ACE 4710 Disable server

Similar Messages

• ACE 4710 SSL server LB with stickiness

  I will be replacing 11500 CSS which are not doing SSL termination, just load-balancing SSL sessions terminated on servers with ACE 4710.
  On their CSS config, they were doing SSL-sticky. I understand the 4710 doesn't support SSL sticky, but can perform the same function by parsing the HTTP header. Has anyone done this config before and know where/how to parse the header to look for the SSL session# and stick connections to same server?
  THANKS!

  In Ace 2.x code GPP (Generic protocol parsing) was introduced that enables ACE to look into the Layer 4 payload.Which is how this stickiness id achieved.
  details at
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/sticky.html#wp1133923
  I dont think its currently available on ACE appliance yet.
  Syed

• ACE 4710 : Disable NAT

  Hi All,
  Currently Im using nat to translate client source ip address, nat pool is configured on server side vlan interface.
  but now I dont want to translate client source ip address:
  -I have changed real server gateway to ace interface ip.
  -I already remove nat configuration but now I cannot access to the vip using browser but I can ping vip.
  But now I cannot access to vip through browser, any idea?
  Design:
  client--------------CORE--------ACE------------------Real Server.
  Thanks

  Need help/advise regarding routing to make this method working.
  When I change server gateway to ace server vlan interface, my server cannot communicate with other vlans. From context, I can ping server vlan and other vlans.
  *Core interface -172.16.36.254 (server vlan),172.19.30.254(client vlan).
  *Lb interface - 172.16.36.70, 172.19.30.65
  *Real Server ip is using default gateway 172.16.36.70
  Routing what I have done:
  CORE- ip route 172.16.36.0 255.255.255.0 172.16.36.70
        ip route 172.19.30.0 255.255.255.0 172.19.30.65
  LB- ip route 0.0.0.0 0.0.0.0 172.19.30.254
  Can someone help me to verify this?
  Thanks

• [ACE 4710] accessing server on serverfarm

  hi,
  i have 2 servers in serverfarm.
  the real IP for this 2 server are 172.16.34.5 and 172.16.34.6
  the virtual IP is 172.16.33.1
  the ip for vlan on server side is 172.16.34.10. the gateway on the 2 servers is 172.16.34.10
  the network gateway for vlan 34 is 172.16.34.62
  my question is, how can we access the individual server inside the server farm if we are not from the same vlan as the server?

  Hi,
  you need to create a static route on your upstream router for the server VLAN with next-hop the ACE.
  In you case it will be something like this:
  ip route 172.16.34.0 255.255.255.0 "ACE IP address of VLAN34"
  In case you have fault tolerance configured, use the alias IP of the ACEs on VLAN34.
  Don't forget that your ACL on the ACE needs to allow this traffic.
  If you use permit any any it shouldn't be a problem.
  HTH,
  Dario

• Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710

  One of the feature of our application is that our Application Server initiate text message to our devices sourcing from UDP 1120 and device need to see the message come from a specific pubic IP (2.2.2.2) with UDP port 1120 and reply back with the same Public IP (2.2.2.2) with UDP port 1120.The problem is we can make that happen if we have only one server in our ACE Serverfarm when we do a SNAT the real servers with the VIP address (10.1.246.32) but it does not work when we have more than one server in the Serverfarm. Since we have 2 servers, i cannot nat the real servers with the VIP address, if I do a PAT, obviously it is changing the source port of the request.
  Note: This setup is working fine with the Cisco Content Switch module running on chasis 6509. When I sniff the traffic initiated from the server coming the CSM load balancer, it is sourcing the traffic as the VIP and the source port remains the same by default but this is not the case with ACE 4710
  Traffic flow as follows
  ===============
  ACE 4710                                                       FWSM (Firewall static NAT)                    Device ( configured with 2.2.2.2:1120 (udp) to snd/rcv msg)
                                               VIP
  Rserver 1   - 10.1.104.80       10.1.246.32           10.1.246.32  < - > 2.2.2.2                              1.1.1.1
  Rserver 2   - 10.1.104.81c
  ---------------------------------------------------------->           ------------------------------->                      - traffic flow from server to the device when we send msg
  Configs:
  ======
  rserver host server1
    ip address 10.1.104.80
    inservice
  rserver host server2
    ip address 10.1.104.81
    inservice
  serverfarm host SFARM
    failaction purge
    probe ICMP
    rserver server1
      inservice
    rserver server2
      inservice
  access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
  access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
  parameter-map type connection UDP_TIMEOUT
    set timeout inactivity 3600
  sticky ip-netmask 255.255.255.255 address source STKY-SFARM
    serverfarm SFARM
    timeout 180
    replicate sticky
  class-map match-all CLS-SFARM
    2 match virtual-address 10.1.246.32 udp eq 1120
  class-map match-all SERVERNAT
    2 match access-list TEST-1120
  policy-map type loadbalance first-match POL-SFARM
    class class-default
      sticky-serverfarm STKY-SFARM
  policy-map multi-match POL-LB
  class CLS-SFARM
      loadbalance vip inservice
      loadbalance policy POL-SFARM
      loadbalance vip icmp-reply active
      connection advanced-options UDP_TIMEOUT
  class SERVERNAT
     nat dynamic 1 vlan 244
  int vlan 244
  ip address 10.1.246.2 255.255.255.0
  service-policy input POL-LB
  nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
    mac-sticky enable
    no icmp-guard
  no shut
  interface vlan 2506
  ip address 10.1.104.2 255.255.255.0
  service-policy input POL-LB
    mac-sticky enable
    no icmp-guard
  no shut

  I see in CSS, they are able to nat the source ip address with VIP and port-mapping diabled. How do I implement
  portmap disable in ACE 4710
  Disabling Port Mapping
  By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disablecommand in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
  For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services,

• ACE 4710 A3(2.0) and ACS - TACACS+

  Hi.
  I am having trouble getting my ACE 4710 (A3(2.0) Build 3.0) to cooperate with my Cisco Secure ACS-server. In the same environment I have it working on my ACE Module, with the same configuration.
  ACE 4710:
  tacacs-server host 10.7.50.20 key 7 "fewhg"
  aaa group server tacacs+ tacacs_server_group
      server 10.7.50.20
      deadtime 15
  aaa authentication login default group tacacs_server_group local none
  aaa accounting default group tacacs_server_group local
  aaa authentication login error-enable
  ACS is configured correctly too. I have tried with several users, both in groups, with and without attributes and so forth. The ACS installation works with other devices and with my ACE modules running A2(3.1). I have tried this on both ACS 4.2(0).124 and 4.2(1).15.
  The strange part is what I see when I set up Wireshark on my ACS-server to look at the traffic. From what I can see, the ACE only sends a request to the AAA-server if the user exists locally. But I do not get authenticated and Failed Attempts show a line with with Message-Type: "Unknown NAS".
  It seems like others have the same problem. The problem is that the link attacked in the topic beneath only leads me back to forum and not to a topic with solution.
  https://supportforums.cisco.com/thread/132445?decorator=print&displayFullThread=true#132445
  Any help is appreciated and thanks in advance!

  are you using telnet or ssh ?
  if ssh can you try telnet, allow telent on your management policy to do this. Then if it works via telnet , then try ssh again, if it now works then you have hit CSCsu36078
  http://tools.cisco.com/squish/03240

• ACE 4710 - can I dynamically sticky all traffic to 1 server based on URL?

  Hello all, I'm new to the ACE 4710 and need to know some details about stickyness.
  As background, we are a small company with a SaaS product and a pair of webservers.
  I have set up the loadbalancing default L7 Load-balancing rule to sticky based on a Cookie based Stickey Group.
  That seems to be working and session traffic is sticking to a server during the user's session.
  Based on a request from our outsourced developer they would like the Loadbalancer to not only sticky the users sessions, but also sticky a url to a server.
  I would like this to happen dynamically as each of our clients will have their own url based on our standard domain like clientname.fixeddomain.com and I don't want to have to come back to the loadbalancer every time we add a client.
  As I said, I'm new to these devices but understand the concepts, and am in the position of having to make it work little to no tranining on this hardware and no budget at this point to pay someone else for configuration and setup.
  I just need to know at this point if I can stick all requests for a specific URL to a server to avoid caching issue while those sessions are active and have new connections to other client urls balanced among the webservers.
  Hopefully this request makes sense.
  Thanks,
  Mark Steeves.

