ACE 4710 - DM initialization failed
When trying to get to the device manager GUI on my ACE 4710 I get to the login screen. On entering credentials I am given an error
"DM initialization failed (Failed to import ACE configuration: Device discovery failed: unknown). Contact your technical support team."
I have tried "dm reload" but I am still getting the error.
Any help gratefully appreciated.
You are probably hitting CSCsv95366. This is fixed in A3(2.2).
You can get the details about this bug at
http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
HTH
Syed Iftekhar Ahmed
Similar Messages
-
Hi,
I have an ACE 4710 appliance, but it has failed and is giving the following error at console login.
I suspect a hardware issue, most probably with the hard drive. Please let me know if it is recoverable or if replacement is the only solution.
switch login: init: failed to initialize modlock_init(): No such file or directory
eth2: ERROR while getting interface flags: No such device
perform_sysmgr_offline: unable to move MTS to MTS_STATE_OFFLINE: Invalid argument (error-id 0x801E0016).
init: failed to initialize modlock_init(): No such file or directory
eth2: ERROR while getting interface flags: No such device
perform_sysmgr_offline: unable to move MTS to MTS_STATE_OFFLINE: Invalid argument (error-id 0x801E0016).
init: failed to initialize modlock_init(): No such file or directory
eth2: ERROR while getting interface flags: No such device
perform_sysmgr_offline: unable to move MTS to MTS_STATE_OFFLINE: Invalid argument (error-id 0x801E0016).
/isan/sbin/sysmgr: symbol lookup error: /isan/lib/libutils.so: undefined symbol: tftp_callback_fn
Regards
Nadeem
Hi,
I RMAed the appliance; I think it was a hardware failure which caused this issue.
If someone faces this issue, please let me know. Thanks!
Regards
Nad
-
I have an ACE 4710 that won't boot.
When booting, Linux starts to boot, and then it just starts writing this in the console:
Waiting for lock /tmp/octeon-pci-lock
Waiting for lock /tmp/octeon-pci-lock
Waiting for lock /tmp/octeon-pci-lock
Waiting for lock /tmp/octeon-pci-lock
Waiting for lock /tmp/octeon-pci-lock
Google ain't much help.
Have any of you seen this before, and do any of you know what to do?
Best Regards
Morten
Hi,
It needs additional testing, but as per my understanding, if you put the backups in this order then the last backup server will be chosen first.
In your case it will be like "RSERVER1 >> backup sorry server >> backup web content".
As per the below example:
I put test 2 as first backup server and test1 as second backup server but if you look at the first part it took rserver test1 as first backup.
serverfarm host 1313-GIN-GWAP-SDC-80
  rserver RSERVER1
    backup-rserver test1
    inservice
  rserver test1
    inservice standby
  rserver test2
    inservice standby
regards,
Ajay Kumar
-
ACE 4710 - show stats connection questions
Hi,
I have three questions regarding the "show stats connection" command in the ACE 4710:
1. What are the criteria for a connection to be added to the "Total Connections Failed" counter?
2. What are the criteria for a connection to be added to the "Total Connections Timed-out" counter?
3. Is there a command to get more information why the connection was failed or timed-out (e.g. to/from which IP, url accessed etc.)?
Thanks in advance for your help!
Best regards,
Harry
Harry,
A connection failed if the server did not respond or responded with a RST.
As long as the connection gets established, it is counted as a success.
The connection timeout counter is incremented when the connection is idle for the configured timeout value or, for L7 connections, if it does not complete the 3-way handshake within the embryonic timeout interval.
Since it is clear why those counters are incrementing, the only way to get more information is to capture a sniffer trace to verify if the conditions above are met.
Gilles.
-
Using the ACE 4710 for loadbalancing a Sharepoint site.
We currently have a HTTP probe setup to check the port 80 status of the rserver.
Is there any way to get the HTTP probe to check a DNS entry for each of the application sites? For instance http://info vs http://site are two different web sites running on the same IP. One site could have a problem but the actual port 80 for the IP may be still alive.
Thanks for any information.
