Our company is considering purchasing ICE licensing, but our management is concerned that it could be left active when not necessary. We have already set up SNMP monitoring for the number of users, but I wondered if there is an OID that indicates that ICE is active or inactive? We could then monitor that OID and be notified every 24 hours that ICE is active. If this is not possible, does anyone have other ideas on monitoring ICE to ensure it is not left active? Regards, Todd.
This issue has been perplexing me for some time, and I am running out of ideas, so here goes: I recently stood up an SA-4500 (6.5r6) in a remote office (India) as a point of ingress for local users to access local resources more quickly. Ever since we deployed this appliance in the field, I have gotten some very strange behavior out of it.

1. I can ping and traceroute it by name and IP.
2. nslookups resolve.
3. http redirect works, https fails, but not across the board. Half of our users get sign-in pages just fine. The other half just time out.

Doing a packet trace from a failed client, I see the SSL client hello sent out, but no SSL server hello return. I have run TCP dumps on the IVE, and I see server hellos attempting to go out, but it just retransmits as if it cannot reach the client.

The network setup is simple: a single router and switch comprise the edge (only one simple inbound access list that should not affect SSLVPN). The IVE is plugged into the switch. I removed the ACL just in case, and the same behavior occurred. I have adjusted the IVE for what TLS/SSL settings it accepts, and no change. I have flattened the box to a factory state (6.3r7), and put on a bare-bones config, with no change. I set up an https web server on a switch on the same network and tested. All clients could connect to it.

Ideas? Thanks in advance.