Ace 4710 can I capture packets on a Load Balancer

We have just implemented JD Edwards. We have three servers front-ended by an ACE 4710. Most things are good, but there are some reports (.CSV) generated by the system that cannot be viewed when going through the load balancer, but are OK if going directly to the server. I have logged on as a user that is getting the problem, and it is OK for me! So it looks as if it could be a PC problem, but other people think it must be the LB. Is there anything like Tethereal available within the ACE that I could use to capture packets?

Hi,
There isn't a tethereal built-in to the ACE, but you can capture packets.
You need to create an ACL to identify the interesting traffic and then use the capture command. This is documented in the command reference guide.
When you stop the capture, copy the file from flash to disk0: ('copy capture disk0:'). The copying converts the capture into a pcap-format file readable with any sniffer tool like Wireshark. You'll need to download the file from disk0: to a workstation to be able to run Wireshark against it.
HTH
Kind Regards
Cathy

Similar Messages

  • ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?

    Hello all, I'm new to the ACE 4710 and need to know some details about stickiness.
    As background, we are a small company with a SaaS product and a pair of webservers.
    I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Sticky Group.
    That seems to be working and session traffic is sticking to a server during the user's session.
    Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
    I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
    As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work with little to no training on this hardware and no budget at this point to pay someone else for configuration and setup.
    I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
    Hopefully this request makes sense.
    Thanks,
    Mark Steeves.

    Daniel,
    Thanks for the reply, but I cannot reach the URL you included.  It gives me a 403.
    Therefore, without reading the article, I wanted to ask if the proper setup would be:
    1. Default L7 load-balancing action: Primary action: Sticky: Sticky Group using
    Type = HTTP Header: Header name = Host
    2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
    Using this setting in testing, it looks like all the traffic keeps going to 1 server only.  Granted there is not much traffic to the servers, but I have 2 different URLs being tested: url1.ourdomain.com & url2.ourdomain.com
    If you have another link for the above document, please let me know.
    Thanks,
    Mark Steeves.

  • ACE 4710 Can not confirm http cookie sticky connections

    We are using an ACE 4710 with A3(2.6) software release.
    I had to change our sticky load balancing method for HTTPS to cookie based.
    However, while connections appear to work, if I look at the sho sticky database table I cannot see or confirm sticky entries for the cookie based connections.
    Here are config snippets to show the config:
    sticky http-cookie ghh-www scook-ghh
      cookie insert browser-expire
      serverfarm ghh-www-443
    class-map match-all ghh-www-443_CLASS
      2 match virtual-address 172.16.1.21 tcp eq https
    class-map type http loadbalance match-any ghh-www-443_CLASSURL
      2 match http url [.]*
    policy-map type loadbalance first-match ghh-sticky-443_POLICY
      class class-default
        sticky-serverfarm scook-ghh
    policy-map multi-match POLICY
    class ghh-www-443_CLASS
          loadbalance vip inservice
          loadbalance policy ghh-sticky-443_POLICY
          loadbalance vip icmp-reply active
          appl-parameter http advanced-options CASE_PARAM

    Another point: please check whether your servers are listening only for HTTPS traffic or also for HTTP traffic:
    in the first case the ACE will have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and then re-encrypt it and send it to the server
    in the second case the ACE would have to: decrypt the traffic from the client, inspect the http header to take the loadbalance decision and send it out as it is unencrypted to the server
    the second solution would have the benefit of being easier to configure and to require less resources both on the ACE (only decryption to be performed) and on the servers (no need for SSL operations at all there) but it might be that your company or business sector have requirements for which this traffic should never flow unencrypted, in which case you would have to go for the first solution.
    Here you have a config example for the first solution:
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
    I would not expect you to have to pay extra for importing the cert and keypair into the ACE, it would be just a copy, however as Alex said that may still depend on the license agreement with the CA.
    Cheers,
    Francesco

  • Can't capture packets with tcpdump or dumpcap/tshark. SIGSEGV (Linode)

    I'm running arch linux on my linode, everything is up to date in pacman. Whenever I try to run tcpdump or tshark it just gives me "Segmentation Fault". I checked the packages repo site and saw someone having the same issue and the fix was creating the /dev/bus/usb/001/001 which didn't fix the issue for me (still segfaults). When setting up the char device it uses the major version 189 which is usb_device on my linode /proc/devices doesn't show a usb_device anywhere.
    So is there something I need to install or something I'm missing? In the past tcpdump has worked with no issues.
    Thanks for reading, hope you can help.
    ~AaronM

    You might want to try running it with gdb and do a backtrace after it segfaults to see what's causing that.

  • ACE 4710- Global Site load-balancing

    Does the 4710 have a feature like global site load balancing like the CSS?
    We have a site that will have 2 ISPs but we don't have our own block of IP addresses to advertise so we would need to use the ISPs IP blocks.  We've had issues in the past advertising one ISPs IP block out another ISP so I was wondering if there was a way we could configure the ACE similar to the way the CSS did global site load balancing.  Basically have the ACE act as a DNS server and respond back with the IP address of whichever ISP we wanted the end user to come in on and use a probe to ping the ISPs remote WAN IP to verify the circuit is passing traffic and resolve the correct IP if it's not.
    Thanks

    ACE does not have DNS server functionality.
    And these methods are not supported on the CSS anymore.
    The solution we offer is to install a Cisco GSS (Global Site Selector) which can interact with the ACE or CSS or CSM to determine which vip is up or down.
    Gilles.

  • ACE Load Balancing

    Hi all,
    I'm configuring 2 ACE 4710 in failover, and I also need to balance 2 webservers at the moment. I have all of the IP addresses in the same subnet, is that a problem?
    Server 1 192.168.1.1
    Server 2 192.168.1.2
    VIP 192.168.1.3
    I have a VLAN for administration, and I have a VLAN for the client connection.
    But when I try to connect to the VIP, it doesn't show the web page, but if I connect to the servers' page directly they are working OK.
    Does anybody know what I can check, or if there is any manual that really shows how to configure this type of connection?
    Thanks..

    Hello,
    From your description, it sounds like you might have a one-armed configuration for load balancing.  If your management VLAN interface is only used for management, and you only have the client VLAN interface for load balancing, then this would be a one-armed config.  If this is indeed the case, then you would need to use either Policy-Based Routing to route the server response traffic back to the ACE rather than directly back to the client.  Or, the more common solution is to configure source NAT as shown below:
    access-list ANYONE line 10 extended permit tcp any any
    rserver host SERVER_01
      ip address 192.168.1.1
      inservice
    rserver host SERVER_02
      ip address 192.168.1.2
      inservice
    serverfarm host REAL_SERVERS
      rserver SERVER_01
        inservice
      rserver SERVER_02
        inservice
    class-map match-all VIP-3
      2 match virtual-address 192.168.1.3 any
    class-map type management match-any REMOTE_ACCESS
      description remote-access-traffic-match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    policy-map type management first-match REMOTE_MGT
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match SLB_LOGIC
      class class-default
        serverfarm REAL_SERVERS
    policy-map multi-match CLIENT_VIPS
      class VIP-3
        loadbalance vip inservice
        loadbalance policy SLB_LOGIC
        loadbalance icmp-reply active
        nat dynamic 1 vlan 20
    interface vlan 10
      description MANAGEMENT VLAN
      ip address 172.16.51.11 255.255.255.0
      access-group input ANYONE
      service-policy input REMOTE_MGT
      no shutdown
    interface vlan 20
      description CLIENT VLAN
      ip address 192.168.1.10 255.255.255.0
      service-policy input CLIENT_VIPS
      nat-pool 1 192.168.1.100 192.168.1.100 netmask 255.255.255.0 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.1.254
    Hope this helps,
    Sean

  • Can ACE 4710 send ICMP-dest-unreachable?

    Dear Community!
    We have previously configured an ACE context for implementing redundant corporate DNS service and are now testing a transparent ACE context and HA configuration. One virtual-IP is configured for UDP/53, listening for DNS requests. Behind the VIP, there are 3 DNS servers. As the next step of our testing process, we have shut down all real-server instances behind the virtual-IP while inspecting DNS clients' behaviour. Besides, the DNS clients requesting the virtual-IP DNS service need an ICMP-destination-unreachable packet to switch over to the secondary DNS server.
    Can ACE 4710 send ICMP-dest-unreachable?
    Thanks in advance!
    Regards,
    Belabacsi
    from Hungary

    Unfortunately the 4710 does not send icmp unreachable when a vserver is down.
    If you have backup dns service, you can configure it on ace itself.
    Gilles.

  • Can't view all captured packets.

    Hello,
    Is there any command which allows to change number of displayed captured packets?
    I have a following capture setup:
    capture SFTP_TEST type raw-data access-list SFTP_TEST buffer 200000 interface inside circular-buffer [Capturing - 199102 bytes]
    when I issue command show capture SFTP_TEST I get:
    1676543 packets captured
    1...
    2...
    and so on
    157 packets shown.
    So far I have tried:
    show capture SFTP_TEST count 10000
    same result (only 157 are shown)
    same when I try
    show capture SFTP_TEST count 10
    (always displays magic number 157)
    I have a very similar capture setup on another firewall and I can view all packets without any problems.
    Any help will be much appreciated.
    Regards
    Mariusz

    Hi Jouni,
    Thanks for replying.
    I thought the same, but the confusing bit was the different number of packets captured and number of packets displayed.
    Looks like the “packet captured” shows total number of packets processed by the defined capture rather than packets in the buffer so it makes sense what you said.
    I have reconfigured this with the maximum 33554432 buffer and I’ll post the outcome in a few days.
    Regards
    Mariusz

  • Can't install ACE 4710 license

    Hi,
    I've tried to install the license, but it was not successful. Below are the steps which I've taken to install the license, with error messages. Please assist.
    CBJ6-LBDMZ2/Admin# copy tftp://10.2.18.66/ACE20090909090659371.lic disk0:
    Enter the destination filename[]? [ACE20090909090659371.lic]
    Trying to connect to tftp server......
    TFTP get operation was successful
    685 bytes copied
    CBJ6-LBDMZ2/Admin# license install disk0:ACE20090909090659371.lic
    Installing license... failed: Can't install this license with the current count

    CBJ6-LBDMZ2/Admin# show licen
    ACE20090727112500202.lic:
    SERVER this_host ANY
    VENDOR cisco
    INCREMENT ACE-AP-01-LIC cisco 1.0 permanent 1 \
            VENDOR_STRING=1 HOSTID=ANY \
            NOTICE="200907271125002021 \
            1211J5CB363" SIGN=F2E3AFA69526

    I think you have a HW appliance (code: ACE-4710-K9) with one a la carte license (ACE-AP-01-LIC).
    You bought a Bundle upgrade license, and this is not compatible with your current license (a la carte license).
    To use the ACE-4710-BUN-UP2= (1G Bundle to 2G Bundle Upgrade License) you need to have a bundle product like the ACE-4710-1F-K9.
    Check this:
    Table 1     ACE Licensing Bundles
    (columns: License Model | Description | Upgrade Path)

    ACE-4710-0.5F-K9
      Description: This license bundle includes the following items:
        •ACE 4710 appliance
        •0.5-Gbps throughput license (ACE-AP-500M-LIC)
        •100-Mbps compression license (ACE-AP-C-100-LIC)
        •100 SSL transactions per second (TPS) license (ACE-AP-SSL-100-K9)
        •5 virtual contexts license (ACE-AP-VIRT-5)
        •Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
      Upgrade Path: You have the option to upgrade to the 1-Gbps, 2-Gbps, or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP1=.

    ACE-4710-1F-K9
      Description: This license bundle includes the following items:
        •ACE 4710 appliance
        •1-Gbps throughput license (ACE-AP-01-LIC)
        •500-Mbps compression license (ACE-AP-C-500-LIC)
        •5000 SSL TPS license (ACE-AP-SSL-05K-K9)
        •5 virtual contexts license (ACE-AP-VIRT-5)
        •Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
      Upgrade Path: You have the option to upgrade to the 2-Gbps or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP2=.

    ACE-4710-BAS-2PAK
      Description: This license bundle includes the following items:
        •Two ACE 4710 appliances
        •1-Gbps throughput license (ACE-AP-01-LIC)
        ACE-4710-BAS-2PAK also includes the following default options:
        •1000 SSL TPS
        •100-Mbps compression
        •5 virtual contexts
        •Application acceleration (50 connections)
      Upgrade Path: You have the option to upgrade to the 2-Gbps or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP2=. Two upgrade licenses are required for upgrading two units of the ACE-4710-BAS-2PAK bundle.

    ACE-4710-2F-K9
      Description: This license bundle includes the following items:
        •ACE 4710 appliance
        •2-Gbps throughput license (ACE-AP-02-LIC)
        •1-Gbps compression license (ACE-AP-C-1000-LIC)
        •7500 SSL TPS license (ACE-AP-SSL-07K-K9)
        •5 virtual contexts license (ACE-AP-VIRT-5)
        •Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
      Upgrade Path: You have the option to upgrade to the 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP3=.

    ACE-4710-4F-K9
      Description: This license bundle includes the following items:
        •ACE 4710 appliance
        •4-Gbps throughput license (ACE-AP-04-LIC)
        •2-Gbps compression license (ACE-AP-C-2000-LIC)
        •7500 SSL TPS license (ACE-AP-SSL-07K-K9)
        •5 virtual contexts license (ACE-AP-VIRT-5)
        •Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
      Upgrade Path: This is the highest value bundle.

    ACE-4710-BUN-UP1
      Description: 0.5 to 1-Gbps throughput bundle upgrade license
      Upgrade Path: See the Upgrade Path outlined above.

    ACE-4710-BUN-UP2
      Description: 1 to 2-Gbps throughput bundle upgrade license
      Upgrade Path: See the Upgrade Path outlined above.

    ACE-4710-BUN-UP3
      Description: 2 to 4-Gbps throughput bundle upgrade license
      Upgrade Path: See the Upgrade Path outlined above.

    Table 2     ACE Licensing Options
    (columns: Feature | License Model | Description)

    Performance Throughput
      Default              1-Gbps throughput.
      ACE-AP-500M-LIC      0.5-Gbps throughput.
      ACE-AP-01-LIC        1-Gbps throughput.
      ACE-AP-02-LIC        2-Gbps throughput.
      ACE-AP-04-LIC        4-Gbps throughput.
      ACE-AP-02-UP1        Upgrade from 1-Gbps to 2-Gbps throughput.
      ACE-AP-04-UP1        Upgrade from 1-Gbps to 4-Gbps throughput.
      ACE-AP-04-UP2        Upgrade from 2-Gbps to 4-Gbps throughput.

    Virtualization
      Default              1 admin/5 user contexts.
      ACE-AP-VIRT-020      1 admin/20 user contexts.

    SSL
      Default              100 TPS.
      ACE-AP-SSL-05K-K9    5000 TPS.
      ACE-AP-SSL-07K-K9    7500 TPS.
      ACE-AP-SSL-UP1-K9    Upgrade from 5000 TPS to 7500 TPS.

    HTTP Compression
      Default              100-Mbps.
      ACE-AP-C-500-LIC     500-Mbps.
      ACE-AP-C-1000-LIC    1-Gbps.
      ACE-AP-C-2000-LIC    2-Gbps.
      ACE-AP-C-UP1         Upgrade from 500-Mbps to 1 Gbps.
      ACE-AP-C-UP2         Upgrade from 500-Mbps to 2 Gbps.
      ACE-AP-C-UP3         Upgrade from 1 Gbps to 2 Gbps.

    Application Acceleration Feature Pack License
      ACE-AP-OPT-LIC-K9    Application acceleration and optimization. By default, the ACE performs up to 50 concurrent connections. With the application acceleration and optimization software feature pack installed, the ACE can provide greater than 50 concurrent connections.
                           This license increases the operating capabilities of the following features:
                           •Delta optimization
                           •Adaptive dynamic caching
                           •FlashForward
                           •Dynamic Etag

    ACE-AP-02-LIC=
    Upgrade Performance License 2   Gbps Spare

  • ACE 4710 breaks single sign-on on IE

    I haven't run into this before and I can't find anything in the documentation regarding it.  (Our 2 4710 were setup prior in a routed configuration although I personally see no reason for it.)  Regardless, we have 2 servers that host 4 websites on them.  We built everything on the ACE with a new VIP and matching the http header.  If we use firefox/chrome, it load balances properly and we are prompted for credentials as those browsers don't support single sign on.  We enter our credentials and are able to get to the appropriate website on the server.
    When we use IE, it fails to open the page.  A sniffer capture shows an authentication failure packet and a reset and that's it.  We built the ACE both as sticky and non-sticky but neither worked properly with IE.
    Is there something else in the ACE we need to configure to get SSO to work?  Thanks in advance!
    Chris
    **NEW CONFIGURATION**
    probe icmp PING
      description ICMP echo request probe
      interval 5
      passdetect interval 5
      passdetect count 12
      receive 4
    probe tcp TCP-80
      description TCP port 80 probe
      interval 5
      passdetect interval 5
      passdetect count 12
      receive 4
      connection term forced
      open 1
    rserver host corp-w-sp-lab01
      ip address 10.250.1.52
      probe PING
      inservice
    rserver host corp-w-sp-lab02
      ip address 10.250.1.53
      probe PING
      inservice
    serverfarm host sharepoint-test-80
      failaction purge
      predictor leastconns
      probe TCP-80
      rserver corp-w-sp-lab01 80
        inservice
      rserver corp-w-sp-lab02 80
        inservice
    class-map match-any sharepoint-test-vip
      2 match virtual-address 10.250.89.10 tcp eq www
    class-map type http loadbalance match-any intranet-test
      match http header Host header-value http://intranettest
    class-map type http loadbalance match-any dashboards-test
      match http header Host header-value http://dashboardstest
    class-map type http loadbalance match-any odpeople-test
      match http header Host header-value http://odpeopletest
    class-map type http loadbalance match-any sandbox-test
      match http header Host header-value http://sandbox
    policy-map type loadbalance http first-match sharepoint-test-lb
      class intranet-test
          serverfarm sharepoint-test-80
      class dashboards-test
          serverfarm sharepoint-test-80
      class odpeople-test
          serverfarm sharepoint-test-80
      class sandbox-test
          serverfarm sharepoint-test-80
      class class-default
          serverfarm sharepoint-test-80
    policy-map multi-match sharepoint-test-80-pol
      class sharepoint-test-vip
        loadbalance vip inservice
        loadbalance policy sharepoint-test-lb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 92
    interface vlan 88
      service-policy input sharepoint-test-80-pol
    ***CONFIGURATION ALREADY ON INTERFACES PRIOR TO NEW CONFIG***
    interface vlan 88
      description Client_Connections
      ip address 10.250.88.51 255.255.252.0
      alias 10.250.88.50 255.255.252.0
      peer ip address 10.250.88.52 255.255.252.0
      access-group input Client
      service-policy input remote_mgmt_allow_policy
      service-policy input PM_LB_FRONTEND
      no shutdown
    interface vlan 92
      description RealServer_Network
      ip address 10.250.92.51 255.255.252.0
      alias 10.250.92.50 255.255.252.0
      peer ip address 10.250.92.52 255.255.252.0
      nat-pool 1 10.250.93.1 10.250.93.1 netmask 255.255.255.255 pat
      service-policy input remote_mgmt_allow_policy
      no shutdown

    Hi Chris,
    Try this:
    parameter-map type http sample
      persistence-rebalance
      set header-maxparse-length 65535
      set content-maxparse-length 65535
      length-exceed continue
    policy-map multi-match sharepoint-test-80-pol
      class sharepoint-test-vip
        loadbalance vip inservice
        loadbalance policy sharepoint-test-lb
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options sample
        nat dynamic 1 vlan 92
    Let me know if you see any difference
    Cesar R
    ANS Team

  • ACE 4710 blocking FTP WLSD directory listing

    Hello
    I have an ACE 4710 set up in a test environment (and context) with 2 FileZilla FTP servers on the back end and a Win7 laptop on the front end with FTP client(s).  The ACE is set up to load balance by source (the requirement for our project).
    When the laptop tries to FTP to the Filezilla FTP servers it connects, enters passive mode, and sends a WLSD command to get a directory listing, but never gets it.  If the Win7 laptop is put on the same vlan as the Filezilla FTP servers, behind the ACE, everything works fine.
    As far as I can tell the ACE config doesn’t have any sort of deny ACL acting on this traffic.  *attached*  The FTP client always connects, it's just the directory listing that doesn't seem to work, and we need it to work for the app this is targeting.
    Any help is greatly appreciated.
    e-

    Yeah me too!
    So after much packet capturing and hair pulling and general dismay, we (me, another admin, and a local VAR CCIE) think this is an app layer issue.  We added the inspect command but it wouldn't take without a NAT pool in place, so we added that.
    We found a packet in the FTP client that tells the server the real IP of client to the server.  This is the only oddity that we can locate.  Of course I admit we aren't using an ACE in the normal way an ACE would be used, we LB by source not destination.
    I put telnet servers on my targets and they also communicate directly to the client's IP, but they layer 2 back to the ACE first, whereas the FTP server doesn't.  We are still working on it to try and find a way to make FTP happy.
    e-

  • ACE 4710: Config Allows all traffic except large HTTP downloads

    Hi Folks,
    Got an ACE 4710 with a basic config that seems to work for all traffic except large downloads.
    I've attached the current config.
    As I mentioned, I can do normal HTTP to a standard destination like Google, or SSH through the ACE, or ICMP.
    If I try to get a large file from the server side of the ACE, then a trace shows that the first and subsequent 1460-byte packets don't go through the ACE.
    I've thought of parse lengths, but I cannot see any that seem to affect the generic L4 maps that I am trying to use.
    Cheers
    Alan

    I've seen a similar fault. I suppose a lower MSS was sent in the TCP SYN handshake packets (1300 or 1380?) and the packets exceeding that value were dropped by the ACE. This is the default behavior which can be switched to a less strict mode by either
    exceed-mss allow
    or
    no normalization
    commands.
    In our case, it was a Linux web server whose replies wouldn't keep to the MSS limit.
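
The MSS mismatch described in the reply above can be confirmed offline from a capture file. The following is an added example, not code from the thread: it reads a classic pcap file (the format the ACE capture is said to be exported in), records the MSS each side advertises in its SYN, and lists later segments whose payload exceeds the receiver's advertised MSS. The sample capture, addresses and function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address


def parse_pcap(data):
    """Yield raw frames from a classic (non-pcapng) Ethernet capture."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24 or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    pos = 24
    while pos + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags, options, payload_len) or None.
    Untagged IPv4/TCP only; 802.1Q-tagged frames are skipped."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ip[9] != 6 or len(ip) < ihl + 20:
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]  # on-the-wire size, immune to snaplen
    src, dst = str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[13], tcp[20:doff], total_len - ihl - doff


def mss_option(options):
    """Walk the TCP option list and return the MSS value (kind 2), if present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                          # malformed option, stop parsing
        length = options[i + 1]
        if kind == 2 and length == 4 and i + 4 <= len(options):
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


def find_mss_violations(pcap_bytes):
    """List (frame_no, sender, receiver, payload_len, receiver_mss) for oversized segments."""
    advertised = {}  # (ip, port, peer_ip, peer_port) -> MSS that endpoint announced
    violations = []
    for number, frame in enumerate(parse_pcap(pcap_bytes), start=1):
        seg = parse_tcp(frame)
        if seg is None:
            continue
        src, sport, dst, dport, flags, options, payload_len = seg
        if flags & 0x02:                   # SYN or SYN/ACK carries the MSS option
            mss = mss_option(options)
            if mss is not None:
                advertised[(src, sport, dst, dport)] = mss
            continue
        limit = advertised.get((dst, dport, src, sport))  # what the receiver accepts
        if limit is not None and payload_len > limit:
            violations.append((number, f"{src}:{sport}", f"{dst}:{dport}", payload_len, limit))
    return violations


def _frame(src, dst, sport, dport, flags, options=b"", payload_len=0):
    """Build one constructed Ethernet/IPv4/TCP frame (checksums left at zero)."""
    doff = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, (doff // 4) << 4, flags, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + payload_len, 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"\x00" * payload_len


def build_sample_pcap():
    """Constructed capture: client advertises MSS 1380, server later sends 1460 bytes."""
    client, server = "192.0.2.10", "198.51.100.20"

    def mss(value):
        return b"\x02\x04" + struct.pack("!H", value)

    frames = [
        _frame(client, server, 40000, 80, 0x02, mss(1380)),          # SYN
        _frame(server, client, 80, 40000, 0x12, mss(1460)),          # SYN/ACK
        _frame(client, server, 40000, 80, 0x10),                     # ACK
        _frame(client, server, 40000, 80, 0x18, payload_len=300),    # request
        _frame(server, client, 80, 40000, 0x10, payload_len=1380),   # within limit
        _frame(server, client, 80, 40000, 0x10, payload_len=1460),   # exceeds client MSS
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for violation in find_mss_violations(build_sample_pcap()):
        print(violation)
```

A capture taken on the sending host with segmentation offload enabled can show oversized segments that are split before they reach the wire, so prefer a capture taken in the network path when using this check.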

  • ACE 4710 HTTP Probes

    Using the ACE 4710 for loadbalancing a Sharepoint site.
    We currently have a HTTP probe setup to check the port 80 status of the rserver.
    Is there any way to get the HTTP probe to check a DNS entry for each of the application sites? For instance http://info vs http://site are two different web sites running on the same IP. One site could have a problem but the actual port 80 for the IP may be still alive.
    Thanks for any information.

    Has anyone figured this out?  I am trying to get healthchecks/probes set up in this same fashion.  I have 2 servers with 1 IP but have many sites.  I want to probe each site and ensure I get a 200 code.  I also have to provide credentials to the site.  It seems that if I open IE I can log in just fine to the site with the credentials.  However, there is an ActiveX control box that is wanting to be installed.  When I set this up on my ACE it seems I am getting an HTTP 401 unauthorized error.  I have done a Wireshark capture while I was browsing and I see the 401, however it also reports a 200 code after that.  Do you think this is a problem because of the ActiveX control wanting to be downloaded?  Or is this an issue with the first HTTP code that is received by the probe, that being the 401 and then the 200? Below is my config (cleaned of course).
    probe http HTTP-80-OUR.DOMAIN.COM
      interval 15
      passdetect interval 60
      credentials
      request method get url http://our.domain.com/default.aspx
      expect status 200 200
      header Host header-value "our.domain.com"
      open 1
    rserver host SERVER-A
      ip address X.X.X.47
      inservice
    rserver host SERVER-B
      ip address X.X.X.48
      inservice
    serverfarm host FARM-AB
      predictor leastconns
      probe HTTP-80-OUR.DOMAIN.COM
      rserver SERVER-A
        inservice
      rserver SERVER-B
        inservice
    ACE4710# show probe HTTP-80-OUR.DOMAIN.COM detail
    probe       : HTTP-80-OUR.DOMAIN.COM
    type        : HTTP
    state       : ACTIVE
    description :
       port      : 80      address     : 0.0.0.0         addr type  : -
       interval  : 15      pass intvl  : 60              pass count : 3
       fail count: 3       recv timeout: 10
       http method      : GET
       http url         : http://our.domain.com
       conn termination : GRACEFUL
       expect offset    : 0         , open timeout     : 1
       expect regex     : -
       send data        : -
                    ------------------ probe results ------------------
       associations ip-address      port  porttype probes   failed   passed   health
       ------------ ---------------+-----+--------+--------+--------+--------+------
       serverfarm  : OUR.DOMAIN.COM-10.25.4.12-L3-FARM
         real      : SERVER-A[0]
                    X.X.X.47      80    DEFAULT  414      406      8        FAILED
       Socket state        : CLOSED
       No. Passed states   : 1         No. Failed states : 2
       No. Probes skipped  : 0         Last status code  : 401
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err : Received invalid status code
       Last probe time     : Wed Jun  2 17:44:18 2010
       Last fail time      : Wed Jun  2 13:37:04 2010
       Last active time    : Wed Jun  2 13:34:19 2010
         real      : SERVER-B[0]
                    X.X.X.48      80    DEFAULT  414      406      8        FAILED
       Socket state        : CLOSED
       No. Passed states   : 1         No. Failed states : 2
       No. Probes skipped  : 0         Last status code  : 401
       No. Out of Sockets  : 0         No. Internal error: 0
       Last disconnect err : Received invalid status code
       Last probe time     : Wed Jun  2 17:44:20 2010
       Last fail time      : Wed Jun  2 13:37:06 2010
       Last active time    : Wed Jun  2 13:34:21 2010

  • ACE 4710 MAC Address

    All physical interfaces on ACE 4710 share the same MAC address. Also, VIP addresses share the same MAC address. ACE 4710 is connected to a switch. How is the switch supposed to know which interface to send the packet to if it is doing layer 2 switching?
    Thank you in advance for the explanation.

    You can't put 2 interfaces in the same vlan
    switch/Admin(config-if)# switchport access vlan 20
    vlan 20 is associated with GigabitEthernet 1/3.
    switch/Admin(config-if)#
    So, the L2 switch will have an entry for the mac-address in each vlan and this entry can point to different interfaces.
    Gilles.

  • Ace 4710 strange behaviour

    Hi,
    We have two ACE-4710-K9 (named LB01 and LB02) configured in HA mode. Besides Admin, on each of them there are three contexts configured, named ACADEMIC, COMMERCIAL, STREAMING. On LB01 the active context is ACADEMIC. On LB02 the active contexts are COMMERCIAL and STREAMING. Each context is configured with a FrontEnd and a BackEnd Vlan interface, and a "management" Vlan interface used for accessing and monitoring the device and for the downloading of the needed SSL certificates.
    Recently we upgraded the devices to Version A3(2.6) from a previous A3(2.4). After that upgrade we experienced some strange behaviour. From the context in STANDBY state we are not able to ping the host on the "management" Vlan interface, while there is no problem on the other Vlans. We see that the ICMP packets are sent to the Vlan, are replied to by the remote host BUT are not received at all on the LB01 or LB02. No messages in the log.
    Trying with 5 consecutive (failed) pings we can see that the counter of unicast packets output on the LB01/LB02 Vlan is incremented by 5 BUT the unicast packets input counter is unchanged even if the remote host sent the replies. In the STREAMING context this behaviour isn't constant, i.e. the ping *sometimes* starts working for a few seconds and then stops again. In the other standby context the ping never works instead. In the active context all works fine.
    This strange problem prevents us from loading the SSL certificates in the STANDBY context from the "management" Vlan. We were not able to find any reference to a similar problem in the Cisco documentation or TAC collection, so we are curious to know whether someone else experienced such a behaviour.
    Thank you and best regards.
    Alessandro Asson - CINECA

    Thanks,
    I see you are using shared VLAN config in both ACE.
    Same VLAN 1000 is used for both Admin and streaming context.
    In this config, you may need to use the shared-vlan-host-id command as explained here:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/vlansif.html#wp1025243
    In fact as explained:
    'By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE appliances in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank, which results in the use of the same MAC addresses. To avoid this conflict, you must configure the bank that the ACEs will use.'
    This would also reply to your question in the readme file:
    SHOW ARP TABLE ON THE D01,D02,D07 ROUTERS SHOWS THE SAME MAC ADDRESS FOR
    BOTH IP ADDRESSES OF LB01 AND LB02: is that normal ??
    Hope this helps,
    Dom.
