Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About KURT HILLIG
KURT HILLIG
Beginner
BASIC/GE635 1966
B.S Chemistry 1975
Ph.D. Physical Chemistry 1981
Router monkey since 1996
Recent Badges
Stats
Member since
09-19-2006
17
Posts
10
Helpful
0
Solutions
02-04-2014
02:58 PM
Is it possible to enable BFD on a Cat6500 VLAN interface in 12.2SXJ? We're looking at setting up anycast IP for our DNS resolvers, using exabgp on the servers to set up the peering with and inject the host route to the adjacent routers; we'd like to run BFD as well to allow for fast detection of connectivity failures - faster than the standard BGP timeout - using OpenBFDD on the servers. I've gotten this to work between the server and an irb interface on a Juniper MX router using single-hop BFD ( RFC 5881 - OpenBFDD doesn't support multihop BFD) ; but it doesn't appear to be possible to configure this on our 6500s. As far as I can tell, 12.2SXJ6 only does layer 2 BFD (configured on physical interfaces rather than VLAN interfaces), even though in the BGP configuration we can enable layer 3 BFD. I found another discussion from last fall that said this isn't supported in 12.2SXI but was in the works for the Sup720; can anyone tell me whether it will be added to 12.2SXJ, and if so when? Or will this only be supported in IOS 15?
... View more
Labels:
04-09-2013
11:56 AM
The answer is "no" - a rewrite rule won't work. According to RFC 3986 the '\' character is not permitted in URIs; Cisco updated the URI parser in 5.2.2 to be fully (or, at least, closer to fully) compliant with this RFC (bug CSCud39381). To revert to non-strict URI parsing, we had to create a parameter map: parameter-map type http NONSTRICT-PARSING parsing non-strict and apply this to the appropriate class in the interface policy map: policy-map multi-match global class BROKEN-APPLICATION-CLASS loadbalance policy BROKEN-APPLICATION-POLICY appl-parameter http advanced-options NONSTRICT-PARSING-PM
... View more
04-09-2013
08:28 AM
We've got an application that broke after upgrading our ACEs from A5(2.1) to A5(2.2); the problem lies in how the ACE handles URLs with embedded backslash characters in them - e.g.: https://servicename.umich.edu/give/page.aspx?pid=371&s-Tags\Value=x Prior to the upgrade the ACE would forward these to the back-end servers; after the upgrade the ACE resets the client connection. (We're doing SSL offload on the ACE; the back-end connection is HTTP over port 80, only the client-side traffic is over SSL.) Some browsers will convert these to percent-encoded form - i.e. https://servicename.umich.edu/give/page.aspx?pid=371&s-Tags%5CValue=x and things work for these; but other browsers won't do this. So I'd like to set up a rewrite rule in the ACE that will replace any (or at least the first) '\' with the string '%5C'. Just how to do this isn't clear from the command ref, and the config guide is a tad shy on similar examples. Is this possible? If so, can anyone help with the appropriate rule?
... View more
Labels:
12-19-2012
01:24 PM
r-ASBDC-A#show vlan access-map CAPTURE_TRAFFIC Vlan access-map "CAPTURE_TRAFFIC" 10 match: ip address ALL_TRAFFIC action: forward capture r-ASBDC-A#show vlan filter VLAN Map CAPTURE_TRAFFIC: Configured on VLANs: 782 Active on VLANs: 782 r-ASBDC-A#sho run int Te1/15 Building configuration... Current configuration : 177 bytes ! interface TenGigabitEthernet1/15 description IDS Box switchport switchport capture switchport capture allowed vlan 782 mtu 9216 load-interval 30 end r-ASBDC-A#sho int TenGigabitEthernet1/15 | inc put_ input flow-control is off, output flow-control is off Last input never, output 1d04h, output hang never Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 92321601 Output queue: 0/40 (size/max) 30 second input rate 0 bits/sec, 0 packets/sec 30 second output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out I've tried adding "switchport capture allowed vlan all" to the interface config; this made no difference.
... View more
12-18-2012
11:00 AM
As I said, we only have one SPAN available - since the FWSM sucks up one - and we need two independent monitor sessions. We use the one available SPAN for the sniffer - since with this we can sniff an interface, or a VLAN, or receive a remote SPAN from another switch in the data center. The IDS only needs to look at VLAN traffic, so VACL capture (if we can make it work) is appropriate for this.
