 Feedback
|
Table Of Contents
Release Note for the Cisco ACE 4700 Series Application Control Engine Appliance
New Software Features in Version A5(2.2)
Connections per Second (CPS)/Connection Rate
Bandwidth (For Real Server and VIP Levels)
Related SNMP Trap Configuration and Changes
Related SNMP Trap Configuration and Changes
Using the show tech-support brief Command for Critical Output
Monitoring and Displaying the Network Processor Buffer Usage (Switchover Option and NP Buffer Usage)
Displaying the NP Buffer Usage
Displaying Worry Thresholds for Show Command Statistics
Displaying Monitoring Parameters Using the Show Command
Controlling an ACE Outage Due to a DDoS Attack
Supporting Chunked Encoded HTTP(s) Responses from Real Servers
Enabling the TCP Retransmission Queue Debug Option
New Software Features in Version A5(2.1)
SSL Sticky Configuration in a Two-Tier ACE Deployment
Support for Radius IPv6 Load Balancing
Device Monitoring: Bandwidth, Total SSL Connections per Blade/Context, and NAT Pool Utilization
Bandwidth and Active SSL Connections
New Software Features in Version A5(2.0)
Buddy Sticky Groups that Enable Persistence Across Multiple Server Farms
One-to-One Association Application Example
Asymmetric Association Application Example
Many-to-One Association Application Example
Displaying Buddy Sticky Group Information
Support for Static NAT IPv4-to-IPv6 and IPv6-to-IPv4 Translation
Static Destination NAT and Dynamic Source NAT Mixed-Mode Application
Static Destination NAT and Static Source NAT Mixed-Mode Application
Support for DNS IPv4-to-IPv6 and IPv6-to-IPv4 Load Balancing with Inspection
Maintaining a Full Proxy Connection During a TCP Handshake Mismatch
Support for a Wildcard KAL-AP GSS IP Address
SSL Probe Configuration Option for Ignoring the Certificate Expiration Date
Support for Additional Syslog Logging Hosts
Support for SSL Session ID Stickiness
Using the Modified sticky Command for SSL Session ID Stickiness
Using the Modified policy-map type loadbalance Command for SSL Session ID Stickiness
Support for the ACE No Payload Encryption Software Version
ACE NPE Software Version CLI Changes
ACE NPE Software Version Device Manager GUI Changes
Support for A5(2.0)-Specific Features in ACE Appliance Device Manager GUI
Support for Creation of RDP Parameter Maps
Configuring an RDP Parameter Map
Defining a Description to the RDP Parameter Map
Enabling Routing Token Rebalance in the RDP Parameter Map
Associating the RDP Parameter Map with a Layer 3 and Layer 4 Network Traffic Policy Map
Ability to Enable Regular Expression Download Optimization
Support for NTPv3 Authentication
Configuring NTP Authentication
Extended Range of Supported Characters in a URL
Configuring an SNMP Peer Engine ID for the Standby ACE
Configuring an SNMP User Authentication Password for the Standby ACE
Ability for the ACE to Accept a User Account with an Expired Date
Addressing SSL Certificates With a Subject or Issuer That is Greater Than 256 Bytes
Accessibility of Device Manager GUI Troubleshooting Tools from the ACE Appliance CLI
Enabling the Device Manager GUI
Checking the ACE Appliance DM GUI Status
Creating a Lifeline Package from the ACE Appliance CLI
ACE Probes Use the Interface MAC Address as the Source MAC Address
Ordering an Upgrade License and Generating a Key
Performing ACE Appliance Software Upgrades and Downgrades
Supported Browsers for ACE Appliance Device Manager
Software Version A5(2.2) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages
Software Version A5(2.2) Resolved Caveats
Software Version A5(2.2) Open Caveats
Software Version A5(2.2) Command Changes
Software Version A5(2.2) System Log Messages
Software Version A5(2.1) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages
Software Version A5(2.1) Resolved Caveats
Software Version A5(2.1) Open Caveats
Software Version A5(2.1) Command Changes
Software Version A5(2.1) System Log Messages
Software Version A5(2.0) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages
Software Version A5(2.0) Resolved Caveats
Software Version A5(2.0) Open Caveats
Software Version A5(2.0) Command Changes
Software Version A5(2.0) System Log Messages
Obtaining Documentation and Submitting a Service Request
Release Note for the Cisco ACE 4700 Series Application Control Engine Appliance
February 28, 2013
Note
The most current Cisco documentation for released products is available on Cisco.com.
Contents
This release note applies to the following software versions for the Cisco 4700 Series Application Control Engine (ACE) appliance.
•
•
•
For information on the ACE appliance features and configuration details, see the ACE documentation located on www.cisco.com at:
http://www.cisco.com/en/US/products/ps7027/tsd_products_support_series_home.html
This release note contains the following sections:
•
•
•
•
•
•
•
•
•
•
New Software Features in Version A5(2.2)
This section describes the new features associated with ACE software version A5(2.2). Software version A5(2.2) provides the following new features:
•
•
•
•
•
•
•
Performing Device Monitoring
ACE software version A5(2.2) generates a notification when the ACE resource usage exceeds or fails to meet the configured threshold. The ACE monitors the resource usage for a defined duration and notifies the Network Manager (NM) when the resources reach the maximum/minimum threshold. The notifications to the NM are sent through SNMP traps.
The ACE generates notifications when the usage of the following resources exceed or fail to meet the specified threshold limit:
•
•
•
•
•
The resource usage-threshold command configures the resource usage threshold limit at both the system level and context level. This command is configured in the configuration mode.
The following example shows how to use the resource usage-threshold command:
switch/Admin(config)# resource usage-thresholdswitch/Admin(config-resrc-thres)#
Note
CPU Utilization
The system-level command determines the resource usage threshold configured at the system level. The syntax of the system-level command is as follows:
system-level cpu-utilization high threshold_value watermark threshold_value
The following example shows how to use the system-level command to configure the threshold for CPU utilization:
switch/Admin(config-resrc-thres)# system-level cpu-utilization high threshold_value watermark threshold_valueThe keywords, arguments, and options in the above commands are listed in Table 1.
Memory Utilization
The system-level command determines the memory usage threshold of a resource which is configured at the system level. The syntax of the system-level command is as follows:
system-level memory-utilization high threshold_value watermark threshold_value
The following example shows how to use the system-level command to configure the threshold for memory utilization:
switch/Admin(config-resrc-thres)# system-level memory-utilization high 90 watermark 80The keywords, arguments, and options in the above commands are listed in Table 1.
Connections per Second (CPS)/Connection Rate
The following commands determine the connection rate per second at the system, context, real server, and VIP levels. The syntax of these commands is as follows:
system-level connection-rate high threshold_value low threshold_value watermark threshold_value
connection-rate high threshold_value low threshold_value watermark threshold_value
rserver rserver_name serverfarm serverfarm_name connection-rate high threshold_value low threshold_value watermark threshold_value
vip vip_ip policy-map policy-map_name class-map class-map_name connection-rate high threshold_value low threshold_value watermark threshold_value
The following examples show how to use the commands to determine the connection rate threshold in connections per second:
switch/Admin(config-resrc-thres)# system-level connection-rate high 90 low 50 watermark 75switch/Admin(config-resrc-thres)# connection-rate high 90 low 50 watermark 75switch/Admin(config-resrc-thres)# rserver rs1 serverfarm sf1 connection-rate high 90 low 50 watermark 75switch/Admin(config-resrc-thres)# vip 31.1.1.10 policy-map pm class-map VIP connection-rate high 90 low 50 watermark 75The keywords, arguments, and options in the above commands are listed in Table 1.
Concurrent Connections
The following commands determine the threshold for concurrent connections at system, context, real server, and VIP levels. The syntax of these commands is as follows:
system-level conc-connections high threshold_value low threshold_value watermark threshold_value
conc-connections high threshold_value low threshold_value watermark threshold_value
rserver rserver_name serverfarm serverfarm_name conc-connections high threshold_value low threshold_value watermark threshold_value
vip vip_ip policy-map policy-map_name class-map class-map_name conc-connections high threshold_value low threshold_value watermark threshold_value
The following examples show how to use these commands to determine the number of concurrent connections threshold:
switch/Admin(config-resrc-thres)# system-level conc-connections high 90 low 50 watermark 75switch/Admin(config-resrc-thres)# conc-connections high 90 low 50 watermark 75switch/Admin(config-resrc-thres)# rserver rs1 serverfarm sf1 conc-connections high 90 low 50 watermark 75switch/Admin(config-resrc-thres)# vip 31.1.1.10 policy-map pm class-map VIP conc-connections high 90 low 50 watermark 75The keywords, arguments, and options in the above commands are listed in Table 1.
Bandwidth (For Real Server and VIP Levels)
The following commands determine the resource usage threshold configured at the real server and VIP levels. The syntax of these commands is as follows:
rserver rserver_name serverfarm serverfarm_name bandwidth high threshold_value low threshold_value watermark threshold_value
vip vip_ip policy-map policy-map_name class-map class-map_name bandwidth high threshold_value low threshold_value watermark threshold_value
The following examples show how to use these commands to determine the resource usage threshold:
switch/Admin(config-resrc-thres)# rserver rs1 serverfarm sf1 bandwidth high 95 low 10 watermark 90switch/Admin(config-resrc-thres)# vip 31.1.1.10 policy-map pm class-map VIP bandwidth high 95 low 10 watermark 90
Table 1 Command Keywords, Arguments, and Options
system-level
Specifies the parameters configured at the system level and can only be configured by the administrator.
rserver
Specifies the parameters configured at the real server level only.
rserver name
Specifies the name of the real server.
serverfarm
Specifies the server farm associated with the real server. The parameters configured under this server farm are monitored at each rserver level.
serverfarm name
Specifies the name of the server farm that is associated with the real server.
vip
Specifies the VIP associated with the real server. The parameters configured under this VIP are monitored at each VIP level.
vip ip
Specifies the IP configured for VIP and attached to the policy map.
class-map
Specifies the class map configured for VIP.
class-map_name
Specifies the name of the class-map configured for VIP.
policy-map
Specifies the policy map configured for VIP.
policy-map_name
Specifies the name of the policy map configured for VIP.
cpu-utilization
Configures the usage threshold for resource CPU utilization and can be configured at system level only.
memory-utilization
Configures the usage threshold for resource memory utilization and can be configured at system level only.
connection-rate
Configures the usage threshold for the connection rate.
conc-connections
Configures the usage threshold for concurrent connections.
bandwidth
Configures the usage threshold for the resource bandwidth at rserver and VIP levels.
high <3-100>
Indicates the highest value of the threshold defined. This value is configured as a percentage between 3 to 100 and is represented as the highest percentage of the maximum number of allocated resources. The ACE sends a notification/trap to the NM when the current resource usage exceeds the highest threshold value.
For CPU and memory utilization of a resource, the high value is configured as a percentage between 2 to 100.
low <1-98>
Indicates the lowest value of the threshold defined. This value is configured as a percentage between 1 to 98 and is represented as the lowest percentage of the minimum number of allocated resources. The ACE sends a notification/trap to the NM when the current resource usage is less than the specified lowest threshold value.
Note
watermark <2-99>
Indicates the defined watermark threshold. A watermark is configured as a percentage between 2 to 99 and is represented as the percentage of the maximum and minimum allocated resource. It is used to reset the high/low traps and to optimize the number of traps that are sent.
For CPU and memory utilization of a resource, the watermark value is configured as a percentage between 1 to 99.
Watermark Calculation
The high watermark value is calculated as follows:
high watermark value = watermark * maximum allocation/100The ACE sends a "Falling Watermark" notification when the current usage is below the high watermark value. See the "Related SNMP Trap Configuration and Changes" section for details.
The low watermark value is calculated as follows:
low watermark value = watermark * minimum allocation/100The ACE sends a "Rising Watermark" notification when the current usage exceeds the low watermark value. See the "Related SNMP Trap Configuration and Changes" section for details.
1 <= low < watermark < high <= 100
The resource usage threshold parameters are configured within this range.
Related SNMP Trap Configuration and Changes
SNMP notification traps are system alerts that the ACE generates when the resource usage exceeds or fails to meet the specified threshold. For background information about enabling SNMP notifications, see the "Enabling SNMP Notifications" section in the Administration Guide vA5(1.0), Cisco ACE Application Control Engine.
The following commands are used to configure SNMP traps at context, systems, real server, and VIP levels:
Systems Level Commands
switch/Admin(config)# snmp-server enable traps rate-limit system-level cpu-utilizationswitch/Admin(config)# snmp-server enable traps rate-limit system-level memory-utilizationswitch/Admin(config)# snmp-server enable traps rate-limit system-level connection-rateswitch/Admin(config)# snmp-server enable traps rate-limit system-level conc-connectionsContext Level Commands
switch/Admin(config)# snmp-server enable traps rate-limit conc-connectionsswitch/Admin(config)# snmp-server enable traps rate-limit connection-rateReal Server Commands
switch/Admin(config)# snmp-server enable traps rate-limit rserver-level bandwidthswitch/Admin(config)# snmp-server enable traps rate-limit rserver-level conc-connectionsswitch/Admin(config)# snmp-server enable traps rate-limit rserver-level connection-rateVIP Level Commands
switch/Admin(config)# snmp-server enable traps rate-limit vip-level bandwidthswitch/Admin(config)# snmp-server enable traps rate-limit vip-level conc-connectionsswitch/Admin(config)# snmp-server enable traps rate-limit vip-level connection-rateRelated SNMP Trap Configuration and Changes
The following objects are defined to generate a notification when the current usage exceeds or fails to meet the specified threshold:
•
Table 2 lists the subobjects included in the notification.
•
Table 3 lists the subobjects included in the notification.
•
Table 4 lists the subobjects included in the notification.
For more information about the SNMP notification (traps) supported by the ACE, see the "ACE SNMP Notifications (Traps)" section in the Administration Guide vA5(1.0), Cisco ACE Application Control Engine.
Using the show tech-support brief Command for Critical Output
Per CSCuc92716, a new command show tech-support brief is included as a part of debugging enhancement. This command captures the basic information such as, resource usage, NP commands, and crypto counters. The time taken by this command is lesser than the full show tech command.
The following example shows how to use the show tech-support brief command:
switch/Admin# sh tech-support briefMonitoring and Displaying the Network Processor Buffer Usage (Switchover Option and NP Buffer Usage)
Switchover Option
When the ACE encounters a heavy volume of traffic, the internal buffers of the Network Processors (NP) reach their maximum threshold. When this situation occurs, the ACE becomes unresponsive and requires a manual reload. If the buffer threshold reload configuration is used, ACE triggers an automatic reload when the maximum threshold is met.
Per CSCtz18287 and CSCuc83463, you can now set the threshold levels for NP buffers in the active and standby ACEs and the active ACE can switch over when the NP buffer reaches or exceeds the threshold. This process occurs when you enter the buffer threshold switchover command in configuration mode in the admin context.The ACE checks the status of the NP buffer usage at regular intervals of time (five seconds) and initiates the switchover action whenever the buffer usage exceeds the defined threshold. The syntax of this command is as follows:
buffer threshold active number1 standby number2 action switchoverThe keywords and arguments of buffer threshold switchover command are as follows:
•
•
•
–
–
For example, enter the following command to specify the active NP buffer utilization threshold as 88 percent, the standby NP buffer utilization threshold as 40 percent, and the action as switchover:
host1/Admin(config)# buffer threshold active 88 standby 40 action switchoverDisplaying the NP Buffer Usage
You can display the buffer usage of each NP by using the show np number buffer usage command in Exec mode. The syntax of this command is as follows:
show np number buffer usage
The number value specifies the number of the NP for which you want to display buffer usage statistics.