  Daniel,
  Thanks for the reply, but I cannot reach the URL you included.  It gives me a 403.
  Therfore without reading the article, I wanted to ask if the proper setup would be:
  1. Default L7 load-balancing action: Primary action: Sticky: Stickey Group using
  Type = HTTP Header: Header name = Host
  2. Server Farm: Predictor: Least Connections or Round Robin to distribute the load between the 2 web servers.
  Using this setting in testing, it looks like all the traffic keeps going to 1 server only.  Granted there is not much traffic t the servers, but I have 2 different url being tested. url1.ourdomain.com & url2.ourdomain.com
  If you have another link for the above document, please let me know.
  Thanks,
  Mark Steeves.

• ACE 4710 - Gracefully Shutting Down a Server

  Hi,
  Recently I had to stop an RServer to allow for software upgrades. I entered a no inservice command in the rserver config and all the connections on the serverfarm disappeared. I thought the no inservice should allow existing connections to finish. Is there another way of taking a server out of service?
  We are running on an ACE 4710 version A3(2.5). We offload SSL on the ACE and use sticky connections using cookie insert
  Thanks for your help

  Hi,
  To gracefully shutdown use the "no inservice" on the rserver within the serverfarm rather than on the rserver definition.
  HTH
  Cathy

• ACE 4710: Find out the response time of a real server

  Hi to everyone,
  I have a couple of ACE 4710 and I need to find out what is the response time of a real server.
  Is there a way for this?
  Thank you for any answer!
    giorgio romano