... View more
12-18-2012
08:59 AM
We've got Cat6500s in our data centers, each with both ACE and FWSMs installed. Our security folks want to have an IDS attached to each 6500 monitoring all traffic on selected networks; we (the network folks) want to have a sniffer available on each box for troubleshooting. The 6500 only allows for two simultaneous SPAN sessions, and the FWSM uses one of them, leaving only one left for the IDS and sniffer to share; but these are independent boxes and one SPAN isn't sufficient, hence we're trying to set up VACL capture instead, to direct "interesting" traffic to the IDS. Conceptually this is pretty simple: ip access-list extended ALL_TRAFFIC permit ip any any vlan access-map CAPTURE_TRAFFIC 10 match ip address ALL_TRAFFIC action forward capture vlan filter CAPTURE_TRAFFIC vlan-list 782 interface TenGigabitEthernet1/15 description IDS Box switchport switchport mode access switchport capture switchport capture allowed vlan 782 mtu 9216 load-interval 30 There's plenty of traffic on this network: r-ASBDC-A#show interface Vlan782 | include rate Queueing strategy: fifo 5 minute input rate 917000 bits/sec, 885 packets/sec 5 minute output rate 19492000 bits/sec, 2729 packets/sec But the IDS box isn't receiving any traffic, and we're seeing lots of output drops: r-ASBDC-A#show interface TenGigabitEthernet1/15 TenGigabitEthernet1/15 is down, line protocol is down (monitoring) Hardware is C6k 10000Mb 802.3, address is 0021.a0ef.6d56 (bia 0021.a0ef.6d56) Description: IDS Box MTU 9216 bytes, BW 10000000 Kbit, DLY 10 usec, reliability 255/255, txload 1/255, rxload 1/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 10Gb/s Transport mode LAN (10GBASE-R, 10.3125Gb/s), media type is 10Gbase-SR input flow-control is off, output flow-control is off Clock mode is auto ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output 00:14:48, output hang never Last clearing of "show interface" counters 00:15:17 Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 5008317 Queueing strategy: fifo Output queue: 0/40 (size/max) 30 second input rate 0 bits/sec, 0 packets/sec 30 second output rate 0 bits/sec, 0 packets/sec 0 packets input, 0 bytes, 0 no buffer Received 0 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 0 packets output, 0 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out This router is a 6509E/Sup720-PFC3CXL running 12.2(33)SXJ; the 10GE line card is a WS-F6700-DFC3C. We've got this working successfully on outher 6500s where the outbound interface is GE, but haven't had any luck doing this out 10GE ports. What are we missing?
... View more
Labels:
Created by
KURT HILLIG
in VPN and AnyConnect
in VPN and AnyConnect
09-19-2012
10:41 AM
09-19-2012
10:41 AM
We have an ASA5550 running 8.2(5) that we're using as a VPN terminator; it died yesterday when we had a power glitch in the data center, and we're temporarily installing a spare 5510 (we don't have a spare 5550) until it's replaced. But the RSA keys on the spare don't match the ones on the old firewall, so when we try to install the old cert it fails: ERROR: Keypair cannot be found for trustpoint UMVPN3-INCOMMON-MAY2020. The old ASA is dead, so we can't do a straight export/import - all we have to work with is what's in yesterday's config backup... I gather there's no way to extract the original keys from this; is there any way to recover in this case? Or must we export the certs from the ASAs with a "crypto ca export" and save copies of these in a secure location?
