Syed, as far as I can tell, yes you will need a GEO DB per device. They are not transferrable between devices (actually you can transfer and install without error, but they dont work). If you are commissioning you will need to contact Cisco licensing ( licensing@cisco.com ) with your PAK number and serial number to get a new license generated. Matthew ... View more

Charles You need to sit down and determine what traffic you  want to permit into the device. There is an implicit "deny ip any any"  at the end of each acl. The access-lists below permit - anyone external to reach the vips for https - anyone local (ie: vlans 701 & 702) to reach the vips for https - anyone local to initiate ssh/https to anyone remote access-list ACL_701 line  8 extended permit tcp  10.22.7.0 255.255.255.224 any eq ssh access-list ACL_701 line 16 extended permit tcp  10.22.7.0 255.255.255.224 any eq https access-list ACL_702 line  8 extended permit tcp  10.22.7.32 255.255.255.224 any eq ssh access-list ACL_702 line 16 extended permit tcp  10.22.7.32 255.255.255.224 any eq https access-list ACL_700 line  8 extended permit tcp  any host 10.22.7.2 eq https access-list ACL_700 line 16 extended permit tcp  any host 10.22.7.34 eq https Not  sure if the following lines are required to permit the return traffic  for local to remote ssh/https. Don't have lab access to test. access-lisy ACL_700 line 24 extended permit tcp any eq ssh 10.22.7.0 255.255.255.224 access-lisy ACL_700 line 32 extended permit tcp any eq ssh 10.22.7.0 255.255.255.224 access-lisy ACL_700 line 40 extended permit tcp any eq https 10.22.7.32 255.255.255.224 access-lisy ACL_700 line 48 extended permit tcp any eq https 10.22.7.32 255.255.255.224 Apply ACL_700 to vlan 700 in etc. When you implement the changes, make sure that you have independent access to the console in case you block yourself. http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/security/guide/acl.html Matthew ... View more

You'll probably need to open a tac case so someone can check the css & tac configs and you'll probably need to get concurrent traces either side of the ace (and maybe css for comparison). Are both css and ace configured for the same behaviour. I had a ticket recently where the css was configured for http and https to forward to the rserver, the ace rediected http to https and the browser re-acted differently. Matthew ... View more

Charles, I would do this with the interface access-list. You will need to explicitly permit the traffic to be load balanced, mgmt traffic and all https/ssh and deny everything else. Matthew ... View more

Can you clarify what you mean by "traffic restricted to ssh & https" ? Ie: do you mean only ssh & https mgmt traffic to the ace, only https and ssh towards the vip or only ssh & https through the box (not load balanced) ? Matthew ... View more

Nishchay, Probably best to open a tac case to troubleshoot the issue. It should be able to work (it is working at other customers). My guess is that you might have sticky issues. Matthew ... View more

Looks like defect CSCtr63776 "Interface config got wiped off while configuring HTTPs kal" which was duplicated to defect CSCtr63776 "Interface config got wiped off while configuring HTTPs kal". This is fixed in 4.1.3.2. Release notes indicate that reload without saving config should resolve. Symptom: partial config loss on platform.cfg leads to box not accessible state. Conditions: This has been observed in couple of box, where partial loss of running.cfg/platform.cfg which leads to box not accessible condition, as platform key data's like ethernet, ssh, telnet ...etc are been wiped off, bringing the running box to down state. multiple thead or process accessing  to platform.cfg leading to config loss state. Workaround: Reload the box with out saving the current configuration when it asks during reload. Matthew ... View more

The ace cannot do this as there is no fixup available. Matthew ... View more

If a real goes down (fails probe) then the csm will remove it from service and not send connections to it. The entry will also be removed from the sticky table. When it comes back, it will receive new connections when it is elgible. If all incoming connections match existing sticky entries then it will take time to gather load. If you configure "predictor leastcons" under the serverfarm and limit the sticky life, then it will allow the failed real to recover load quicker. Matthew ... View more

I don't think you can. What about the XML interface http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/administration/guide/xml.html Matthew ... View more

No. ... View more

Joel, I checked internally and only located one case raised against ACE and Exchange 2013. The issue was resolved via defect CSCuc98599 "ACE randomly resets POST requests with SSL offloading". Use A5.2.2 or apply workaround (increase maxparselen to 65k). Matthew ... View more

Do you still have this issue ? Would it be possible to share the logs or open a tac case ? Matthew ... View more

Can you drop me a mail offline with your phone number and time zone ( mwinnett@cisco.com ). Matthew ... View more

William, Is the IBM5822 also doing dlsw ? My assumption is that it has a dlsw peer to the 2600 and is also converting sdlc to dlsw. Any chance of opening a tac case so we can make a webex and take a look at what is happening. Matthew ... View more