  Hi,
  Kindly add the following line in your serverfarm configuration:
  predictor response syn-to-synack
  Suppose your serverfarm looks like this:
  serverfarm host AAA_FARM
  predictor response syn-to-synack
  probe HTTP_PROBE
  probe TCP9001_PROBE
  rserver SC106
  inservice
  rserver SC107
  inservice
  rserver SC108
  inservice
  rserver SC109
  inservice
  rserver SC110
  inservice
  rserver SC111
  inservice
  rserver SC112
  inservice
  rserver SC113
  inservice
  rserver SC114
  inservice
  rserver SC120
  inservice
  rserver SC131
  inservice
  And then use the following command to see the average response time from your rserver as follows:
  ACE1/prod# show serverfarm AAA_FARM detail
  serverfarm     : AAA_FARM, type: HOST
  total rservers : 11
  active rservers: 11
  description    : ServerFarm AAA
  state          : ACTIVE
  predictor      : RESPONSE
  method            : syn-to-synack
  samples           : 8
  failaction     : -
  back-inservice    : 0
  partial-threshold : 0
  num times failover       : 0
  num times back inservice : 0
  total conn-dropcount : 0
  Probe(s) :
  HTTP_PROBE,  type = HTTP
  TCP9001_PROBE,  type = TCP
  ----------connections-----------
  real                  weight state        current    total      failures
  ---+---------------------+------+------------+----------+----------+---------
  rserver: SC106
  x.x.x.x.:0        8      OPERATIONAL  2          1125       0
  max-conns            : 4000000   , out-of-rotation count : 0
  min-conns            : 4000000
  conn-rate-limit      : -         , out-of-rotation count : -
  bandwidth-rate-limit : -         , out-of-rotation count : -
  retcode out-of-rotation count : -
  load value           : 0
  average response time (usecs) : 81   ----> thats what you might be looking for
  From other day :
  rserver: SC114
  x.x.x.x:0        8      OPERATIONAL  70         10903      2
  max-conns            : 4000000   , out-of-rotation count : 0
  min-conns            : 4000000
  conn-rate-limit      : -         , out-of-rotation count : -
  bandwidth-rate-limit : -         , out-of-rotation count : -
  retcode out-of-rotation count : -
  load value           : 0
           average response time (usecs) : 1334                       ----> thats what you might be looking for
  For Serverfarm BBB_FARM
  serverfarm     : BBB_FARM, type: HOST
  total rservers : 1
  active rservers: 1
  description    : ServerFarm BBB
  state          : ACTIVE
  predictor      : RESPONSE
  method            : syn-to-synack
  samples           : 8
  failaction     : -
  back-inservice    : 0
  partial-threshold : 0
  num times failover       : 1
  num times back inservice : 1
  total conn-dropcount : 0
  Probe(s) :
  ----------connections-----------
  real                  weight state        current    total      failures
  ---+---------------------+------+------------+----------+----------+---------
  rserver: SC208
  x.x.x.x:0        8      OPERATIONAL  0          0          0
  max-conns            : 4000000   , out-of-rotation count : 0
  min-conns            : 4000000
  conn-rate-limit      : -         , out-of-rotation count : -
  bandwidth-rate-limit : -         , out-of-rotation count : -
  retcode out-of-rotation count : -
  load value           : 0
           average response time (usecs) : 0   ----> thats what you might be looking for
  Use more detials for response predictor:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1068831
  Configuring the Application Response Predictor
  To instruct the ACE to select the server with the lowest average response time for the specified response-time measurement based on the current connection count and server weight (if configured), use the predictor response command in server farm host or redirect configuration mode. This predictor is considered adaptive because the ACE continuously provides feedback to the load-balancing algorithm based on the behavior of the real server.
  To select the appropriate server, the ACE measures the absolute response time for each server in the server farm and averages the result over a specified number of samples (if configured). With the default weight connection option configured, the ACE also takes into account the server's average response time and current connection count. This calculation results in a connection distribution that is proportional to the average response time of the server.
  The syntax of this command is as follows:
  predictor response {app-req-to-resp | syn-to-close | syn-to-synack}[samples number]
  The keywords and arguments are as follows:
  •app-request-to-resp—Measures the response time from when the ACE sends an HTTP request to a server to the time that the ACE receives a response from the server for that request.
  •syn-to-close—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server.
  •syn-to-synack—Measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server.
  •samples number—(Optional) Specifies the number of samples over which you want to average the results of the response time measurement. Enter an integer from 1 to 16 in powers of 2. Valid values are 1, 2, 4, 8, and 16. The default is 8.
  For example, to configure the response predictor to load balance a request based on the response time from when the ACE sends an HTTP request to a server to when the ACE receives a response back from the server and average the results over four samples, enter:
  host1/Admin(config)# serverfarm SFARM1
  host1/Admin(config-sfarm-host)# predictor response app-req-to-resp
  samples 4
  To reset the predictor method to the default of round-robin, enter:
  host1/Admin(config-sfarm-host)# no predictor
  To configure an additional parameter to take into account the current connection count of the servers in a server farm, use the weight connection command in server farm host predictor configuration mode. By default, this command is enabled. The syntax of this command is as follows:
  weight connection
  For example, enter:
  host1/Admin(config)# serverfarm SF1
  host1/Admin(config-sfarm-host)# predictor response app-request-to-resp
  samples 4
  host1/Admin(config-sfarm-host-predictor)# weight connection
  To remove the current connection count from the calculation of the average server response time, enter:
  host1/Admin(config-sfarm-host-predictor)# no weight connection
  You can use threshold milliseconds parameter which is optional Specifies the required minimum average response time for a server. If the server response time is greater than the specified threshold value, the ACE removes the server from the load-balancing decision process (takes the server out of service).
  Enter an integer from 1 to 300000 milliseconds (5 minutes). The default is no threshold (servers are not taken out of service).
  In case if you have measures the response time from  when the ACE sends a TCP SYN to a server to the time that the ACE receives a CLOSE from the server  use syn-to-close      (already discussed previously)
  If you have to measures the response time from when the ACE sends a TCP SYN to a server to the time that the ACE receives the SYN-ACK from the server use syn-to-synack   (already discussed previously)
  SAMPLES parameter is optional and  specifies the number of samples that you want to average from the results of the response time measurement and response time is used to select the server with the lowest response time for the requested response-time measurement. If you do not specify a response-time measurement method, the ACE uses the HTTP app-req-to-response method.
  Whenever a server's load reaches zero, by default, the ACE uses the autoadjust feature to assign a maximum load value of 16000 to that server to prevent it from being flooded with new incoming connections. The ACE periodically adjusts this load value based on feedback from the server's SNMP probe and other configured options.
  Using the least-loaded predictor with the configured server weight and the current connection count option enabled, the ACE calculates the final load of a real server as follows:
  final load = weighted load × static weight × current connection count
  where:
  •weighted load is the load reported by the SNMP probe
  •static weight is the configured weight of the real server
  •current connection count is the total number of active connections to the real server
  The ACE recalculates the final load whenever the connection count changes, provided that the (config-sfarm-host-predictor) weight connection command is configured. If the (config-sfarm-host-predictor) weight connection command is not configured, the ACE updates the final load when the next load update arrives from the SNMP probe.
  If two servers have the same lowest load (either zero or nonzero), the ACE load balances the connections between the two servers in a round-robin manner.
  HTH
  Plz rate if u find it useful.
  Sachin