... View more
Created by
KURT HILLIG
in Application Networking
in Application Networking
09-11-2012
07:12 PM
09-11-2012
07:12 PM
Interesting; sure would be nice if some of this explanation made it into the config guide... ;-) I don't have packet captures, but the apache logs (as explained to me - I'm a router monkey, not a webmaster) show traffic that looks to me like it's misdirected. For example, for one user over a 10-second period we saw this (anonymized - sorry about the lengthy excerpt) on the server "tigra": 141.211.14.186 - USERNAME [09/Sep/2012:21:50:39 -0400] "GET /access/require?ref=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf&url=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 416 391 66466718-3e38-4997-8394-ad9875fa280e.tigra Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:42 -0400] "GET /access/require?ref=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf&url=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 416 391 6933ba51-14a9-4483-8255-b7687453a1f5.tahoe Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:42 -0400] "GET /access/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 302 - 6933ba51-14a9-4483-8255-b7687453a1f5.tahoe Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:42 -0400] "GET /sakai-login-tool/container HTTP/1.1" 302 - 63c77009-9ced-493c-ac88-02f776cbc503.tigra Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:42 -0400] "GET /access/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 302 - 63c77009-9ced-493c-ac88-02f776cbc503.tigra Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:42 -0400] "GET /access/require?ref=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf&url=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 416 391 63c77009-9ced-493c-ac88-02f776cbc503.tigra Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:45 -0400] "GET /access/require?ref=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf&url=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 416 391 a76046e0-0796-47b3-94f9-96c79726ecc3.tosca Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:46 -0400] "GET /access/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 302 - a76046e0-0796-47b3-94f9-96c79726ecc3.tosca Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:46 -0400] "GET /sakai-login-tool/container HTTP/1.1" 302 - bc76df11-0446-499c-b58a-cf975d8950cb.tigra Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:46 -0400] "GET /access/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 302 - bc76df11-0446-499c-b58a-cf975d8950cb.tigra Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:46 -0400] "GET /access/require?ref=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf&url=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 416 391 bc76df11-0446-499c-b58a-cf975d8950cb.tigra Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:49 -0400] "GET /access/require?ref=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf&url=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 416 391 53dd9763-0ef2-47b0-9de2-fb28b26dbba5.townsman Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:49 -0400] "GET /access/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 302 - 53dd9763-0ef2-47b0-9de2-fb28b26dbba5.townsman Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:49 -0400] "GET /sakai-login-tool/container HTTP/1.1" 302 - 875a9afe-e830-4811-95d9-a074aed71217.tigra Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:49 -0400] "GET /access/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 302 - 875a9afe-e830-4811-95d9-a074aed71217.tigra Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 141.211.14.186 - USERNAME [09/Sep/2012:21:50:49 -0400] "GET /access/require?ref=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf&url=/content/group/594942ee-15be-4705-9e90-e5252110fd0e/Lecture%20Slides/F12-Chem-260-L03_Classical_Waves.pdf HTTP/1.1" 416 391 875a9afe-e830-4811-95d9-a074aed71217.tigra Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1 71.238.68.166 If you look at the text right before the "Mozilla" on each line, you'll see the names of several other servers - townsman, tahoe, tosca, maybe a few others. Also, in none of these do I see anything that looks like one of the cookies that the ACE should be inserting ("Rnnnnnnnnn"); but as I said this isn't my area of expertise. The folks running this application have had a number of complaints about this ever since classes started and load picked way up; it may be that it was just not noticed before, or wasn't reproducible enough to be diagnosed. But they say that they haven't identified any obvious commonalities among the users having this problem. Which doesn't mean that it isn't a client/browser problem, just that I don't know either way... And how do we extract cookies from a pcap when the traffic is encrypted?