Has anyone figured this out? I am trying to get healthchecks/probes set up in this same fashion. I have 2 servers with 1 IP but have many sites. I want to probe each side and ensure I get a 200 code. I also have to provide credentials to the site. It seems that if I open IE I can log in just fine to the site with the credentials. However there is an ActiveX control box that is wanting to be installed. When I set this up on my ACE it seems I am getting an HTTP 401 unauthorized error. I have done a Wireshark capture while I was browsing and I see the 401; however, it also reports a 200 code after that. Do you think this is a problem because of the ActiveX control wanting to be downloaded? Or is this an issue with the first HTTP code that is received by the probe, that being the 401 and then the 200? Below is my config (cleaned of course).
probe http HTTP-80-OUR.DOMAIN.COM
  interval 15
  passdetect interval 60
  credentials
  request method get url http://our.domain.com/default.aspx
  expect status 200 200
  header Host header-value "our.domain.com"
  open 1
rserver host SERVER-A
  ip address X.X.X.47
  inservice
rserver host SERVER-B
  ip address X.X.X.48
  inservice
serverfarm host FARM-AB
  predictor leastconns
  probe HTTP-80-OUR.DOMAIN.COM
  rserver SERVER-A
    inservice
  rserver SERVER-B
    inservice
ACE4710# show probe HTTP-80-OUR.DOMAIN.COM detail
probe : HTTP-80-OUR.DOMAIN.COM
type : HTTP
state : ACTIVE
description :
port : 80 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : http://our.domain.com
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
serverfarm : OUR.DOMAIN.COM-10.25.4.12-L3-FARM
real : SERVER-A[0]
X.X.X.47 80 DEFAULT 414 406 8 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 2
No. Probes skipped : 0 Last status code : 401
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Wed Jun 2 17:44:18 2010
Last fail time : Wed Jun 2 13:37:04 2010
Last active time : Wed Jun 2 13:34:19 2010
real : SERVER-B[0]
X.X.X.48 80 DEFAULT 414 406 8 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 2
No. Probes skipped : 0 Last status code : 401
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Wed Jun 2 17:44:20 2010
Last fail time : Wed Jun 2 13:37:06 2010
Last active time : Wed Jun 2 13:34:21 2010
-
ACE 4710 A3(2.0) and ACS - TACACS+
Hi.
I am having trouble getting my ACE 4710 (A3(2.0) Build 3.0) to cooperate with my Cisco Secure ACS-server. In the same environment I have it working on my ACE Module, with the same configuration.
ACE 4710:
tacacs-server host 10.7.50.20 key 7 "fewhg"
aaa group server tacacs+ tacacs_server_group
  server 10.7.50.20
  deadtime 15
aaa authentication login default group tacacs_server_group local none
aaa accounting default group tacacs_server_group local
aaa authentication login error-enable
ACS is configured correctly too. I have tried with several users, both in groups, with and without attributes and so forth. The ACS installation works with other devices and with my ACE modules running A2(3.1). I have tried this on both ACS 4.2(0).124 and 4.2(1).15.
The strange part is what I see when I set up Wireshark on my ACS-server to look at the traffic. From what I can see, the ACE only sends a request to the AAA-server if the user exists locally. But I do not get authenticated and Failed Attempts show a line with Message-Type: "Unknown NAS".
It seems like others have the same problem. The problem is that the link attached in the topic beneath only leads me back to the forum and not to a topic with a solution.
https://supportforums.cisco.com/thread/132445?decorator=print&displayFullThread=true#132445
Any help is appreciated and thanks in advance!
Are you using telnet or ssh?
If ssh, can you try telnet? Allow telnet on your management policy to do this. Then if it works via telnet, try ssh again; if it now works then you have hit CSCsu36078
http://tools.cisco.com/squish/03240
-
ACE 4710 bundle license backup
Hello,
Is it possible to backup ACE appliance licenses if product is bought as a bundle?
ACE-4710-BAS-SK-K9
Promo Bundle - ACE 4710 HW-1Gbps-1K SSL-100MbpsComp-5VC
Following is mentioned in the ACE documentation:
"If you need to replace the ACE, you can copy and install the license file for the license onto the replacement appliance."
