Application Control Engine Module Command Reference (Software Version A1(2))
Parameter Map Connection Configuration Mode Commands

Table Of Contents

Parameter Map Connection Configuration Mode Commands

(config-parammap-conn) exceed-mss

(config-parammap-conn) nagle

(config-parammap-conn) random-sequence-number

(config-parammap-conn) reserved-bits

(config-parammap-conn) set ip tos

(config-parammap-conn) set tcp ack-delay

(config-parammap-conn) set tcp buffer-share

(config-parammap-conn) set tcp mss

(config-parammap-conn) set tcp queue-limit

(config-parammap-conn) set tcp syn-retry

(config-parammap-conn) set tcp timeout

(config-parammap-conn) set tcp window-scale

(config-parammap-conn) set timeout inactivity

(config-parammap-conn) slowstart

(config-parammap-conn) syn-data

(config-parammap-conn) tcp-options

(config-parammap-conn) urgent-flag

Parameter Map HTTP Configuration Mode Commands

(config-parammap-http) case-insensitive

(config-parammap-http) length

(config-parammap-http) persistence-rebalance

(config-parammap-http) server-conn reuse

(config-parammap-http) set content-maxparse-length

(config-parammap-http) set header-maxparse-length

(config-parammap-http) set secondary-cookie-delimiters

Parameter Map SSL Configuration Mode Commands

(config-parammap-ssl) cipher

(config-parammap-ssl) version


Parameter Map Connection Configuration Mode Commands

Parameter map connection configuration mode commands allow you to define a connection type parameter map. After you create the connection parameter map, you can configure TCP, IP, and other settings for the map. To create the connection parameter map and access parameter map connection configuration mode, use the parameter-map type connection command in configuration mode. The prompt changes to (config-parammap-conn). Use the no form of this command to remove the parameter map from the configuration.

parameter-map type connection name

no parameter-map type connection name

Syntax Description

name

Name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The commands in this mode require the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

After you create and configure a parameter map, you must associate the parameter map with a policy map to activate it. For details, see the (config-pmap-c) connection advanced-options command in the "Policy Map Configuration Mode Commands" section.

Examples

To create a connection parameter map called TCP_MAP, enter:

host1/Admin(config)# parameter-map type connection TCP_MAP
host1/Admin(config-parammap-conn)#

To delete the connection parameter map, enter:

host1/Admin(config)# no parameter-map type connection TCP_MAP

Related Commands

(config) parameter-map type

(config-pmap-c) connection advanced-options

show parameter-map

(config-parammap-conn) exceed-mss

To configure the ACE behavior for a segment that exceeds the maximum segment size (MSS), use the exceed-mss command. Use the no form of this command to reset the ACE behavior to the default of discarding segments that exceed the MSS.

exceed-mss {allow | drop}

no exceed-mss

Syntax Description

allow

Permits segments that exceed the maximum segment size

drop

(Default) Discards segments that exceed the maximum segment size


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To configure the ACE to allow segments that exceed the MSS, enter:

host1/Admin(config-parammap-conn)# exceed-mss allow

To configure the ACE to discard segments that exceed the MSS, enter:

host1/Admin(config-parammap-conn)# exceed-mss drop

To reset the ACE behavior to the default of discarding segments that exceed the MSS, enter:

host1/Admin(config-parammap-conn)# no exceed-mss

Related Commands

(config-parammap-conn) set tcp mss

show parameter-map

(config-parammap-conn) nagle

To enable Nagle's algorithm, use the nagle command. By default, this command is disabled. Nagle's algorithm instructs a sender to buffer any data to be sent until all outstanding data has been acknowledged or until there is a full segment of data to send. Use the no form of this command to disable Nagle's algorithm.

nagle

no nagle

Syntax Description

This command has no keywords or arguments.

Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Nagle's algorithm automatically concatenates a number of small buffer messages transmitted over the TCP connection. This process increases throughput by decreasing the number of segments that need to be sent over the network. However, the interaction between Nagle's algorithm and the TCP delay acknowledgment may increase latency in your TCP connection. Disable Nagle's algorithm when you observe an unacceptable delay in a TCP connection.

Examples

To enable Nagle's algorithm, enter:

host1/Admin(config-parammap-conn)# nagle

To disable Nagle's algorithm, enter:

host1/Admin(config-parammap-conn)# no nagle

Related Commands

show parameter-map

(config-parammap-conn) random-sequence-number

To enable TCP sequence number randomization, use the random-sequence-number command. This feature is enabled by default. Use the no form of this command to disable sequence number randomization.

random-sequence-number

no random-sequence-number

Syntax Description

This command has no keywords or arguments.

Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Randomizing TCP sequence numbers adds a measure of security to TCP connections by making it more difficult for a hacker to guess or predict the next sequence number in a TCP connection.

Examples

To enable sequence number randomization, enter:

host1/Admin(config-parammap-conn)# random-sequence-number

To disable sequence number randomization, enter:

host1/Admin(config-parammap-conn)# no random-sequence-number

Related Commands

show parameter-map

(config-parammap-conn) reserved-bits

To configure how an ACE handles segments with the reserved bits set in the TCP header, use the reserved-bits command. Use the no form of this command to reset the default ACE behavior of clearing reserved bits set in the TCP header of a segment.

reserved-bits {allow | clear | drop}

no reserved-bits

Syntax Description

allow

(Default) Permits segments with the reserved bits set in the TCP header.

clear

Clears the reserved bits in the TCP header and allows the segment.

drop

Discards segments with reserved bits set in the TCP header.


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The six reserved bits in the TCP header are for future use and usually have a value of 0.

Examples

To configure the ACE to allow segments with the reserved bits set in the TCP header, enter:

host1/Admin(config-parammap-conn)# reserved-bits allow

To reset the ACE behavior to the default of clearing reserved bits set in the TCP header of a segment, enter:

host1/Admin(config-parammap-conn)# no reserved-bits

Related Commands

show parameter-map

(config-parammap-conn) set ip tos

To set the type of service (TOS) for packets in a particular traffic class, use the set ip tos command. Use the no form of the command to instruct the ACE not to rewrite the IP TOS value.

set ip tos number

no set ip tos

Syntax Description

number

The packet TOS value. Enter an integer from 0 to 255.


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The TOS for a packet determines how the network handles the packet and balances its precedence, delay, throughput, and reliability. This information resides in the IP header.

For details about the TOS byte, see RFCs 791, 1122, 1349, and 3168.

Examples

To set a packet's TOS value to 20, enter:

host1/Admin(config-parammap-conn)# set ip tos 20

To instruct the ACE to ignore the TOS of a packet, enter:

host1/Admin(config-parammap-conn)# no set ip tos

Related Commands

show parameter-map

(config-parammap-conn) set tcp ack-delay

To configure an ACK delay, use the set tcp ack-delay command in connection parameter-map configuration mode. You can configure the ACE to delay sending the ACK from a client to a server. Some applications require delaying the ACK for best performance. To reset the ACK delay timer to the default value of 200 ms, use the no form of the command.

set tcp ack-delay number

no set tcp ack-delay

Syntax Description

number

Specifies the delay time for sending an ACK from a client to a server. Enter an integer from 0 to 400 ms. The default is 200 ms.


Command Modes

Connection parameter-map configuration mode

Command History

Release          Modification
3.0(2)           This command was introduced.


Usage Guidelines

Delaying the ACK can help reduce congestion by sending one ACK for multiple segments rather than ACKing each segment individually.

Examples

To delay sending an ACK for 400 ms, enter:

host1/Admin(config-parammap-conn)# set tcp ack-delay 400

To reset the ACK delay timer to the default value of 200 ms, enter:

host1/Admin(config-parammap-conn)# no set tcp ack-delay

Related Commands

show parameter-map

(config-parammap-conn) set tcp buffer-share

To set the maximum receive or transmit buffer share size for each TCP connection, use the set tcp buffer-share command. Use the no form of this command to reset the buffer limit to the default value of 32768 bytes.

set tcp buffer-share {rx | tx} number

no set tcp buffer-share {rx | tx}

Syntax Description

rx

Specifies the receive buffer share.

tx

Specifies the transmit buffer share.

number

The maximum size of the receive or transmit buffer share in bytes for each TCP connection. Enter an integer from 8192 to 262144. The default is 32768 bytes.


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

To improve throughput and overall performance, the ACE buffers the number of bytes you specify before processing received data or transmitting data. For large bandwidth and delay network connections, you may want to increase the default buffer size to realize network performance improvements.

Examples

To specify a maximum receive buffer share size of 16384 bytes, enter:

host1/Admin(config-parammap-conn)# set tcp buffer-share rx 16384

To reset the buffer limit to the default value of 32768 bytes, enter:

host1/Admin(config-parammap-conn)# no set tcp buffer-share rx

Related Commands

show parameter-map

(config-parammap-conn) set tcp mss

To set a range of values for the TCP maximum segment size (MSS), use the set tcp mss command. Use the no form of this command to reset the minimum MSS to the default value of 536 bytes and the maximum MSS to the default value of 1460.

set tcp mss min number1 max number2

no set tcp mss

Syntax Description

min number1

Specifies the smallest segment size in bytes that the ACE will accept. Enter an integer from 0 to 65535. The default is 536 bytes. If the ACE receives a segment smaller than the configured minimum size, the module discards the segment.

max number2

Specifies the largest segment size in bytes that the ACE will accept. Enter an integer from 0 to 65535. The default is 1460 bytes. If the ACE receives a segment larger than the configured maximum size, the module discards the segment.


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The MSS is the largest amount of TCP data that the ACE accepts in one segment. To prevent the transmission of many smaller segments or very large segments that may require fragmentation, you can set the minimum and maximum acceptable sizes of the MSS.

Both the host and the server can set the MSS when they first establish a connection. If either maximum exceeds the value you set with the set tcp mss max command, then the ACE overrides the maximum value and inserts the value you set. If either maximum is less than the value you set with the set tcp mss min command, then the ACE overrides the maximum and inserts the minimum value you set (the minimum value is actually the smallest maximum allowed). For example, if you set a maximum size of 1200 bytes and a minimum size of 400 bytes, when a host requests a maximum size of 1300 bytes, then the ACE alters the packet to request 1200 bytes (the maximum). If another host requests a maximum value of 300 bytes, then the ACE alters the packet to request 400 bytes (the minimum).

The default of 1460 bytes allows room for header information so that the total packet size does not exceed 1500 bytes, which is the default MTU for Ethernet. See the following calculation:

If the host or server does not request an MSS, the ACE assumes that the RFC 793 default value of 536 bytes is in effect.

If you set the MSS to be greater than 1460, packets may become fragmented, depending on the MTU size (which is 1500 by default for Ethernet). Large numbers of fragments can impact the performance of the ACE. Setting the minimum size prevents the TCP server from sending many small TCP data packets to the client and impacting the performance of the server and the network.

Examples

To set the minimum acceptable MSS size to 768 bytes, and the maximum acceptable MSS size to 1500, enter:

host1/Admin(config-parammap-conn)# set tcp mss min 768 max 1500

To reset the minimum MSS to the default value of 536 bytes and the maximum MSS to the default value of 1460, enter:

host1/Admin(config-parammap-conn)# no set tcp mss

Related Commands

(config-parammap-conn) exceed-mss

show parameter-map

(config-parammap-conn) set tcp queue-limit

To configure the maximum number of out-of-order TCP segments, use the set tcp queue-limit command. When the queue is full, the ACE drops additional segments until the queue is emptied. TCP retransmission allows for recovery of the discarded segments. Use the no form of this command to reset the queue limit to the default value of 5 segments.

set tcp queue-limit number

no set tcp queue-limit

Syntax Description

number

The maximum number of out-of-order TCP segments. Enter an integer from 0 to 100. The default is 5 segments.


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To limit the number of out-of-order TCP segments to 10, enter:

host1/Admin(config-parammap-conn)# set tcp queue-limit 10

To reset the queue limit to the default value of 5, enter:

host1/Admin(config-parammap-conn)# no set tcp queue-limit

Related Commands

show parameter-map

(config-parammap-conn) set tcp syn-retry

To set the maximum number of attempts that the ACE can take to transmit a TCP segment, use the set tcp syn-retry command. Use the no form of this command to reset the maximum number of TCP SYN retries to the default value of 4.

set tcp syn-retry number

no set tcp syn-retry

Syntax Description

number

The number of SYN retries. Enter an integer from 1 to 6. The default is 4.


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To set the maximum number of attempts that the ACE takes to transmit a TCP segment to 3, enter:

host1/Admin(config-parammap-conn)# set tcp syn-retry 3

To reset the maximum number of TCP SYN retries to the default value of 4, enter:

host1/Admin(config-parammap-conn)# no set tcp syn-retry

Related Commands

show parameter-map

(config-parammap-conn) set tcp timeout

To configure a timeout for TCP embryonic connections (connections that result from an incomplete three-way handshake) and half-closed connections (connections where the client has sent a FIN and the server has not responded), use the set tcp timeout command. Use the no forms of this command to reset TCP timeout values to their default settings.

set tcp timeout {embryonic seconds | half-closed seconds}

no set tcp timeout {embryonic | half-closed}

Syntax Description

embryonic

Specifies the timeout for embryonic connections.

seconds

The time in seconds after which the ACE times out an embryonic connection. Enter an integer from 0 to 4294967295. The default is 5 seconds. A value of 0 specifies that the ACE never times out an embryonic connection.

half-closed

Specifies the timeout for half-closed connections.

seconds

The time in seconds after which the ACE times out a half-closed connection. Enter an integer from 0 to 4294967295. The default is 3600 seconds (1 hour). A value of 0 specifies that the ACE never times out a half-closed TCP connection.


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To set the TCP timeout for embryonic connections to 24 seconds, enter:

host1/Admin(config-parammap-conn)# set tcp timeout embryonic 24

To reset the TCP half-closed connection timeout to the default value of 600 seconds, enter:

host1/Admin(config-parammap-conn)# no set tcp timeout half-closed

Related Commands

show parameter-map

(config-parammap-conn) set tcp window-scale

To configure a TCP window-scale factor for network paths with high-bandwidth, long-delay characteristics, use the set tcp window-scale command. Use the no form of this command to reset the window-scale factor to its default setting.

set tcp window-scale number

no set tcp window-scale

Syntax Description

number

Window-scale factor. Enter an integer from 0 to 14. The default is 0.


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(2)           This command was introduced.


Usage Guidelines

The TCP window scaling feature adds support for the Window Scaling option in RFC 1323. We recommend increasing the window size to improve TCP performance in network paths with large bandwidth, long-delay characteristics. This type of network is called a long fat network (LFN).

The window scaling extension expands the definition of the TCP window to 32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header. You can increase the window size to a maximum scale factor of 14. Typical applications use a scale factor of 3 when deployed in LFNs.

Examples

To set the TCP window-scale factor to 3, enter:

host1/Admin(config-parammap-conn)# set tcp window-scale 3

To reset the TCP window-scale factor to the default value of 0, enter:

host1/Admin(config-parammap-conn)# no set tcp window-scale

Related Commands

show parameter-map

(config-parammap-conn) set timeout inactivity

To configure the connection inactivity timer, use the set timeout inactivity command. Use the no form of this command to reset the timeout inactivity values to the default ICMP, TCP, and UDP settings.

set timeout inactivity seconds

no set timeout inactivity

Syntax Description

inactivity

Specifies the timeout for idle TCP connections.

seconds

Time period after which the ACE disconnects idle established connections. Enter an integer from 0 to 4294967294. A value of 0 specifies that the ACE never times out a TCP connection. Default settings are:

ICMP—2 seconds

TCP—3600 seconds (1 hour)

UDP—120 seconds (2 minutes)


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The ACE uses the connection inactivity timer to disconnect established ICMP, TCP, and UDP connections that have remained idle for the duration of the specified timeout period.

The ACE rounds up the configured timeout value to the nearest 30-second interval.

Examples

To specify that the ACE disconnect idle established TCP connections after 2400 seconds, enter:

host1/Admin(config-parammap-conn)# set timeout inactivity 2400

To reset the ICMP, TCP, and UDP inactivity timeout to the default values, enter:

host1/Admin(config-parammap-conn)# no set timeout inactivity

Related Commands

show parameter-map

(config-parammap-conn) slowstart

To enable the slow start algorithm, use the slowstart command. This feature is enabled by default. Use the no form of this command to disable the slow start algorithm.

slowstart

no slowstart

Syntax Description

This command has no keywords or arguments.

Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The slow start algorithm is a congestion avoidance method in which TCP increases its window size as ACK handshakes arrive. It operates by observing that the rate at which new segments should be injected into the network is the rate at which the acknowledgments are returned by the host at the other end of the connection. For further details about the TCP slow start algorithm, see RFC 3390.

Examples

To enable the slow start algorithm, enter:

host1/Admin(config-parammap-conn)# slowstart

To disable the slow start algorithm, enter:

host1/Admin(config-parammap-conn)# no slowstart

Related Commands

show parameter-map

(config-parammap-conn) syn-data

To set the ACE behavior for SYN segments with data, use the syn-data command. Use the no form of this command to reset the ACE behavior to the default of allowing SYN segments that contain data.

syn-data {allow | drop}

no syn-data

Syntax Description

allow

(Default) Permits the SYN segments that contain data and flags them for data processing

drop

Discards the SYN segments that contain data


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Occasionally, the ACE may receive a SYN segment that contains data. You can configure the ACE to either discard the segment or flag the segment for data processing.

Examples

To instruct the ACE to discard segments that contain data, enter:

host1/Admin(config-parammap-conn)# syn-data drop

To reset the ACE behavior to the default of allowing SYN segments that contain data, enter:

host1/Admin(config-parammap-conn)# no syn-data

Related Commands

show parameter-map

(config-parammap-conn) tcp-options

To specify a range of TCP options not explicitly supported by the ACE, or to allow or clear the explicitly supported TCP options specified in a SYN segment, use the tcp-options command. Use the no form of this command to remove a TCP option range from the configuration or to reset the ACE to its default behavior of clearing the specified explicitly supported TCP options.

tcp-options {range number1 number2 {allow | drop}} | {selective-ack | timestamp | window-scale {allow | clear}}

no tcp-options {range number1 number2 {allow | drop}} | {selective-ack | timestamp | window-scale {allow | clear}}

Syntax Description

range number1 number2

Specifies, as a range of option numbers, the TCP options not explicitly supported by the ACE. The arguments are:

number1—Specifies the lower limit of the TCP option range. Enter either 6 or 7 or an integer from 9 to 255. See the Usage Guidelines for the available TCP options.

number2—Specifies the upper limit of the TCP option range. Enter 6 or 7 or an integer from 9 to 255. See the Usage Guidelines for the available TCP options.

allow

Allows any segment with the specified option set.

drop

Causes the ACE to discard any segment with the specified option set.

selective-ack

Allows the ACE to inform the sender about all segments that it received. The sender need only retransmit the lost segments, rather than waiting for a cumulative acknowledgement or retransmitting segments unnecessarily. Selective ACK (SACK) can reduce the number of retransmitted segments and increase throughput under some circumstances.

timestamp

Measures round-trip time (RTT) of a TCP segment between two nodes on a network. Timestamps are always sent and echoed in both directions.

window-scale

Allows the ACE to use a window scale factor that essentially increases the size of the TCP send and receive buffers. The sender specifies a window scale factor in a SYN segment that determines the send and receive window size for the duration of the connection.

clear

Clears the specified option from any segment that has it set and allows the segment. This is the default action on the explicitly supported options.


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Using the tcp-options command, the ACE permits you to allow or clear the following explicitly supported TCP options specified in a SYN segment:

Selective Acknowledgement (SACK)

Timestamp

Window Scale

You can specify this command multiple times to configure different options and actions. If you specify the same option with different actions, the ACE uses the order of precedence to decide which action to use.

The order of precedence for the actions in this command is:

1. Drop

2. Clear

3. Allow

The following table lists the TCP options not explicitly supported by the ACE.

Kind  Length  Meaning                                       Reference
6     6       Echo (obsoleted by option 8)                  [RFC1072]
7     6       Echo Reply (obsoleted by option 8)            [RFC1072]
9     2       Partial Order Connection Permitted            [RFC1693]
10    3       Partial Order Service Profile                 [RFC1693]
11            CC                                            [RFC1644]
12            CC.NEW                                        [RFC1644]
13            CC.ECHO                                       [RFC1644]
14    3       TCP Alternate Checksum Request                [RFC1146]
15    N       TCP Alternate Checksum Data                   [RFC1146]
16            Skeeter                                       [Knowles]
17            Bubba                                         [Knowles]
18    3       Trailer Checksum Option                       [Subbu & Monroe]
19    18      MD5 Signature Option                          [RFC2385]
20            SCPS Capabilities                             [Scott]
21            Selective Negative Acknowledgements (SNACK)   [Scott]
22            Record Boundaries                             [Scott]
23            Corruption experienced                        [Scott]
24            SNAP                                          [Sukonnik]
25            Unassigned (released 12/18/00)
26            TCP Compression Filter                        [Bellovin]


The table below lists the TCP options explicitly supported by the ACE.

Kind  Length  Meaning                                       Reference
0     -       End of Option List                            [RFC793]
1     -       No Operation                                  [RFC793]
3     3       WSOPT - Window Scale                          [RFC1323]
4     2       Selective Acknowledgement (SACK) Permitted    [RFC2018]
5     N       SACK                                          [RFC2018]
8     10      Time Stamp Option (TSOPT)                     [RFC1323]


Examples

To allow the segment with the SACK option set, enter:

host1/Admin(config-parammap-conn)# tcp-options selective-ack allow

To reset the behavior of the ACE to the default of clearing the SACK option and allowing the segment, enter:

host1/Admin(config-parammap-conn)# no tcp-options selective-ack allow

You can specify a range of options for each action. If you specify overlapping option ranges with different actions, the ACE uses the order of precedence described earlier in the Usage Guidelines to decide which action to perform for the specified options.

For example, enter:

host1/Admin(config-parammap-conn)# tcp-options range 6 7 allow
host1/Admin(config-parammap-conn)# tcp-options range 9 18 clear
host1/Admin(config-parammap-conn)# tcp-options range 19 26 drop

To remove the TCP option ranges from the configuration, enter:

host1/Admin(config-parammap-conn)# no tcp-options range 6 7 allow
host1/Admin(config-parammap-conn)# no tcp-options range 9 18 clear
host1/Admin(config-parammap-conn)# no tcp-options range 19 26 drop
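Added example (not part of the Cisco reference and not ACE code): a Python model of two behaviours this section describes, the tcp-options precedence for overlapping lines (drop before clear before allow, with clear as the documented default for the explicitly supported options) and the set tcp mss min/max rewriting of the MSS option in a SYN. It parses a constructed raw TCP options field; the End-of-Option-List padding and the pass-through of unconfigured unsupported options are assumptions, and the range form accepts clear because the example above uses it.

```python
import struct

# TCP option kinds from the two tables above; kind 2 (MSS) is governed by set tcp mss
END_OF_OPTIONS, NOP, MSS, WINDOW_SCALE, SACK_PERMITTED, SACK, TIMESTAMP = 0, 1, 2, 3, 4, 5, 8
EXPLICIT = {WINDOW_SCALE: "window-scale", SACK_PERMITTED: "selective-ack",
            SACK: "selective-ack", TIMESTAMP: "timestamp"}
PRECEDENCE = {"drop": 0, "clear": 1, "allow": 2}        # lower value wins on overlap
RANGE_KINDS = {6, 7} | set(range(9, 256))               # legal bounds for tcp-options range


def parse_options(raw):
    """Parse a TCP options field into [(kind, payload), ...]; NOPs are skipped."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == END_OF_OPTIONS:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad length for option kind %d" % kind)
        opts.append((kind, bytes(raw[i + 2:i + length])))
        i += length
    return opts


def serialize_options(opts):
    """Re-encode options, padding to a 32-bit boundary with End of Option List (assumed)."""
    out = bytearray()
    for kind, payload in opts:
        out += bytes([kind, 2 + len(payload)]) + payload
    while len(out) % 4:
        out.append(END_OF_OPTIONS)
    return bytes(out)


class TcpOptionsPolicy:
    """tcp-options lines; an option matched by several lines gets the highest-precedence action."""

    def __init__(self):
        self.rules = []   # list of (set of kinds, action)

    def add_range(self, lo, hi, action):
        # the Examples section uses clear with range too, so all three actions are accepted
        if not ({lo, hi} <= RANGE_KINDS and lo <= hi and action in PRECEDENCE):
            raise ValueError("invalid tcp-options range")
        self.rules.append((set(range(lo, hi + 1)) & RANGE_KINDS, action))

    def add_explicit(self, name, action):
        # selective-ack | timestamp | window-scale {allow | clear}
        kinds = {k for k, n in EXPLICIT.items() if n == name}
        if not kinds or action not in ("allow", "clear"):
            raise ValueError("invalid explicit tcp-options line")
        self.rules.append((kinds, action))

    def action_for(self, kind):
        matched = [a for kinds, a in self.rules if kind in kinds]
        if matched:
            return min(matched, key=PRECEDENCE.__getitem__)   # drop > clear > allow
        if kind in EXPLICIT:
            return "clear"    # documented default for the explicitly supported options
        return "allow"        # assumption: unconfigured other options pass through untouched


def apply_tcp_options(policy, raw):
    """Return ("drop", None) or ("allow", rewritten options) for a SYN's options field."""
    kept = []
    for kind, payload in parse_options(raw):
        action = "allow" if kind == MSS else policy.action_for(kind)
        if action == "drop":
            return "drop", None
        if action == "allow":
            kept.append((kind, payload))
        # "clear": the option is stripped and the segment continues
    return "allow", serialize_options(kept)


def clamp_mss(raw, mss_min=536, mss_max=1460):
    """set tcp mss min/max: a requested MSS above max is rewritten to max, below min to min.
    Returns (effective MSS, rewritten options); with no MSS option, RFC 793's 536 applies."""
    effective, rewritten = 536, []
    for kind, payload in parse_options(raw):
        if kind == MSS and len(payload) == 2:
            (requested,) = struct.unpack("!H", payload)
            effective = max(mss_min, min(mss_max, requested))
            payload = struct.pack("!H", effective)
        rewritten.append((kind, payload))
    return effective, serialize_options(rewritten)


# Constructed SYN options: MSS 1300, SACK permitted, timestamp, NOP, window scale 7
SYN_OPTS = (bytes([MSS, 4, 0x05, 0x14, SACK_PERMITTED, 2, TIMESTAMP, 10]) + struct.pack("!II", 1000, 0)
            + bytes([NOP, WINDOW_SCALE, 3, 7]))


def page_policy():
    """The three tcp-options range lines from the Examples plus selective-ack allow."""
    policy = TcpOptionsPolicy()
    policy.add_range(6, 7, "allow")
    policy.add_range(9, 18, "clear")
    policy.add_range(19, 26, "drop")
    policy.add_explicit("selective-ack", "allow")
    return policy
```

With page_policy() applied to SYN_OPTS the MSS and SACK-permitted options survive, the timestamp and window-scale options are cleared, and appending an MD5 Signature option (kind 19) makes the whole segment a drop.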

Related Commands

show parameter-map

(config-parammap-conn) urgent-flag

To set the Urgent Pointer policy, use the urgent-flag command. Use the no form of this command to return to the default setting of clearing the Urgent flag.

urgent-flag {allow | clear}

no urgent-flag

Syntax Description

allow

(Default) Leaves the Urgent flag as received. If the Urgent flag is set, the offset in the Urgent Pointer that indicates the location of the urgent data is valid. If the Urgent flag is not set, the offset in the Urgent Pointer is invalid.

clear

Sets the Urgent flag to 0, which invalidates the offset in the Urgent Pointer.


Command Modes

Parameter map connection configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

If the Urgent control bit (flag) is set in the TCP header, it indicates that the Urgent Pointer is valid. The Urgent Pointer contains an offset that indicates the location of the segment following the urgent data in the payload. Urgent data is data that should be processed as soon as possible, even before normal data is processed. The ACE permits you to allow or clear the Urgent flag. If you clear the Urgent flag, you invalidate the Urgent Pointer.

The ACE clears the Urgent flag for any traffic above Layer 4. If you have enabled server connection reuse (see the Cisco Application Control Engine Module Security Configuration Guide), the ACE does not pass the Urgent flag value to the server.

Examples

To clear the Urgent flag, enter:

host1/Admin(config-parammap-conn)# urgent-flag clear

To reset the ACE behavior to the default of allowing the Urgent flag, enter:

host1/Admin(config-parammap-conn)# no urgent-flag

Related Commands

show parameter-map

Parameter Map HTTP Configuration Mode Commands

Parameter map HTTP configuration mode commands allow you to specify an HTTP type parameter map and define its settings. To create an HTTP type parameter map and access parameter map HTTP configuration mode, use the parameter-map type http command in configuration mode. The prompt changes to (config-parammap-http). Use the no form of the command to remove an HTTP type parameter map from the configuration.

parameter-map type http name

no parameter-map type http name

Syntax Description

name

The name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The commands in this mode require the connection feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

After you create and configure a parameter map, you must associate the parameter map with a policy map to activate it. For details, see the (config-pmap-c) appl-parameter http advanced-options command in the "Policy Map Configuration Mode Commands" section.

Examples

To create an HTTP type parameter map called HTTP_MAP, enter:

host1/Admin(config)# parameter-map type http HTTP_MAP
host1/Admin(config-parammap-http)#

Related Commands

(config) parameter-map type

(config-pmap-c) appl-parameter http advanced-options

show parameter-map

(config-parammap-http) case-insensitive

To enable case-insensitive matching for HTTP matching only, use the case-insensitive command in parameter map HTTP configuration mode. With case-insensitive matching enabled, uppercase and lowercase letters are treated as the same character. By default, the ACE CLI is case sensitive. Use the no form of this command to reenable the default ACE behavior of case-sensitive HTTP matching.

case-insensitive

no case-insensitive

Syntax Description

This command has no keywords or arguments.

Command Modes

Parameter map HTTP configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

When enabled, case insensitivity applies to:

HTTP header names and values

HTTP cookie names and values

URL strings

HTTP deep inspection

Examples

To enable case-insensitive matching, enter:

host1/Admin(config-parammap-http)# case-insensitive

To reenable case-sensitive matching, enter:

host1/Admin(config-parammap-http)# no case-insensitive

Related Commands

show parameter-map

(config-parammap-http) length

To configure how the ACE handles URLs or cookies that exceed the maximum parse length, use the length command in parameter map HTTP configuration mode. Use the no form of this command to reset the ACE behavior to the default of stopping load balancing and discarding a packet when its URL or cookie exceeds the maximum parse length.

length {drop | continue}

no length

Syntax Description

drop

(Default) Specifies that the ACE stop load balancing when the maximum parse length is exceeded.

continue

Specifies that the ACE continue load balancing when the maximum parse length is exceeded.


Command Modes

Parameter map HTTP configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

When you specify the continue keyword, the (config-parammap-http) persistence-rebalance command is disabled if the total length of all cookies, HTTP headers, and URLs exceeds the maximum parse-length value.

Examples

To continue load balancing when the maximum parse length is exceeded, enter:

host1/Admin(config-parammap-http)# length continue

To reset the ACE behavior to the default of stopping load balancing and discarding a packet when its URL or cookie exceeds the maximum parse length, enter:

host1/Admin(config-parammap-http)# no length

Related Commands

show parameter-map

(config-parammap-http) persistence-rebalance

(config-parammap-http) persistence-rebalance

To enable the ACE to load-balance each request on the same TCP connection independently, use the persistence-rebalance command. By default, persistence rebalance is disabled. Use the no form of this command to reset persistence rebalance to the default setting of disabled.

persistence-rebalance

no persistence-rebalance

Syntax Description

This command has no keywords or arguments.

Command Modes

Parameter map HTTP configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

With persistence rebalance enabled, each subsequent HTTP request on the same TCP connection is load-balanced independently. Persistence rebalance allows the ACE to load-balance each HTTP request to a potentially different Layer 7 class and/or real server.

Another effect of persistence rebalance is that header insertion and cookie insertion, if enabled, occur for every request instead of only the first request.

If a real server is enabled with the NTLM Microsoft authentication protocol, we recommend that you leave persistence rebalance disabled. NTLM is a security measure that is used to perform authentication with Microsoft remote access protocols. When a real server is enabled with NTLM, every connection to the real server must be authenticated; typically, each client user will see a pop-up window prompting for a username and password. Once the connection is authenticated, all subsequent requests on the same connection will not be challenged. However, when the server load balancing function is enabled and configured with persistence rebalance, a subsequent request may point to a different real server causing a new authentication handshake.

Examples

To enable persistence rebalance, enter:

host1/Admin(config-parammap-http)# persistence-rebalance

To reset persistence rebalance to the default setting of disabled, enter:

host1/Admin(config-parammap-http)# no persistence-rebalance

Related Commands

show parameter-map

(config-pmap-lb-c) insert-http

(config-sticky-cookie) cookie insert

(config-parammap-http) server-conn reuse

To configure TCP server reuse, use the server-conn reuse command. TCP server reuse allows the ACE to reduce the number of open connections on a server by allowing connections to persist and be reused by multiple client connections. Use the no form of this command to disable TCP server reuse.

server-conn reuse

no server-conn reuse

Syntax Description

This command has no keywords or arguments.

Command Modes

Parameter map HTTP configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The ACE maintains a pool of TCP connections that can be reused provided that the client connection and server connection share the same TCP options. For information about configuring how the ACE handles TCP options, see the Cisco Application Control Engine Module Security Configuration Guide. To ensure proper operation of this feature, observe the following TCP server reuse configuration recommendations and restrictions:

Ensure that the ACE MSS is the same as the server MSS.

Configure port address translation (PAT) on the interface that is connected to the real server. PAT prevents collisions when a client stops using a server connection and then that connection is reused by another client. Without PAT, if the original client tries to reuse the original server connection, it is no longer available. For details about configuring PAT, see the Cisco Application Control Engine Module Security Configuration Guide.

Configure on the ACE the same TCP options that exist on the TCP server.

Ensure that each server farm is homogeneous (all real servers within a server farm have identical configurations).

Another effect of TCP server reuse is that header insertion and cookie insertion, if enabled, occur for every request instead of only the first request.

Examples

To enable TCP server reuse, enter:

host1/Admin(config-parammap-http)# server-conn reuse

To disable TCP server reuse, enter:

host1/Admin(config-parammap-http)# no server-conn reuse

Related Commands

show parameter-map

(config-parammap-http) persistence-rebalance

(config-pmap-lb-c) insert-http

(config-sticky-cookie) cookie insert

(config-parammap-http) set content-maxparse-length

To set the maximum number of bytes to parse in HTTP content, use the set content-maxparse-length command in parameter map HTTP configuration mode. Use the no form of this command to reset the maximum parse length to the default of 4096 bytes.

set content-maxparse-length bytes

no set content-maxparse-length

Syntax Description

bytes

The maximum number of bytes to parse in HTTP content. Enter an integer from 1 to 65535. The default is 4096 bytes.


Command Modes

Parameter map HTTP configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To set the maximum parse length to 8192, enter:

host1/Admin(config-parammap-http)# set content-maxparse-length 8192

To reset the maximum parse length to the default of 4096 bytes, enter:

host1/Admin(config-parammap-http)# no set content-maxparse-length

Related Commands

show parameter-map

(config-parammap-http) set header-maxparse-length

To set the maximum number of bytes to parse for cookies, HTTP headers, and URLs, use the set header-maxparse-length command. Use the no form of this command to reset the HTTP header maximum parse length to the default of 2048 bytes.

set header-maxparse-length bytes

no set header-maxparse-length

Syntax Description

bytes

The maximum number of bytes to parse for the total length of all cookies, HTTP headers, and URLs. Enter an integer from 1 to 65535. The default is 2048 bytes.


Command Modes

Parameter map HTTP configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To set the HTTP header maximum parse length to 8192, enter:

host1/Admin(config-parammap-http)# set header-maxparse-length 8192

To reset the HTTP header maximum parse length to the default of 2048 bytes, enter:

host1/Admin(config-parammap-http)# no set header-maxparse-length

Related Commands

show parameter-map

(config-parammap-http) set secondary-cookie-delimiters

To define a list of ASCII-character delimiter strings that you can use to separate the cookies in a URL string, use the set secondary-cookie-delimiters command. Use the no form of this command to reset the delimiter string list to the default of /?&#+.

set secondary-cookie-delimiters text

no set secondary-cookie-delimiters

Syntax Description

text

The delimiter string. Enter an unquoted text string with no spaces and a maximum of 4 characters. The order of the delimiters in the list does not matter. The default list of delimiters is: /&#+.


Command Modes

Parameter map HTTP configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

Cookies and their delimiters appear in GET request lines. In the following example of a GET request line, the ampersand (&) that appears between name-value pairs is the secondary cookie delimiter. The question mark (?) begins the URL query and is not configurable.

GET /default.cgi?user=me&hello=world&id=2 HTTP/1.1
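The following Python model is added here as an illustration and is not ACE code. It ties together four settings from this mode: the header-maxparse-length limit, the length {drop | continue} action taken when that limit is exceeded, the rule that length continue disables persistence rebalance for a request that exceeded the limit, and the secondary-cookie delimiter split applied to the GET line above. The class and function names, the way the parsed length is summed (URL plus every header line) and the sample request are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Defaults as stated in the command reference.
DEFAULT_HEADER_MAXPARSE = 2048
DEFAULT_DELIMITERS = "/&#+"   # the 4-character default list from the Syntax Description


@dataclass
class HttpParamMap:
    """Subset of an HTTP parameter map (constructed model, not ACE code)."""
    header_maxparse_length: int = DEFAULT_HEADER_MAXPARSE   # set header-maxparse-length
    length_action: str = "drop"                             # length {drop | continue}
    secondary_cookie_delimiters: str = DEFAULT_DELIMITERS   # set secondary-cookie-delimiters
    persistence_rebalance: bool = False                      # persistence-rebalance

    def __post_init__(self) -> None:
        # Range checks mirror the Syntax Descriptions in this section.
        if not 1 <= self.header_maxparse_length <= 65535:
            raise ValueError("header-maxparse-length must be 1..65535")
        if self.length_action not in ("drop", "continue"):
            raise ValueError("length must be 'drop' or 'continue'")
        d = self.secondary_cookie_delimiters
        if not d or len(d) > 4 or " " in d:
            raise ValueError("delimiter list: 1 to 4 characters, no spaces")


def split_secondary_cookies(url: str, delimiters: str) -> Dict[str, str]:
    """Split the URL query into name/value pairs on any configured delimiter.

    The '?' that begins the query is fixed; only the characters between
    name=value pairs are taken from the configured delimiter list."""
    if "?" not in url:
        return {}
    query = url.split("?", 1)[1]
    pairs: Dict[str, str] = {}
    token = ""
    for ch in query + delimiters[0]:        # trailing delimiter flushes the last token
        if ch in delimiters:
            if token:
                name, _, value = token.partition("=")
                pairs[name] = value
            token = ""
        else:
            token += ch
    return pairs


def parse_request(pmap: HttpParamMap, request: str) -> Tuple[str, Dict[str, str], bool]:
    """Apply the parameter map to one HTTP request.

    Returns (action, cookies, rebalance_active): action is 'load-balance' or
    'drop'; rebalance_active tells whether persistence rebalance still applies
    to this request (it is disabled when 'length continue' is hit)."""
    head = request.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, url, _version = request_line.split(" ", 2)
    headers = [h for h in header_lines if h]
    # Total length parsed against header-maxparse-length: URL plus all header
    # lines (the Cookie header counts among them). Assumed accounting.
    parsed_length = len(url) + sum(len(h) for h in headers)
    exceeded = parsed_length > pmap.header_maxparse_length
    if exceeded and pmap.length_action == "drop":
        return "drop", {}, False            # default: stop load balancing, discard
    # 'length continue': keep load balancing, but persistence rebalance is
    # disabled for a request whose parsed length exceeded the limit.
    rebalance_active = pmap.persistence_rebalance and not exceeded
    cookies = split_secondary_cookies(url, pmap.secondary_cookie_delimiters)
    return "load-balance", cookies, rebalance_active


# Constructed sample request built around the GET line from the Usage Guidelines.
SAMPLE_REQUEST = (
    "GET /default.cgi?user=me&hello=world&id=2 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(parse_request(HttpParamMap(), SAMPLE_REQUEST))
    print(parse_request(HttpParamMap(header_maxparse_length=32), SAMPLE_REQUEST))
    print(parse_request(HttpParamMap(header_maxparse_length=32, length_action="continue",
                                     persistence_rebalance=True), SAMPLE_REQUEST))
```

With the defaults the sample request is load-balanced and the three name-value pairs are extracted; lowering the limit to 32 bytes shows the drop default, and switching to length continue shows the request still being load-balanced with persistence rebalance suspended for it.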

Examples

For example, enter:

host1/Admin(config-parammap-http)# set secondary-cookie-delimiters !@#$

To reset the delimiter string list to the default of /?&#+, enter:

host1/Admin(config-parammap-http)# no set secondary-cookie-delimiters

Related Commands

show parameter-map

Parameter Map SSL Configuration Mode Commands

Parameter map SSL configuration mode commands allow you to specify an SSL type parameter map and configure SSL settings for the map. To create an SSL type parameter map and access parameter map SSL configuration mode, use the parameter-map type ssl command in configuration mode. The prompt changes to (config-parammap-ssl). Use the no form of this command to remove the parameter map from the configuration.

parameter-map type ssl name

no parameter-map type ssl name

Syntax Description

name

The name assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The commands in this mode require the connection or SSL feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco Application Control Engine Module Virtualization Configuration Guide.

After you create and configure an SSL parameter map, you must associate the parameter map with a policy map to activate it. For details, see the (config-ssl-proxy) ssl advanced-options command in the "SSL Proxy Configuration Mode Commands" section.

Examples

To create an SSL type parameter map called SSL_MAP, enter:

host1/Admin(config)# parameter-map type ssl SSL_MAP
host1/Admin(config-parammap-ssl)#

Related Commands

(config) parameter-map type

(config-ssl-proxy) ssl advanced-options

show parameter-map

(config-parammap-ssl) cipher

To define each of the cipher suites you want the ACE to support during a secure session, use the cipher command in SSL parameter map configuration mode. Use the no form of the command to delete a cipher suite from the SSL parameter map.

cipher cipher_name [priority cipher_priority]

no cipher cipher_name

Syntax Description

cipher_name

Name of the cipher suite. See the "Usage Guidelines" section below for the table of cipher suites that the ACE supports. Enter one of the supported cipher suites from the table. The default setting is all.

priority

(Optional) Assigns a priority level to the cipher suite. The priority level represents the preference-for-use ranking of the cipher suite, with 10 being the most preferred and 1 being the least preferred. By default, all configured cipher suites have a priority level of 1.

cipher_priority

Priority level of the cipher suite. Enter a value of 1 to 10. The default priority value is 1.


Command Modes

SSL parameter map configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

The following table lists the available cipher suites that the ACE supports and indicates which of the supported cipher suites are exportable from the ACE. The table also lists the authentication certificate and key exchange algorithm used by each cipher suite.

Cipher Suite                      Exportable  Authentication Certificate Used  Key Exchange Algorithm Used
RSA_WITH_RC4_128_MD5              No          RSA certificate                  RSA key exchange
RSA_WITH_RC4_128_SHA              No          RSA certificate                  RSA key exchange
RSA_WITH_DES_CBC_SHA              No          RSA certificate                  RSA key exchange
RSA_WITH_3DES_EDE_CBC_SHA         No          RSA certificate                  RSA key exchange
RSA_EXPORT_WITH_RC4_40_MD5        Yes         RSA certificate                  RSA key exchange
RSA_EXPORT_WITH_DES40_CBC_SHA     Yes         RSA certificate                  RSA key exchange
RSA_EXPORT1024_WITH_RC4_56_MD5    Yes         RSA certificate                  RSA key exchange
RSA_EXPORT1024_WITH_DES_CBC_SHA   Yes         RSA certificate                  RSA key exchange
RSA_EXPORT1024_WITH_RC4_56_SHA    Yes         RSA certificate                  RSA key exchange
RSA_WITH_AES_128_CBC_SHA          No          RSA certificate                  RSA key exchange
RSA_WITH_AES_256_CBC_SHA          No          RSA certificate                  RSA key exchange


Repeat the cipher command for each cipher suite you want to include in the SSL parameter map.

When negotiating which cipher suite to use, the ACE selects from the client list based on the cipher suite configured with the highest priority level. A higher priority level will bias towards the specified cipher suite. For SSL termination applications, the ACE uses the priority level to match cipher suites in the client's ClientHello handshake message. For SSL initiation applications, the priority level represents the order in which the ACE places the cipher suites in its ClientHello handshake message to the server.

The default "all cipher suites" setting works only when you do not configure the SSL parameter map with any specific ciphers. To return to using the all cipher suites setting, you must delete each of the specifically defined ciphers from the parameter map using the no form of the command.
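The negotiation rules in the preceding paragraphs, as an added Python model that is not ACE code: the suite table above becomes a lookup, the cipher and no cipher commands become methods, termination picks from the client's ClientHello list by highest configured priority, initiation orders the ACE's own ClientHello by priority, and deleting every configured suite falls back to the "all cipher suites" default. The tie-breaking rules (client order for termination, configuration order for initiation) and the exportable_configured review helper, which lists the offered suites the table marks as exportable, are assumptions added for the example; the reference does not define them.

```python
from typing import Dict, List, Optional

# Cipher suites from the table above; the value is the table's Exportable column.
SUPPORTED_SUITES: Dict[str, bool] = {
    "RSA_WITH_RC4_128_MD5": False,
    "RSA_WITH_RC4_128_SHA": False,
    "RSA_WITH_DES_CBC_SHA": False,
    "RSA_WITH_3DES_EDE_CBC_SHA": False,
    "RSA_EXPORT_WITH_RC4_40_MD5": True,
    "RSA_EXPORT_WITH_DES40_CBC_SHA": True,
    "RSA_EXPORT1024_WITH_RC4_56_MD5": True,
    "RSA_EXPORT1024_WITH_DES_CBC_SHA": True,
    "RSA_EXPORT1024_WITH_RC4_56_SHA": True,
    "RSA_WITH_AES_128_CBC_SHA": False,
    "RSA_WITH_AES_256_CBC_SHA": False,
}


class SslParamMap:
    """Cipher-related state of an SSL parameter map (constructed model, not ACE code)."""

    def __init__(self) -> None:
        self.ciphers: Dict[str, int] = {}   # cipher_name -> priority 1..10

    def cipher(self, name: str, priority: int = 1) -> None:
        """'cipher <name> [priority <n>]': add one suite or change its priority."""
        if name not in SUPPORTED_SUITES:
            raise ValueError(f"unsupported cipher suite: {name}")
        if not 1 <= priority <= 10:
            raise ValueError("priority must be 1..10")
        self.ciphers[name] = priority

    def no_cipher(self, name: str) -> None:
        """'no cipher <name>': delete one suite; deleting them all restores 'all'."""
        self.ciphers.pop(name, None)

    def allowed(self) -> Dict[str, int]:
        """Suites in effect: the configured ones, or every supported suite at
        priority 1 when none is configured (the default 'all' setting)."""
        if not self.ciphers:
            return {name: 1 for name in SUPPORTED_SUITES}
        return dict(self.ciphers)

    def select_for_termination(self, client_hello: List[str]) -> Optional[str]:
        """ACE as the server: from the suites the client offered, take the one
        configured with the highest priority. Ties go to the suite the client
        listed first (assumption; the reference does not define tie-breaking)."""
        allowed = self.allowed()
        candidates = [s for s in client_hello if s in allowed]
        if not candidates:
            return None   # no suite in common: the handshake cannot proceed
        return max(candidates, key=lambda s: (allowed[s], -client_hello.index(s)))

    def client_hello_order(self) -> List[str]:
        """ACE as the client (SSL initiation): suites in descending priority,
        configuration order within one priority (assumption; stable sort)."""
        allowed = self.allowed()
        return sorted(allowed, key=lambda s: -allowed[s])

    def exportable_configured(self) -> List[str]:
        """Added review check: export-grade suites the map currently offers."""
        return [s for s in self.allowed() if SUPPORTED_SUITES[s]]


if __name__ == "__main__":
    pmap = SslParamMap()
    pmap.cipher("RSA_WITH_AES_128_CBC_SHA", priority=2)   # the Examples entry below
    pmap.cipher("RSA_WITH_3DES_EDE_CBC_SHA")              # default priority 1
    # Constructed ClientHello list: 3DES is listed first, but AES-128 wins on priority.
    print(pmap.select_for_termination(
        ["RSA_WITH_3DES_EDE_CBC_SHA", "RSA_WITH_AES_128_CBC_SHA", "RSA_WITH_RC4_128_MD5"]))
    print(pmap.client_hello_order())
    print(pmap.exportable_configured())
```

Because the default "all" setting offers every suite in the table at the same priority, exportable_configured() on an empty map returns all five export-grade suites; pinning specific suites with the cipher command is what removes them from the offer.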

Examples

To add the cipher suite RSA_WITH_AES_128_CBC_SHA and assign it a priority level of 2, enter:

host1/Admin(config-parammap-ssl)# cipher RSA_WITH_AES_128_CBC_SHA priority 2

To delete the cipher suite RSA_WITH_AES_128_CBC_SHA from the SSL parameter map, enter:

host1/Admin(config-parammap-ssl)# no cipher RSA_WITH_AES_128_CBC_SHA

Related Commands

(config-parammap-ssl) version

show parameter-map

(config-parammap-ssl) version

To specify which SSL and TLS versions the ACE supports when it uses the SSL proxy parameter map during the handshake process, use the version command in SSL parameter map configuration mode. Use the no form of the command to remove a version from the SSL proxy parameter map.

version {all | ssl3 | tls1}

no version

Syntax Description

all

Specifies that the ACE supports both SSL (version SSL3) and TLS (version TLS1). This is the default setting.

ssl3

Specifies that the ACE supports only SSL version SSL3.

tls1

Specifies that the ACE supports only TLS version TLS1.


Command Modes

SSL parameter map configuration mode

Admin and user contexts

Command History

Release          Modification
3.0(0)A1(2)      This command was introduced.


Usage Guidelines

This command has no usage guidelines.

Examples

To specify the version SSL3, enter:

host1/Admin(config-parammap-ssl)# version ssl3

To remove the version TLS1 from the SSL proxy parameter map, enter:

host1/Admin(config-parammap-ssl)# no version

Related Commands

(config-parammap-ssl) cipher

show parameter-map