... View more
Created by
KURT HILLIG
in Application Networking
in Application Networking
09-11-2012
03:05 PM
09-11-2012
03:05 PM
...I forgot to include this: ACE30-ASBDC-1/TL-PROD-ASB# show stats sticky +------------------------------------------+ +----------- Sticky statistics ------------+ +------------------------------------------+ Total sticky entries reused : 0 prior to expiry Total active sticky entries : 21 Total active reverse sticky entries : 0 Total active sticky conns : 0 Total static sticky entries : 21 Total sticky entries from Global Pool : 0 Total insertion failures due to lack of resources : 0
... View more
Created by
KURT HILLIG
in Application Networking
in Application Networking
09-11-2012
02:49 PM
09-11-2012
02:49 PM
We've got ACE30s (active/standby) running A5(1.2), and a context that's front-ending one of our major applications, doing SSL termination on the client side and SSL initiation on the back side: parameter-map type ssl FrontEndSSL-Param rehandshake enabled parameter-map type ssl BackendSSL-param authentication-failure ignore parameter-map type http UP-ContentParseLength persistence-rebalance set header-maxparse-length 32767 set content-maxparse-length 32767 parameter-map type connection WEBAPPS_TCP_P set timeout inactivity 180 set tcp timeout half-closed 180 ssl-proxy service SSL_PSRVICE_CTOOLS key ctools.key cert ctools.crt chaingroup COMODO-INSTANTSSL ssl advanced-options FrontEndSSL-Param ssl-proxy service backend-ssl ssl advanced-options BackendSSL-param class-map match-any ctools-https 3 match virtual-address 192.168.234.10 tcp eq https policy-map type loadbalance first-match ctools_l7_policy class class-default : ssl-proxy client backend-ssl policy-map multi-match ctools_ssl_l4_policy class ctools-https loadbalance vip inservice : nat dynamic 72 vlan 72 appl-parameter http advanced-options UP-ContentParseLength ssl-proxy server SSL_PSRVICE_CTOOLS connection advanced-options WEBAPPS_TCP_P (It's running in one-arm mode with source NAT, and using RHI to inject a host route for the VIP so we can do IP anycast across multiple data centers for high availability; but we do this for other services that are working OK so I don't think this is the problem...) We need to stick clients to the back-end server that they initially connect to, but don't want to do it based on client IP address (we sometimes have many clients sitting behind a single NAT address); and we know that stickiness based on SSL session ID isn't a good idea. So we've set this up to use cookie insertion: serverfarm host CTOOLS predictor response app-req-to-resp probe HTTPS_PROBE rserver tahoe 443 conn-limit max 500 min 490 inservice rserver tavera 443 conn-limit max 500 min 490 inservice : : sticky http-cookie CTcookie CTOOLS-sticky cookie insert browser-expire replicate sticky serverfarm CTOOLS backup Outage policy-map type loadbalance first-match ctools_l7_policy class class-default sticky-serverfarm CTOOLS-sticky insert-http DEST_Port header-value "%pd" insert-http DEST_IP header-value "%id" insert-http SRC_Port header-value "%ps" insert-http I_AM header-value "SSL_INIT" insert-http X-Client-IP header-value "%is" ssl-proxy client backend-ssl policy-map multi-match ctools_ssl_l4_policy class ctools-https loadbalance vip inservice loadbalance policy ctools_l7_policy loadbalance vip icmp-reply active loadbalance vip advertise active nat dynamic 72 vlan 72 appl-parameter http advanced-options UP-ContentParseLength ssl-proxy server SSL_PSRVICE_CTOOLS connection advanced-options WEBAPPS_TCP_P The ACE shows cookies for this group: ACE30-ASBDC-1/TL-PROD-ASB# show sticky cookie-insert group CTOOLS-sticky Cookie | HashKey | rserver-instance ------------+----------------------+----------------------------------------+ R2536245497 | 5183849923197467535 | CTOOLS/tahoe:443 R2274919243 | 1819252748455616984 | CTOOLS/tavera:443 R3735812906 | 4189234711381892064 | CTOOLS/tempest:443 R2985606557 | 13173125335060717162 | CTOOLS/terrain:443 R3002567455 | 9439662962898967148 | CTOOLS/tigra:443 R1961897160 | 14710369893090908424 | CTOOLS/titan:443 R499081919 | 6217826711974382744 | CTOOLS/tornado:443 R442350102 | 16043823351255228140 | CTOOLS/torrent:443 R3040870402 | 15912262023226993721 | CTOOLS/tosca:443 R508933855 | 4513105838401809319 | CTOOLS/townsman:443 R1259946260 | 3311717765801371676 | CTOOLS/tracker:443 R3378012421 | 4759463036538773497 | Outage/RedirectOutage:0 And we've got lots of connections: ACE30-ASBDC-1/TL-PROD-ASB# show serverfarm CTOOLS serverfarm : CTOOLS, type: HOST total rservers : 11 state : ACTIVE DWS state : DISABLED --------------------------------- ----------connections----------- real weight state current total failures ---+---------------------+------+------------+----------+----------+--------- rserver: tahoe 192.168.0.201:443 8 OPERATIONAL 93 1999973 126183 rserver: tavera 192.168.0.135:443 8 OPERATIONAL 115 1954862 115132 rserver: tempest 192.168.0.207:443 8 OPERATIONAL 94 342550 17205 rserver: terrain 192.168.0.209:443 8 OPERATIONAL 91 337468 18796 rserver: tigra 192.168.0.202:443 8 OPERATIONAL 91 2074019 125814 rserver: titan 192.168.0.155:443 8 OPERATIONAL 97 629418 36974 rserver: tornado 192.168.0.203:443 8 OPERATIONAL 111 2084020 121127 rserver: torrent 192.168.0.208:443 8 OPERATIONAL 102 357320 19392 rserver: tosca 192.168.0.136:443 8 OPERATIONAL 125 2145770 126751 rserver: townsman 192.168.0.204:443 8 OPERATIONAL 101 2111449 128722 rserver: tracker 192.168.0.205:443 8 OPERATIONAL 95 1980421 120746 But the sticky database for group CTOOLS-sticky is empty: ACE30-ASBDC-1/TL-PROD-ASB# show sticky database group CTOOLS-sticky ACE30-ASBDC-1/TL-PROD-ASB# And the Apache logs on the back-end servers are showing that clients are *not* getting stuck. What am I missing here?