• Access Server through VIP (ACE 4710) but very slow

  Re:  Access Server through VIP (ACE 4710) but very slow
  Hi Shiva
  Kindly  Help .....Accessing the server very slow.., Plz check my real  configuration... this configuration is for application server and after  this i have to configure more serverfarm for different server like  webmail etc. in this ACE 4710. I have only one ACE 4710 .
  ACE Version A4(2.0) = is there supports Probe with this version.???  without probe server will work but very slow. And plz guide Nat-pool is required
  VIP :-- 172.16.15.8
  LB/Admin# sh run
  Generating configuration....
  no ft auto-sync startup-config
  logging enable
  logging host 172.29.91.112 udp/514
  resource-class RC1
    limit-resource all minimum 10.00 maximum unlimited
  boot system image:c4710ace-mz.A4_2_0.bin
  hostname LB
  interface gigabitEthernet 1/1
    description Management
    speed 1000M
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    description clientside
    switchport access vlan 30
    no shutdown
  interface gigabitEthernet 1/3
    description serverside
    switchport access vlan 31
    no shutdown
  interface gigabitEthernet 1/4
    no shutdown
  context Admin
    description Management
    member RC1
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  probe http probe1
    description health check
    interval 5
    passdetect interval 10
    request method head
    expect status 200 200
    open 1
  rserver redirect https_redirect
    description redirect traffic to https
    webhost-redirection / 302
    inservice
  rserver redirect maintenance_page
    description maintenance page displayed
    webhost-redirection /sry.html 301
    inservice
  rserver host web1
    ip address 192.168.10.3
    inservice
  rserver host web2
    ip address 192.168.10.4
    inservice
  rserver host web3
    ip address 192.168.10.5
    inservice
  serverfarm host http
    rserver web1
      inservice
    rserver web2
      inservice
    rserver web3
      inservice
  serverfarm redirect https_redirect_farm
    description Redirect traffic to https
  serverfarm redirect maintenance_farm
    description send user to maintenance page
  parameter-map type connection paramap_http
    description parameter connection tcp
    exceed-mss allow
  sticky ip-netmask 255.255.255.0 address source Sticky_http
    timeout activeconns
    serverfarm http
  class-map match-all REMOTE-ACCESS
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  class-map match-all slb-vip
    2 match virtual-address 172.16.15.8 tcp eq www
  policy-map type management first-match remote_access
    class class-default
      permit
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match slb
    class class-default
      serverfarm http
  policy-map type inspect http all-match slb-vip-http
    class class-default
      permit
  policy-map multi-match client-vips
    class slb-vip
      loadbalance vip inservice
      loadbalance policy slb
      loadbalance vip icmp-reply active
      inspect http policy slb-vip-http
      connection advanced-options paramap_http
  interface vlan 30
    description "Client Side"
    ip address 172.16.15.24 255.255.255.0
    access-group input everyone
    service-policy input client-vips
    no shutdown
  interface vlan 31
    description "Server Side"
    ip address 192.168.10.1 255.255.255.0
    service-policy input remote_access
    no shutdown
  interface vlan 1000
    description managment
    ip address 172.29.91.110 255.255.255.0
    service-policy input remote_mgmt_allow_policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.15.1
  snmp-server contact "PHQ"
  snmp-server community phq group Network-Monitor
  snmp-server trap-source vlan 1000
  username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/  role Admin domain
  default-domain
  username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR.  role Admin domain de
  fault-domain
  username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0  role Admin domain d
  efault-domain
  ssh key rsa 1024 force
  banner motd # "ro" #
  Regards,
  Prem