Displaying Worry Thresholds for Show Command Statistics
Per CSCuc50795, ACE software version A5(2.2) provides help strings and worry thresholds to display the following system statistics:
•
•
•
The worry thresholds defined for the show commands are as follows. The worry thresholds are system defined and cannot be configured.
•
–
–
–
•
–
–
•
–
Displaying Monitoring Parameters Using the Show Command
ACE software version A5(2.2) provides the show resource monitor-params command to display the monitoring parameters. This command is configured in the Admin mode only. The following example shows how to use the show resource monitor-params command:
switch/Admin# show resource monitor-params
Controlling an ACE Outage Due to a DDoS Attack
During a Distributed Denial of Service (DDoS) attack, multiple TCP connections and HTTP GET requests cause the ACE to exhaust all the available buffers that lead to an outage situation. Each client in the DDoS attack establishes a connection, sends an HTTP request to the ACE, and closes the connection at the client side. The ACE buffers the response from the web server. However, the client in the DDoS attack does not acknowledge the HTTP responses from the ACE and the ACE has to wait until the connection times out. When you enter the buffer threshold active active threshold standby standby threshold reload command and the buffer utilization increases (due to a DDoS attack), the buffer usage reaches the configured threshold value and causes the ACE to automatically reload and a switchover occurs.
For example: Consider the buffer threshold of two ACEs, ACE1 and ACE2 are 75% (active) and 50% (standby). When ACE1 reaches 75%, it checks if the utilization of ACE2 is less than 50% and reloads ACE1 making ACE2 active. After a short duration, ACE2 reloads due to the same buffer utilization issue which leads to outage.
Per CSCtz97775, inline buffer threshold checks are included in the Retransmission, Probing, and Reassembling expiry to reset the connection when the overall buffer utilization has crossed the configured threshold in the newly added parameter in the Connection Parameter map.
A new parameter is added in the Connection Paramter map to configure the buffer threshold.
The syntax of a command using this parameter is as follows:
parameter-map type connection Param_map_name
set tcp buffer-threshold 50, 75, 77, 88, 95, 100
The following example shows how to use this parameter in a command:
switch/Admin(config)# parameter-map type connection CPMswitch/Admin(config-parammap-conn)# set tcp buffer-threshold ?100%50%75%77%88%95%ACE software version A5(2.2) provides a new TCP statistic Max buffer threshold reached which increments before resetting the connection due to the buffer threshold. The following example shows how to use this stat in a command:
switch/Admin# show np 1 me-stats -stcp | include "Max buffer"Max buffer threshold reached: 3009831 3666The existing reassembly timer is modified as a repetitive timer with a shorter duration. The 77% threshold check is added in the buffer management library.
Supporting Chunked Encoded HTTP(s) Responses from Real Servers
Per CSCtz78330, ACE software version A5(2.2) allows the health monitoring probes to support chunked encoded HTTP(s) responses from real servers.
The following flag needs to be enabled through CLI to use this feature:
=====================================switch/Admin(config)# ?Configure commands:aaa Configure aaa functions[...]hm-strict-parsing 1:Enable/0:Disable strict probe response parsing <<<<<<<<<<<<<<[...]switch/Admin(config)# hm-strict-parsing ?<0-1> Should be 1 for chunked response parsing=====================================
Note
•
•
Enabling the TCP Retransmission Queue Debug Option
Per CSCue25052, the ACE is provisioned to enable or disable the TCP retransmission queue debug option to get more information for the CSCty02827-NP ME hung issue. You can enable the debug-tcp-retrans-queue option in a parameter-map type connection and attach it under a VIP policy-map. This feature is included as resolution for CSCty02827 and you must enable this option to avoid the impact on the performance of the ACE.
The following example shows how to enable the TCP retransmission queue debug option:
switch/Admin(config)# parameter-map type connection xyzswitch/Admin(config-parammap-conn)# debug-tcp-retrans-queueNew Software Features in Version A5(2.1)
Software version A5(2.1) provides the following new features:
•
•
•
Configuring HTTP URL Rewrite
The HTTP URL rewrite feature enables the ACE to rewrite URI/URL pathnames in HTTP requests. When you request a certain URL, the server receives the request containing the URL modified by the ACE. This feature allows you to process application transactions on the backend real server/server farm in a unified manner. HTTP URL rewrite uses the rule-based rewriting engine (based on a regular-expression parser) to rewrite requested URLs instantly which provides a flexible and powerful mechanism for URL manipulation. These URL manipulations depend on various tests HTTP headers.
HTTP URL rewrite operates on the URLs and generates query string parts as the result. It effectively searches for the HTTP regex pattern on a URL and replaces the matched search pattern with the defined rewrite pattern.
You can rewrite the URL value in an HTTP request from a client using the url rewrite command in action-list modify configuration mode.
url rewrite url_regex replace new_url_regex
The keywords, parameters, and arguments of the url rewrite command are as follows:
•
•
•
In the following configuration example, the Layer 7 class matches any URL beginning with /foo/. Under the action-list, it then matches a more specific URL than the Layer 7 class and delineates two sections, which are saved as variables %1 and %2. The replace statement constructs the new URL using the %1, %2, and %h built-in variables.
class-map type http loadbalance match-any urlmatch2 match http url /foo/.*action-list type modify http Action_question1url rewrite "/index.html[?]ram=[?]cookie" replace "/test"Related CLI Changes
The new HTTP URL rewrite feature includes a set of statistics counters and error counters, and the following command line interface (CLI) commands have been modified:
•
–
–
–
The following example shows how to use the show stats http command:
switch/ctx1# show stats http--------------HTTP Statistics-----------LB parse result msgs sent : 2 , TCP data msgs sent : 2Inspect parse result msgs : 0 , SSL data msgs sent : 0sentTCP fin/rst msgs sent : 0 , Bounced fin/rst msgs sent: 0SSL fin/rst msgs sent : 0 , Unproxy msgs sent : 1Drain msgs sent : 1 , Particles read : 21Reuse msgs sent : 0 , HTTP requests : 2Reproxied requests : 0 , Headers removed : 0Headers inserted : 0 , HTTP redirects : 0HTTP chunks : 0 , Pipelined requests : 0HTTP unproxy conns : 1 , Pipeline flushes : 0Whitespace appends : 0 , Second pass parsing : 0Response entries recycled : 0 , Analysis errors : 0Header insert errors : 0 , Max parselen errors : 0Static parse errors : 0 , Resource errors : 0Invalid path errors : 0 , Bad HTTP version errors : 0Headers rewritten : 1 , Header rewrite errors : 0URLs rewritten : 4 , URL rewrite errors : 0•
The following example shows how to use the show action-list command:
switch/ctx1# show action-listNumber of action-lists : 2Action-list : act1Type : ModifyHeader Insert Request : name: Host value: 31.0.0.248Header Insert Response :Header Insert Both :Header Delete Request :Header Delete Response :Header Delete Both :Header Rewrite Request :Header Rewrite Response :Header Rewrite Both :SSL Rewrite Location :URL Rewrite :Action-list : act2Type : ModifyHeader Insert Response :Header Insert Both :Header Delete Request :Header Delete Response :Header Delete Both :Header Rewrite Request : name: Host value: 41(.*)100 replace: 31%1249Header Rewrite Response :Header Rewrite Both :SSL Rewrite Location :URL Rewrite : url regex: /index.html replace: /test.htmlGuidelines and Restrictions
•
–
–
Optionally, you can use user-defined variables.
•
•
•
url rewrite "/index.html[?]ram=cookie" replace "/test.html"SSL Sticky Configuration in a Two-Tier ACE Deployment
ACE software version A5(2.1) allows you to optimize multiple SSL sticky entries associated with the Tier-1 of a 2-tier ACE deployment into a single SSL sticky entry. The SSL stickiness feature in a two-tier ACE deployment ensures persistent SSL connections across multiple server farms and helps reduce multiple sticky entries.
By default, SSL Session ID reuse is disabled in the ACE. If you intend to configure a two-tier ACE deployment, enable the SSL session ID reuse feature and configure the response sticky with 4 byte SSL ID parsing in the one-tier ACE.
The following example shows tier-one response sticky with four byte SSL ID parse configuration:
sticky ssl SSLlength 4serverfarm sf1response stickyEach SSL connection is uniquely identified by its SSL session ID and uses the unique four bytes of the first burned-in MAC addresses of a two-tier ACE. These four bytes are used by the one-tier ACE to parse the session ID and to identify the corresponding sticky entries in the two-tier ACE deployment.
Figure 1 shows the deployment architecture of one-tier and two-tier ACE.
Figure 1 Two-Tier ACE Deployment Architecture
For more information about configuring stickiness, see the "Configuring Stickiness" chapter in the Server Load-Balancing Guide vA5(1.0), Cisco ACE Application Control Engine.
Support for Radius IPv6 Load Balancing
ACE software version A5(2.1) supports load balancing of RADIUS IPv6 with session persistence (stickiness) on the ACE. It is applicable to mobile wireless deployments. In such a deployment, the ACE load balancing is requested from Cisco GGSN (Gateway GPRS Support Node) to Cisco Content Services Gateway (CSG). The GGSN ensures that a prefix is assigned to one end user only. The ACE load balances the RADIUS requests and creates the sticky entries based on the framed IPv6 prefix. The sticky lookup based on the source IP address for IPv6 end user packets match the sticky entries created by the RADIUS packets.
The sticky replication message is modified to include an additional 64 bit field because the support for RADIUS IPv6 load balancing requires the sticky hash key to be 128 bits.
For background information about creating a RADIUS-attribute sticky group, see the "Creating a RADIUS-Attribute Sticky Group" section of the Server Load-Balancing Guide vA5(1.0), Cisco ACE Application Control Engine.
Related CLI Commands
New CLI Commands
ACE software version A(2.1) provides the new CLI command enduser-v6-prefix-length to configure the prefix length of end user packets from the radius sticky configuration mode. The ACE uses the end user prefix length to mask the source ip address of the end user packets during the sticky lookup for IPV6 packets.
The sticky radius framed-ip command allows you to access the radius sticky configuration mode. The only syntax for the enduser-v6-prefix-length command is:
enduser-v6-prefix-length prefix_length_value
The enduser-v6-prefix-length command is used to configure prefix length for end user packets from the radius sticky mode. The valid prefix range is 1 to 128 bits. The default prefix length is 64 bits.
The following examples show how to use the enduser-v6-prefix-length command to define a prefix length of 112:
host1/Admin# confighost1/Admin(config)#host1/Admin(config)# sticky radius framed-ip fip-farm-v6host1/Admin(config-sticky-radius)# enduser-v6-prefix-length 112Use the no form of this command to remove the prefix length for end user packets from the configuration.
Modified CLI Commands
The following CLI show commands are modified to include IPv6 statistics:
•
The following example shows the show stats loadbalance radius command:
switch/Admin# show stats loadbalance radius+-------------------------------------------------++--------- Radius Loadbalance statistics ---------++-------------------------------------------------+Total requests received : 0Total responses received : 0Total retry packets received : 0Total header parse results received : 0Total body parse results received : 0Total data parse results received : 0Total packets sent out : 0Total sessions allocated : 0Total sessions deleted : 0Total username sticky added : 0Total calling-station sticky added : 0Total framed-ip sticky added : 0Total framed-ipv6 sticky added : 0Total v6 end-user pkt sticky success : 13Total v6 end-user pkt sticky failure : 0Total end-user packet sticky success : 0Total end-user packet sticky failure : 0Total Acct-On/Off requests received : 0Total Acct-On/Off responses received : 0Total Acct-On/Off with no rules : 0Total Acct-On/Off req processing done : 0Total NULL packet received errors : 0Total parse errors : 0Total invalid proxy mapper entries : 0Total sticky addition failures : 0Total proxy mapper alloc failures : 0Total stale packet errors : 0Total Radius sessions failures : 0Total proxy mapper lookup failures : 0•
The following example shows the show sticky database detail command:
switch/Admin# show sticky database detailprocessor (0/3): 0results index: 1 of 1sticky group: fip-farm-v4sticky type: RADIUSrserver: v4-rs-01realPort: 0timeout (secs): 86400sticky-entry: 0x2002000000000000 0000000014110000internal entry-id: 0x200003time-to-expire (secs): 26025sticky-hit-count: 3active-conn-count: 0in-use reference count: 0static entry: FALSEreverse entry: FALSEactive entry: TRUEtimeout-active-conns: FALSEcreated-from-HA-peer: FALSEHA-replicated-at-least-once: TRUERadius Wait-For-Ack: FALSETotal Sticky Entries: 1•
The following example shows the show sticky database command:
switch/Admin# show sticky databasesticky group : fip-farm-v4type : RADIUStimeout : 1440 timeout-activeconns : FALSEsticky-entry rserver-instance time-to-expire flags---------------------+--------------------------------+--------------+-------+0x2002000000000000 v4-rs-01:0 26021 -0000000014110000Guidelines and Restrictions
•
•
•
Device Monitoring: Bandwidth, Total SSL Connections per Blade/Context, and NAT Pool Utilization
ACE software version A5(2.1) generates a notification when the ACE resource usage exceeds or fails to meet the configured threshold. It allows the ACE to monitor resources and notify the Network Manager (NM) when the resources reach the maximum/minimum threshold. The notifications to the NM are sent through SNMP traps.
The ACE generates notifications when the usage of the following resources exceed or fail to meet one of the following specified threshold limits:
•
Bandwidth and Active SSL Connections
You can configure the ACE to issue SNMP traps and syslog messages when resource usage by the ACE or a specific context breaches the specified thresholds (high, low, and watermark) for the following monitored resources:
•
•
Related CLI Configuration and Changes
ACE software version A5(2.1) provides the new CLI command resource usage-threshold to configure the resource usage threshold limits at both system level and context level. This command is configured in the configuration mode.
Note
The resource usage-threshold command is used to configure the resource usage threshold. The following example shows how to use the resource usage-threshold command:
switch/Admin(config)# resource usage-thresholdswitch/Admin(config-resrc-thres)#The system-level command determines the resource usage threshold configured at the system level. The syntax of the system-level command is as follows:
system-level {bandwidth | active-ssl-conn} high threshold_value low threshold_value watermark threshold_value
The following example shows how to use the system-level command to configure threshold for bandwidth and active SSL connections:
switch/Admin(config-resrc-thres)# system-level bandwidth high 90 low 50 watermark 88switch/Admin(config-resrc-thres)# system-level active-ssl-conn high 98 watermark 95The keywords, arguments, and options in the above commands are as follows:
•
•
•
•
•
•
Watermark Calculation
The high watermark value is calculated as follows:
high watermark value = watermark * maximum allocation/100The ACE sends a "Falling Watermark" notification when the current usage is below the high watermark value. See the "Related SNMP Trap Configuration and Changes" section for details.
The low watermark value is calculated as follows:
low watermark value = watermark * minimum allocation/100The ACE sends a "Rising Watermark" notification when the current usage exceeds the low watermark value. See the "Related SNMP Trap Configuration and Changes" section for details.
