Control Engine Module
July 26, 2012
Note The most current Cisco documentation for released products is available on Cisco.com.
Contents
This release note applies to software version A5(2.0) for the Cisco Application Control Engine Module (ACE), model ACE30 (ACE30_MOD_K9).
For information on the ACE module features and configuration details, see the ACE documentation located at:
http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html
This release note contains the following sections:
• New Software Features in Version A5(2.0)
• Chassis, Supervisor Engine, and Cisco IOS Support for the ACE30 Module
• Virtual Switching System Support
• ACE Operating Considerations
• Available ACE Licenses
• Ordering an Upgrade License and Generating a License Key
• Upgrading Your ACE Module Software in a Redundant Configuration
• Downgrading Your ACE Module Software in a Redundant Configuration
• ACE Documentation Set
• ACE Troubleshooting Wiki
• Software Version A5(2.0) Resolved Caveats, Open Caveats, Command Changes, and System Log Messages
New Software Features in Version A5(2.0)
This section describes the new features associated with ACE module software Version A5(2.0). The information presented in this section builds on the information available in the documentation set for ACE software Version A5(1.0), which you can find at the following URLs:
• ACE configuration documentation doc set:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_installation_and_configuration_guides_list.html
• ACE command reference:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/ACE_cr.html
Software version A5(2.0) provides the following new features:
• Buddy Sticky Groups that Enable Persistence Across Multiple Server Farms
• Support for Static NAT IPv4-to-IPv6 and IPv6-to-IPv4 Translation
• Support for DNS IPv4-to-IPv6 and IPv6-to-IPv4 Load Balancing with Inspection
• Maintain a Full Proxy Connection During a TCP Handshake Mismatch
• Support for a Wildcard KAL-AP GSS IP Address
• SSL Probe Configuration Option for Ignoring the Certificate Expiration Date
• Support for Additional Syslog Logging Hosts
• Support for SSL Session ID Stickiness
• Support for the ACE No Payload Encryption Software Version
• Support for Creation of RDP Parameter Maps
• Ability to Enable Regular Expression Download Optimization
• Extended Range of Supported Characters in a URL
• Configuring an SNMP Peer Engine ID for the Standby ACE
• Configuring an SNMP User Authentication Password for the Standby ACE
• Ability for the ACE to Accept a User Account with an Expired Date
• Addressing SSL Certificates With a Subject or Issuer That is Greater Than 256 Bytes
Buddy Sticky Groups that Enable Persistence Across Multiple Server Farms
ACE software version A5(2.0) allows you to create buddy sticky groups that enable persistence to a real server or real server group across multiple server farms. Prior software releases allow you to configure stickiness only within a single server farm, using sticky groups. You use the buddy sticky group feature for the following applications:
• One-to-one association—Sticks the client to the same physical server instances in two different server farms (see the “One-to-One Association Application Example” section on page 4).
• Asymmetric association—Sticks a client to a real server that is configured on different server farms even when the client comes back with a non-HTTP request or different HTTP header (see the “Asymmetric Association Application Example” section on page 6).
• Many-to-one association—Sticks multiple, first-tier real servers to one real server in a second tier that contains fewer servers (see the “Many-to-One Association Application Example” section on page 9).
Note The ACE buddy sticky group feature does not support the one-to-many application.
To use the buddy group feature, you perform the following steps while configuring the ACE for load balancing:
1. Create real server buddy sticky groups when specifying the real servers in a server farm.
You make a real server a member of a real server buddy group by using the new buddy command in the server farm host real server configuration mode. The command syntax is as follows:
buddy group_name
where group_name is the name of a new or existing real server buddy sticky group. Enter 1 to 64 alphanumeric characters.
Example
host1/admin(config)# serverfarm sfarm1
host1/admin(config-sfarm-host)# rserver rserv12
host1/admin(config-sfarm-host-rs)# buddy blue
2. Create sticky server farm buddy groups when specifying the server farms in a sticky group. You make a sticky server farm a member of a buddy sticky group by using the new member command in sticky configuration mode. The command syntax is as follows:
member group_name
where group_name is the name of a new or existing server farm buddy sticky group. Enter 1 to 64 alphanumeric characters.
Example
host1/admin(config)# sticky ip-netmask 255.255.255.255 address both stick-cart
host1/admin(config-sticky-ip)# serverfarm http
host1/admin(config-sticky-ip)# member alpha
This section includes the following topics:
• Guidelines and Restrictions, page 4
• Asymmetric Association Application Example, page 6
• One-to-One Association Application Example, page 4
• Many-to-One Association Application Example, page 9
• Displaying Buddy Sticky Group Information, page 11
Guidelines and Restrictions
• When two sticky groups with different timeout values are buddied together, the ACE uses the shortest timeout value for the buddy group.
• Sticky groups to be buddied together must be of the same type, such as all IP-sticky, all http-cookie, and so forth. The ACE does not support different types of sticky groups buddied together.
• When two sticky groups are buddied together and one of them is configured for timeout active connections, the member group is also configured for timeout active connections.
• When two sticky groups are configured with different IP netmask (IPv4) or prefix-length (IPv6), the ACE uses the one with the most granular netmask or prefix-length.
• When a static entry is created under a buddy sticky group, its behavior is unchanged and it sticks to the same real server configured regardless of the buddy group that real server is associated with.
• Before you can configure a sticky group as a member, you must have a server farm configured under that sticky group and all the real servers that belong to that server farm have buddy group configured under them. This requirement prevents invalid configurations.
• The ACE does not support configuring the following types of sticky groups as buddy sticky group members:
– SSL
– RTSP Header
• The ACE supports PTMP sticky group such as SIP sticky; however, you must make sure that the configuration is the same across both sticky groups for the buddy sticky group feature to work.
• For real server backup applications:
– We recommend only 1 level of backup-rserver with buddy sticky.
– If you add a buddy group to the primary real server, the backup server inherits this buddy group. However, if you remove the buddy group from the primary real server, the buddy group is not removed from the backup real server and vice versa.
• You can display information related to buddy sticky group configurations (see the “Displaying Buddy Sticky Group Information” section on page 11).
One-to-One Association Application Example
In a one-to-one buddy sticky group association, you create a buddy sticky group that sticks the client to the same physical server instances in two different server farms. In the network example shown in
Figure 1, the ACE is configured with the following server farms, their associated real servers, and the buddy sticky groups that group both items:
Server Farm                  Buddy Member Group   Real Server              Real Server Buddy Group
http (for HTTP requests)     alpha                1nx1:192.168.1.11:80     blue
                                                  1nx2:192.168.1.12:80     red
https (for HTTPS requests)   alpha                1nx1:192.168.1.11:443    blue
                                                  1nx2:192.168.1.12:443    red
Figure 1 Buddy Sticky Groups: One-to-One Association
[Figure 1 shows the client reaching the ACE through the Multilayer Switch Feature Card on VLAN 20 (172.16.1.1; ACE interface 172.16.1.5; VIP 172.16.1.100) and the ACE reaching the servers on VLAN 40 (192.168.1.1). Server farm http (alpha) and server farm https (alpha) each contain 1nx1 (192.168.1.11:80 and 192.168.1.11:443, buddy group blue) and 1nx2 (192.168.1.12:80 and 192.168.1.12:443, buddy group red).]
The ACE is configured to load balance HTTP requests to server farm http using either real server 1nx1:192.168.1.11:80 or 1nx2:192.168.1.12:80. The ACE is also configured to load balance HTTPS requests using server farm https and either real server 1nx1:192.168.1.11:443 or 1nx2:192.168.1.12:443. The buddy groups allow the ACE to stick a client to the same real server (for example, 1nx1) while building a shopping cart using HTTP requests and then checking out using HTTPS.
In this example, the client hits VIP 172.16.1.100, destination port 80 with an HTTP request to begin to build a shopping cart. The ACE load balances the request to server farm http, real server 1nx1:192.168.1.11:80 and creates a sticky entry based on the corresponding sticky group (for example, source IP address) that sticks the client to the real server while the client builds their shopping cart. When the client moves to the secured connection (port 443) for checkout, it hits the VIP with destination port 443 and the ACE sends the client to server farm https. The ACE finds an existing sticky entry with real server 1nx1:192.168.1.11:80 and directs the client to 1nx1:192.168.1.11:443 because the two real servers are buddied together under the blue buddy group.
CLI Sample Configuration
The following example configuration applies to Figure 1; the buddy group-related values are the buddy and member commands:
host1/admin(config)# serverfarm http
host1/admin(config-sfarm-host)# rserver lnx1
host1/admin(config-sfarm-host-rs)# buddy blue
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# rserver lnx2
host1/admin(config-sfarm-host-rs)# buddy red
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# exit
host1/admin(config)# serverfarm https
host1/admin(config-sfarm-host)# rserver lnx1 443
host1/admin(config-sfarm-host-rs)# buddy blue
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# rserver lnx2 443
host1/admin(config-sfarm-host-rs)# buddy red
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# exit
host1/admin(config)# sticky ip-netmask 255.255.255.255 address both stick-cart
host1/admin(config-sticky-ip)# serverfarm http
host1/admin(config-sticky-ip)# member alpha
host1/admin(config-sticky-ip)# exit
host1/admin(config)# sticky ip-netmask 255.255.255.255 address both stick-credit
host1/admin(config-sticky-ip)# serverfarm https
host1/admin(config-sticky-ip)# member alpha
host1/admin(config-sticky-ip)# exit
host1/admin(config)# class-map cart-vip
host1/admin(config-cmap)# match virtual-address 172.16.1.100 tcp eq www
host1/admin(config-cmap)# exit
host1/admin(config)# class-map checkout-vip
host1/admin(config-cmap)# match virtual-address 172.16.1.100 tcp eq https
host1/admin(config-cmap)# exit
host1/admin(config)# policy-map type loadbalance http first-match cart-lb
host1/admin(config-pmap-lb)# class class-default
host1/admin(config-pmap-lb-c)# sticky-serverfarm stick-cart
host1/admin(config-pmap-lb-c)# exit
host1/admin(config-pmap-lb)# exit
host1/admin(config)# policy-map type loadbalance http first-match checkout-lb
host1/admin(config-pmap-lb)# class class-default
host1/admin(config-pmap-lb-c)# sticky-serverfarm stick-credit
host1/admin(config-pmap-lb-c)# exit
host1/admin(config-pmap-lb)# exit
host1/admin(config)# policy-map multi-match shopping-cart
host1/admin(config-pmap)# class cart-vip
host1/admin(config-pmap-c)# loadbalance vip inservice
host1/admin(config-pmap-c)# loadbalance policy cart-lb
host1/admin(config-pmap-c)# exit
host1/admin(config-pmap)# class checkout-vip
host1/admin(config-pmap-c)# loadbalance vip inservice
host1/admin(config-pmap-c)# loadbalance policy checkout-lb
Asymmetric Association Application Example
In an asymmetric buddy sticky group association, you create a buddy sticky group that sticks all Layer 7 traffic from a client to a specific real server even when some of the traffic does not match the Layer 7 class map.
In the network example shown in Figure 2, the ACE is configured to include the following server farms, their associated real servers, and assigned real server buddy sticky groups:
Server Farm   Buddy Member Group   Real Server   Real Server Buddy Group
foobar        alpha                1nx1          blue
                                   1nx2          red
foo           alpha                1nx1          blue
bar           alpha                1nx2          red
Figure 2 Buddy Sticky Groups: Asymmetric Association
[Figure 2 shows the client reaching the ACE through the Multilayer Switch Feature Card on VLAN 20 (172.16.1.1; ACE interface 172.16.1.5; VIP 172.16.1.100) and the ACE reaching the servers on VLAN 40 (192.168.1.1). Server farm foo (alpha) contains 1nx1 192.168.1.11 (blue), server farm bar (alpha) contains 1nx2 192.168.1.12 (red), and server farm foobar (alpha) contains both.]
The ACE is configured to send client traffic with Layer 3 matches to server farm foobar, which contains real servers that are also configured on server farms foo and bar. The ACE load balances the client traffic to one of the real servers based on Layer 7 class map matches. By defining buddy sticky groups, the ACE is also able to stick non-matching client traffic to the same real server.
In this example, the client sends traffic with Layer 3 matches that the ACE directs and sticks (using IP sticky) to server farm foobar. The ACE uses a Layer 7 class map to check for an HTTP URL and, if present, sends the traffic to server farm foo and sticks the client traffic to that server using sticky that is based on the source IP address. Using a buddy sticky group, the ACE uses the sticky entry to send any other traffic type from the client to the same real server. For example, if the ACE sticks the client HTTP traffic to server farm foo:real server lnx1 based on a Layer 7 class map match, the buddy sticky group allows the ACE to send non-HTTP traffic from the client to the same real server.
CLI Sample Configuration
The following example configuration applies to Figure 2; the buddy group-related values are the buddy and member commands:
host1/admin(config)# serverfarm foo
host1/admin(config-sfarm-host)# rserver lnx1
host1/admin(config-sfarm-host-rs)# buddy blue
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# exit
host1/admin(config)# serverfarm bar
host1/admin(config-sfarm-host)# rserver lnx2
host1/admin(config-sfarm-host-rs)# buddy red
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# exit
host1/admin(config)# serverfarm foobar
host1/admin(config-sfarm-host)# rserver lnx1
host1/admin(config-sfarm-host-rs)# buddy blue
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# rserver lnx2
host1/admin(config-sfarm-host-rs)# buddy red
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# exit
host1/admin(config)# sticky ip-netmask 255.255.255.255 address both stick-foo
host1/admin(config-sticky-ip)# serverfarm foo
host1/admin(config-sticky-ip)# member alpha
host1/admin(config-sticky-ip)# exit
host1/admin(config)# sticky ip-netmask 255.255.255.255 address both stick-bar
host1/admin(config-sticky-ip)# serverfarm bar
host1/admin(config-sticky-ip)# member alpha
host1/admin(config-sticky-ip)# exit
host1/admin(config)# sticky ip-netmask 255.255.255.255 address both stick-foobar
host1/admin(config-sticky-ip)# serverfarm foobar
host1/admin(config-sticky-ip)# member alpha
host1/admin(config-sticky-ip)# exit
host1/admin(config)# class-map app-vip
host1/admin(config-cmap)# match virtual-address 172.16.1.100 any
host1/admin(config-cmap)# exit
host1/admin(config)# class-map type http loadbalance match-all app-foo
host1/admin(config-cmap)# match http url /app-foo/.*
host1/admin(config-cmap)# exit
host1/admin(config)# class-map type http loadbalance match-all app-bar
host1/admin(config-cmap)# match http url /app-bar/.*
host1/admin(config-cmap)# exit
host1/admin(config)# policy-map type loadbalance http first-match slb
host1/admin(config-pmap-lb)# class app-foo
host1/admin(config-pmap-lb-c)# sticky-serverfarm stick-foo
host1/admin(config-pmap-lb-c)# exit
host1/admin(config-pmap-lb)# class app-bar
host1/admin(config-pmap-lb-c)# sticky-serverfarm stick-bar
host1/admin(config-pmap-lb-c)# exit
host1/admin(config-pmap-lb)# class class-default
Many-to-One Association Application Example
In a many-to-one buddy sticky group association, you create a buddy sticky group that sticks a group of real servers to a specific real server, which is useful when clients are load balanced to a first-tier server farm containing many real servers and are then directed to a second-tier server farm that contains fewer real servers. In this type of application, you create buddy sticky groups that stick each first-tier real server group to a specific second-tier real server.
In the network example shown in Figure 3, the ACE is configured with the following server farms, their associated real servers, and assigned real server buddy groups:
Server Farm         Buddy Member Group   Real Server             Real Server Buddy Group
web (first tier)    alpha                1nx1:192.168.1.11:80    blue
                                         1nx2:192.168.1.12:80    blue
                                         1nx3:192.168.1.13:80    red
                                         1nx4:192.168.1.14:80    red
app (second tier)   alpha                db1:192.168.1.21:123    blue
                                         db2:192.168.1.22:123    red
Figure 3 Buddy Sticky Groups: Many-to-One Association
[Figure 3 shows the first-tier servers of server farm web (alpha), 1nx1 192.168.1.11:80 and 1nx2 192.168.1.12:80 (blue) and 1nx3 192.168.1.13:80 and 1nx4 192.168.1.14:80 (red), and the second-tier servers of server farm app (alpha), db1 192.168.1.21:123 (blue) and db2 192.168.1.22:123 (red).]
The buddy sticky groups blue and red divide the first-tier real servers into groups and then stick each of these groups to a specific second-tier real server.
In this example, when the ACE load balances clients to either real server 1nx1 or 1nx2 in the server farm web, the clients are directed only to real server db1 when they are ready to move to the server farm app. Notice also that clients that the ACE load balances to 1nx3 and 1nx4 are directed only to real server db2 when they are ready to move to the server farm app.
CLI Sample Configuration
The following example configuration applies to Figure 3; the buddy group-related values are the buddy and member commands:
host1/admin(config)# serverfarm web
host1/admin(config-sfarm-host)# rserver lnx1 80
host1/admin(config-sfarm-host-rs)# buddy blue
host1/admin(config-sfarm-host-rs)# inservice
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# rserver lnx2 80
host1/admin(config-sfarm-host-rs)# buddy blue
host1/admin(config-sfarm-host-rs)# inservice
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# rserver lnx3 80
host1/admin(config-sfarm-host-rs)# buddy red
host1/admin(config-sfarm-host-rs)# inservice
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# rserver lnx4 80
host1/admin(config-sfarm-host-rs)# buddy red
host1/admin(config-sfarm-host-rs)# inservice
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# exit
host1/admin(config)# serverfarm app
host1/admin(config-sfarm-host)# rserver db1
host1/admin(config-sfarm-host-rs)# buddy blue
host1/admin(config-sfarm-host-rs)# inservice
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# rserver db2
host1/admin(config-sfarm-host-rs)# buddy red
host1/admin(config-sfarm-host-rs)# inservice
host1/admin(config-sfarm-host-rs)# exit
host1/admin(config-sfarm-host)# exit
host1/admin(config)# sticky ip-netmask 255.255.255.255 address source web
host1/admin(config-sticky-ip)# serverfarm web
host1/admin(config-sticky-ip)# member alpha
host1/admin(config-sticky-ip)# exit
host1/admin(config)# sticky ip-netmask 255.255.255.255 address source db
host1/admin(config-sticky-ip)# serverfarm app
host1/admin(config-sticky-ip)# member alpha
host1/admin(config-sticky-ip)# exit
host1/admin(config)# class-map web
host1/admin(config-cmap)# match virtual-address 172.16.1.100 tcp eq 80
host1/admin(config-cmap)# exit
host1/admin(config)# class-map db
host1/admin(config-cmap)# match virtual-address 172.16.1.100 tcp eq 81
host1/admin(config-cmap)# exit
host1/admin(config)# policy-map type loadbalance http first-match web
host1/admin(config-pmap-lb)# class class-default
host1/admin(config-pmap-lb-c)# sticky-serverfarm web
host1/admin(config-pmap-lb-c)# exit
host1/admin(config-pmap-lb)# exit
host1/admin(config)# policy-map type loadbalance http first-match db
host1/admin(config-pmap-lb)# class class-default
host1/admin(config-pmap-lb-c)# sticky-serverfarm db
host1/admin(config-pmap-lb-c)# exit
host1/admin(config-pmap-lb)# exit
host1/admin(config)# policy-map multi-match web-db
host1/admin(config-pmap)# class web
host1/admin(config-pmap-c)# loadbalance vip inservice
host1/admin(config-pmap-c)# loadbalance policy web
host1/admin(config-pmap-c)# exit
host1/admin(config-pmap)# class db
host1/admin(config-pmap-c)# loadbalance vip inservice
host1/admin(config-pmap-c)# loadbalance policy db
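The three application examples above all rely on the same lookup: when a sticky group finds no entry for a client, it looks for an entry under a buddied sticky group (same member group) and picks a real server in its own server farm that carries the same real server buddy group. The following Python model is an added example written for this note, not Cisco ACE code; it implements that lookup for the many-to-one topology of Figure 3 and also applies two of the guidelines from this section (the shortest timeout and the most granular netmask win across buddied groups). It assumes the db sticky group references the app server farm, uses a round-robin stand-in for the predictor, and uses constructed timeout and prefix-length values to exercise the merge rules.

```python
"""Model of how ACE buddy sticky groups resolve a client to a real server.

Constructed example for this release note, not Cisco ACE code. It models the
many-to-one configuration of Figure 3 (server farm web with lnx1..lnx4, server
farm app with db1/db2, both sticky groups members of buddy sticky group alpha).
"""
import ipaddress
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RealServer:
    farm: str             # server farm the instance belongs to
    name: str             # rserver name inside that server farm
    buddy: Optional[str]  # real server buddy group ("blue"/"red"), set with `buddy`


@dataclass
class StickyGroup:
    name: str              # sticky group name, e.g. "web" or "db"
    farm: str              # server farm configured under the sticky group
    member: Optional[str]  # server farm buddy sticky group, set with `member`
    prefix_len: int = 32   # ip-netmask expressed as a prefix length
    timeout: int = 1440    # sticky timeout in minutes


class BuddyStickyTable:
    def __init__(self, farms: Dict[str, List[RealServer]], groups: List[StickyGroup]):
        self.farms = farms
        self.groups = {g.name: g for g in groups}
        self.entries: Dict[Tuple[str, str], RealServer] = {}  # (sticky group, client key)
        self._predictor = {f: cycle(rs) for f, rs in farms.items()}  # round-robin stand-in

    def buddies(self, group: StickyGroup) -> List[StickyGroup]:
        """Sticky groups buddied with `group` through the same member group."""
        if group.member is None:
            return []
        return [g for g in self.groups.values()
                if g.name != group.name and g.member == group.member]

    def effective_prefix(self, group: StickyGroup) -> int:
        # Guideline: the most granular netmask/prefix-length wins across the buddy group.
        return max([group.prefix_len] + [g.prefix_len for g in self.buddies(group)])

    def effective_timeout(self, group: StickyGroup) -> int:
        # Guideline: the shortest timeout wins across the buddy group.
        return min([group.timeout] + [g.timeout for g in self.buddies(group)])

    def _client_key(self, group: StickyGroup, client_ip: str) -> str:
        # Buddied groups must key entries identically, so the effective prefix is used.
        net = ipaddress.ip_network(f"{client_ip}/{self.effective_prefix(group)}", strict=False)
        return str(net)

    def resolve(self, group_name: str, client_ip: str) -> str:
        """Return the rserver name the client is sent to for the given sticky group."""
        group = self.groups[group_name]
        key = self._client_key(group, client_ip)
        hit = self.entries.get((group.name, key))
        if hit is not None:
            return hit.name                          # ordinary sticky hit
        chosen = None
        for buddy_group in self.buddies(group):      # buddy lookup: follow the colour
            partner = self.entries.get((buddy_group.name, key))
            if partner is not None and partner.buddy is not None:
                same_colour = [rs for rs in self.farms[group.farm] if rs.buddy == partner.buddy]
                if same_colour:
                    chosen = same_colour[0]
                    break
        if chosen is None:
            chosen = next(self._predictor[group.farm])  # no buddy entry: normal load balancing
        self.entries[(group.name, key)] = chosen
        return chosen.name


def build_many_to_one() -> BuddyStickyTable:
    """Figure 3 topology: four first-tier web servers, two second-tier app servers."""
    web = [RealServer("web", "lnx1", "blue"), RealServer("web", "lnx2", "blue"),
           RealServer("web", "lnx3", "red"), RealServer("web", "lnx4", "red")]
    app = [RealServer("app", "db1", "blue"), RealServer("app", "db2", "red")]
    # Timeouts and prefix lengths below are constructed values, not from the release note.
    groups = [StickyGroup("web", "web", "alpha", prefix_len=32, timeout=720),
              StickyGroup("db", "app", "alpha", prefix_len=24, timeout=1440)]
    return BuddyStickyTable({"web": web, "app": app}, groups)


if __name__ == "__main__":
    table = build_many_to_one()
    for client in ("10.1.1.7", "10.1.1.8", "10.1.1.9", "10.1.1.10"):
        first = table.resolve("web", client)
        second = table.resolve("db", client)
        print(f"{client}: web -> {first}, app -> {second}")
```

Clients that the predictor sends to lnx1 or lnx2 (blue) are resolved to db1 when they reach the db sticky group, and clients sent to lnx3 or lnx4 (red) to db2, which is the behaviour the text describes for Figure 3. The effective timeout for the buddied pair is the shorter of the two (720), and both groups key their entries with the /32 prefix, since a buddy lookup can only match when both sides derive the same key from the client address.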
Displaying Buddy Sticky Group Information
The following CLI show commands have been modified to include buddy sticky group information:
• show sticky database—Command now includes the buddy keyword, which displays buddy sticky
Example
host1/Admin# show sticky database buddy
member group : red
type : IP
timeout : 720
timeout-activeconns : TRUE
sticky-entry          rserver-instance   time-to-expire   flags
---------------------+------------------+----------------+-------
250232353865662720    rs1:0              43196
Total Sticky Entries: 1
• show rserver detail—Command output now includes the buddy group associated with the real server in a particular server farm.
Example
switch/Admin# show rserver detail
rserver : rs1, type: HOST
state : OPERATIONAL (verified by arp response)
description :
maxconns : , outofrotation count :
min-conns : -
connratelimit : , outofrotation count :
bandwidthratelimit : , outofrotation count :
weight : 8
              real   weight   state         current   total
serverfarm: sf1
   10.10.10.2:0   8     OPERATIONAL   0         2
maxconns : , outofrotation count :
min-conns : -
connratelimit : , outofrotation count :
bandwidthratelimit : , outofrotation count :
total conn-failures : 0
buddy group : blue
serverfarm: sf2
   10.10.10.2:0   8     OPERATIONAL   0         0
maxconns : , outofrotation count :
min-conns : -
connratelimit : , outofrotation count :
bandwidthratelimit : , outofrotation count :
total conn-failures : 0
buddy group : red
• show serverfarm detail—Command output now includes the buddy group associated with the real servers in the server farm.
Example
switch/Admin# show serverfarm detail
serverfarm : sf1, type: HOST
total rservers : 5
active rservers: 5
description :
state : ACTIVE
predictor : ROUNDROBIN
failaction :
back-inservice : 0
partial-threshold : 0
num times failover : 1
num times back inservice : 4
total conn-dropcount : 0
              real   weight   state         current   total   failures
rserver: rs1
   10.10.10.2:0   8     OPERATIONAL   0         2       0
maxconns : , outofrotation count :
min-conns : -
connratelimit : , outofrotation count :
bandwidthratelimit : , outofrotation count :
retcode outofrotation count :
buddy group : blue
rserver: rs2
   10.10.10.3:0   8     OPERATIONAL   0         0       0
maxconns : , outofrotation count :
min-conns : -
connratelimit : , outofrotation count :
bandwidthratelimit : , outofrotation count :
retcode outofrotation count :
buddy group : red
• show stats sticky—Command output now includes the following attribute that shows the total number of sticky entries that are part of any buddy group:
– Total active buddy sticky entries
Example
host1/Admin# show stats sticky
+------------------------------------------+
+--------- Sticky statistics --------------+
+------------------------------------------+
Total sticky entries reused : 0
  prior to expiry
Total active sticky entries : 1
Total active reverse sticky entries : 0
Total active buddy sticky entries : 1
Total active sticky conns : 0
Total static sticky entries : 0
Total sticky entries from Global Pool : 1
Total insertion failures due to lack of resources : 0
• show buddy-group—New command that displays the list of buddy groups configured in the virtual context. The command syntax is as follows:
show buddy-group [group]
The optional group argument displays all server farms and associated real servers that belong to the specified buddy group.
Example
host1/Admin# show buddy-group
Buddy-Grp   Rserver     Port   Serverfarm
blue        rs1-v4      0      sf-v4-1
            rs5-v4      0      sf-v4-1
            r1          0      sf-v6-1
            r5-backup   0      sf-v6-1
            r3          0      sf-v6-2
            rs1-v4      0      sf1-main
            rs-main     0      sf2-main
            rs1-v4      0      sf2-nobuddy
Support for Static NAT IPv4-to-IPv6 and IPv6-to-IPv4 Translation
ACE software version A5(2.0) allows you to configure mixed-mode static network address translation (NAT) configurations in which the connections between the client and server use a mix of IPv4 and IPv6 addresses as follows:
• IPv4 server or source address to an IPv6 address
• IPv6 server or source address to an IPv4 address
These configuration options are in addition to the same-mode static NAT mapping options (IPv4 to IPv4 and IPv6 to IPv6) available with previous software releases, which do not support mixed-mode static NAT configurations.
The three static NAT applications for mixed mode are as follows:
• Static Destination NAT and Dynamic Source NAT—Uses a combination of static destination NAT and dynamic source NAT for mapping a mixed mode application in which the client uses IPv4 and the application server uses IPv6 (see the “Static Destination NAT and Dynamic Source NAT Mixed-Mode Application” section on page 14).
• Static Destination NAT and Static Source NAT—Use static NAT only for mapping a mixed mode application in which the client uses IPv4 and the application server uses IPv6 (see the “Static Destination NAT and Static Source NAT Mixed-Mode Application” section on page 16).
• Static NAT for a Subnet—Use static NAT to map a set of private IP addresses to a set of global IP addresses with a subnet (also referred to as the many-to-many application).
Guidelines and Restrictions
For details about configuring static NAT, see the “Configuring Static NAT and Static Port Redirection as a Policy Action” section in the Security Guide vA5(1.0), Cisco ACE Application Control Engine Guide. The information that the guide provides for configuring same-mode static NAT mapping can be used for mixed-mode configurations.
This section includes the following topics:
• Static Destination NAT and Dynamic Source NAT Mixed-Mode Application, page 14
• Static Destination NAT and Static Source NAT Mixed-Mode Application, page 16
• Static NAT for Subnets, page 16
Static Destination NAT and Dynamic Source NAT Mixed-Mode Application
This section describes how to use a combination of static destination NAT and dynamic source NAT for mapping a mixed mode application in which the client uses IPv4 and the application server uses IPv6 (see Figure 4). In this application, static destination NAT maps the server IPv6 source address to an IPv4 address and dynamic NAT translates the client IPv4 address to an IPv6 address.
Figure 4 Mixed Mode Static Destination NAT and Dynamic Source NAT Application
For this application, the two types of NAT are used as follows:
• Static Destination NAT: Maps S6 (IPv6) to S’4 (IPv4) in client side VLAN
• Dynamic Source NAT: Maps C’6 (IPv4) to S6 (IPv6) after NAT maps C4 to C’6
Example
The following example shows how to configure the ACE for the application described in this section:
access-list acl-01 line 8 extended permit ip any any
class-map match-any ANY
  2 match any
class-map match-all nat
  2 match source-address 2001:3008::1:1/128 -->Server IP address
policy-map multi-match doSrcNatANY
  class ANY -->Src NAT any traffic hitting client VLAN
    nat dynamic 10 vlan 3008
policy-map multi-match static_nat
  class nat -->Matching server IPv6
    nat static 10.8.2.1 netmask 255.255.255.255 vlan 2008 -->Mapped to IPv4 IP hosted on client VLAN 2008
access-group input acl-01
interface vlan 2008
  ip address 10.8.0.3 255.255.0.0
  alias 10.8.0.1 255.255.0.0
  peer ip address 10.8.0.2 255.255.0.0
  service-policy input doSrcNatANY -->Do src NAT on all traffic hitting the client VLAN
  no shutdown
interface vlan 3008
  ipv6 enable
  ip address 2001:3008::1/100
  ip address 192.168.0.3 255.255.0.0
  nat-pool 10 2001:3008::3:1 2001:3008::3:1/100 -->Choose one of the IP from the pool
  service-policy input static_nat -->Static NAT applied on egress/server side VLAN
  no shutdown
[Figure 4: client C4 (IPv4) connects through the ACE to server S6 (IPv6); S6 is mapped to S’4 by static NAT and C4 is mapped to C’6.]
Static Destination NAT and Static Source NAT Mixed-Mode Application
This section describes how to use static NAT for mapping a mixed mode application in which the client uses IPv4 and the application server uses IPv6 (see Figure 5). In this application, static destination NAT maps the server IPv6 source address to an IPv4 address and static source NAT translates the client IPv4 address to an IPv6 address.
Figure 5 Mixed-Mode Static NAT Application
For this application, static NAT is used as follows:
• Static Destination NAT: Maps S6 (IPv6) to S’4 (IPv4) in client side VLAN
• Static Source NAT: Maps C’6 (IPv4) to S6 (IPv6) after NAT maps C4 to C’6
Example
The following example shows how to configure the ACE for the application described in this section:
class-map match-all src_server_s6
  2 match source-address 2001:3017::1:1
class-map match-all src_client_c4
  2 match source-address 10.17.1.2 255.255.255.255
policy-map multi-match dst_nat_s6_static
  class src_server_s6
    nat static 10.17.2.1 netmask 255.255.255.255 vlan 2017
policy-map multi-match src_nat_s4_static
  class src_client_c4
    nat static 2001:3017:2017::1 vlan 3017
interface vlan 2017
  ip address 10.17.0.2 255.255.0.0
  service-policy input src_nat_s4_static
  no shutdown
interface vlan 3017
  ipv6 enable
  ip address 2002::1e11:2/112
  ip address 192.168.0.2 255.255.0.0
  service-policy input dst_nat_s6_static
  no shutdown
Static NAT for Subnets
This section describes how to use static NAT to map a set of private IP addresses to a set of global IP addresses using a subnet, which you can do in mixed mode or non-mixed mode.
[Figure 5: client C4 (IPv4) connects through the ACE to server S6 (IPv6); S’4 is mapped to S6 by static NAT and C4 is mapped to C’6.]
This static NAT application takes the host portion of the NAT IP address and appends it to the server host portion. For example, if NAT IP address 10.1.1.0 is mapped to the server host 192.168.2.0, then client 10.1.1.10 is sent to the server host as 192.168.2.10.
Guidelines and Restrictions
In a mixed mode application, the prefix length and IPv4 netmask must match. For example, if you configure the IPv4 netmask as 255.255.255.0 /24, then the IPv6 prefix length must be 120. The last octet (8 bits) is taken as the host portion for network address translation.
Example
The following example shows how to configure the ACE so that client 20.17.1.1 connects to mapped IP address 20.17.2.5 and is then translated to the destination as 2001:3017::1:5 (5 is derived from the NAT IP address):
class-map match-all src_server_s6
  2 match source-address 2001:3017::1:0/120
class-map match-all src_client_c4
  2 match source-address 20.17.1.0 255.255.255.0
policy-map multi-match dst_nat_s6_static
  class src_server_s6
    nat static 20.17.2.1 netmask 255.255.255.0 vlan 2017
policy-map multi-match src_nat_s4_static
  class src_client_c4
    nat static 2001:3017:2017::0/120 vlan 3017
interface vlan 2017
  ip address 20.17.0.2 255.255.0.0
  service-policy input src_nat_s4_static
  no shutdown
interface vlan 3017
  ipv6 enable
  ip address 2002::1e11:2/112
  ip address 30.17.0.2 255.255.0.0
  service-policy input dst_nat_s6_static
  no shutdown
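The subnet mapping described in this section (take the host portion of the address inside the NAT subnet and append it to the mapped subnet) and the mixed-mode guideline that the IPv4 netmask and IPv6 prefix length must leave the same number of host bits can be checked offline. The following Python function is an added example written for this note, not Cisco ACE code; it reproduces the 10.1.1.10 to 192.168.2.10 mapping and the 20.17.2.5 to 2001:3017::1:5 mapping from the text, and rejects a netmask/prefix-length pair whose host portions differ, which is the configuration error the guideline warns about. Subnet and address values are the ones in this section; the function and helper names are this example's own.

```python
"""Worked model of ACE static subnet NAT host-portion mapping.

Constructed example for this release note, not Cisco ACE code. It reuses the
subnet values from the "Static NAT for Subnets" section.
"""
import ipaddress
from typing import Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def netmask_to_prefix(netmask: str) -> int:
    """Convert a dotted IPv4 netmask such as 255.255.255.0 to its prefix length (24)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def required_ipv6_prefix(ipv4_netmask: str) -> int:
    """Mixed mode requires equal host portions: a /24 IPv4 netmask pairs with /120 on IPv6."""
    host_bits = 32 - netmask_to_prefix(ipv4_netmask)
    return 128 - host_bits


def static_subnet_nat(address: str, nat_subnet: str, mapped_subnet: str) -> str:
    """Translate `address` in `nat_subnet` to the same host offset inside `mapped_subnet`.

    Raises ValueError when the two subnets leave a different number of host bits
    (the mixed-mode guideline) or when the address lies outside the NAT subnet.
    """
    addr: IPAddress = ipaddress.ip_address(address)
    nat = ipaddress.ip_network(nat_subnet, strict=False)       # host bits of the NAT IP ignored
    mapped = ipaddress.ip_network(mapped_subnet, strict=False)
    nat_host_bits = nat.max_prefixlen - nat.prefixlen
    mapped_host_bits = mapped.max_prefixlen - mapped.prefixlen
    if nat_host_bits != mapped_host_bits:
        raise ValueError(f"host portion mismatch: /{nat.prefixlen} vs /{mapped.prefixlen}")
    if addr not in nat:  # also false for a version mismatch (IPv4 address, IPv6 subnet)
        raise ValueError(f"{address} is not within {nat}")
    host_offset = int(addr) - int(nat.network_address)          # host portion of the address
    return str(ipaddress.ip_address(int(mapped.network_address) + host_offset))


if __name__ == "__main__":
    # Same-mode example from the text: 10.1.1.0 mapped to 192.168.2.0.
    print(static_subnet_nat("10.1.1.10", "10.1.1.0/24", "192.168.2.0/24"))
    # Mixed-mode example from the text: server side 2001:3017::1:0/120 reached as 20.17.2.0/24.
    print(static_subnet_nat("20.17.2.5", "20.17.2.1/24", "2001:3017::1:0/120"))
    # Client side: 20.17.1.0/24 translated to 2001:3017:2017::0/120.
    print(static_subnet_nat("20.17.1.1", "20.17.1.0/24", "2001:3017:2017::0/120"))
    print("IPv6 prefix required for 255.255.255.0:", required_ipv6_prefix("255.255.255.0"))
```

The destination translation of 20.17.2.5 follows the server-side `nat static 20.17.2.1 netmask 255.255.255.0` statement in reverse: the /24 netmask leaves 8 host bits, so the IPv6 class map must be a /120 for the host portion (5) to carry across unchanged.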
Support for DNS IPv4-to-IPv6 and IPv6-to-IPv4 Load Balancing with Inspection
ACE software version A5(2.0) supports Domain Name System (DNS) inspection when using mixed-mode dynamic source network address translation (NAT), which performs NAT using the following combinations of IPv4 and IPv6 connection types:
• IPv4 client connects to an IPv4 VIP and is load balanced to an IPv6 real server
• IPv6 client connects to an IPv6 VIP and is load balanced to an IPv4 real server
In both cases, the ACE translates the client address to an address in the NAT pool that matches the real server type and translates the VIP to the real server address.
Previous software releases support DNS inspection only when using same-mode dynamic source NAT in which NAT is performed on applications that use either IPv4 or IPv6 for all connections.
Guidelines and Restrictions
• ACE software version A5(2.0) does not support a static NAT configuration for a DNS payload translation that requires a DNS Record type conversion, which is the process of converting an A record type to AAAA or AAAA to A. Because DNS record type conversion is not supported, the following related items are also not supported:
– Record type conversion, which is required for translating an IPv4 address to IPv6 and IPv6 to IPv4 in the DNS payload.
Note ACE software version A5(2.0) does support static NAT translations of the same type (IPv4 to IPv4 or IPv6 to IPv6) in the DNS payload.
– DNS64 because DNS record type conversion is required.
• For details about configuring static NAT, see the “Configuring Dynamic NAT and PAT” section in the Security Guide vA5(1.0), Cisco ACE Application Control Engine Guide. The information that the guide provides for configuring same-mode static NAT mapping can be used for mixed-mode configurations.
Example
The following example shows a mixed-mode dynamic source NAT configuration in which DNS inspection is enabled using the inspect dns command:
access-list acl-01 line 8 extended permit ip any any
access-list acl-v6 line 8 extended permit ip anyv6 anyv6

rserver host v4-rs-01
  ip address 10.10.1.1
  inservice
rserver host v4-rs-02
  ip address 10.10.1.2
  inservice
rserver host v4-rs-03
  ip address 10.10.1.3
  inservice
rserver host v4-rs-04
  ip address 10.10.1.4
  inservice
rserver host v6-rs-01
  ip address 2002::1e11:101
  inservice
rserver host v6-rs-02
  ip address 2002::1e11:102
  inservice
rserver host v6-rs-03
  ip address 2002::1e11:103
  inservice
rserver host v6-rs-04
  ip address 2002::1e11:104
  inservice

serverfarm host mixed-farm
  rserver v4-rs-01
    inservice
  rserver v6-rs-01
    inservice

serverfarm host v4-sf-01
  rserver v4-rs-01
    inservice
  rserver v4-rs-02
  rserver v4-rs-03
  rserver v4-rs-04

serverfarm host v6-sf-01
  rserver v6-rs-01
    inservice
  rserver v6-rs-02
  rserver v6-rs-03
  rserver v6-rs-04

class-map match-any v4-vip-traffic-01
  2 match virtual-address 172.16.2.1 udp eq domain
class-map match-any v4-vip-traffic-02
  2 match virtual-address 172.16.2.2 udp eq domain
class-map match-any v6-vip-traffic-01
  2 match virtual-address 2002::1411:201 udp eq domain
class-map match-any v6-vip-traffic-02
  2 match virtual-address 2002::1411:202 udp eq domain

policy-map type management first-match mgmt
  class class-default
    permit
policy-map type management first-match mgmt2
  class class-default-v6
    permit

policy-map type loadbalance first-match mixed-dns-pol
  class class-default
    serverfarm mixed-farm
policy-map type loadbalance first-match v4-dns-pol-01
  class class-default
    serverfarm v4-sf-01
policy-map type loadbalance first-match v6-dns-pol-01
  class class-default
    serverfarm v6-sf-01

policy-map multi-match v4-vip-pol-01
  class v4-vip-traffic-01
    loadbalance vip inservice
    loadbalance policy v4-dns-pol-01
    loadbalance vip icmp-reply
    inspect dns
policy-map multi-match v4_to_mixed-vip
  class v4-vip-traffic-02
    loadbalance vip inservice
    loadbalance policy mixed-dns-pol
    loadbalance vip icmp-reply
    nat dynamic 2 vlan 3017
    inspect dns
policy-map multi-match v6-vip-pol-01
  class v6-vip-traffic-01
    loadbalance vip inservice
    loadbalance policy v6-dns-pol-01
    loadbalance vip icmp-reply
    inspect dns
policy-map multi-match v6_to_mixed-vip
  class v6-vip-traffic-02
    loadbalance vip inservice
    loadbalance policy mixed-dns-pol
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 3017
    inspect dns

service-policy input mgmt
service-policy input mgmt2
access-group input acl-01
access-group input acl-v6

interface vlan 2017
  ipv6 enable
  ip address 2002::1411:2/112
  alias 2002::1411:1/112
  peer ip address 2002::1411:3/112
  ip address 172.16.0.2 255.255.0.0
  alias 172.16.0.1 255.255.0.0
  peer ip address 172.16.0.3 255.255.0.0
  service-policy input v4-vip-pol-01
  service-policy input v6-vip-pol-01
  service-policy input v4_to_mixed-vip
  service-policy input v6_to_mixed-vip
  no shutdown

interface vlan 3017
  ipv6 enable
  ip address 2002::1e11:2/112
  alias 2002::1e11:1/112
  peer ip address 2002::1e11:3/112
  ip address 192.168.0.2 255.255.0.0
  alias 192.168.0.1 255.255.0.0
  peer ip address 192.168.0.3 255.255.0.0
  nat-pool 1 2002::1e11:a 2002::1e11:f/128
  nat-pool 1 192.168.0.150 192.168.0.150 netmask 255.255.255.255
  nat-pool 2 2002::1e11:10 2002::1e11:15/128
  nat-pool 2 192.168.0.160 192.168.0.160 netmask 255.255.255.255
  no shutdown
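The guideline above draws a line between same-type payload translation (A to A, AAAA to AAAA), which is supported, and record type conversion (A to AAAA or AAAA to A), which A5(2.0) does not support. The following Python is an added example, not Cisco code: it builds a constructed DNS response, parses the answer section to find the record types it carries, and reports whether rewriting that response for a client of the other address family would need the unsupported conversion. It is a way to classify a DNS reply before relying on mixed-mode inspection, not a description of how the ACE itself inspects DNS; the function names and the sample message are assumptions.

```python
import struct

QTYPE_A, QTYPE_AAAA = 1, 28   # DNS record types for IPv4 and IPv6 addresses


def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_dns_response(name, rrtype, rdata, txid=0x1234):
    """Construct a minimal DNS response (one question, one answer). Sample data only."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA; 1 question, 1 answer
    question = encode_name(name) + struct.pack("!HH", rrtype, 1)
    # Answer name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rrtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) DNS name starting at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def answer_types(msg):
    """Return the RR types carried in the answer section of a DNS message."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4              # skip QTYPE and QCLASS
    types = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rrtype, _, _, rdlength = struct.unpack("!HHIH", msg[pos:pos + 10])
        types.append(rrtype)
        pos += 10 + rdlength
    return types


def record_type_conversion_required(types, client_is_ipv6):
    """True when serving this answer to the client would need an A<->AAAA record
    type change (not supported in A5(2.0)); same-type translation needs no change."""
    wanted = QTYPE_AAAA if client_is_ipv6 else QTYPE_A
    return any(t in (QTYPE_A, QTYPE_AAAA) and t != wanted for t in types)


if __name__ == "__main__":
    # Constructed reply for an IPv4 real server from the example above.
    reply = build_dns_response("www.example.com", QTYPE_A, bytes([10, 10, 1, 1]))
    print(answer_types(reply))                                            # [1]
    print(record_type_conversion_required(answer_types(reply), True))    # True: IPv6 client would need AAAA
    print(record_type_conversion_required(answer_types(reply), False))   # False: same-type, supported
```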
Maintain a Full Proxy Connection During a TCP Handshake Mismatch
ACE software version A5(2.0) allows the ACE to splice together the client front-end and the server back-end connections when the ACE is proxying Layer 7 traffic flow and the negotiated front-end and back-end TCP handshakes do not match. Previous software releases do not have this option and drop connections in which the TCP handshakes do not match.
When the ACE is proxying Layer 7 flow, it completes the front-end TCP handshake before it initiates the back-end handshake. This process can cause issues for TCP options that are negotiated or specified during the TCP handshake. The ACE does provide the option of specifying the TCP handshake values in a connection parameter map but this method is not scalable as it needs to be defined per connection and it is difficult to predict these values as it requires significant coordination between the application, networking, and security teams. A mismatch in maximum segment size (MSS) and other TCP parameters results in slow or broken connections.
The parameter-map type connection configuration mode command now includes the full-proxy-mss-mismatch command option that configures the ACE to force a connection to maintain full proxy when there is an MSS mismatch between the front-end and back-end connections.
When an MSS mismatch occurs, the ACE generates a syslog that provides information on why the ACE had to force a proxy connection due to an MSS mismatch. The ACE now also includes a counter that tracks the number of MSS mismatches, which you can display using the show np 1 me-stat -stcp command.
Guidelines and Restrictions
For details about using the CLI to create a parameter map for a TCP connection, see the “Creating a Connection Parameter Map for TCP/IP, UDP, and ICMP” section in the Security Guide vA5(1.0), Cisco ACE Application Control Engine.
Examples
The following example shows how to use the CLI to create a connection parameter map (TCP_MISMATCH) that enables the TCP handshake mismatch feature:
switch/admin(config)# parameter-map type connection TCP_MISMATCH
switch/admin(config-parammap-conn)# full-proxy-mss-mismatch
The following example shows how to use the show np 1 me-stat -stcp command to display how many MSS mismatches have occurred:
host1/admin# show np 1 me-stat -stcp
TCP Statistics: (Current)
---
TCP RX Messages received:
TCP TX Messages received:
. . .
MSS mismatch counter:
Support for a Wildcard KAL-AP GSS IP Address
ACE software version A5(2.0) allows you to configure the ACE with a wildcard KAL-AP Cisco Global Site Selector (GSS) IP address (0.0.0.0) to establish a secure communications channel between the ACE and multiple GSS devices that use the same MD5 encryption secret. With previous software releases, you must create a separate KAL-AP for each GSS IP address even when all or a set of GSS devices in a cluster use the same MD5 encryption secret.
To enable secure KAL-AP, you configure the IP address of the GSS and the shared secret using the ip address command in KAL-AP UDP configuration mode. Use the no form of this command to remove the IP address and the shared secret from the configuration.
ip address ip_address encryption md5 secret
no ip address ip_address
The arguments are as follows:
• ip_address—GSS IP address. Enter the IP address using dotted-decimal notation (for example, 192.168.11.1). Use the 0.0.0.0 wildcard value when multiple GSS devices in a cluster use the same secret.
• secret—Shared secret between the GSS and the ACE. Enter the shared secret as a case-sensitive string with no spaces and a maximum of 31 alphanumeric characters.
Guidelines and Restrictions
• The ACE supports KAL-AP using IPv4 only.
– All GSS devices in the cluster use a secure channel for a KAL-AP message exchange with the ACE. Do not use the wildcard IP address if any GSS in the cluster uses an insecure channel.
– All or a set of GSS devices in the cluster use the same MD5 secret.
Note You can only use the wildcard IP address for one set of GSS devices that use the same MD5 secret. You must configure all other GSS devices individually for KAL-AP.
• When using the no form of the command to remove a KAL-AP IP address, using the wildcard IP address removes only those VIPs that use the secret associated with the wildcard value. KAL-AP IP addresses that were defined using a specific GSS IP address remain and must be removed individually.
• For details about using the CLI to configure a secure KAL-AP, see the “Configuring Secure KAL-AP” section in the Server Load-Balancing Guide vA5(1.0), Cisco ACE Application Control Engine.
Examples
The following example shows how to configure a secure KAL-AP on the ACE using the wildcard IP address (0.0.0.0) for all GSS devices that use the secret “andromeda”:
host1/admin(config)# kalap udp
host1/admin(config-kalap-udp)# ip address 0.0.0.0 encryption md5 secret andromeda
The following example shows how to configure a secure KAL-AP on the ACE using a specific GSS IP address (192.168.11.1):
host1/admin(config)# kalap udp
host1/admin(config-kalap-udp)# ip address 192.168.11.1 encryption md5 secret andromeda2
To disable the secure KAL-AP for all GSS devices that use the secret associated with the wildcard IP address (in this example, andromeda), enter:
host1/admin(config-kalap-udp)# no ip address 0.0.0.0
SSL Probe Configuration Option for Ignoring the Certificate Expiration Date
ACE software version A5(2.0) allows you to configure an SSL probe to ignore the certificate expiration date, which allows the ACE to establish the connection even when the SSL certificate has expired. Previous software releases do not provide this option. The ssl command in HTTPS probe configuration mode now includes the certificate-expiration ignore option that configures the probe to ignore the SSL certificate expiration date. The output of the show probe probe_name detail command now includes the state of the certificate expiration ignore setting.
Guidelines and Restrictions
For more information about using the CLI to configure an SSL probe, see the “Configuring an HTTPS Probe” section in the Server Load-Balancing Guide vA5(1.0), Cisco ACE Application Control Engine.
Examples
The following example shows how to configure an SSL probe that ignores the certificate expiration date:
host1/admin(config)# probe https ssl_probe
host1/admin(config-probe-https)# ssl certificate-expiration ignore
The following example shows how to display the probe details, including the state of the certificate expiration ignore setting:
host1/admin# show probe ssl_probe detail
probe       : ssl_probe
type        : HTTPS
state       : INACTIVE
description :
   port      : 443      address     : 0.0.0.0     addr type  : -
   interval  : 15       pass intvl  : 60          pass count : 3
   fail count: 3        recv timeout: 10
   SSL version           : All
   SSL cipher            : RSA_ANY
   SSL certificate-check : Ignore
   http method      : GET
   http url         : /
   conn termination : GRACEFUL
   expect offset    : 0        , open timeout : 1
   regex cache-len  : 0
   expect regex     :
   send data        :
   probe results
   associations ip-address port porttype probes failed passed health
   ------------+----------+----+--------+------+------+------+------
Support for Additional Syslog Logging Hosts
ACE software version A5(2.0) allows you to specify up to four hosts (the syslog servers) to receive the syslog messages sent by the ACE. Previous software releases allow you to specify a maximum of two syslog servers.
To configure the ACE with a syslog server, you use the logging host command in configuration mode. To specify additional syslog servers, repeat the command for each server. To remove a syslog server, use the no form of the command.
Guidelines and Restrictions
• On an ACE module, you can enable a maximum of 256 syslog servers across all contexts. That is, if each context has four syslog servers, then you can configure only 64 such contexts; you cannot add a syslog server for the 65th context.
• For more information about using the CLI to configure the ACE with syslog logging hosts, see the “Sending Syslog Messages to a Syslog Server” section in the System Message Guide vA5(1.0), Cisco ACE Application Control Engine.
Examples
The following example shows how to use the CLI to configure the ACE with a syslog server:
host1/Admin(config)# logging host 192.168.10.1 tcp/1025 format emblem default-udp
The following example shows how to use the CLI to remove a syslog server:
host1/Admin(config)# no logging host 192.168.10.1
Support for SSL Session ID Stickiness
ACE software version A5(2.0) allows you to configure SSL session ID stickiness using the new SSL sticky and HTTPS policy map features. Previous software releases require a more involved process to configure SSL session ID stickiness in which you configure a generic protocol-parsing policy and a sticky group of type layer-4-payload with attributes configured to locate the SSL session ID inside the payload.
To configure SSL session ID stickiness using ACE software version A5(2.0), the sticky command has been modified to include the ssl option and the policy-map type loadbalance command has been modified to include the https option. After creating the SSL sticky, you apply it to an HTTPS policy map.
This section includes the following topics:
• Using the Modified sticky Command for SSL Session ID Stickiness
• Using the Modified policy-map type loadbalance Command for SSL Session ID Stickiness
Using the Modified sticky Command for SSL Session ID Stickiness
The modified syntax of the sticky configuration mode command is as follows:
sticky {http-content | http-cookie | http-header | ip-netmask | layer4-payload | radius | rtsp-header | sip-header | ssl | v6-prefix} name
no sticky {http-content | http-cookie | http-header | ip-netmask | layer4-payload | radius | rtsp-header | sip-header | ssl | v6-prefix} name
The ssl keyword has been added for configuring a sticky that is based on the SSL session ID. When you enter this command, the prompt changes to the sticky SSL content configuration mode
(config-sticky-content) where you use the commands listed in Table 1 to define the SSL sticky attributes.
Table 1 Sticky SSL Content Configuration Mode Commands

Command / Description

length id_length
    Specifies the number of bytes in the SSL ID to parse. For the id_length argument, enter a value from 1 to 65535. The default is 32 bytes.

replicate sticky
    Instructs the ACE to replicate SSL content sticky table entries on the standby ACE.

response sticky
    Enables the sticky for response.

serverfarm server_farm
    Specifies a server farm entry for the sticky group. For the argument, enter a unique server farm identifier using an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.

static ssl-id ssl_id
    Defines the static SSL session ID string. For the ssl_id argument, enter the SSL ID ASCII or hex string (for hex: \xstring). The maximum string length is 255 characters.

timeout {timeout | activeconns}
    Configures the SSL sticky timeout as follows:
    • timeout—Specifies the number of minutes that the ACE remembers the last real server to which a client made a sticky connection. Enter a value from 1 to 65535. The default timeout value is 1440 minutes (24 hours).
    • activeconns—Specifies that sticky entries are timed out when the sticky timer expires even if there are active connections.

Guidelines and Restrictions
• By default, the SSL sticky offset is set to 43 bytes and the begin pattern is set to \x20|\x00\xST.
• To display the SSL sticky statistics, the show sticky database command now includes the ssl session_id keyword and argument options.
• After creating the SSL sticky, you must apply it to an HTTPS policy map (see the “Using the Modified policy-map type loadbalance Command for SSL Session ID Stickiness” section).
• For more information about using the CLI to configure stickiness, see the “Configuring Stickiness” chapter in the Server Load-Balancing Guide vA5(1.0), Cisco ACE Application Control Engine.
Examples
The following example shows how to create an SSL sticky (SSL_STICKY) and configure its attributes:
host1/Admin(config)# sticky ssl SSL_STICKY
host1/Admin(config-sticky-ssl)# length 125
host1/Admin(config-sticky-ssl)# serverfarm SERVERFARM_SSL
host1/Admin(config-sticky-ssl)# timeout 720
The following example shows how to remove an SSL sticky:
host1/Admin(config)# no sticky ssl SSL_STICKY
Using the Modified policy-map type loadbalance Command for SSL Session ID Stickiness
The modified syntax of the policy-map type loadbalance configuration mode command is as follows:
policy-map type loadbalance {first-match | generic | http | https | radius | rdp | rtsp | sip}
The https keyword has been added for configuring a policy map for a sticky that is based on the SSL session ID. The complete syntax for the command when using the https keyword is as follows:
policy-map type loadbalance https first-match map_name
where map_name is the policy map name. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
When you enter this command, the prompt changes to the policy map loadbalance HTTPS configuration mode (config-pmap-lb-https) where you use the following procedure to configure the policy map with the match condition and sticky server farm:

Step 1  Command: match name source-address
        Example:
        host1/Admin(config-pmap-lb-https)# match HTTPS source-address
        Purpose: Specifies the source address as the inline match condition, which is the only inline match condition required for SSL session parsing. Enter an unquoted text string with no spaces. The length of the inline match statement name plus the length of the policy map name with which it is associated cannot exceed a total maximum of 64 alphanumeric characters. For example, if the policy map name is L7_POLICY (nine characters), an inline match statement name under this policy cannot exceed 55 alphanumeric characters (64 - 9 = 55).

Step 2  Command: class class-default
        Example:
        host1/Admin(config-pmap-lb-https)# class class-default
        Purpose: Enters the policy map load balancing HTTPS class configuration mode. The class-default is the only class option available because it is the only class required for SSL session parsing.

Step 3  Command: sticky-serverfarm sfarm_name
        Example:
        host1/Admin(config-pmap-lb-https-c)# sticky-serverfarm SERVERFARM_SSL
        Purpose: Specifies the sticky server farm associated with the SSL sticky group (see the “Using the Modified sticky Command for SSL Session ID Stickiness” section).

Guidelines and Restrictions
For more information about using the CLI to create a policy map, see the “Configuring Traffic Policies for Server Load Balancing” chapter in the Server Load-Balancing Guide vA5(1.0), Cisco ACE Application Control Engine.
Examples
The following example shows how to configure an HTTPS policy map to include the server farm (SERVERFARM_SSL) associated with the SSL sticky (SSL_STICKY) created in the previous section:
host1/Admin(config)# policy-map type loadbalance https first-match PMAP_HTTPS
host1/Admin(config-pmap-lb-https)# match HTTPS source-address
host1/Admin(config-pmap-lb-https)# class class-default
host1/Admin(config-pmap-lb-https-c)# sticky-serverfarm SERVERFARM_SSL
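The default SSL sticky offset of 43 bytes noted in the guidelines for the sticky command corresponds to the position of the session ID length byte in a TLS ClientHello record: 5 bytes of record header, 4 bytes of handshake header, 2 bytes of client version and 32 bytes of random precede it, and that byte is 0x20 when the client offers a 32-byte session ID and 0x00 when it offers none. The following Python is an added example, not Cisco code and not the ACE's parser: it constructs a minimal ClientHello, reads the session ID at that offset, honours a configurable parse length like the length command in Table 1, and returns nothing when the client sends no session ID, the case in which no sticky entry can be matched. The builder, function names and the fixed random bytes are assumptions of this example.

```python
import struct

SESSION_ID_OFFSET = 43   # default SSL sticky offset from the guidelines above
DEFAULT_ID_LENGTH = 32   # default of the length command in Table 1


def build_client_hello(session_id, client_version=b"\x03\x03"):
    """Construct a minimal TLS ClientHello record (sample data, not a capture).
    Byte layout in front of the session ID:
      0..4   record header: type 0x16 (handshake), version, length
      5..8   handshake header: type 0x01 (ClientHello), 3-byte length
      9..10  client_version
      11..42 random (32 bytes)
      43     session_id length  <- the 43-byte offset
      44..   session_id"""
    body = (client_version
            + bytes(range(32))                      # random; fixed here, never do this for real
            + bytes([len(session_id)]) + session_id
            + b"\x00\x02\x00\x2f"                    # cipher_suites: one suite
            + b"\x01\x00")                           # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_session_id(record, offset=SESSION_ID_OFFSET, id_length=DEFAULT_ID_LENGTH):
    """Return the session ID the sticky would key on, or None when there is none.
    A length byte of 0x00 means the client offered no session ID (first visit or a
    client that never resumes), so there is nothing to look up in the sticky table."""
    if len(record) <= offset or record[0] != 0x16 or record[5] != 0x01:
        return None                                  # not a ClientHello handshake record
    id_len = record[offset]
    if id_len == 0:
        return None
    session_id = record[offset + 1:offset + 1 + id_len]
    if len(session_id) != id_len:
        return None                                  # truncated record, do not trust it
    return session_id[:id_length]                    # parse only the configured length


if __name__ == "__main__":
    sample_id = bytes(range(0xA0, 0xC0))             # constructed 32-byte session ID
    hello = build_client_hello(sample_id)
    print(hex(hello[SESSION_ID_OFFSET]))             # 0x20
    print(extract_session_id(hello) == sample_id)    # True
    print(extract_session_id(build_client_hello(b"")))   # None
```

Clients that negotiate TLS 1.3 or use session tickets may send a session ID that is not tied to a cached session, so a sticky keyed on this field distributes such clients as if each handshake were new.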
Support for the ACE No Payload Encryption Software Version
With ACE software Version A5(2.0), Cisco makes available the following two ACE software versions:
• ACE Payload Encryption (PE)—CLI commands related to payload encryption protocols are enabled. The ACE uses the payload encryption protocols, such as SSL, to encrypt through-the-box traffic. The ACE PE software version contains the same payload encryption functionality found in previous ACE software versions.
• ACE No Payload Encryption (NPE)—CLI commands related to payload encryption protocols are either removed or do not function because the key encryption configuration commands have been removed. The new ACE NPE software version supports customers located in countries where the United States has imposed export restrictions on crypto functions. Without the use of payload encryption protocol commands, you cannot configure the ACE to perform data encryption tasks, such as configuring it as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination.
Note Modifications made to the ACE NPE software version do not affect management protocols, such as SSH, which is required to access the Device Manager GUI.
Table 2 lists the CLI commands that are removed from the ACE A5(2.0) NPE software version.
Table 2 Commands Removed from the ACE A5(2.0) NPE Software Version

CLI Mode: Exec
host1/Admin#
Removed commands:
• crypto {delete | export | generate csr | import | verify}

CLI Mode: Config
host1/Admin(config)#
(accessed using the config command from Exec mode)
Removed commands:
• ssl-proxy service name
  Removal of this command also removes the following related SSL proxy configuration mode commands:
  – authgroup
  – cert
  – chaingroup
  – crl
  – key
  – ocspserver
  – revcheckprio
  – ssl
• probe https name
Table 3 lists the CLI commands that are either not functioning or are modified as a result of the commands removed from the ACE A5(2.0) NPE software version (see Table 2).
Table 3 Non-Functioning or Modified Commands in the ACE A5(2.0) NPE Software Version

CLI Mode: Exec
host1/Admin#
Non-functioning commands:
• backup exclude ssl-files
• clear stats crypto [client | server [alert | authentication | cipher | termination]]
• debug cfgmgr sslstats
• restore [all] disk0:archive_filename exclude ssl-files [licenses]
• show cfgmgr internal table ssl-proxy [all | context | detail]
• show crypto {aia-errors | authgroup | cdp-errors | certificate | chaingroup | crl | csr-params | files | key | ocspserver | session}
• show ip https
• show np 1 me-stats ucdump_option
  where ucdump_option is one of the following:
  – F
  – A
  – a
• show stats crypto {client [alert | authentication | cipher | termination] | server [alert | authentication | cipher | insert | redirect | termination]}
• show stats probe type https
Modified commands:
• show license status: Command output does not contain the SSL transactions per second listing.
• show resource usage resource rate ssl-connections counter [all | current | denied | peak]: Command output

CLI Mode: Config
host1/Admin(config)#
(accessed using the config command from Exec mode)
Non-functioning commands:
• access-list name extended {permit | deny} tcp {ipv4_address | ipv6_address | any | anyv6 | host | object-group} {any | eq | gt | host | lt | neq | object-group | range} {ldaps | https}
• ip https certificate cert key
• parameter-map type ssl name
  Removal of this command also removes the following related SSL parameter map configuration mode commands:
  – authentication failure
  – cdp-error ignore
  – cipher
  – close-protocol
  – expired-crl reject
  – purpose-check disabled
  – queue-delay timeout
  – rehandshake enabled
  – session-cache timeout
  – version

CLI Mode: Action list modify
host1/Admin(config-actlist-modify)#
(accessed using the action-list type modify http name command)
Non-functioning commands:
• ssl header-insert {client-cert specific_field | server-cert specific_field | session specific_field} [prefix prefix_string | rename new_field_name]
• ssl url rewrite location expression [clearport number] [sslport number]

CLI Mode: Policy map class
host1/Admin(config-pmap-c)#
(accessed using the policy-map type multi-match name command from config mode and then the class name command from the policy map mode)
Non-functioning commands:
• nat static [ipv6_address/prefix_length | ipv4_address netmask mask] tcp eq https vlan number
• ssl-proxy server name

CLI Mode: Policy map class
host1/Admin(config-pmap-c)#
(accessed using the policy-map type first-match name command from config mode and then the class name command from the policy map mode)
Non-functioning commands:
• ssl-proxy server name
Table 3 Non-Functioning or Modified Commands in the ACE A5(2.0) NPE Software Version (continued)

CLI Mode: Policy map load balancing HTTP class
host1/Admin(config-pmap-lb-c)#
(accessed using the class name command from policy map load balancing HTTP config mode)
Non-functioning commands:
• ssl-proxy client

CLI Mode: Class map HTTP load balancing
host1/Admin(config-cmap-http-lb)#
(accessed using the class-map type http loadbalance match-any name command from config mode)
Non-functioning commands:
• match cipher {equal-to | less-than} cipher

CLI Mode: Role configuration
host1/Admin(config-role)#
(accessed using the role name command from config mode)
Non-functioning commands:
• rule number {permit | deny} {create | debug | modify | monitor} feature {pki | ssl}

Support for Creation of RDP Parameter Maps
The Microsoft Remote Desktop Protocol (RDP) provides users with remote display and input capabilities over network connections for Windows-based applications running on a terminal server. In a load-balancing configuration, the ACE distributes incoming session connections across the terminal servers in a server farm according to the load-balancing method configured on the server farm. For background on RDP load balancing as performed by the ACE, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
Per CSCua04753, the ACE now supports the use of a parameter map for RDP load-balancing connections. By default, if the real server that matches the routing token information in the RDP packet from the client is DOWN, the connection is reset and the RDP packet is dropped. By configuring routing-token-rebalance under an RDP-type parameter map and applying that parameter map to a VIP, RDP packets are not dropped when the real server that matches the routing token information is DOWN; instead, the connection is redirected to another server.
The following topics describe how to define an RDP parameter map and associate it with a server load-balancing policy map:
• Configuring an RDP Parameter Map
• Defining a Description to the RDP Parameter Map
• Enabling Routing Token Rebalance in the RDP Parameter Map
• Associating the RDP Parameter Map with a Layer 3 and Layer 4 Network Traffic Policy Map
Configuring an RDP Parameter Map
The parameter-map type rdp command creates an RDP-type parameter map. After you create the parameter map, you configure settings in RDP parameter map configuration mode. You then reference this parameter map in the policy map using the appl-parameter rdp advanced-options command. The syntax of the parameter-map type rdp configuration mode command is as follows:
parameter-map type rdp name
The name argument specifies the name assigned to the RDP parameter map. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to create an RDP-type parameter map called RDP_MAP, enter:
host1/Admin(config)# parameter-map type rdp RDP_MAP
host1/Admin(config-parammap-rdp)#
To remove the RDP parameter map, use the no form of this command.
Defining a Description to the RDP Parameter Map
You can provide a brief summary of the RDP parameter map by using the description command in RDP parameter map configuration mode. The syntax of this command is as follows:
description text
For the text argument, enter an unquoted text string with a maximum of 240 alphanumeric characters including spaces.
For example, to specify a description of an RDP parameter map, enter the following command:
host1/Admin(config-parammap-rdp)# description Remote Desktop Protocol parameter map
To remove the description from the RDP parameter map, enter:
host1/Admin(config-parammap-rdp)# no description
Enabling Routing Token Rebalance in the RDP Parameter Map
You enable the routing-token-rebalance function in the RDP parameter map by using the routing-token-rebalance command in RDP parameter map configuration mode. There are no arguments for this command.
For example, enter the following command:
host1/Admin(config-parammap-rdp)# routing-token-rebalance
To remove the routing-token-rebalance command from the RDP parameter map, enter:
Associating the RDP Parameter Map with a Layer 3 and Layer 4 Network Traffic Policy Map
You associate the RDP parameter map with a Layer 3 and Layer 4 network traffic policy map by using the appl-parameter rdp advanced-options command in policy-map class configuration mode.
Note For details on configuring a Layer 3 and Layer 4 policy map for network traffic, see the Server Load-Balancing Guide, Cisco ACE Application Control Engine.
The syntax of this command is as follows:
appl-parameter rdp advanced-options name
The name argument identifies the existing RDP parameter map.
For example, to specify the appl-parameter rdp advanced-options command as an action for the network traffic policy map, enter:
host1/Admin(config)# policy-map multi-match L4SLBPOLICY
host1/Admin(config-pmap)# class FILTERRDP
host1/Admin(config-pmap-c)# appl-parameter rdp advanced-options RDP_MAP
To disassociate the RDP parameter map as an action from the network traffic policy map, enter:
host1/Admin(config-pmap-c)# no appl-parameter rdp advanced-options RDP_MAP
Ability to Enable Regular Expression Download Optimization
When you perform a number of configuration changes while traffic is running, either administrative tasks such as putting a real server inservice and out-of-service, or Layer 7 configuration changes such as modifying one or more class maps within a policy, these changes may result in traffic hitting an incorrect policy and being sent to the incorrect server farm. In this case, the HTTP regex tree gets recompiled and downloaded after every configuration change even if the change is limited to inservice/no inservice of a real server which does not alter the HTTP regex tree.
Per CSCtz37625, the ACE now displays the hidden command limit-regex-dnld enable in configuration mode to enable regular expression download optimization. When you specify the limit-regex-dnld enable command, the HTTP regex tree is not recompiled and downloaded when performing processes such as putting a real server inservice and out-of-service. This feature is disabled by default.
To view information related to the regex download optimization status, the show download information command has been added to software version A5(2.0).
switch/Admin# show download information
context: Admin
Regex download optimization status: ENABLED
Interface   Download-status
200         Completed
165         Completed
1006        Completed