... View more
- Tags:
- ace
- ssl
- stickyness
Labels:
Created by
KURT HILLIG
in Application Networking
in Application Networking
09-10-2012
10:05 AM
09-10-2012
10:05 AM
We've got pairs of ACE30s in our data centers set up with active/standby FT. Some time yesterday the active ACE in one data center started refusing management traffic - it accepts SSH connections but fails authentication (local password, no RADIUS/TACACS is configured); and ANM reports it as down (no XML connectivity): Desktop > ssh -a admin@ace-macc-1 Password: ******** Password: ******** Password: ******** admin@ace-macc-1's password: ******** Received disconnect from 192.168.255.100: 2: Too many authentication failures for admin r-MACC-A#show module 8 Mod Ports Card Type Model Serial No. --- ----- -------------------------------------- ------------------ ----------- 8 1 Application Control Engine Module ACE30-MOD-K9 SAL1549XG39 Mod MAC addresses Hw Fw Sw Status --- ---------------------------------- ------ ------------ ------------ ------- 8 e05f.b9a1.fb4c to e05f.b9a1.fb53 1.0 ace2t_main_d A5(1.2) Ok Mod Sub-Module Model Serial Hw Status ---- --------------------------- ------------------ ----------- ------- ------- 8/0 ACE Expansion Card 1 ACEMOD-EXPN-DC SAL1549XAA9 1.1 Ok 8/1 ACE Expansion Card 2 ACEMOD-EXPN-DC SAL1549XA9G 1.1 Ok Mod Online Diag Status ---- ------------------- 8 Pass 8/0 Pass 8/1 Pass r-MACC-A#session slot 8 processor 0 The default escape character is Ctrl-^, then x. You can also type 'exit' at the remote prompt to end the session Trying 127.0.0.80 ... Open ACE-MACC-1 login: admin Password: ******** Login incorrect ACE-MACC-1 login: Login timed out after 60 seconds. [Connection to 127.0.0.80 closed by foreign host] However it's still load-balancing traffic properly, and log messages (mostly health probe failures) are still showing up in the Sup720 syslog; and the standby ACE seems to be perfectly happy: ACE-MACC-2/Admin# show ft gr br FT Group ID: 1 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE Context Name: Admin Context Id: 0 Running Cfg Sync Status:Running configuration sync has completed FT Group ID: 2 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE Context Name: UM-AAA Context Id: 5 Running Cfg Sync Status:Running configuration sync has completed FT Group ID: 3 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE Context Name: AIGWEB Context Id: 1 Running Cfg Sync Status:Running configuration sync has completed FT Group ID: 4 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE Context Name: UMCE-MAILSVCS Context Id: 7 Running Cfg Sync Status:Running configuration sync has completed FT Group ID: 5 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE Context Name: UMCE-DNSTEST Context Id: 6 Running Cfg Sync Status:Running configuration sync has completed FT Group ID: 6 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE Context Name: IAM-NONPROD Context Id: 2 Running Cfg Sync Status:Running configuration sync has completed FT Group ID: 7 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE Context Name: TL-PROD-MACC Context Id: 4 Running Cfg Sync Status:Running configuration sync has completed FT Group ID: 8 My State:FSM_FT_STATE_STANDBY_HOT Peer State:FSM_FT_STATE_ACTIVE Context Name: TL-NONPROD-MACC Context Id: 3 Running Cfg Sync Status:Running configuration sync has completed We haven't opened a TAC case yet - someone's on his way over to see whether we can get in through the serial port first - but I'm wondering whether there are any other diagnostics we can gather (will resetting the module form the Sup force a coredump?) before we do.