•
1 <= low < watermark < high <= 100
Note
•
•
•
Related SNMP Trap Configuration and Changes
SNMP notification traps are system alerts that ACE generates when the resource usage exceeds or fails to meet the specified threshold. For background information about enabling SNMP notifications, see the "Enabling SNMP Notifications" section in the Administration Guide vA5(1.0), Cisco ACE Application Control Engine.
The following commands are used to configure SNMP traps at context and system levels:
switch/Admin(config)# snmp-server enable traps rate-limit system-level bandwidthswitch/Admin(config)# snmp-server enable traps rate-limit system-level active-ssl-connswitch/Admin(config)# snmp-server enable traps rate-limit bandwidthThe following objects are defined to generate a notification when the current usage exceeds or fails to meet the specified threshold:
•
Table 5 lists the subobjects included in the notification.
•
Table 6 lists the subobjects included in the notification.
For more information about the SNMP notification (traps) supported by the ACE, see the "ACE SNMP Notifications (Traps)" section in the Administration Guide vA5(1.0), Cisco ACE Application Control Engine.
NAT Pool Utilization
As a part of the show nat-fabric CLI command, the nat-pool-utilization parameter has been added in the ACE software version A5(2.1) to provide information on Network Address Translation (NAT) pool utilization. The NAT pool utilization information in the show command output has the following details: User Pool ID, NP Utilization, Lower/Upper Ip Addresses fields, and Context name.
Enter the following command to display the NAT pool utilization:
switch/Admin# show nat-fabric nat-pool-utilizationThe following example shows how to use the show nat-fabric command to determine NAT pool utilization:
switch/Admin# show nat-fabric nat-pool-utilization------------------------------------------------------------------
Note
New Software Features in Version A5(2.0)
This section describes the new features associated with ACE appliance software Version A5(2.0). The information presented in this section builds on the information available in the documentation set for ACE software Version A5(1.0), which you can find at the following URLs:
•
http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html
•
ACE software Version A5(2.0) provides the following new features:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Buddy Sticky Groups that Enable Persistence Across Multiple Server Farms
ACE software version A5(2.0) allows you to create buddy sticky groups that enable persistence to a real server or real server group across multiple server farms. Prior software releases allow you to configure stickiness within a single server farm only using sticky groups.
You use the buddy sticky group feature for the following applications:
•
•
•
Note
To use the buddy group feature, you perform the following steps while configuring the ACE for load balancing:
1.
You make a real server a member of a real server buddy group by using the new buddy command in the server farm host real server configuration mode. The command syntax is as follows:
buddy group_name
where group_name is the name of a new or existing real server buddy sticky group. Enter 1 to 64 alphanumeric characters.
Examplehost1/admin(config)#serverfarm sfarm1host1/admin(config-sfarm-host)#rserver rserv12host1/admin(config-sfarm-host-rs)#buddy blue2.
You make sticky server farms part of a member of a buddy sticky group by using the new member command in sticky configuration mode. The command syntax is as follows:
member group_name
where group_name is the name of a new or existing server farm buddy sticky group. Enter 1 to 64 alphanumeric characters.
Examplehost1/admin(config)#sticky ip-netmask 255.255.255.255 address both stick-carthost1/admin(config-sticky-ip)#serverfarm httphost1/admin(config-sticky-ip)#member alphaThis section includes the following topics:
•
•
•
•
Guidelines and Restrictions
•
•
•
•
•
•
•
–
–
•
•
–
–
•
•
One-to-One Association Application Example
In a one-to-one buddy sticky group association, you create a buddy sticky group that sticks the client to the same physical server instances in two different server farms. In the network example shown in Figure 2, the ACE is configured with the following server farms, their associated real servers, and the buddy sticky groups that group both items:
Figure 2 Buddy Sticky Groups: One-to-One Association
The ACE is configured to load balance HTTP requests to server farm http using either real server 1nx1:192.168.1.11:80 or 1nx2:192.168.1.12:80. The ACE is also configured to load balance HTTPS requests using server farm https and either real server 1nx1:192.168.1.11:443 or 1nx2:192.168.1.12:443. The buddy groups allow the ACE to stick a client to the same real server (for example, 1nx1) while building a shopping cart using HTTP requests and then checking out using HTTPS.
In this example, the client hits VIP 172.16.1.100, destination port 80 with an HTTP request to begin to build a shopping cart. The ACE load balances the request to server farm http, real server 1nx1:192.168.1.11:80 and creates a sticky entry based on the corresponding sticky group (for example, source IP address) that sticks the client to the real server while the client builds their shopping cart. When the client moves to the secured connection (port 443) for checkout, it hits the VIP with destination port 443 and the ACE sends the client to server farm https. The ACE finds an existing sticky entry with real server Inx1:192.168.1.11:80 and directs the client to 1nx1:192.168.1.11:443 because the two real servers are buddied together under the blue buddy group.
CLI Sample Configuration
The following example configuration applies to Figure 2 and shows the buddy group-related values in bold text:
host1/admin(config)#serverfarm httphost1/admin(config-sfarm-host)#rserver lnx1host1/admin(config-sfarm-host-rs)#buddy bluehost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#rserver lnx2host1/admin(config-sfarm-host-rs)#buddy redhost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#exithost1/admin(config)#serverfarm httpshost1/admin(config-sfarm-host)#rserver lnx1 443host1/admin(config-sfarm-host-rs)#buddy bluehost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#rserver lnx2 443host1/admin(config-sfarm-host-rs)#buddy redhost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#exithost1/admin(config)#sticky ip-netmask 255.255.255.255 address both stick-carthost1/admin(config-sticky-ip)#serverfarm httphost1/admin(config-sticky-ip)#member alphahost1/admin(config-sticky-ip)#exithost1/admin(config)#sticky ip-netmask 255.255.255.255 address both stick-credithost1/admin(config-sticky-ip)#serverfarm httpshost1/admin(config-sticky-ip)#member alphahost1/admin(config-sticky-ip)#exithost1/admin(config)#class-map cart-viphost1/admin(config-cmap)#match virtual-address 172.16.1.100 tcp eq wwwhost1/admin(config-cmap)#exithost1/admin(config)#class-map checkout-viphost1/admin(config-cmap)#match virtual-address 172.16.1.100 tcp eq httpshost1/admin(config-cmap)#exithost1/admin(config)#policy-map type loadbalance http first-match cart-lbhost1/admin(config-pmap-lb)#class class-defaulthost1/admin(config-pmap-lb-c)#sticky-serverfarm stick-carthost1/admin(config-pmap-lb-c)#exithost1/admin(config-pmap-lb)#exithost1/admin(config)#policy-map type loadbalance http first-match checkout-lbhost1/admin(config-pmap-lb)#class class-defaulthost1/admin(config-pmap-lb-c)#sticky-serverfarm stick-credithost1/admin(config-pmap-lb-c)#exithost1/admin(config-pmap-lb)#exithost1/admin(config)#policy-map multi-match shopping-carthost1/admin(config-pmap)#class cart-viphost1/admin(config-pmap-c)#loadbalance vip inservicehost1/admin(config-pmap-c)#loadbalance policy cart-lbhost1/admin(config-pmap-c)#exithost1/admin(config-pmap)#exithost1/admin(config-pmap)#class checkout-viphost1/admin(config-pmap-c)#loadbalance vip inservicehost1/admin(config-pmap-c)#loadbalance policy checkout-lbAsymmetric Association Application Example
In an asymmetric buddy sticky group association, you create a buddy sticky group that sticks all Layer 7 traffic from a client to a specific real server even when some of the traffic does not match the Layer 7 class map.
In the network example shown in Figure 3, the ACE is configured to include the following server farms, their associated real servers, and assigned real server buddy sticky groups:
foo bar
alpha
1nx1
blue
1nx2
red
foo
alpha
1nx1
blue
bar
alpha
1nx2
red
Figure 3 Buddy Sticky Groups: Asymmetric Association
The ACE is configured to send client traffic with Layer 3 matches to server farm foobar, which contains real servers that are also configured on server farms foo and bar. The ACE load balances the client traffic to one of the real servers based on Layer 7 class map matches. By defining buddy sticky groups, the ACE is also able to stick non-matching client traffic to the same real server.
In this example, the client sends traffic with Layer 3 matches that the ACE directs and sticks (using ip sticky) to server farm foobar. The ACE uses a Layer 7 class map to check for HTTP URL and if present, sends the traffic to server farm foo and sticks the client traffic to that server using sticky that is based on the source IP address. Using a buddy stick group, the ACE uses the sticky entry to send any other traffic type from the client to the same real server. For example, if the ACE sticks the client HTTP traffic to server farm foo:real server lnx1 based on a Layer 7 class map match, the buddy stick group allows the ACE to send non-HTTP traffic from the client to the same real server.
CLI Sample Configuration
The following example configuration applies to Figure 3 and shows the buddy group-related values in bold text:
host1/admin(config)#serverfarm foohost1/admin(config-sfarm-host)#rserver lnx1host1/admin(config-sfarm-host-rs)#buddy bluehost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#exithost1/admin(config)#serverfarm barhost1/admin(config-sfarm-host)#rserver lnx2host1/admin(config-sfarm-host-rs)#buddy redhost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#exithost1/admin(config)#serverfarm foobarhost1/admin(config-sfarm-host)#rserver lnx1host1/admin(config-sfarm-host-rs)#buddy bluehost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#rserver lnx2host1/admin(config-sfarm-host-rs)#buddy redhost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#exithost1/admin(config)#sticky ip-netmask 255.255.255.255 address both stick-foohost1/admin(config-sticky-ip)#serverfarm foohost1/admin(config-sticky-ip)#member alphahost1/admin(config-sticky-ip)#exithost1/admin(config)#sticky ip-netmask 255.255.255.255 address both stick-barhost1/admin(config-sticky-ip)#serverfarm barhost1/admin(config-sticky-ip)#member alphahost1/admin(config-sticky-ip)#exithost1/admin(config)#sticky ip-netmask 255.255.255.255 address both stick-foobarhost1/admin(config-sticky-ip)#serverfarm foobarhost1/admin(config-sticky-ip)#member alphahost1/admin(config-sticky-ip)#exithost1/admin(config)#class-map app-viphost1/admin(config-cmap)#match virtual-address 172.16.1.100 anyhost1/admin(config-cmap)#exithost1/admin(config)#class-map type http loadbalance match-all app-foohost1/admin(config-cmap)#match http url /app-foo/.*host1/admin(config-cmap)#exithost1/admin(config)#class-map type http loadbalance match-all app-barhost1/admin(config-cmap)#match http url /app-bar/.*host1/admin(config-cmap)#exithost1/admin(config)#policy-map type loadbalance http first-match slbhost1/admin(config-pmap-lb)#class app-foohost1/admin(config-pmap-lb-c)#sticky-serverfarm foohost1/admin(config-pmap-lb-c)#exithost1/admin(config-pmap-lb)#class app-barhost1/admin(config-pmap-lb-c)#sticky-serverfarm barhost1/admin(config-pmap-lb-c)#exithost1/admin(config-pmap-lb)#class class-defaulthost1/admin(config-pmap-lb-c)#sticky-serverfarm foobarMany-to-One Association Application Example
In a many-to-one buddy sticky group association, you create a buddy sticky group that sticks a group of real servers to a specific real server, which is useful when clients are load balanced to a first-tier server farm containing many real servers and are then directed to a second-tier server farm that contains fewer real servers. In this type of application, you create buddy sticky groups that stick each first-tier real server group to a specific second-tier real server.
In the network example shown in Figure 4, the ACE is configured with the following server farms, their associated real servers, and assigned real server buddy groups:
Figure 4 Buddy Sticky Groups: Many-to-One Association
The buddy sticky groups blue and red divide the first-tier real servers into groups and then sticks each of these groups to a specific second-tier real server.
In this example, when the ACE load balances clients to either real server 1nx1 or 1nx2 in the server farm web, the clients are directed only to real server db1 when they are ready to move to the server farm app. Notice also that clients that the ACE load balances to 1nx3 and 1nx4 are directed only to real server db2 when they are ready to move to the server farm app.
CLI Sample Configuration
The following example configuration applies to Figure 4 and shows the buddy group-related values in bold text:
host1/admin(config)#serverfarm webhost1/admin(config-sfarm-host)#rserver lnx1 80host1/admin(config-sfarm-host-rs)#buddy bluehost1/admin(config-sfarm-host-rs)#inservicehost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#rserver lnx2 80host1/admin(config-sfarm-host-rs)#buddy bluehost1/admin(config-sfarm-host-rs)#inservicehost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#rserver lnx3 80host1/admin(config-sfarm-host-rs)#buddy redhost1/admin(config-sfarm-host-rs)#inservicehost1/admin(config-sfarm-host)#rserver lnx4 80host1/admin(config-sfarm-host-rs)#buddy redhost1/admin(config-sfarm-host-rs)#inservicehost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#exithost1/admin(config)#serverfarm apphost1/admin(config-sfarm-host)#rserver db1host1/admin(config-sfarm-host-rs)#buddy bluehost1/admin(config-sfarm-host-rs)#inservicehost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#rserver db2host1/admin(config-sfarm-host-rs)#buddy redhost1/admin(config-sfarm-host-rs)#inservicehost1/admin(config-sfarm-host-rs)#exithost1/admin(config-sfarm-host)#exithost1/admin(config)#sticky ip-netmask 255.255.255.255 address source webhost1/admin(config-sticky-ip)#serverfarm webhost1/admin(config-sticky-ip)#member alphahost1/admin(config-sticky-ip)#exithost1/admin(config)#sticky ip-netmask 255.255.255.255 address source dbhost1/admin(config-sticky-ip)#serverfarm dbhost1/admin(config-sticky-ip)#member alphahost1/admin(config-sticky-ip)#exithost1/admin(config)#class-map webhost1/admin(config-cmap)#match virtual-address 172.16.1.100 tcp eq 80host1/admin(config-cmap)#exithost1/admin(config)#class-map dbhost1/admin(config-cmap)#match virtual-address 172.16.1.100 tcp eq 81host1/admin(config-cmap)#exithost1/admin(config)#policy-map type loadbalance http first-match webhost1/admin(config-pmap-lb)#class class-defaulthost1/admin(config-pmap-lb-c)#sticky-serverfarm webhost1/admin(config-pmap-lb-c)#exithost1/admin(config-pmap-lb)#exithost1/admin(config)#policy-map type loadbalance http first-match dbhost1/admin(config-pmap-lb)#class class-defaulthost1/admin(config-pmap-lb-c)#sticky-serverfarm dbhost1/admin(config-pmap-lb-c)#exithost1/admin(config-pmap-lb)#exithost1/admin(config)#policy-map multi-match web-dbhost1/admin(config-pmap)#class webhost1/admin(config-pmap-c)#loadbalance vip inservicehost1/admin(config-pmap-c)#loadbalance policy webhost1/admin(config-pmap-c)#exithost1/admin(config-pmap)#class dbhost1/admin(config-pmap-c)#loadbalance vip inservicehost1/admin(config-pmap-c)#loadbalance policy dbDisplaying Buddy Sticky Group Information
The following CLI show commands have been modified to include buddy sticky group information:
•
Example
host1/Admin# show sticky database buddymember group : redtype : IPtimeout : 720 timeout-activeconns : TRUEsticky-entry rserver-instance time-to-expire flags---------------------+-----------------+--------------+-------+250232353865662720 rs1:0 43196Total Sticky Entries: 1•
Example
switch/Admin# show rserver detailrserver : rs1, type: HOSTstate : OPERATIONAL (verified by arp response)description : -max-conns : - , out-of-rotation count : -min-conns : -conn-rate-limit : - , out-of-rotation count : -bandwidth-rate-limit : - , out-of-rotation count : -weight : 8-------------------------------------------connections-----------real weight state current total---+---------------------+------+------------+----------+--------------------serverfarm: sf110.10.10.2:0 8 OPERATIONAL 0 2max-conns : - , out-of-rotation count : -min-conns : -conn-rate-limit : - , out-of-rotation count : -bandwidth-rate-limit : - , out-of-rotation count : -total conn-failures : 0buddy group : blueserverfarm: sf210.10.10.2:0 8 OPERATIONAL 0 0max-conns : - , out-of-rotation count : -min-conns : -conn-rate-limit : - , out-of-rotation count : -bandwidth-rate-limit : - , out-of-rotation count : -total conn-failures : 0buddy group : red•
Example
switch/Admin# show serverfarm detailserverfarm : sf1, type: HOSTtotal rservers : 5active rservers: 5description : -state : ACTIVEpredictor : ROUNDROBINfailaction : -back-inservice : 0partial-threshold : 0num times failover : 1num times back inservice : 4total conn-dropcount : 0-------------------------------------------connections-----------real weight state current total failures---+---------------------+------+------------+----------+----------+---------rserver: rs110.10.10.2:0 8 OPERATIONAL 0 2 0max-conns : - , out-of-rotation count : -min-conns : -conn-rate-limit : - , out-of-rotation count : -bandwidth-rate-limit : - , out-of-rotation count : -retcode out-of-rotation count : -buddy group : bluerserver: rs210.10.10.3:0 8 OPERATIONAL 0 0 0max-conns : - , out-of-rotation count : -min-conns : -conn-rate-limit : - , out-of-rotation count : -bandwidth-rate-limit : - , out-of-rotation count : -retcode out-of-rotation count : -buddy group : red•
–
Example
host1/Admin# show stats sticky+------------------------------------------++----------- Sticky statistics ------------++------------------------------------------+Total sticky entries reused : 0prior to expiryTotal active sticky entries : 1Total active reverse sticky entries : 0Total active buddy sticky entries : 1Total active sticky conns : 0Total static sticky entries : 0Total sticky entries from Global Pool : 1Total insertion failures due to lack of resources : 0•
show buddy-group [group]
The optional group argument displays all server farms and associated real servers that belong to the specified buddy group.
