to the box, or having the box unable to send ping or ARP requests.

I would say try to set the minimum to 5%.

2/ Sticky resource.

Here the resource does not move between min and max like the others. It stays at the minimum value, and if your sticky table is full, we will reuse an old entry.

So make sure to set a realistic minimum. I would say at least 20% to begin with, and then increase it if necessary.

In general, the most common mistake I see is that people tend to set a very, very low minimum like 0.01%.

This usually leads to problems when one context starts taking all the resources.

You should think about how many contexts you expect. Then divide 80% (not the full 100%) by the number of contexts and use this value as the default minimum.

Then monitor for any denies and increase/decrease where necessary.

Gilles.
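
A small check, added here as an example and not code from this thread or from Cisco, that applies the guidance above to resource-class definitions: it parses limit-resource lines, assumes a per-resource limit overrides "all" (and an unset one falls back to it), and flags the pitfalls named above (a tiny general minimum, sticky below 20%, mgmt-connections below 5%, and guaranteed minimums totalling more than 80%). Class names, context names and the percentages in the sample are constructed.

```python
import re

# Floors taken from the post above: (resource, minimum percent). "all" is the general minimum.
FLOORS = (("all", 1.0), ("mgmt-connections", 5.0), ("sticky", 20.0))
BUDGET_PCT = 80.0  # only 80% of the box is divided between the contexts

SAMPLE_CONFIG = """  # constructed sample, hypothetical class names
resource-class GOLD
  limit-resource all minimum 45.00 maximum unlimited
  limit-resource sticky minimum 25.00 maximum equal-to-min
resource-class BRONZE
  limit-resource all minimum 0.01 maximum unlimited
  limit-resource mgmt-connections minimum 5.00 maximum unlimited
"""
SAMPLE_CONTEXTS = {"C1": "GOLD", "C2": "GOLD", "C3": "BRONZE"}  # context -> member class

def parse_resource_classes(text):
    """Return {class_name: {resource: minimum_percent}} from limit-resource lines."""
    classes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*resource-class\s+(\S+)", line)
        if m:
            current, classes[m.group(1)] = m.group(1), {}
            continue
        m = re.match(r"\s*limit-resource\s+(\S+)\s+minimum\s+([\d.]+)", line)
        if m and current:
            classes[current][m.group(1)] = float(m.group(2))
    return classes

def minimum_for(limits, resource):
    """A per-resource limit overrides 'all'; an unset resource falls back to 'all' (0 if absent)."""
    return limits.get(resource, limits.get("all", 0.0))

def suggested_minimum(n_contexts):
    """Starting point from the post: divide 80% by the number of contexts."""
    return BUDGET_PCT / n_contexts

def audit(classes, contexts):
    """Return (context, message) findings for the pitfalls described in the post."""
    findings, total = [], 0.0
    for ctx, cls in contexts.items():
        limits = classes.get(cls, {})
        total += minimum_for(limits, "all")  # guaranteed share of this context
        for res, floor in FLOORS:
            if minimum_for(limits, res) < floor:
                findings.append((ctx, f"{cls}: {res} minimum {minimum_for(limits, res)}% is below the {floor}% floor"))
    if total > BUDGET_PCT:
        findings.append(("*", f"guaranteed minimums total {total:.2f}%, over the {BUDGET_PCT}% budget"))
    return findings
```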

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Gilles,

Is the issue I mentioned above due to software?

The software running is A2(1.0).

Thanks in advance.

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Yes, this is due to software.

This is why I provided you with the DDTS number and suggested upgrading to A2(1.6a).

Gilles.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Hi Gilles,

Can I upgrade my ACE module directly to A2(3.0) from my current version, which is A2(1.0)? Is this compatible?

Also, I assume that A2(3.0) has all the bug fixes of the A2(1.X) release. Am I right?

Thanks in advance.

Regards,

Sum

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

A2(3.0) is not an ACE module version but ACE appliance software.

They are not compatible.

The latest version for the module is A2(1.6a).

Gilles.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Hi Gilles,

I need this feature, i.e. HTTP insert of the SSL session, and this is the only release in which I could find it.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/release/note/RACEA2_3_X.html#wp525497

Kindly let me know: does A2(1.6a) have this feature? If not, what option do I need to enable it?

Thanks in advance.

Regards,

Sum

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Sorry, my mistake.

This is indeed the new software for the ACE module ... so new that I wasn't ready to see you referencing it :-)

So, yes, this is fine for the module and you can upgrade directly without going through another version.

Thanks,

Gilles.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Thanks Gilles for all the support on my queries.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

There is an A2(3.0) version available from the download section. If this is only for the appliance, then the site needs fixing.

c6ace-t1k9-mz.A2_3_0.bin

Release Date: 12/Oct/2009

Catalyst 6500 Application Control Software for ACE Service Module

Size: 30786.49 KB (31525359 bytes)

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

This one is for the module.

I corrected myself in a previous post.

Everything A2 is for the module.

I misread the version and thought it was A3, which is for the appliance.

Gilles.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Hi,

How do we perform a redirect on the ACE if we want to redirect a URL as follows:

http://www.sampleurl.com/support/index. (with trailing dot)

to

http://www.sampleurl.com/support/index (without trailing dot)

Thanks

Cisco Employee

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Do you want to catch any URL that ends with a dot, or just the one you showed?

It is easy to catch the URL with the dot, but the redirect is either a fixed URL or a URL containing the old URL. We can't reuse just part of the old URL.

class-map type http loadbalance url-dot
  2 match http url /support/index[.]

Then define the redirect rserver:

rserver redirect HTTP-REDIRECT
  webhost-redirection http://%h/support/index
  inservice

serverfarm redirect SF_REDIRECT
  rserver HTTP-REDIRECT
    inservice

You can then tie everything together in a policy-map:

policy-map type loadbalance first-match HTTP
  class url-dot
    serverfarm SF_REDIRECT
  class class-default
    serverfarm ...

But if you need to catch any URL and remove the dot, this is not possible.

Gilles.

New Member

Re: ASK THE EXPERT - APPLICATION CONTROL ENGINE

Hi Gilles :-),

In ACE, is it possible to make an L7 rule based on the domain name of an HTTPS GET request?

If I have to enter a domain name like https://Sip.nestle.com, is it enough if I use Sip\.nestle\.com in the "match http header Host" command below?

For example:

!
class-map match-any L7EDGE
  2 match virtual-address VIP tcp eq https
!
class-map type http loadbalance match-all L7CLASS-ACCESS
  2 match http header Host header-value Sip\.nestle\.com
class-map type http loadbalance match-all L7CLASS-WEB
  2 match http header Host header-value Web\.nestle\.com
class-map type http loadbalance match-all L7CLASS-AV
  2 match http header Host header-value AVE\.nestle\.com
!
policy-map type loadbalance first-match L7OCS443
  class L7CLASS-ACCESS
    sticky-serverfarm ACCESS_STICKY
  class L7CLASS-WEB
    sticky-serverfarm WEB_STICKY
  class L7CLASS-AV
    sticky-serverfarm AV_STICKY
!
policy-map multi-match POLICY
  ...
  class L7EDGE
    loadbalance vip inservice
    loadbalance policy L7OCS443
    loadbalance vip icmp-reply active
    connection advanced-options TIMEOUT
    appl-parameter http advanced-options HTTP_PARAM_CASE
    nat dynamic XXX vlan 503
.....