... View more
- Tags:
- ace30
Labels:
Created by
KURT HILLIG
in Application Networking
in Application Networking
11-30-2011
10:29 AM
11-30-2011
10:29 AM
This is the only http keepalive we have configured with a non-default configuration (i.e. the only one with a keepalive uri and response code); we have others that also use non-standard ports, and these work - e.g.: lb-1# sho keepalive AUTO_calliope-8080 Name: AUTO_calliope-8080 Index: 7 State: Alive Description: Auto generated for service calliope-8080 Address: 141.211.229.202 Port: 8080 Type: HTTP:HEAD:/ WebNS version? I hope you mean the SW on the box, this is the first time I've heard of "WebNS"... It's running 08.20.2.01 Dr. Kurt Hillig UMNet Administration I always tell the Fax (734)763-4050 University of Michigan absolute truth, Phone (734)647-8778 Ann Arbor, MI 48105-3640 as I see it. EMail khillig(at)umich.edu > Computers were invented to help people waste more time faster <
... View more
Created by
KURT HILLIG
in Application Networking
in Application Networking
11-30-2011
07:18 AM
11-30-2011
07:18 AM
I recently "inherited" a CSS 11503 - I've only used ACEs before - and I want to get HTTP keepalives working. To start, I created a test service: lb-1# show run service sunbird-http-7025-test !************************** SERVICE ************************** service sunbird-http-7025-test port 7025 ip address 141.211.229.168 keepalive type http keepalive uri "/render.userLayoutRootNode.uP" keepalive http-rspcode 302 active And verified that the server is indeed returning a 302 response: lb-1# llama lb-1(debug)# icp probe service sunbird-http-7025-test "/render.userLayoutRootNode.uP" Probing 141.211.229.168:7025(-) Probing via HEAD IP Address: 141.211.229.168 Port: 7025 URL: /render.userLayoutRootNode.uP HTTP Version: 1.1 Server Model: Not Present Server Date: Wed, 30 Nov 2011 15:05:22 GMT HEAD Response: 302 Moved Temporarily Location: http://141.211.229.168/Login HEAD Support: Yes Persistence: Yes Keep-Alive: Yes Request Depth: 100 TBR: 5 Connect Time: 4 ms Rqst/Rsp Time: 1 ms Pipeline: No SSL: No but the service won't come up: lb-1# show service sunbird-http-7025-test Name: sunbird-http-7025-test Index: 26 Type: Local State: Down Rule ( 141.211.229.168 ANY 7025 ) Session Redundancy: Disabled Redirect Domain: Redirect String: Keepalive: (HTTP-7025:HEAD-302:/render.userLayoutRootNode.uP 5 3 5 ) Keepalive Error: General failure Any/all assistance would be appreciated!