Example
host1/Admin# show buddy-groupBuddy-Grp Rserver Port Serverfarm+-----------------+---------------+----------+---------------bluers1-v4 0 sf-v4-1rs5-v4 0 sf-v4-1r1 0 sf-v6-1r5-backup 0 sf-v6-1r3 0 sf-v6-2rs1-v4 0 sf1-mainrs-main 0 sf2-mainrs1-v4 0 sf2-nobuddySupport for Static NAT IPv4-to-IPv6 and IPv6-to-IPv4 Translation
ACE software version A5(2.0) allows you to configure mixed-mode static network address translation (NAT) configurations in which the connections between the client and server use a mix of IPv4 and IPv6 addresses as follows:
•
•
These configuration options are in addition to the same-mode static NAT mapping options (IPv4 to IPv4 and IPv6 to IPv6) available with previous software releases, which do not support mixed-mode static NAT configurations.
The three static NAT applications for mixed mode are as follows:
•
•
•
Guidelines and Restrictions
For details about configuring static NAT, see the "Configuring Static NAT and Static Port Redirection as a Policy Action" section in the Security Guide vA5(1.0), Cisco ACE Application Control Engine Guide. The information that the guide provides for configuring same-mode static NAT mapping can be used for mixed-mode configurations.
This section includes the following topics:
•
•
Static Destination NAT and Dynamic Source NAT Mixed-Mode Application
This section describes how to use a combination of static destination NAT and dynamic source NAT for mapping a mixed mode application in which the client uses IPv4 and the application server uses IPv6 (see Figure 5). In this application, static destination NAT maps the server IPv6 source address to an IPv4 address and dynamic NAT translates the client IPv4 address to an IPv6 address.
Figure 5 Mixed Mode Static Destination NAT and Dynamic Source NAT Application
For this application, the two types of NAT are used as follows:
•
•
Example
The following example shows how to configure the ACE for the application described in this section:
access-list acl-01 line 8 extended permit ip any anyclass-map match-any ANY2 match anyclass-map match-all nat2 match source-address 2001:3008::1:1/128 -->Server IP addresspolicy-map multi-match doSrcNatANYclass ANY -->Src NAT any traffic hitting client VLANnat dynamic 10 vlan 3008policy-map multi-match static_natclass nat -->Matching server IPv6nat static 10.8.2.1 netmask 255.255.255.255 vlan 2008 -->Mapped to IPv4 IPhosted on client VLAN 2008access-group input acl-01interface vlan 2008ip address 10.8.0.3 255.255.0.0alias 10.8.0.1 255.255.0.0peer ip address 10.8.0.2 255.255.0.0service-policy input doSrcNatAny -->Do src NAT on all traffic hitting the client VLANno shutdowninterface vlan 3008ipv6 enableip address 2001:3008::1/100ip address 192.168.0.3 255.255.0.0nat-pool 10 2001:3008::3:1 2001:3008::3:1/100 -->Choose one of the IP from the poolservice-policy input static_nat -->Static NAT applied on egress/server side VLANno shutdownStatic Destination NAT and Static Source NAT Mixed-Mode Application
This section describes how to use static NAT for mapping a mixed mode application in which the client uses IPv4 and the application server uses IPv6 (see Figure 6). In this application, static destination NAT maps the server IPv6 source address to an IPv4 address and static source NAT translates the client IPv4 address to an IPv6 address.
Figure 6 Mixed-Mode Static NAT Application
For this application, static NAT is used as follows:
•
•
Example
The following example shows how to configure the ACE for the application described in this section:
class-map match-all src_server_s62 match source-address 2001:3017::1:1class-map match-all src_client_c42 match source-address 10.17.1.2 255.255.255.255policy-map multi-match dst_nat_s6_staticclass src_server_s6nat static 10.17.2.1 netmask 255.255.255.255 vlan 2017Policy-map multi-match src_nat_s4_staticclass src_client_c4nat static 2001:3017:2017::1 vlan 3017interface vlan 2017ip address 10.17.0.2 255.255.0.0service-policy input src_nat_s4_staticno shutdowninterface vlan 3017ipv6 enableip address 2002::1e11:2/112ip address 192.168.0.2 255.255.0.0service-policy input dst_nat_s6_staticno shutdownStatic NAT for Subnets
This section describes how to use static NAT to map a set of private IP addresses to a set of global IP addresses using a subnet, which you can do in mixed mode or non-mixed mode.
This static NAT application takes the host portion of the NAT IP address and appends it to the server host portion. For example, if NAT IP address 10.1.1.0 is mapped to the server host 192.168.2.0, then client 10.1.1.10 is sent to the server host as 192.168.2.10.
Guidelines and Restrictions
In a mixed mode application, the prefix length and IPv4 netmask must match. For example, if you configure the IPv4 netmask as 255.255.255.0 /24, then the IPv6 prefix length must be 120. The last octet (8 bits) is taken as the host portion for network address translation.
Example
The following example shows how to configure the ACE so that client 20.17.1.1 connects to mapped IP address 20.17.2.5 and is then translated to the destination as 2001:3017::1:5 (5 is derived from the NAT IP address):
class-map match-all src_server_s62 match source-address 2001:3017::1:0/120class-map match-all src_client_c42 match source-address 20.17.1.0 255.255.255.0policy-map multi-match dst_nat_s6_staticclass src_server_s6nat static 20.17.2.1 netmask 255.255.255.0 vlan 2017Policy-map multi-match src_nat_s4_staticclass src_client_c4nat static 2001:3017:2017::0/120 vlan 3017interface vlan 2017ip address 20.17.0.2 255.255.0.0service-policy input src_nat_s4_staticno shutdowninterface vlan 3017ipv6 enableip address 2002::1e11:2/112ip address 30.17.0.2 255.255.0.0service-policy input dst_nat_s6_staticno shutdownSupport for DNS IPv4-to-IPv6 and IPv6-to-IPv4 Load Balancing with Inspection
ACE software version A5(2.0) supports Domain Name System (DNS) inspection when using mixed-mode dynamic source network address translation (NAT), which performs NAT using the combinations of IPv4 and IPv6 connection types:
•
•
In both cases, the ACE translates the client address to an address in the NAT pool that matches the real server type and translates the VIP to the real server address.
Previous software releases support DNS inspection only when using same-mode dynamic source NAT in which NAT is performed on applications that use either IPv4 or IPv6 for all connections.
Guidelines and Restrictions
•
–
Note
–
•
Example
The following example shows a mixed-mode dynamic source NAT configuration in which DNS inspection is enabled using the inspect dns command (shown in bold):
access-list acl-01 line 8 extended permit ip any anyaccess-list acl-v6 line 8 extended permit ip anyv6 anyv6rserver host v4-rs-01ip address 10.10.1.1inservicerserver host v4-rs-02ip address 10.10.1.2inservicerserver host v4-rs-03ip address 10.10.1.3inservicerserver host v4-rs-04ip address 10.10.1.4inservicerserver host v6-rs-01ip address 2002::1e11:101inservicerserver host v6-rs-02ip address 2002::1e11:102inservicerserver host v6-rs-03ip address 2002::1e11:103inservicerserver host v6-rs-04ip address 2002::1e11:104inserviceserverfarm host mixed-farmrserver v4-rs-01inservicerserver v6-rs-01inserviceserverfarm host v4-sf-01rserver v4-rs-01inservicerserver v4-rs-02rserver v4-rs-03rserver v4-rs-04serverfarm host v6-sf-01rserver v6-rs-01inservicerserver v6-rs-02rserver v6-rs-03rserver v6-rs-04class-map match-any v4-vip-traffic-012 match virtual-address 172.16.2.1 udp eq domainclass-map match-any v4-vip-traffic-022 match virtual-address 172.16.2.2 udp eq domainclass-map match-any v6-vip-traffic-012 match virtual-address 2002::1411:201 udp eq domainclass-map match-any v6-vip-traffic-022 match virtual-address 2002::1411:202 udp eq domainpolicy-map type management first-match mgmtclass class-defaultpermitpolicy-map type management first-match mgmt2class class-default-v6permitpolicy-map type loadbalance first-match mixed-dns-polclass class-defaultserverfarm mixed-farmpolicy-map type loadbalance first-match v4-dns-pol-01class class-defaultserverfarm v4-sf-01policy-map type loadbalance first-match v6-dns-pol-01class class-defaultserverfarm v6-sf-01policy-map multi-match v4-vip-pol-01class v4-vip-traffic-01loadbalance vip inserviceloadbalance policy v4-dns-pol-01loadbalance vip icmp-replyinspect dnspolicy-map multi-match v4_to_mixed-vipclass v4-vip-traffic-02loadbalance vip inserviceloadbalance policy mixed-dns-polloadbalance vip icmp-replynat dynamic 2 vlan 3017inspect dnspolicy-map multi-match v6-vip-pol-01class v6-vip-traffic-01loadbalance vip inserviceloadbalance policy v6-dns-pol-01loadbalance vip icmp-replyinspect dnspolicy-map multi-match v6_to_mixed-vipclass v6-vip-traffic-02loadbalance vip inserviceloadbalance policy mixed-dns-polloadbalance vip icmp-replynat dynamic 1 vlan 3017inspect dnsservice-policy input mgmtservice-policy input mgmt2access-group input acl-01access-group input acl-v6interface vlan 2017ipv6 enableip address 2002::1411:2/112alias 2002::1411:1/112peer ip address 2002::1411:3/112ip address 172.16.0.2 255.255.0.0alias 172.16.0.1 255.255.0.0peer ip address 172.16.0.3 255.255.0.0service-policy input v4-vip-pol-01service-policy input v6-vip-pol-01service-policy input v4_to_mixed-vipservice-policy input v6_to_mixed-vipno shutdowninterface vlan 3017ipv6 enableip address 2002::1e11:2/112alias 2002::1e11:1/112peer ip address 2002::1e11:3/112ip address 192.168.0.2 255.255.0.0alias 192.168.0.1 255.255.0.0peer ip address 192.168.0.3 255.255.0.0nat-pool 1 2002::1e11:a 2002::1e11:f/128nat-pool 1 192.168.0.150 192.168.0.150 netmask 255.255.255.255nat-pool 2 2002::1e11:10 2002::1e11:15/128nat-pool 2 192.168.0.160 192.168.0.160 netmask 255.255.255.255no shutdownMaintaining a Full Proxy Connection During a TCP Handshake Mismatch
ACE software version A5(2.0) allows the ACE to splice together the client front-end and the server back-end connections when the ACE is proxying Layer 7 traffic flow and the negotiated front-end and back-end TCP handshakes do not match. Previous software releases do not have this option and drop connections in which the TCP handshakes do not match.
When the ACE is proxying Layer 7 flow, it completes the front-end TCP handshake before it initiates the back-end handshake. This process can cause issues for TCP options that are negotiated or specified during the TCP handshake. The ACE does provide the option of specifying the TCP handshake values in a connection parameter map but this method is not scalable as it needs to be defined per connection and it is difficult to predict these values as it requires significant coordination between the application, networking, and security teams. A mismatch in maximum segment size (MSS) and other TCP parameters results in slow or broken connections.
The parameter map type connection configuration mode command now includes the full-proxy-mss-mismatch command option that configures the ACE to force a connection to maintain full proxy when there is an MSS mismatch between the front-end and back-end connections.
When an MSS mismatch occurs, the ACE generates a syslog that provides information on why the ACE had to force a proxy connection due to an MSS mismatch. The ACE now also includes a counter that tracks the number of MSS mismatches, which you can display using the show np 1 me-stat -stcp command.
Guidelines and Restrictions
•
•
Examples
The following example shows how to use the CLI to create a connection parameter map (TCP_MISMATCH) that enables the TCP handshake mismatch feature:
host1/admin(config)#parameter-map type connection TCP_MISMATCH
host1/admin(config-sfarm-host)#full-proxy-mss-mismatchThe following example shows how to use the show np 1 me-stat -stcp command to show how many MSS mismatches have occurred:
host1/admin#show np 1 me-stat -stcpTCP Statistics: (Current)--------------TCP RX Messages received:TCP TX Messages received:...MSS mismatch counter:Support for a Wildcard KAL-AP GSS IP Address
ACE software version A5(2.0) allows you to configure the ACE with a wildcard KAL-AP Cisco Global Site Selector (GSS) IP address (0.0.0.0) to establish a secure communications channel between the ACE and multiple GSS devices that use the same MD5 encryption secret. With previous software releases, you must create a separate KAL-AP for each GSS IP address even when all or a set of GSS devices in a cluster use the same MD5 encryption secret.