  Hi Shiva,
  plz guide i'm new with ACE LB, also find my n/w design for connected ace to server. but server accessing very very slow, but when i connect through my old server software LB (with two interface)then accessing very fast. I just replace my old serverLB(with two interface) to ACE4710 and connect the same scenario then why not server accessing smoothly with VIP .Reply soon only I connect ACE's two interface with switch.....
  Regards,
  Prem

• Server-conn reuse stats on ACE 4710?

  Hi,
  Does anyone know if it's possible to get the server-conn reuse stats on an ACE 4710 appliance?  I'd like to confirm that it's working and ideally see the number of resued connections.
  Thanks,
  Jim

  Scimitar1/Admin# show np 1 me-stats "-socm -v" | i [uU][sS][eE]
  Reuse retrieve link update conn invalid           0             0
  Reuse retrieve link update conn not on r          0             0
  Reuse retrieve success but conn invalid:          0             0
  Reuse retrieve miss:                              0             0
  Reuse conns retrieved:                            0             0
  Scimitar1/Admin#
  The last 2 indicates if a new connection is needed (miss) or if we could retrieve an existing one.
  Gilles.

• ACE 4710 - need help configuring backend server monitoring

  Currently running an ACE 4710, which is handling all of our inbound SSL connections and then forwarding requests thru
  to backend web servers. This all works fine.
  My question is this..Right now we are not load balancing any of the backen web servers. But I now have a requirement that should
  a web server crash or become unavailable I need to redirect that backend connection to another web server.
  Scenario is more like I have 2 web servers both serving same content, but I want one server to take all the connections unless it fails, at that point
  have all the connections forwarded to 2nd server.
  Is there a way to setup the load balancing where the 1st server gets all the connections until a failure happens ?
  Any help would be appreciated.
  Cheers
  Dave                  

  Hi Dave,
  You can use sorry-server or backup server feature. details can be found at
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1000264

• ACE 4710 - Monitoring Real Server Showing N/A

  I recently installed a Cisco ACE 4710 version A4(2.0) into our test network. Load balancing across a number of web servers appears to be working ok and serving pages to users. However, when i tried to check the real time stats via device manager (Monitor> virtual contexts> context > Real servers) a number of fields specifically "current connections", "total conns", "failed conns" etc were showing N/A. Do I need to enable this somehow i.e. polling, if so how?

  Hello Samson,
  You may try to reboot the entire ACE 4710, probably during a maintenance window, some java process might have gotten stuck.
  If the issue persists then open a TAC case since there are some software defects related to this behavior.
  Jorge

• Ace 4710 active/standby SNMP config

  We have 2 x Ace 4710 deployed in Active/Standby config. Since the configuration mode is disabled on the Standby unit, how can we configure the SNMP settings (such as location etc.) on the standby unit different from the active unit?
  The 2 devices are in physically separated data centers so the SNMP location settings need to be set differently on both units. The standby unit does not allow any configuration.

