6-70
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
Chapter 6 Configuring Real Servers and Server Farms
Configuring Secure KAL-AP
Step 3 Click Update Details to refresh the output for the show probe name detail CLI command.
Step 4 Click Close to return to the Health Monitoring table.
Related Topic
• Configuring Health Monitoring for Real Servers, page 6-41
Configuring Secure KAL-AP
A keepalive-appliance protocol (KAL-AP) on the ACE allows communication between the ACE and the
Global Site Selector (GSS), which sends KAL-AP requests, to report the server states and loads for
global-server load-balancing (GSLB) decisions. The ACE uses KAL-AP through a UDP connection to
calculate weights and provide information for server availability to the KAL-AP device. The ACE acts
as a server and listens for KAL-AP requests. When KAL-AP is initialized on the ACE, the ACE listens
on the standard 5002 port for any KAL-AP requests. You cannot configure any other port.
The ACE supports secure KAL-AP for MD5 encryption of data between it and the GSS. For encryption,
you must configure a shared secret as a key for authentication between the GSS and the ACE context.
When configuring KAL-AP, you can use the wildcard KAL-AP GSS IP address (0.0.0.0) to establish
a secure communications channel between the ACE and multiple GSS devices that use the same MD5
encryption secret.
Use this procedure to configure secure KAL-AP associated with a virtual context.
Assumptions
• You have created a virtual context that specifies the Keepalive Appliance Protocol over UDP.
• You have enabled KAL-AP on the ACE by configuring a management class map and policy map,
and applying it to the appropriate interface.
Guidelines and Restrictions
Use the following guidelines and restrictions when using the 0.0.0.0 wildcard KAL-AP GSS IP address:
• Use the wildcard IP address when both of the following conditions exist:
  – All GSS devices in the cluster use a secure channel for KAL-AP message exchange with the ACE.
    Do not use the wildcard IP address if any GSS in the cluster uses an unsecure channel.
  – All or a set of GSS devices in the cluster use the same MD5 secret.
  Note You can only use the wildcard VIP address for one set of GSS devices that use the same
  MD5 secret. You must configure all other GSS devices individually for KAL-AP.
• When removing a KAL-AP IP address, using the wildcard IP address removes only those GSS IP
addresses that use the secret associated with the wildcard value. KAL-AP IP addresses that were
defined using specific GSS IP addresses remain and must be removed individually.
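
The wildcard guidelines above, written as a planning check that can be run against a GSS inventory before any KAL-AP entries are created. This is an added example, not Cisco code or an ACE interface; the device-record fields, the `secret_id` labels, the sample addresses and the choice to give the wildcard to the largest same-secret set are assumptions.

```python
from collections import defaultdict

WILDCARD = "0.0.0.0"  # wildcard KAL-AP GSS IP address from the guide

def plan_kalap_entries(gss_devices):
    """Map each KAL-AP IP address to configure to its MD5 secret label.

    gss_devices: dicts with 'ip', 'secure' (bool) and 'secret_id', a label
    for the shared secret (assumed fields; never the secret itself).
    Returns (entries, warnings); an unsecure device maps to None.
    """
    entries, warnings = {}, []
    if not gss_devices:
        return entries, warnings
    # Guideline: no wildcard if any GSS in the cluster is unsecure.
    unsecure = [d["ip"] for d in gss_devices if not d["secure"]]
    if unsecure:
        warnings.append("wildcard not allowed, unsecure GSS: " + ", ".join(unsecure))
        for d in gss_devices:
            entries[d["ip"]] = d["secret_id"] if d["secure"] else None
        return entries, warnings
    # Guideline: the wildcard serves one set of devices sharing a secret.
    groups = defaultdict(list)
    for d in gss_devices:
        groups[d["secret_id"]].append(d["ip"])
    # Assumption: the largest set gets the wildcard (ties: first seen).
    wildcard_secret = max(groups, key=lambda s: len(groups[s]))
    entries[WILDCARD] = wildcard_secret
    # Note in the guide: all other GSS devices are configured individually.
    for secret_id, ips in groups.items():
        if secret_id != wildcard_secret:
            entries.update({ip: secret_id for ip in ips})
    if len(groups) > 1:
        warnings.append("%d secret sets, only one can use the wildcard" % len(groups))
    return entries, warnings

def remove_wildcard(entries):
    """Removing the wildcard leaves individually defined addresses in place."""
    return {ip: s for ip, s in entries.items() if ip != WILDCARD}

# Constructed sample cluster (documentation-range addresses, made-up labels).
SAMPLE = [
    {"ip": "192.0.2.10", "secure": True, "secret_id": "secret-A"},
    {"ip": "192.0.2.11", "secure": True, "secret_id": "secret-A"},
    {"ip": "192.0.2.12", "secure": True, "secret_id": "secret-B"},
]

if __name__ == "__main__":
    plan, notes = plan_kalap_entries(SAMPLE)
    print(plan, notes, remove_wildcard(plan), sep="\n")
```
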
Procedure
Step 1 Choose Config > Virtual Contexts > context > Load Balancing > Secure KAL-AP.