To enable secure KAL-AP, you configure the IP address to the GSS and the shared secret using the ip address command from the KAL-AP UDP configuration mode. Use the no form of this command to remove the IP address and the shared secret from the configuration.
ip address ip_address encryption md5 secret
no ip address ip_address
The arguments are as follows:
•
•
Guidelines and Restrictions
•
•
–
–
Note
•
•
Examples
The following example shows how to configure a secure KAL-AP on the ACE using the wildcard IP address (0.0.0.0) for all GSS devices that use the secret "andromeda":
host1/admin(config-sfarm-host-rs)#kalap udp
host1/admin(config)#(config-kalap-udp)# ip address 0.0.0.0 encryption md5 secret andromedaThe following example shows how to configure a secure KAL-AP on the ACE using a specific GSS IP address (192.168.11.1):
host1/admin(config-sticky-ip)#kalap udp
host1/admin(config-sticky-ip)#(config-kalap-udp)# ip address 192.168.11.1 encryption md5 secret andromeda2To disable the secure KAL-AP for all GSS devices that use the secret associated with the wildcard IP address (in this example, andromeda), enter:
host1/admin(config)#(config-kalap-udp)# no ip address 0.0.0.0SSL Probe Configuration Option for Ignoring the Certificate Expiration Date
ACE software version A5(2.0) allows you to configure an SSL probe to ignore the certificate expiration date, which allows the ACE to establish the connection even when the SSL certificate has expired. Previous software releases do not provide the option to ignore the certificate expiration date.
The ssl https probe configuration mode command now includes the certificate- expiration ignore command option that configures the probe to ignore the SSL certificate expiration date.
The output of the show probe probe_name detail now includes information about the state of the certificate expiration ignore setting.
Guidelines and Restrictions
•
•
Examples
The following example shows how to configure an SSL probe that ignores the certificate expiration date:
host1/admin(config-sfarm-host)#probe https ssl_probe
host1/admin(config-sfarm-host-rs)#ssl certificate-expiration ignoreThe following example shows how to display the probe details, including the state of the certificate expiration ignore setting:
host1/admin(config-sfarm-host-rs)#show ssl_probe detailprobe : ssl_probe
type : HTTPS
state : INACTIVE
description :
----------------------------------------------
port : 443 address : 0.0.0.0
addr type : - interval : 15 pass intvl : 60
pass count: 3 fail count: 3 recv timeout: 10
SSL version : All
SSL cipher : RSA_ANY
SSL certificate-check : Ignore
http method : GET
http url : /
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
regex cache-len : 0
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
Support for Additional Syslog Logging Hosts
ACE software version A5(2.0) allows you to specify up to four hosts (the syslog servers) to receive the syslog messages sent by the ACE. Previous software releases allow you to specify a maximum of two syslog servers.
To configure the ACE with a syslog server, you use the logging host command in configuration mode. To specify additional syslog servers, repeat the command for each server. To remove a syslog server, use the no form of the command.
Guidelines and Restrictions
•
•
•
Examples
The following example show how to use the CLI to configure the ACE with a syslog server:
host1/Admin(config)# logging host 192.168.10.1 tcp/1025 format emblem default-udpThe following example show how to use the CLI to remove a syslog server:
host1/Admin(config)# no logging host 192.168.10.1Support for SSL Session ID Stickiness
ACE software version A5(2.0) allows you to configure SSL session ID stickiness using the new SSL sticky and HTTPS policy map features. Previous software releases require a more involved process to configure SSL session ID stickiness in which you configure a generic protocol-parsing policy and a sticky group of type layer-4-payload with attributes configured to locate the SSL session ID inside the payload.
To configure SSL session ID stickiness using ACE software version A5(2.0), the sticky command has been modified to include the ssl option and the policy-map type loadbalance command has been modified to include the https option. After creating the SSL sticky, you apply it to an HTTPS policy map.
This section includes the following topics:
•
•
Using the Modified sticky Command for SSL Session ID Stickiness
The modified syntax of the sticky configuration mode command is as follows:
sticky {http-content | http-cookie | http-header | ip-netmask | layer4-payload | radius | rtsp-header | sip|header | ssl | v6-prefix} name
no sticky {http-content | http-cookie | http-header | ip-netmask | layer4-payload | radius | rtsp-header | sip|header | ssl | v6-prefix} name
The ssl keyword has been added for configuring a sticky that is based on the SSL session ID. When you enter this command, the prompt changes to the sticky SSL content configuration mode (config-sticky-content) where you use the commands listed in Table 7 to define the SSL sticky attributes.
Guidelines and Restrictions
•
•
•
•
•
Examples
The following example shows to create an SSL sticky (SSL_STICKY) and configure its attributes:
host1/Admin(config)# sticky ssl SSL_STICKYhost1/Admin(config-sticky-ssl)# length 125host1/Admin(config-sticky-ssl)# serverfarm SERVERFARM_SSLhost1/Admin(config-sticky-ssl)# timeout 720The following example shows to remove an SSL sticky:
host1/Admin(config)# no sticky ssl SSL_STICKYUsing the Modified policy-map type loadbalance Command for SSL Session ID Stickiness
The modified syntax of the policy-map type loadbalance configuration mode command is as follows:
policy-map type loadbalance {first-match | generic | http | https | radius | rdp | rtsp | sip}
The https keyword has been added for configuring a policy map for a sticky that is based on the SSL session ID. The complete syntax for the command when using the https keyword is as follows:
policy-map type loadbalance https first-match map_name
where map_name is the policy map name. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
When you enter this command, the prompt changes to the policy map loadbalance HTTPS configuration mode (config-pmap-lb-https) where you use the following procedure to configure the policy map with the match condition and sticky server farm:
Step 1
match name source-address
Example
host1/Admin(config-pmap-lb-https)# match HTTPS source-address
Specifies the source address as the inline match condition, which is the only inline match condition required for SSL session parsing.
Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).
Step 1
class class-default
Example
host1/Admin(config-pmap-lb-https)# class class-default
Enters the policy map load balancing HTTPS class configuration mode. The class-default is the only class option available because it is the only class required for SSL session parsing.
Step 1
sticky-serverfarm sfarm_name
Example
host1/Admin(config-pmap-lb-https-c)# sticky-serverfarm SERVERFARM_SSL
Specifies the sticky server farm associated with the SSL sticky group (see the "Using the Modified sticky Command for SSL Session ID Stickiness" section).
Guidelines and Restrictions
•
•
Examples
The following example shows how to configure an HTTPS policy map to include the server farm (SERVERFARM_SSL) associated with the SSL sticky (SSL_STICKY) created in the previous section:
host1/Admin(config)# policy-map type loadbalance https first-match PMAP_HTTPShost1/Admin(config-pmap-lb-https)# match HTTPS source-addresshost1/Admin(config-pmap-lb-https)# class class-defaulthost1/Admin(config-pmap-lb-https-c)# sticky-serverfarm SERVERFARM_SSLSupport for the ACE No Payload Encryption Software Version
With ACE software Version A5(2.0), Cisco makes available the following two ACE software versions:
•
•
Note
This section includes the following topics:
•
•
ACE NPE Software Version CLI Changes
Table 8 lists the CLI commands that are removed from the ACE A5(2.0) NPE software version.
Table 9 lists the CLI commands that are either not functioning or are modified as a result of the commands removed from the ACE A5(2.0) NPE software version (see Table 8).
ACE NPE Software Version Device Manager GUI Changes
Changes to the Device Manager GUI for the ACE A5(2.0) NPE software version are as follows:
•
•
For more details, see the "Information About the ACE No Payload Encryption Software Version" section in the Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance or online help.
Support for A5(2.0)-Specific Features in ACE Appliance Device Manager GUI
With the A5(2.0) software release, the ACE appliance Device Manager GUI includes support for:
•
•
•
•
•
•
•
•
•
For details, refer to the Device Manager GUI Guide, Cisco ACE 4700 Series Application Control Engine Appliance.
http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html
Support for Creation of RDP Parameter Maps
The Microsoft Remote Desktop Protocol (RDP) provides users with remote display and input capabilities over network connections for Windows-based applications running on a terminal server. In a load-balancing configuration, the ACE distributes incoming session connections across the terminal servers in a server farm according to the load-balancing method configured on the server farm. For background on RDP load balancing as performed by the ACE, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Per CSCua04753, the ACE now supports the use of a parameter map for RDP load-balancing connections. By default, if the real server that matches the routing token information in the RDP packet from the client is DOWN, the connection will be reset and the RDP packet will be dropped. By configuring routing-token-rebalance under an RDP-type parameter map and applying that parameter map to a VIP, if the real server that matches the routing token information is DOWN, RDP packets will not be dropped and the connection will be redirected to another server.
The following topics describe how to define an RDP parameter map and associate it with a server-load balancing policy map:
•
•
•
•
Configuring an RDP Parameter Map
The parameter map type rdp command specifies an RDP-type parameter map. After you create the parameter map, you configure settings in RDP parameter map configuration mode. You then reference this parameter map in the policy map using the appl-parameter rdp advanced-options command.
The syntax of the parameter map type rdp configuration mode command is as follows:
parameter map type rdp name
The name argument specifies the name assigned to the RDP parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to create a RDP-type parameter map called RDP_MAP, enter:host1/Admin(config)# parameter-map type rdp RDP_MAPhost1/Admin(config-parammap-rdp)#To remove the RDP parameter map, use the no form of this command.
Guidelines and Restrictions
You can also use the ACE Device Manager GUI to create an RDP-type parameter map. For more information, see the "Configuring RDP Parameter Maps" section of the online help or the Device Manager GUI Guide vA5(2.0), Cisco ACE 4700 Series Application Control Engine Appliance.
Defining a Description to the RDP Parameter Map
You can provide a brief summary of the RDP parameter map by using the description command in RDP parameter map configuration mode. The syntax of this command is as follows:
description text
For the text argument, enter an unquoted text string with a maximum of 240 alphanumeric characters including spaces.
For example, to specify a description of an RDP parameter map, enter the following command:
host1/Admin(config-parammap-rdp)# description Remote Desktop Protocol parameter mapTo remove the description from the RDP parameter map, enter:
host1/Admin(config-parammap-rdp)# no descriptionEnabling Routing Token Rebalance in the RDP Parameter Map
You enable the routing-token-rebalance function in the RDP parameter map by using the routing-token-rebalance command in RDP parameter map configuration mode. There are no arguments for this command.
For example, enter the following command:
host1/Admin(config-parammap-rdp)# routing-token-rebalanceTo remove the routing-token-rebalance command from the RDP parameter map, enter:
host1/Admin(config-parammap-rdp)# no routing-token-rebalanceAssociating the RDP Parameter Map with a Layer 3 and Layer 4 Network Traffic Policy Map
You associate the RDP parameter map with a Layer 3 and Layer 4 network traffic policy map by using the appl-parameter rdp advanced-options command in policy-map class configuration mode.
Note
The syntax of this command is as follows:
appl-parameter rdp advanced-options name
The name argument identifies the existing RDP parameter map.
For example, to specify the appl-parameter rdp advanced-options command as an action for the network policy map, enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICYhost1/Admin(config-pmap)# class FILTERRDPhost1/Admin(config-pmap-c)# appl-parameter rdp advanced-options RDP_MAPTo disassociate the RDP parameter map as an action from the network policy map, enter:
host1/Admin(config-pmap-c)# no appl-parameter rdp advanced-options RDP_MAPGuidelines and Restrictions
You can also use the ACE Device Manager GUI to associate an RDP parameter map with a Layer 3 and Layer 4 network traffic policy map. For more information, see the "Setting Policy Map Rules and Actions for Layer 3/Layer 4 Network Traffic" section of the online help or the Device Manager GUI Guide vA5(2.0), Cisco ACE 4700 Series Application Control Engine Appliance.
Ability to Enable Regular Expression Download Optimization
When you perform a number of configuration changes while traffic is running, either administrative tasks such as putting a real server inservice and out-of-service, or Layer 7 configuration changes such as modifying one or more class maps within a policy, these changes may result in traffic hitting an incorrect policy and being sent to the incorrect server farm. In this case, the HTTP regex tree gets recompiled and downloaded after every configuration change even if the change is limited to inservice/no inservice of a real server which does not alter the HTTP regex tree.
Per CSCtz37625, the ACE now displays the hidden command limit-regex-dnld enable in configuration mode to enable regular expression download optimization. When you specify the limit-regex-dnld enable command, the HTTP regex tree is not re-compiled and downloaded when performing processes such as putting a real server inservice and out-of-service. This feature is disabled by default.
To view information related to the regex download optimization status, the show download information command has been added to software version A5(2.0).
switch/Admin# show download informationcontext: AdminRegex download optimization status: ENABLEDInterface Download-status------------------------------------------------------200 Completed165 Completed1006 CompletedSupport for NTPv3 Authentication
Network Time Protocol (NTP) synchronizes the ACE system clock to a time server. Per CSCtr62165, the ACE appliance is now complaint with the NTPv3 standard and supports NTPv3 authentication through the addition of a series of new ntp commands in configuration mode and a series of new show ntp commands in Exec mode.
For details on the use of NTP by the ACE appliance, see the Administration Guide, Cisco ACE Appliance Control Engine, Chapter 1, Setting Up the ACE, the "Synchronizing the ACE with an NTP Server" section.
This section includes the following topics:
•
Configuring NTP Authentication
You can configure the ACE appliance to authenticate the time sources to which the local clock is synchronized. When you enable NTP authentication, the ACE appliance synchronizes to a time source only if the source carries one of the authentication keys specified by the ntp trusted-key command. The ACE appliance drops any packets that fail the authentication check and prevents them from updating the local clock.
Note
Perform the following sequence to configure your ACE appliance for NT authentication using the new ntp commands included as part of software version A5(2.0):
Step 1
ntp authentication-key number md5 md5-string
To remove an NTP authentication key, use the no form of this command.
The keywords and arguments are:
•
•
•
Step 2
ntp trusted-key number
To remove the NTP trusted key, use the no form of this command.
The range for the number argument is from 1 to 65535.
Step 3
ntp authenticate
To disable NTP authentication, use the no form of this command.
For example, to configure the ACE appliance to synchronize only to time sources that provide authentication key 42 in their NTP packets:
host/Admin# confighost/Admin(config)# ntp authentication-key 42 md5 ExampleKeyhost/Admin(config)# ntp trusted-key 42host/Admin(config)# ntp authenticate
Enabling NTP Logging
You can enable NTP logging in order to generate system logs with significant NTP events. Use the ntp logging configuration mode command to turn on NTP logging for the ACE appliance.
Note
The syntax of the ntp logging configuration mode command is as follows:
ntp logging
To turn off NT logging on the ACE appliance, use the no form of this command.
For example, to enable NTP logging for the ACE appliance:
host/Admin# confighost/Admin(config)# ntp loggingDisplaying NTP Information
To display the new NTP configuration status and relevant information, use the show ntp command from Exec mode. Only users who are authenticated in the Admin context can use the show ntp command.
The syntax of the show ntp configuration mode command has been expanded as follows:
show ntp {authentication-keys | authentication-status | logging-status | trusted-keys}
The keywords are:
•
•
•
•
For example, enter:
host/Admin# show ntp authentication-keys-----------------------------Auth key MD5 String-----------------------------1 ExampleKeyhost/Admin# show ntp trusted-keysTrusted Keys:1host/Admin# show ntp logging-statusNTP logging enabled.host/Admin# show ntp authentication-statusAuthentication enabled.Extended Range of Supported Characters in a URL
In software releases prior to A5(2.0), the ACE HTTP parser accepted characters in the range of 32 to 126 characters in the UTF-8 encoding schema for URLs. Per CSCts64534, with software release A5(2.0) the ACE has extended support for characters in the range from 128 to 255 (all characters) in the UTF-8 encoding schema for URLs. This extended range is allowed only when the parsing non-strict command is configured in the HTTP parameter map configuration mode.