But, when we try to backup licenses, we get following results:
ACE-1/Admin# sh license
ACE-1/Admin# copy licenses disk0:mylicenses.tar
Backing up license... failed: License file not found
ACE-1/Admin# sh license status
Licensed Feature Count
Compression Performance in Mbps 100
Web Optimization Concurrent Conns. 50
SSL transactions per second 1000
Virtualized contexts 5
Module bandwidth in Gbps 1.0
ACE-1/Admin# sh license usage
License Ins Lic Status Expiry Date Comments
Count
ACE-AP-C-UP1 No - Unused -
ACE-AP-C-UP2 No - Unused -
ACE-AP-C-UP3 No - Unused -
ACE-AP-01-LIC No - Unused -
ACE-AP-01-UP1 No - Unused -
ACE-AP-02-LIC No - Unused -
ACE-AP-02-UP1 No - Unused -
ACE-AP-04-LIC No - Unused -
ACE-AP-04-UP1 No - Unused -
ACE-AP-04-UP2 No - Unused -
ACE-AP-VIRT-5 No - Unused -
ACE-AP-500M-LIC No - Unused -
ACE-AP-VIRT-020 No - Unused -
ACE-AP-C-100-LIC No - Unused -
ACE-AP-C-500-LIC No - Unused -
ACE-AP-C-500-UP1 No - Unused -
ACE-AP-OPT-50-K9 No - Unused -
ACE-AP-C-1000-LIC No - Unused -
ACE-AP-C-2000-LIC No - Unused -
ACE-AP-OPT-LIC-K9 No - Unused -
ACE-AP-OPT-UP1-K9 No - Unused -
ACE-AP-SSL-05K-K9 No - Unused -
ACE-AP-SSL-07K-K9 No - Unused -
ACE-AP-SSL-100-K9 No - Unused -
ACE-AP-SSL-UP1-K9 No - Unused -
ACE-AP-SSLUP-5K-K9 No - Unused -
ACE-AP-VIRT-020-UP No - Unused -
I suppose licenses cannot be backed up because they are bundled and delivered with the bundle by default, and not installed...
Does anyone know what the procedure would be for these bundled licenses in case an ACE HW replacement is needed?
Best regards,
Jasmina
Hi Jasmina,
License file management is quite simple for ACE. Two methods; save original license email or copy from disk0:.
If you purchased and upgraded license, and followed procedure to generate it, you would have received your license via email. We recommend per documentation (License ordering section) that you:
"Step 5 Save the license key e-mail in a safe place in case you need it in the future (for example, to transfer the license to another ACE). "
Also, to apply, you copy the license file to disk0: on the ACE. This *.lic file resides on disk0: thereafter.
So if you did not happen to save the original email when you obtained the license, and the license has been installed, then you can simply copy the *.lic file off the ACE from disk0: to a safe place. Example copying file from ACE to FTP server:
Switch/Admin# copy disk0: ftp:
Enter source filename[]? 1ACE2009060306445454.lic
Enter Address for the ftp server[]? 10.2.3.4
Enter the destination filename[]? [1ACE2009060306445454.lic]
Enter username[]? anonymous
Enter the file transfer mode[bin/ascii]: [bin]
Enable Passive mode[Yes/No]: [Yes]
Password:
Passive mode on.
Hash mark printing on (1024 bytes/hash mark).
Switch/Admin#
Administrator Guide - Licenses on ACE:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/administration/guide/license.html#wp1010344
Hope this helps.
-pefrench
-
Can't install ACE 4710 license
Hi,
I've tried to install the license, but it was not successful. Below are the steps which I've taken to install the license, with error messages. Pls. assist.
CBJ6-LBDMZ2/Admin# copy tftp://10.2.18.66/ACE20090909090659371.lic disk0:
Enter the destination filename[]? [ACE20090909090659371.lic]
Trying to connect to tftp server......
TFTP get operation was successful
685 bytes copied
CBJ6-LBDMZ2/Admin# license install disk0:ACE20090909090659371.lic
Installing license... failed: Can't install this license with the current count
CBJ6-LBDMZ2/Admin# show licen
ACE20090727112500202.lic:
SERVER this_host ANY
VENDOR cisco
INCREMENT ACE-AP-01-LIC cisco 1.0 permanent 1 \
VENDOR_STRING=1 HOSTID=ANY \
NOTICE="200907271125002021 \
1211J5CB363" SIGN=F2E3AFA69526
I think you have a HW appliance (code: ACE-4710-K9) with one a la carte license (ACE-AP-01-LIC).
You bought a Bundle upgrade license, and this is not compatible with your current license (a la carte license).
To use the ACE-4710-BUN-UP2= (1G Bundle to 2G Bundle Upgrade License) you need to have a bundle product like the ACE-4710-1F-K9.
Check this:
Table 1 ACE Licensing Bundles
(columns: License Model, Description, Upgrade Path)
ACE-4710-0.5F-K9
Description: This license bundle includes the following items:
• ACE 4710 appliance
• 0.5-Gbps throughput license (ACE-AP-500M-LIC)
• 100-Mbps compression license (ACE-AP-C-100-LIC)
• 100 SSL transactions per second (TPS) license (ACE-AP-SSL-100-K9)
• 5 virtual contexts license (ACE-AP-VIRT-5)
• Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
Upgrade Path: You have the option to upgrade to the 1-Gbps, 2-Gbps, or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP1=.