... View more
Labels:
10-11-2010
11:18 AM
We've got 6509/Sup720 routers in three data centers, each with an ACE module; we're using RHI on the ACEs to inject a static anycast route into the MSFCs (i.e. the same route in each data center) for our RADIUS servers, redistributing these into OSPF so clients only need to be configured with a single server address and failover between servers happens through the routing protocol. This works fine, except for one peculiarity: the metrics seen in OSPF are not the ones that I've explicitly configured! For example: Router A (a chassis containing an ACE module) has this configuration (simplified): router ospf 211 area 0.0.0.51 nssa redistribute static subnets route-map static-to-ospf network 0.0.0.0 255.255.255.255 area 0.0.0.51 ip prefix-list AAA-ANYCAST permit 10.0.0.240/30 le 32 route-map static-to-ospf permit 10 match ip address prefix-list AAA-ANYCAST set metric 10 set metric-type type-1 set tag 4445181 and the ACE module in it has this config (simplified): policy-map multi-match POLICY_MM-AAA_DISTRIBUTION class CLASS-AAA_RADIUS_ANYCAST loadbalance vip inservice loadbalance vip icmp-reply active loadbalance vip advertise active loadbalance vip advertise metric 10 (note that the loadbalance vip advertise metric command really specifies the administrative distance, not the route metric!) and sees this static route: router-A>show ip route 10.0.0.240 Routing entry for 10.0.0.240/32 Known via "static", distance 10, metric 0 Redistributing via ospf 211 Advertised by ospf 211 subnets route-map static-to-ospf Routing Descriptor Blocks: * 10.0.0.226, via Vlan25 Route metric is 0, traffic share count is 1 So far, so good - the static route has the expected metric of zero. Router B is directly connected to A through a VLAN where the OSPF cost is explicitly set to 2: interface Vlan2349 ip address 10.8.11.165 255.255.255.254 ip ospf cost 2 So B should see the route to 10.0.0.240/32 with a metric of 10 (static-to-OSPF redistribution on A) + 2 (link cost) = 12. This is what it actually sees: router-B>show ip route 10.0.0.240 Routing entry for 10.0.0.240/32 Known via "ospf 211", distance 110, metric 32 Tag 4448081, type NSSA extern 1 Last update from 10.8.11.164 on Vlan2349, 3d23h ago Routing Descriptor Blocks: * 10.8.11.164, from 10.11.255.240, 3d23h ago, via Vlan2349 Route metric is 32, traffic share count is 1 Route tag 4448081 Where is the additional cost of 20 coming from? I know that if I redistribute into OSPF without explicitly setting the metric then the default metric will be 20. It looks here like the explicit metric is being added to the default, rather than being used instead of the default. Or am I overlooking something obvious? As an aside, can anyone tell me what 'radius-server source-ports 1645-1646' does? It's in all of out 6500 configs, but I can't find it in the IOS docs; deleting it breaks AAA, and trying to change it to use the real RADIUS port numbers (1812-1813) isn't allowed...
... View more
Labels:
02-04-2014
Is it possible to enable BFD on a Cat6500 VLAN interface in
12.2SXJ?We're looking at setting up anyc...
04-09-2013
The answer is "no" - a rewrite rule won't work.According to RFC 3986 the
'\' character is not permit...
04-09-2013
We've got an application that broke after upgrading our ACEs from
A5(2.1) to A5(2.2); the problem li...
12-19-2012
r-ASBDC-A#show vlan access-map CAPTURE_TRAFFICVlan access-map
"CAPTURE_TRAFFIC" 10 match: ip address...
12-18-2012
As I said, we only have one SPAN available - since the FWSM sucks up one
- and we need two independe...
12-18-2012
We've got Cat6500s in our data centers, each with both ACE and FWSMs
installed. Our security folks w...
Created by
KURT HILLIG
in VPN and AnyConnect
09-19-2012
09-19-2012
We have an ASA5550 running 8.2(5) that we're using as a VPN terminator;
it died yesterday when we ha...
Created by
KURT HILLIG
in Application Networking
09-11-2012
09-11-2012
Interesting; sure would be nice if some of this explanation made it into
the config guide... ;-)I do...
Created by
KURT HILLIG
in Application Networking
09-11-2012
09-11-2012
...I forgot to include this:ACE30-ASBDC-1/TL-PROD-ASB# show stats
sticky+---------------------------...
Created by
KURT HILLIG
in Application Networking
09-11-2012
09-11-2012
We've got ACE30s (active/standby) running A5(1.2), and a context that's
front-ending one of our majo...
Created by
KURT HILLIG
in Application Networking
09-10-2012
09-10-2012
We've got pairs of ACE30s in our data centers set up with active/standby
FT. Some time yesterday the...
Created by
KURT HILLIG
in Application Networking
11-30-2011
11-30-2011
This is the only http keepalive we have configured with a non-default
configuration (i.e. the only o...
Created by
KURT HILLIG
in Application Networking
11-30-2011
11-30-2011
I recently "inherited" a CSS 11503 - I've only used ACEs before - and I
want to get HTTP keepalives ...
Public Statistics
| Date Registered | 09-19-2006 07:51 AM |
| Date Last Visited | 08-18-2017 03:56 AM |
| Total Messages Posted | 17 |
| Total Helpful Votes Received | 10 |