Configuring an SNMP Peer Engine ID for the Standby ACE
In prior releases, the ACE allowed you to configure an SNMP engine ID that applied to both the active and standby ACE. Per CSCtq59860, you can configure a different engine ID for the standby ACE in a redundant configuration. The snmp-server engineid command in configuration mode includes the new peer engineid peer_value option. The syntax of this command is as follows:
snmp-server engineid local_value [peer engineid peer_value]
The local_value argument is the engine ID for the active ACE. If you do not enter the peer engineid value_2 option, the local_value argument applies to both the active and standby ACEs.
To change the value of an engine ID, you must change both values. Otherwise, the ACE displays the following error message:
Enter valid value for engineid/peer engineidEither both should be same or both should changeTo change the peer_value argument, you must also change the local_value argument, or visa versa, for example:
host/Admin(config)# snmp-server engineid 1234567892 peer engineid 2234567891host/Admin(config)# snmp-server engineid 2134567892 peer engineid 2324567891To change a configuration in which the active and standby engine IDs are different to a value that is the same value for both engine IDs, you must enter a value that is different for both IDs, for example:
host/Admin(config)# snmp-server engineid 2134567892 peer engineid 2324567891host/Admin(config)# snmp-server engineid 4567892213When synchronization occurs in a redundant configuration, consider the following:
•
–
host1/admin(config-sfarm-host)#–
host1/admin(config-sfarm-host-rs)#•
–
host1/admin(config-sfarm-host-rs)#–
host1/admin(config-sfarm-host)#•
–
host1/admin(config)#–
host1/admin(config-sfarm-host)#Use the no form of this command to delete the SNMP engine IDs. If you delete one engine ID, the other engine ID is also deleted.
The show snmp engineID command has been modified to display the identification of the peer SNMP engine in addition to the local SNMP engine configured on the ACE. If you use the show snmp engineID command on the standby ACE, the local SNMP engine ID will be the peer engine ID presented in the active ACE.
For example, you can configure different SNMPv3 engine IDs for active and standby ACEs:
host1/Admin(config)# snmp-server engineid 1234567890 peer engineid 0987654321host1/Admin(config)# do show snmp engineIDLocal SNMP engineID: 1234567890PEER SNMP engineID: 0987654321Configuring an SNMP User Authentication Password for the Standby ACE
Per CSCtq60293, when you configure Simple Network Management Protocol (SNMP) user information, you can specify a peer privacy password for user authentication parameters or user encryption parameters. Upon a switchover from an active ACE to the standby ACE, the snmp-server user command privacy passwords synchronize between the active and standby ACEs.
The modified keywords, arguments, and options are as follows:
snmp-server user user_name [group_name] [auth {md5 | sha} local_password1 peer peer_password1] [priv [aes-128] local_password2 peer peer_password 2] [localizedkey]]
•
Note
The ACE supports the following special characters in a password: , . / = + - ^ @ ! % ~ # $ * ( ) .
•
Note
Note the following specifications for the user encryption peer password:
–
–
–
Spaces are not allowed. The ACE supports the following special characters in a password: , . / = + - ^ @ ! % ~ # $ * ( ) .
By default, the ACE automatically creates an SNMP engine ID for the Admin context and each user context. The SNMP engine represents a logically separate SNMP agent. In prior releases, the ACE allowed you to configure an SNMP engine ID that applied to both the active and standby ACE. With software version A5(2.0), you can configure a different engine ID for the standby ACE in a redundant configuration (see the "Configuring an SNMP Peer Engine ID for the Standby ACE" section).
Included below are a set of running configuration examples that illustrate the interaction between the SNMP engine ID and SNMP user password configured for the active and standby ACEs in a redundant configuration:
SNMP Engine ID is the Same for the Active and Standby ACEs and SNMP User Password is the Same for the Active and Standby ACEs
host1/Admin(config)# snmp-server engineid 1234567890 peer engineid 1234567890host1/Admin(config)# snmp-server user usr1 auth md5 abcd12345 peer abcd12345host1/Admin(config)# do show running-config | inc snmpGenerating configuration....snmp-server engineid 1234567890 peer engineid 1234567890snmp-server user usr1 Network-Monitor auth md5 0xea2410e3deaf422dab2ad979d4068257 peer 0xea2410e3deaf422dab2ad979d4068257 localizedkeySNMP Engine ID is the Same for the Active and Standby ACEs and SNMP User Password is Different for the Active and Standby ACEs
host1/Admin(config)# snmp-server engineid 1234567890 peer engineid 1234567890host1/Admin(config)# snmp-server user usr1 auth md5 abcd12345 peer ghijk12345host1/Admin(config)# do show running-config | inc snmpGenerating configuration....snmp-server engineid 1234567890 peer engineid 1234567890snmp-server user usr1 Network-Monitor auth md5 0xea2410e3deaf422dab2ad979d4068257 peer 0x2285eb39064716bdae814e038bcba6c4 localizedkeySNMP Engine ID is Different for the Active and Standby ACEs and SNMP User Password is the Same for the Active and Standby ACEs
host1/Admin(config)# snmp-server engineid 123456789010 peer engineid 0987654321host1/Admin(config)# snmp-server user usr1 auth md5 abcd12345 peer abcd12345host1/Admin(config)# do show running-config | inc snmpGenerating configuration....snmp-server engineid 123456789010 peer engineid 0987654321snmp-server user usr1 Network-Monitor auth md5 0x4d1d46812f0484674e98ba5757ed7aa7 peer 0x95312cbb53b1ef8c8c556fa5a2378fa7 localizedkeySNMP Engine ID is Different for the Active and Standby ACEs and SNMP User Password is Different for the Active and Standby ACEs
host1/Admin(config)# snmp-server engineid 123456789010 peer engineid 0987654321host1/Admin(config)# snmp-server user usr1 auth md5 abcd12345 peer dfgh12345host1/Admin(config)# do show running-config | inc snmpGenerating configuration....snmp-server engineid 123456789010 peer engineid 0987654321snmp-server user usr1 Network-Monitor auth md5 0x4d1d46812f0484674e98ba5757ed7aa7 peer 0x30778af5b6239945f2bae806112676b3 localizedkeyAbility for the ACE to Accept a User Account with an Expired Date
You create a user and define the associated role and operating domains by using the username command in configuration mode. You can optionally specify an expiration date of the user account. In software releases prior to A5(2.0), when the user account is configured with a specified expiration date in the past (with reference to the ACE system clock), the ACE displays the error message "date should be in the future, expiry date wrong" and the configuration is then rejected. When operating in a redundant configuration, when the username expires, the expired configuration is not removed from the running-configuration file on the active ACE which can result in synchronization issues.
Per CSCtx45830, with software release A5(2.0), when the user account is configured with an expiry date in the past (with reference to the ACE system clock), the ACE displays the error message "User created with expiry date in the past, please edit to make it usable, which allows the configuration to be accepted. You can then modify the expiration date associated with the user account.
The change allows an expired "username" configuration to be accepted.
For example:
host1/Admin(config)# do show clockWed Mar 14 11:16:09 UTC 2012host1/Admin(config)# username abcd pass cisco123 expire 2012-03-10 role Network-Monitor domain default-domainUser created with expiry date in the past, please edit to make it usablehost1/Admin(config)#Addressing SSL Certificates With a Subject or Issuer That is Greater Than 256 Bytes
Per CSCtx64223, when the subject or issuer of an imported SSL certificate is greater than 256 bytes the ACE truncates the output of imported certificate when displayed by using the show crypto certificate all command. Note that the imported certificate is not affected by this truncation; if you export the certificate you will still be able to see the correct (greater than 256 byte) subject or issuer in the certificate.
As an example, included below is authcert2 with the full subject:
Subject: /C=US/ST=Georgia/L= Friendly Village of Crooked Creek/O=State Community College of Friendly Village of Crooked Creek/OU=Department of Thermonuclear and Quantum Physics/CN=www.statecommununitycollegeoffriendlyvillageofcrookedcreek.edu/emailAddress=adm in@statecommununitycollegeoffriendlyvillageofcrookedcreek.eduIncluded below is an example of the current show crypto certificate all command output behavior in releases prior to software version A5(2.0).
host1/Admin# show crypto cert allauthcert2Subject: /C=US/ST=Georgia/L= Friendly Village of Crooked Creek/O=State Community College of Friendly Village of Crooked Creek/OU=Department of Thermonuclear and Quantum Physics/CN=www.statecommununitycollegeoffriendlyvillageofcrookedcreek.edu/emailAddresIssue r: / C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division,CN=Thawte Server CA/emailAddress=server-certs@thawte.comNot Before: Dec 8 14:57:27 2009 GMTNot After: Sep 3 14:57:27 2012 GMTCA Cert: FALSEAnd here is an example of this updated show crypto certificate all command output behavior in software version A5(2.0).
host1/Admin# show crypto cert allauthcert2Subject: /C=US/ST=Georgia/L= Friendly Village of Crooked Creek/O=State Community College of Friendly Village of Crooked Creek/OU=Department of Thermonuclear and Quantum Physics/CN=www.statecommununitycollegeoffriendlyvillageofcrookedcreek.edu/emailAddresIssuer: / C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division,CN=Thawte Server CA/emailAddress=server-certs@thawte.comNot Before: Dec 8 14:57:27 2009 GMTNot After: Sep 3 14:57:27 2012 GMTCA Cert: FALSEWith software version A5(2.0), the ACE prints a warning message when importing a certification with a subject or issuer that is greater than 256 bytes.
host1/Admin# crypto import terminal 1.pemPlease enter PEM formatted data. End with "quit" on a new line.-----BEGIN CERTIFICATE-----MIIEOzCCA6SgAwIBAgIJAOKKpTWQqvrjMA0GCSqGSIb3DQEBBQUAMGsxCzAJBgNVBAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEQMA4GA1UECgwHQ29tcGFueTEMMAoGA1UECwwDdHMzMRAwDgYDVQQDDAdqdW5pY2hpMRowGAYJKoZIhvcNAQkBFgtqdW5AanVuLmNvbTAeFw0xMjAxMTcwNTA5NDRaFw0xMzAxMTYwNTA5NDRaMIIB1TELMAkGA1UEBhMCSlAxSTBHBgNVBAgMQGFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWExSTBHBgNVBAcMQGJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmJiYmIxSTBHBgNVBAoMQGNjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2NjY2MxSTBHBgNVBAsMQGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGQxSTBHBgNVBAMMQGVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWVlZWUxTzBNBgkqhkiG9w0BCQEWQGZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmZmYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALolNEP5y5UhhnzXmam3UZo1z9JuLc8ZcYHc415SDA5LKHDFIZN8WKjJjypRe+jadalXaK8WM1yDGDlaM3JxQXZ4F+V5FNHhpTUxtfnvnpePWMmrP4jZowehkThgaXBqRq3XyLFhErxqE3VIIOU6j9EYbFeiZIfNlCiTvr5xFiOHAgMBAAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBT0DegeQfhf5TKa7E1Ixcw3gTYLODAfBgNVHSMEGDAWgBQgBnaGwQfnkTa5vsz+38FffwKlyDANBgkqhkiG9w0BAQUFAAOBgQBGlH6ipRK2my5ND391XJGnf7xraRuBGKRdXAbCArCtH2Nbt5nM//kQHZx0im7go+Zq25bzBnyFvUoS6HM09P+elzPeY4ZjeJ+vRL8qbQgOsI1yEUEAwbeNilYGjFwI1SZGubvFPJRYplab7Bb217C9u4J6wZDmxdcSbRAh7pNHUA==-----END CERTIFICATE-----quitWarning: this cert has a subject or issuer DN that is longer than 256 bytes, the 'show crypto certificate all' command truncates anything beyond 256 bytes in the subject and issuer fieldsAccessibility of Device Manager GUI Troubleshooting Tools from the ACE Appliance CLI
Per CSCtq28184, software version A4(2.3) now enables you to utilize the following troubleshooting tools on the Device Manager GUI directly from the ACE appliance CLI:
•
•
•
•
For details on troubleshooting the ACE appliance Device Manager GUI, see the Device Manager GUI Guide, Cisco ACE 4700 Series Application Control Engine Appliance, Chapter 16, Using ANM Troubleshooting Tools.
Enabling the Device Manager GUI
By default, the ACE appliance Device Manager is always enabled. If you find that the ACE appliance Device Manager is no longer running, you can use the dm enable configuration mode command to restart the Device Manager GUI.
For example, enter:
host/Admin# confighost/Admin(config)# dm enableIf you need to stop the ACE appliance Device Manager, enter the no dm enable configuration mode command as follows:
host/Admin(config)# no dm enableThe no dm enable command will be included in the running-configuration file.
Note
Checking the ACE Appliance DM GUI Status
If you find that the ACE appliance Device Manager GUI appears to be inoperative, enter the dm status CLI command in Exec mode to verify the health of the Device Manager. The dm status command output indicates the status of the Device Manager: whether it is running or stopped. This status is reflected in the DM and MySQL fields of the status output.
Note
For example, enter:
host1/Admin# dm statusDM ROOT:DM HOME: /opt/CSCOanmJAVA_HOME: /opt/CSCOanm/jreMYSQL_HOME: /opt/CSCOanm/mysqljava is /opt/CSCOanm/jre/bin/javaDM : STOPPED (1230)MySQL : STOPPED (1187)If you see that the status is "STOPPED," restart the Device Manager by using the dm reload command. You must be the global administrator to access the dm reload command. Restarting the Device Manager does not impact ACE functionality; however, it may take a few minutes for the Device Manager to reinitialize as it reads the ACE CLI configuration.
For example, enter:
host1/Admin# dm reloadAre you sure you want to reload? [y/n]: yBeginning Reload...Reload done..Reenter the dm status CLI command in Exec mode to verify that the status of the Device Manger is "RUNNING."
For example, enter:
host1/Admin# dm statusDM ROOT:DM HOME: /opt/CSCOanmJAVA_HOME: /opt/CSCOanm/jreMYSQL_HOME: /opt/CSCOanm/mysqljava is /opt/CSCOanm/jre/bin/javaDM : RUNNING (1230)MySQL : RUNNING (1187)Creating a Lifeline Package from the ACE Appliance CLI
If you encounter issues with the ACE appliance Device Manager GUI (for example, when the Device Manager GUI is inoperative), use the dm lifeline CLI command from Exec mode to create and upload a lifeline to a remote TFTP server. The dm lifeline CLI command is useful when a lifeline cannot be generated from the ACE appliance Device Manager GUI.
Assumptions
•
•
•
•
Procedure
Note
Step 1
host1 login: adminPassword: xxxxxStep 2
dm lifeline tftp host [port]
The keywords, arguments, and options are as follows:
•
•
A file is created and uploaded to the specified TFTP server in the following format: anm-lifeline.tar.gz. The file is copied to the root directory of the TFTP server.
ACE Probes Use the Interface MAC Address as the Source MAC Address
When an ACE-configured probe closes internally or times-out internally, a RST is generated. Per CSCtj65372, a change has occurred in this RST to have the source MAC address use the nterface MAC address instead of the current behavior of using the virtual MAC address. The inclusion of the interface MAC address allows both the active and standby ACEs in an HA pair to send the RST packet out with the source MAC as its respective interface MAC rather than a common virtual MAC address.