  Comments inline:
  Since this is the admin context,  we would better not do this. As i understand correctly, this will turn  off the config sync on the 2 units and we may end up with some issues.
  KM - Correct, you need to manually manage the configurations of both devices. 
  Also,  if at a later stage, we sync the configs again in the admin context, it  will overwrite the different config on the standby unit with that from  the active unit?
  KM - Correct, the device with the lower priority will be overwritten when config-sync is re-enabled.  This is one of the reasons you need to be careful in the Admin context.  For example: Ff the lower priority device has contexts defined that the primary does not, they would be removed when you re-enablethis command.
  Since  my requirement is just the SNMP location config, I do not think i  should go for this; rather i can have some descriptive location setting  identifying the 2 units in cluster mode...
  KM - This would be more ideal than disabling config sync.  You could also put both locations like this:
  snmp-server location "San Jose, CA & Seattle, WA"
  Regards
  Kris

• ACE 4710 FT failover failure

  Hello,
  I am running redundant ACE 4710 appliances running A3(2.7).  I have five FT groups configured along with FT Tracking and when the vlans fail due to physical links being down, the contexts to do not failover.  If one of the ACE boxes fail completely, failover works fine.  I have included the FT config from one of the contexts below.  I have a case open with TAC and the Engineer is suggesting the use of a query interface in additon to FT Tracking.  We have had two incidents on separate contexts where we lost a physical interface on the primary ACE, one for the maintenance of the core switch, the other was a cable disconnect and we are unable to understand why the indivdual context didn't failover.  Any ideas would be much appreciated.  Let me know if more info/configs are needed.
  Dave
  ft interface vlan 900
    ip address 10.10.10.1 255.255.255.0
    peer ip address 10.10.10.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 20
    ft-interface vlan 900
  ft group 3
    peer 1
    no preempt
    priority 210
    peer priority 120
    associate-context XYZ
    inservice
  FT Group                     : 3
  No. of Contexts             : 1
  Context Name                 : XYZ
  Context Id                   : 2
  Configured Status           : in-service
  Maintenance mode             : MAINT_MODE_OFF
  My State                   : FSM_FT_STATE_ACTIVE
  My Config Priority           : 210
  My Net Priority             : 210
  My Preempt                   : Disabled
  Peer State                   : FSM_FT_STATE_STANDBY_HOT
  Peer Config Priority         : 120
  Peer Net Priority           : 120
  Peer Preempt                 : Disabled
  Peer Id                     : 1
  Last State Change time       : Wed Jan 11 13:14:16 2012
  Running cfg sync enabled     : Enabled
  Running cfg sync status     : Running configuration sync has completed
  Startup cfg sync enabled     : Enabled
  Startup cfg sync status     : Startup configuration sync has completed
  Bulk sync done for ARP: 0
  Bulk sync done for LB: 0
  Bulk sync done for ICM: 0
  show int
  vlan424 is up, VLAN up on the physical port
  Hardware type is VLAN
  MAC address is 00:1e:68:1e:ba:b7
  Virtual MAC address is 00:0b:fc:fe:1b:03
  Mode : routed
  IP address is 10.104.224.6 netmask is 255.255.255.0
  FT status is active
  Description:"New Server VIP and real"
  MTU: 1500 bytes
  Last cleared: never
  Last Changed: Sun Mar 11 01:13:12 2012
  No of transitions: 3
  Alias IP address is 10.104.224.5 netmask is 255.255.255.0
  Peer IP address is 10.104.224.7 Peer IP netmask is 255.255.255.0
  Assigned on the physical port, up on the physical port
  Previous State: Sun Mar 11 00:04:57 2012, VLAN not up on the physical port
  Previous State: Sun Sep 18 10:21:15 2011, administratively up
       3991888419 unicast packets input, 23734607976687 bytes
       20246934 multicast, 174801 broadcast
       0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
       1609345958 unicast packets output, 23690663385228 bytes
       7 multicast, 55807 broadcast
       0 output errors, 0 ignored

  Dave,
  For tracking to work you need to have preempt enabled. Can you try enabling preempt under the ft group and test your tracking again? Another potential issue you may run into is if your tracking is not lowering the priority enough when it fails. The difference between the active and standby device is 100. If you are not decrementing the priority greater than this value even if priority is enabled it will not lower it enough to force the failover. If after enabling preempt on this group the tracking still does not work as expected send you whole config for us to look at.
  Regarding the query interface; This is not a bad idea. It will help prevent an active active situation if there is a problem with the ft link between the two modules.
  Thanks
  Jim