This changes impacts the following probes types: TCP, FTP, HTTP, and HTTPS.
Available ACE Licenses
By default, the ACE supports the following features and capabilities:
•
•
•
•
•
•
You can increase the performance and operating capabilities of your ACE product by purchasing one of the optional license bundles. You can order your ACE product by ordering a license bundle. Each license bundle includes the ACE appliance and a software license bundle.
Note
You must have the Admin role in the Admin context to perform the tasks of installing, removing, and updating the license. You can access the license and show license commands only in the Admin context.
For more information on license bundles, see the Administration Guide, Cisco ACE Appliance Control Engine.
ACE demo licenses are available through your Cisco account representative. A demo license is valid for only 60 days. At the end of this period, you must update the demo license with a permanent license to continue to use the ACE software. To view the expiration of a demo license, from the CLI, use the show license usage command in Exec mode. If you need to replace the ACE appliance, you can copy and install the licenses onto the replacement appliance.
Ordering an Upgrade License and Generating a Key
This section describes the process that you use to order an upgrade license and to generate a license key for your ACE. To order an upgrade license, follow these steps:
Step 1
Step 2
•
http://www.cisco.com/go/license
•
http://www.cisco.com/go/license/public
Step 3
Step 4
Step 5
For information on installing and managing ACE licenses:
•
•
Performing ACE Appliance Software Upgrades and Downgrades
For detailed information on performing an ACE appliance software upgrade or downgrade, see the Upgrade/Downgrade Guide, Cisco ACE 4700 Series Application Control Engine Appliance. You can find this document at the following location on www.cisco.com:
http://www.cisco.com/en/US/products/ps7027/prod_installation_guides_list.html
Supported Browsers for ACE Appliance Device Manager
The ACE appliance Device Manager is supported on the following browsers listed in Table 10. All browsers require cookies and DHTML (JavaScript) to be enabled.
ACE Operating Considerations
The ACE operating considerations are as follows:
•
–
–
–
–
The default HTTP and SSL ports (80 and 443) now have a default inactivity timeout of 300 seconds.
•
host1/Admin(con)# no ft auto-sync running-configWhen you have finished making configuration changes to the active ACE, reenable config sync by entering the following command:
host1/Admin(con)# ft auto-sync running-configAfter you reenable config sync, the ACE automatically synchronizes the configuration changes from the active ACE to the standby ACE.
•
•
–
–
•
•
•
We recommend that you do not make any configuration changes during this time and that you do not keep the ACEs in this state for a long time. However, if you must make configuration changes while the ACEs are in split mode, ensure that you manually synchronize to the standby ACE any configuration changes that you make on the active ACE. After you complete the software upgrade of both ACEs, a bulk sync occurs automatically to replicate the entire configuration of the new active ACE to the new standby ACE. At this time, dynamic incremental sync will be enabled again. For details about config sync, see Chapter 6, "Configuring Redundant ACEs" in the Administration Guide, Cisco ACE Appliance Control Engine.
•
When redundancy peers run on different version images, the SRG compatibility field of the show ft peer detail command output displays WARM_COMPATIBLE instead of COMPATIBLE. When the peer is in the WARM_COMPATIBLE state, the FT groups on standby go to the STANDBY_WARM state instead of the STANDBY_HOT state.
The following software version combinations in Table 12 indicate whether the SRG compatibility field displays WARM_COMPATIBLE (WC) or COMPATIBLE (C):
Note
•
•
•
When naming ACE objects (such as a real server, virtual server, parameter map, class map, health probe, and so on) for use with ANM, enter an alphanumeric string of 1 to 64 characters, which can include the following special characters: underscore (_), hyphen (-), dot (.), and asterisk (*). Spaces are not allowed.
•
ACE Documentation Set
You can access the ACE appliance documentation on www.cisco.com at:
http://www.cisco.com/en/US/products/ps7027/tsd_products_support_series_home.html
For information about installing the Cisco ACE 4710 appliance hardware, see the following documents on Cisco.com:
To familiarize yourself with the ACE appliance software, see the following documents on Cisco.com:
For detailed configuration information on the ACE appliance Device Manager, see the following software documents on Cisco.com:
For detailed configuration information on the ACE CLI, see the following software documents on Cisco.com:
Administration Guide, Cisco ACE Appliance Control Engine
Describes how to perform the following administration tasks on the ACE:
•
•
•
•
•
•
•
•
•
Application Acceleration and Optimization Guide, Cisco ACE 4700 Series Application Control Engine Appliance
Describes the configuration of the application acceleration and optimization features of the ACE. It also provides an overview and description of the application acceleration features and operation.
Cisco Application Control Engine (ACE) Configuration Examples Wiki
Provides examples of common configurations for load balancing, security, SSL, routing and bridging, virtualization, and so on.
Describes the procedures and methodology in wiki format to troubleshoot the most common problems that you may encounter during the operation of your ACE.
Command Reference, Cisco ACE Application Control Engine
Provides an alphabetical list and descriptions of all CLI commands by mode, including syntax, options, and related commands.
Routing and Bridging Guide, Cisco ACE Application Control Engine
Describes how to perform the following routing and bridging tasks on the ACE:
•
•
•
•
•
•
Security Guide, Cisco ACE Application Control Engine
Describes how to perform the following ACE security configuration tasks:
•
•
•
•
•
Server Load-Balancing Guide, Cisco ACE Application Control Engine
Describes how to configure the following server load-balancing tasks on the ACE:
•
•
•
•
•
•
•
SSL Guide, Cisco ACE Application Control Engine
Describes how to configure the following Secure Sockets Layer (SSL) tasks on the ACE:
•
•
•
•
System Message Guide, Cisco ACE Application Control Engine
Describes how to configure system message logging on the ACE. This guide also lists and describes the system log (syslog) messages generated by the ACE.
Virtualization Guide, Cisco ACE Application Control Engine
Describes how to operate your ACE in a single context or in multiple contexts.
Cisco CSS-to-ACE Conversion Tool User Guide
Describes how to use the CSS-to-ACE conversion tool to migrate Cisco Content Services Switches (CSS) running-configuration or startup-configuration files to the ACE.
For detailed configuration information on Cisco Application Networking Manager (ANM), see the following software document on Cisco.com:
Software Version A5(2.2) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(2.2):
•
•
•
•
Software Version A5(2.2) Resolved Caveats
The following resolved caveats apply to software version A5(2.2):
•
•
%ACE-6-615003: VLAN 64 not available for configuring an interface%ACE-6-615003: VLAN 65 not available for configuring an interfaceWorkaround: Use different VLANs in the startup configuration.
•
•
•
•
•
•
•
•
Workaround: Set the same MSS values at the connection parameter map "set tcp mss min **** max ****" in the parameter map connection configuration mode.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
ACE/Admin# copy ru startup-config Generating configuration....running config of context Admin savedACE/Admin# sh: /proc/sys/vm/drop_caches: Permission deniedWorkaround: Use the wr mem command to save the configuration data.
•
•
Workaround: Perform one of the following tasks:
–
–
•
•
•
•
•
•
•
•
Workaround: Follow one of these steps:
–
–
–
•
•
•
–
–
Workaround: None.
•
For example: In following string "GET /pictures/index.html?request=My Picture&color=red", the space between "My" and "Picture" should be encoded as 20%. This request should be reset if it reaches ACE. However, this request is ignored and the connection is dropped to a L4 level. Workaround: None.•
•
•
•
•
Software Version A5(2.2) Open Caveats
The following open caveats apply to software version A5(2.2):
•
•
•
•
•
•
•
•
Workaround: Disable the "tcp-options window-scale allow" option.
•
•
•
Software Version A5(2.2) Command Changes
Table 13 lists the command changes in software version A5(2.2).
Note
Table 13 CLI Command Changes in Version A5(2.2)
Configuration
resource usage-threshold
The resource usage-threshold command is used to configure the resource usage threshold. See the "Performing Device Monitoring" section for more details.
Configuration
system-level
The system-level command determines the resource usage threshold configured at the system level. See the "Bandwidth and Active SSL Connections" section for more details.
Configuration
rserver
The rserver command determines the resource usage threshold configured at the real server level. See the "Performing Device Monitoring" section for more details.
Configuration
vip
The vip command determines the resource usage threshold configured at the VIP level. See the "Performing Device Monitoring" section for more details.
Admin
show resource monitor-params
The show resource monitor-params command is used to display the monitoring parameters. See the "Displaying Monitoring Parameters Using the Show Command" section for more details.
Configuration
show tech-support brief
The show tech-support brief captures the basic information such as, resource usage, NP commands, and crypto counters. See the "Using the show tech-support brief Command for Critical Output" section for more details.
Configuration
buffer threshold
The buffer threshold command is used to set threshold levels for NP buffers in the active and standby ACEs and the active ACE can switchover when the NP buffer reaches or exceeds the threshold. See the "Monitoring and Displaying the Network Processor Buffer Usage (Switchover Option and NP Buffer Usage)"section for more details.
Exec
show np number buffer usage
The show np number buffer usage command displays the buffer usage by each NP. See the "Monitoring and Displaying the Network Processor Buffer Usage (Switchover Option and NP Buffer Usage)" section for more details.
Software Version A5(2.2) System Log Messages
Software version A5(2.2) includes the following system log (syslog) message changes:
445004
Error Message %ACE-5-445004Current bandwidth usage[95%] exceeds configured high threshold[90%] at context level, context Context_1Current bandwidth usage[30%] within configured threshold limits at context level, context Context_1Current bandwidth usage[5%] falls below configured low threshold [8%] at context level, context Context_1Current bandwidth usage[30%] within configured threshold limits at context level, context Context_1Current cpu usage[5%] exceeds configured high threshold[3%] at system levelCurrent memory usage[5%] exceeds configured high threshold[3%] at system levelCurrent Connection rate [95%] exceeds configured high threshold[90%] at system levelCurrent Connection rate [30%] within configured threshold limits at system levelCurrent Connection rate [5%] falls below configured low threshold [8%] at system levelCurrent Connection rate [30%] within configured threshold limits at system levelCurrent Connection rate [5%] exceeds configured high threshold[3%] at context levelCurrent Connection rate [30%] within configured threshold limits at context level, context Context_1Current Connection rate [5%] falls below configured low threshold [8%] at context level, context Context_1Current Connection rate [30%] within configured threshold limits at context level, context Context_1Current Concurrent connection [95%] exceeds configured high threshold[90%] at system levelCurrent Concurrent connection [30%] within configured threshold limits at system levelCurrent Concurrent connection [5%] falls below configured low threshold [8%] at system levelCurrent Concurrent connection [30%] within configured threshold limits at system levelCurrent Concurrent connection [5%] exceeds configured high threshold[3%] at context levelCurrent Concurrent connection [30%] within configured threshold limits at context level, context Context_1Current Concurrent connection [5%] falls below configured low threshold [8%] at context level, context Context_1Current Concurrent connection [30%] within configured threshold limits at context level, context Context_1Explanation The syslog notifications (at system level) when enabled are generated along with the SNMP notifications.
Recommended Action None required.
445005
Error Message %ACE-5-445005Current bandwidth usage[95%] exceeds configured high threshold[90%] at context level, context Context_1Current bandwidth usage[30%] within configured threshold limits at context level, context Context_1Current bandwidth usage[5%] falls below configured low threshold [8%] at context level, context Context_1Current bandwidth usage[30%] within configured threshold limits at context level, context Context_1Current cpu usage[5%] exceeds configured high threshold[3%] at system levelCurrent memory usage[5%] exceeds configured high threshold[3%] at system levelCurrent Connection rate [95%] exceeds configured high threshold[90%] at system levelCurrent Connection rate [30%] within configured threshold limits at system levelCurrent Connection rate [5%] falls below configured low threshold [8%] at system levelCurrent Connection rate [30%] within configured threshold limits at system levelCurrent Connection rate [5%] exceeds configured high threshold[3%] at context levelCurrent Connection rate [30%] within configured threshold limits at context level, context Context_1Current Connection rate [5%] falls below configured low threshold [8%] at context level, context Context_1Current Connection rate [30%] within configured threshold limits at context level, context Context_1Current Concurrent connection [95%] exceeds configured high threshold[90%] at system levelCurrent Concurrent connection [30%] within configured threshold limits at system levelCurrent Concurrent connection [5%] falls below configured low threshold [8%] at system levelCurrent Concurrent connection [30%] within configured threshold limits at system levelCurrent Concurrent connection [5%] exceeds configured high threshold[3%] at context levelCurrent Concurrent connection [30%] within configured threshold limits at context level, context Context_1Current Concurrent connection [5%] falls below configured low threshold [8%] at context level, context Context_1Current Concurrent connection [30%] within configured threshold limits at context level, context Context_1Explanation The syslog notifications (at system level) when enabled are generated along with the SNMP notifications.
Recommended Action None required.
Software Version A5(2.1) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(2.1):
•
•
•
•
Software Version A5(2.1) Resolved Caveats
The following resolved caveats apply to software version A5(2.1):
•
•
•
•
%MAC_MOVE-SP-4-NOTIF: Host <IBM-SERVER-MAC> in vlan XX is flapping between port<ACE-PORT> and port <SERVER-PORT>Workaround: If necessary, downgrade to an earlier version of ACE software.
•
•
•
•
•
•
•
•
•
•
•
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.8:
CVE ID CVE-2012-1165 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
CVE ID CVE-2012-2131 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
CVE ID CVE-2012-2110 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
•
PSIRT Evaluation
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 5/4.5:
CVE ID CVE-2011-4576 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
•
–
–
–
–
Workaround: Perform either of the following:
–
–
•
–
–
–
–
Workaround: Configure VIP with a specific port.
•
ACE/Context# sh np 1 me-stats "-stcp" | i MSS Drops due to packet size exceed MSS: 21 0
Workaround: Configure the exceed-mss allow in connection parameter-map for VIP.
parameter-map type connection TCP-Options exceed-mss allow policy-map multi-match VIPS class IPv6-SSL-Term-Vip connection advanced-options TCP-Options•
•
Workaround: For the VIP addresses that are inactive, remove the configuration in the multi-match policy and reapply them.
•
•
•
Workaround: None.
•
Workaround: After the ACE appliance cools down, insert a L2 switch between the ft links and drop an unexpected frame on this switch.
•
Workaround: Do not enter the show np <x> me-stats "-call command with a large number of connections.
•
•
•
•
Workaround: Remove the CRL check from the configuration.
•
•
May 2 2012 15:10:03 : %ACE-2-901001 kernel: unable to alloc and fill in a new mtsbuf (pid=1017,sap=1124, ret_val = -97, size=85608, opc=4001)May 2 2012 15:10:03 : %ACE-2-901001 kernel: unable to alloc and fill in a new mtsbuf (pid=1017,sap=1124, ret_val = -97, size=85608, opc=4001)May 2 2012 15:10:03 : %ACE-2-901001 kernel: unable to alloc and fill in a new mtsbuf (pid=1017,sap=1124, ret_val = -97, size=85608, opc=4001)May 2 2012 15:10:04 : %ACE-2-901001 kernel: unable to alloc and fill in a new mtsbuf (pid=1017,sap=1124, ret_val = -97, size=85608, opc=4001)Workaround: None.
•
•
•
Software Version A5(2.1) Open Caveats
The following open caveats apply to software version A5(2.1):
•
%ACE-6-615003: VLAN 64 not available for configuring an interface%ACE-6-615003: VLAN 65 not available for configuring an interfaceWorkaround: Use different VLANS in the startup configuration.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
%ACE-LB_STICKY-3-728007: Internal communications error (sticky) -- type 4Workaround: Perform a failover or reload the ACE.
•
Software Version A5(2.1) Command Changes
Table 14 lists the command changes in software version A5(2.1).
Note
Table 14 CLI Command Changes in Version A5(2.1)
Configuration
url rewrite
The url rewrite command enables the ACE to rewrite URI/URL pathnames in HTTP requests. See "Configuring HTTP URL Rewrite" section for more details.
RADIUS Sticky Configuration
enduser-v6-prefix-length
The enduser-v6-prefix-length command is used to configure prefix length for end user packets from the radius sticky mode. The valid prefix range is 1 to 128 bits. The default range is 64 bits. See the "Related CLI Changes" section for more details.
Configuration
resource usage-threshold
The resource usage-threshold command is used to configure the resource usage threshold. See the "Bandwidth and Active SSL Connections" section for more details.
Configuration
system-level
The system-level command determines the resource usage threshold configured at the system level. See the "Bandwidth and Active SSL Connections" section for more details.
Exec
show nat-fabric
The show nat-fabric command determines the NAT pool utilization displays the following information: User Pool ID, NP Utilization, Lower/Upper Ip Addresses fields, and Context name. See the "NAT Pool Utilization" section for more details.
Software Version A5(2.1) System Log Messages
Software version A5(2.1) includes the following system log (syslog) message changes:
445004
Error Message %ACE-5-445004:Current Bandwidth usage[98%] exceeds configured high threshold[95%] at system level Current Bandwidth usage[1%] falls below configured low threshold [10%] at system level Current Bandwidth usage[78%] within configured threshold limits at system level Current Active SSL connections usage[98%] exceeds configured high threshold[95%] at system level Current Active SSL connections usage[78%] within configured threshold limits at system levelExplanation Per CSCua52945, the syslog notifications (at system level) when enabled are generated along with the SNMP notifications.
Recommended Action None required.
445005
Error Message %ACE-5-445005:Current Bandwidth usage[98%] exceeds configured high threshold[95%] at context level, context Admin Current Bandwidth usage[1%] falls below configured low threshold [10%] at context level, context Admin Current Bandwidth usage[78%] within configured threshold limits at context level, context AdminExplanation Per CSCua52945, the syslog notifications (at context level) when enabled are generated along with the SNMP notifications.
Recommended Action None required.
Software Version A5(2.0) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages
This release note includes resolved and open caveats that have a severity level of Sev1, Sev2, and customer-use Sev 3. The following sections contain the resolved and open caveats in software version A5(2.0):
•
•
•
•
Software Version A5(2.0) Resolved Caveats
The following resolved caveats apply to software version A5(2.0):
•
•
•
•
•
•
%ACE-5-441003: Serverfarm (name) failed in policy_map (policy_name) --> class_map(cmap_name) without backup. Number of failovers = count1, number of times back inservice = count2Workaround: None.
•
•
•
•
Workaround: Reboot the ACE. If this action does not resolve the issue, try another configuration change to force the ACL to be downloaded again to the internal VLAN.
•
•
•
•
•
•
•
•
•
access-list acl1 extended deny ip any 10.45.15.192 0.0.0.15access-list acl1 extended deny ip any 10.45.15.192 0.0.9.0Workaround: Manually unconfigure the objects (such as access-lists) that have an inconsistent netmask and then reconfigure them with consistent netmasks.
•
Error on Standby device when applying configuration fileIt is a timing issue due to the configuration size and total number of contexts. This issue can lead to a lot of Configuration Manager (CFGMGR) download processing which can lead to a command failure. CSCtn50357 is tracking the issue of the actual failing command that is not properly placed in the error logs. Workaround: Perform either of the following:
–
–
•
•
Workaround: Configure the gateway farther from the switch and use SUP as the L2 device.
•
Warning:- MTS queue is full for opcode %d sap %d pid %d clear idle debug plugin sessions or telnet/ssh connections to recover"Workaround: Close all the debug plugin sessions and terminate command execution in all telnet/ssh connections to prevent these warning messages.
•
•
•
•
•
Workaround: Use the peer engine id for the configuration.
•
•
snmpd[1027]: (ctx:9)send_notification: new: enqueueing notification........snmpd[1027]: (ctx:9)ERROR: notif_enqueue_tail : Size of the notif queue is more than the MAX size 250Software version A4(2.3) increased the queue size from 250 to 2000 and added new a counter in the show snmp command output to print the number of traps dropped because of a full SNMP queue. Workaround: None.
•
Note
•
•
%ACE-6-253008: CRL My_CRL could not be retrieved, reason: invalid format of dataWorkaround: None.
•
•
Workaround: None.
•
CSCtr93395—When UDP Booster is enabled on the ACE to load balance DNS traffic, the source IP address does not appear in the show conn command output.host1/Admin# show connconn-id np dir proto vlan source destination state----------+--+---+-----+----+---------------------+---------------------+-----101646 1 in UDP 302 0.0.38.114:0 80.58.61.250:53 -Workaround: None.
•
•
•
•
•
•
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20110830-apache.shtml.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 7.8/7.8:
CVE ID CVE-2011-3192 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
•
"%ACE-1-106028: WARNING: ACL Merge failed to add ACE..." and this leave the servicepolicy incomplete and can cause traffic to be mis-handled.Workaround: Perform one of the following actions:
–
–
•
no 2 match anyv6no 3 match port- v6 tcp range 6 600no 2 match anyYou cannot apply the "match port tcp/udp...." after removing the "match anyv6" config from the L3/4n/w traffic class map. The following error message is displayed:
Class contains Ipv6 match statementWorkaround: Use the no command with the line number only.
•
•
•
•
•
•
%ACE-1-106028: WARNING: ACL Merge failed to locate specified ACL in context 10049.Error while processing service-policy. Incomplete rule is currently applied on interface vlan200. Configuration on this interface needs to be manually revertedWorkaround: Perform one of the following actions:
–
–
•
•
•
•
•
•
The following example system error log messages may appear shortly before the ACE reloads:
MG6509:7:Admin 443001 Critical 24-Oct-2011 08:29:09 System experienced fatalfailure.Service name:cfgmgr(1050) has terminated on receiving signal 11,system willnot be reloadedMG6509:7:Admin 443001 Critical 24-Oct-2011 08:30:23 System experienced fatalfailure.Service name:cfgmgr(1050) crashed, last core saved,system will not be reloadedMG6509:7:Admin 199006 Critical 24-Oct-2011 08:30:31 Orderly reload started at Mon Oct24 13:30:28 2011 by System. Reload reason: Service "cfgmgr"Workaround: None.
•
•
•
•
(config-if)# description t"e"st(config-if)# do sh run | i descGenerating configuration....description t e stYou may encounter this behavior when strings between double quotations do not include a space. This show output display issue does not occur if you insert a space between the double quotations (for example, description t" e"st). In this case, a space is inserted between " and e. For example:
(config-if)# description t" e"st(config-if)# do sh run | i descGenerating configuration....description t " e" stWorkaround: None.
•
ACE/1(config)# no serverfarm host 2081bancaPRError: serverfarm 'SERVERFARM_X' is in use. Cannot delete!Workaround: Reboot the ACE.
•
•
–
–
•
ACE/Admin# show system resourcesLoad average: 1 minute: 0.10 5 minutes: 0.05 15 minutes: 0.01Processes : 5606 total, 1 runningCPU states : nan% user, nan% kernel, nan% idle <<<<<<<<<<<<<Memory usage: 5955K total, 1623K used, 4331K free21K buffers, 858K cacheAverage ME Utilization StatisticsWorkaround: None.
•
%ACE-3-251006: Health probe failed for server x.x.x.x on port nnnnn, internal error:failed to setup a socketWorkaround: None.
•
•
–
–
–
Workaround: To resolve this issue, address one or more of the configuration items listed above.
•
•
•
•
•
parameter-map type http PM-HTTPpersistence-rebalanceset header-maxparse-length 65535set content-maxparse-length 65535•
•
•
•
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are 4.3/3.6:
CVE ID CVE-2011-2461 has been assigned to document this issue.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
•
•
interface vlan Xdescription Admin context Mgmt VLAN IP addressOn the standby ACE, the "IP address" section is parsed as an actual command and changed to the peer ip address command. When the ACE applies this command, it fails because the command is incomplete. The following config synchronization error appears:
cdn-ace--2/Admin# sh ft config-errorTue Mar 6 22:56:56 CET 2012`peer ip address`*** Context 5: cmd parse error ***--*** Context 5: Config can not been applied fully. Please try again***Workaround: Remove or modify the description string. For example, insert a dash (-) or underscore (_) instead of using a space.
•
Workaround: In order for the ACE to generate two different real server IDs for the same real server to separately serve the HTTP and HTTPS traffic, create a new server farm to contain the same real servers. Associate one server farm to the HTTP policy and another server farm to the HTTPS policy. The ACE will generate two different real server IDs for this real server because it is configured with two server farms. The server connections for HTTP traffic are stored to and retrieved from the reuse pool indexed by one real server ID, and server connections for HTTPS traffic are stored to and retrieved from the reuse pool indexed by a different real server ID.
•
•
•
•
Workaround: Use "no buddy green" instead of "no buddy.
•
PSIRT Evaluation:
CVE ID CVE-2012-0053 has been assigned to document this issue.
•
•
Workaround: None.
•
•
•
Workaround:Change the request method to HEAD.
•
•
Workaround: None.
•
•
•
–
–
%ACE-2-443001: System experienced fatal failure.Service name:cfgmgr(1961) has terminated on receiving signal 11,system will not be reloaded Service name:cfgmgr(1961) has terminated on receiving signal 11 The ACE will then reboot and generate cfgmgr_log core files.Workaround: Revert to the software version A4(1.0) using the recovery image.
•
•
•
•
•
•
–
–
–
–
–
Workaround: None.
•
Cannot configure dissimilar sticky groups under same memberWorkaround: None.
•
–
–
–
For example: If a syn attack is transmitted with the value more than the value set in SYN-cookie, the ACE sends SYN-ACK with a MTU of 536 bytes. If the MSS of the server is less than 536 bytes, a GET request is sent instead of SYN-attack. The ACE does not proxy the TCP connections.
Workaround: None.
•
•
Workaround: Perform either of the following
–
–
•
•
ACE/Admin# show stats http | inc chunkHTTP chunks : 0 , Pipelined requests : 0Workaround: Use IP-based stick.
•
Workaround: Do not remove and add a VIP simultaneously.
•
•
Workaround: Do not enter the show np x me-stats "-call command with a large number of connections.
•
•
•
Workaround: None.
•
•
•
Software Version A5(2.0) Open Caveats
The following open caveats apply to software version A5(2.0):
•
•
•
•
•
•
•
%MAC_MOVE-SP-4-NOTIF: Host <IBM-SERVER-MAC> in vlan XX is flapping between port<ACE-PORT> and port <SERVER-PORT>Workaround: If necessary, downgrade to an earlier version of ACE software.
•
•
•
•
•
•
•
•
•
Workaround: Shutdown or disable the FT interface and do a checkpoint rollback to an empty config in an active ACE module.
•
•
•
•
•
Component:Cert/Key" & "Error, decipher failed for keysWorkaround: Do not use special characters when you configure certificates and key names.
•
•
•
•
•
•
•
Workaround: None.
•
•
•
•
•
•
–
–
–
–
Workaround: Perform either of the following:
–
–
•
–
–
–
–
Workaround: Configure VIP with a specific port.
•
ACE/Context# sh np 1 me-stats "-stcp" | i MSS Drops due to packet size exceed MSS: 21 0
Workaround: Configure the exceed-mss allow in connection parameter-map for VIP.
parameter-map type connection TCP-Options exceed-mss allow policy-map multi-match VIPS class IPv6-SSL-Term-Vip connection advanced-options TCP-Options•
•
Workaround: For the VIP addresses that are inactive, remove the configuration in the multi-match policy and reapply them.
•
•
•
•
Workaround: Perform one of the following:
–
–
•
Workaround: None.
•
Workaround: After the ACE appliance cools down, insert a L2 switch between the ft links and drop an unexpected frame on this switch.
•
–
–
Workaround: None.
•
–
–
–
Workaround: Perform one of the following:
–
–
•
Workaround: Configure HTTP on the front end.
•
•
For example, execute the command in the following configuration,
ACE/Admin(config)# resource-class RC1ACE/Admin(config-resource)# limit-resource all minimum 20% maximum equal-to-minThe following output of the above command appears in the configuration:
resource-class RC1limit-resource all minimum 0.20 maximum equal-to-minThe output of show resource-usage confirms that the ACE assigns only 0.2% (instead of 20%) of resources to all contexts, which are member of this class.
Workaround: Remove the percent sign ('%') from the "limit-resource" command. The ACE accepts any non-numerical characters (even multiple of these characters) in the <number> field without any error.
•
Workaround: Remove the CRL check from the configuration.
•
•
•
Workaround: Create a single content with all the match statements in it.
Software Version A5(2.0) Command Changes
Table 15 lists the command changes in software version A5(2.0).
Note
Table 15 CLI Command Changes in Version A5(2.0)
Exec
show download information
Per CSCtz37625, the ACE now displays the hidden command limit-regex-dnld enable in configuration mode (as described below). To view information related to the regex download optimization status, the show download information command has been added to software version A5(2.0).
See the "Ability to Enable Regular Expression Download Optimization" section for details.
Configuration
limit-regex-dnld enable
Per CSCtz37625, the ACE now displays the hidden command limit-regex-dnld enable in configuration mode. You would use this command to enable regular expression download optimization.
See the "Ability to Enable Regular Expression Download Optimization" section for details.
Parameter map HTTP
parsing error-drop
Per CSCts66950, when you configure advanced HTTP behavior for SLB connections in an HTTP parameter map, you can configure the ACE to drop a packet when there is an HTTP parse error defected even if there is a class-default class map configured in the same policy. By default, when there is a class-default class map configured in the same policy, the ACE will attempt to perform Layer 4 load-balancing even when an HTTP parsing error is encountered. The new parsing drop-error command provides you with the option to drop the parse error connection instead of performing Layer 4 load-balancing.
For details on configuring an HTTP parameter map, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine. You can also use the ACE Device Manager GUI to configure an HTTP parameter map. For more information, see the "Configuring HTTP Parameter Maps" section of the online help or the Device Manager GUI Guide vA5(2.0), Cisco ACE 4700 Series Application Control Engine Appliance.
Software Version A5(2.0) System Log Messages
Software version A5(2.0) includes the following system log (syslog) message changes.
251006
Error Message %ACE-3-251006: Health probe failed for server A.B.C.D on port P, internal error: error messagePer CSCtx58666, the "failed to setup a socket" error message has been removed as one of the possible values of the error message variable from syslog %ACE-3-251006.
251010
Error Message %ACE-3-251010: Health probe failed for server A.B.C.D on port P, error messagePer CSCtx58666, connection error message "Network or Host is unreachable" has been added as one of the possible values of the error message variable in syslog %ACE-3-251010.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2013 Cisco Systems, Inc. All rights reserved.