ACE-4710-1F-K9
Description: This license bundle includes the following items:
• ACE 4710 appliance
• 1-Gbps throughput license (ACE-AP-01-LIC)
• 500-Mbps compression license (ACE-AP-C-500-LIC)
• 5000 SSL TPS license (ACE-AP-SSL-05K-K9)
• 5 virtual contexts license (ACE-AP-VIRT-5)
• Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
Upgrade Path: You have the option to upgrade to the 2-Gbps or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP2=.
ACE-4710-BAS-2PAK
Description: This license bundle includes the following items:
• Two ACE 4710 appliances
• 1-Gbps throughput license (ACE-AP-01-LIC)
ACE-4710-BAS-2PAK also includes the following default options:
• 1000 SSL TPS
• 100-Mbps compression
• 5 virtual contexts
• Application acceleration (50 connections)
Upgrade Path: You have the option to upgrade to the 2-Gbps or 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP2=. Two upgrade licenses are required for upgrading two units of the ACE-4710-BAS-2PAK bundle.
ACE-4710-2F-K9
Description: This license bundle includes the following items:
• ACE 4710 appliance
• 2-Gbps throughput license (ACE-AP-02-LIC)
• 1-Gbps compression license (ACE-AP-C-1000-LIC)
• 7500 SSL TPS license (ACE-AP-SSL-07K-K9)
• 5 virtual contexts license (ACE-AP-VIRT-5)
• Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
Upgrade Path: You have the option to upgrade to the 4-Gbps bundle. Start the upgrade with ACE-4710-BUN-UP3=.
ACE-4710-4F-K9
Description: This license bundle includes the following items:
• ACE 4710 appliance
• 4-Gbps throughput license (ACE-AP-04-LIC)
• 2-Gbps compression license (ACE-AP-C-2000-LIC)
• 7500 SSL TPS license (ACE-AP-SSL-07K-K9)
• 5 virtual contexts license (ACE-AP-VIRT-5)
• Application acceleration license (50 connections) (ACE-AP-OPT-50-K9)
Upgrade Path: This is the highest value bundle.
ACE-4710-BUN-UP1
Description: 0.5 to 1-Gbps throughput bundle upgrade license
Upgrade Path: See the Upgrade Path outlined above.
ACE-4710-BUN-UP2
Description: 1 to 2-Gbps throughput bundle upgrade license
Upgrade Path: See the Upgrade Path outlined above.
ACE-4710-BUN-UP3
Description: 2 to 4-Gbps throughput bundle upgrade license
Upgrade Path: See the Upgrade Path outlined above.
Table 2 ACE Licensing Options
(columns: Feature, License Model, Description)
Performance Throughput
  Default: 1-Gbps throughput.
  ACE-AP-500M-LIC: 0.5-Gbps throughput.
  ACE-AP-01-LIC: 1-Gbps throughput.
  ACE-AP-02-LIC: 2-Gbps throughput.
  ACE-AP-04-LIC: 4-Gbps throughput.
  ACE-AP-02-UP1: Upgrade from 1-Gbps to 2-Gbps throughput.
  ACE-AP-04-UP1: Upgrade from 1-Gbps to 4-Gbps throughput.
  ACE-AP-04-UP2: Upgrade from 2-Gbps to 4-Gbps throughput.
Virtualization
  Default: 1 admin/5 user contexts.
  ACE-AP-VIRT-020: 1 admin/20 user contexts.
SSL
  Default: 100 TPS.
  ACE-AP-SSL-05K-K9: 5000 TPS.
  ACE-AP-SSL-07K-K9: 7500 TPS.
  ACE-AP-SSL-UP1-K9: Upgrade from 5000 TPS to 7500 TPS.
HTTP Compression
  Default: 100-Mbps.
  ACE-AP-C-500-LIC: 500-Mbps.
  ACE-AP-C-1000-LIC: 1-Gbps.
  ACE-AP-C-2000-LIC: 2-Gbps.
  ACE-AP-C-UP1: Upgrade from 500-Mbps to 1 Gbps.
  ACE-AP-C-UP2: Upgrade from 500-Mbps to 2 Gbps.
  ACE-AP-C-UP3: Upgrade from 1 Gbps to 2 Gbps.
Application Acceleration Feature Pack License
  ACE-AP-OPT-LIC-K9: Application acceleration and optimization. By default, the ACE performs up to 50 concurrent connections. With the application acceleration and optimization software feature pack installed, the ACE can provide greater than 50 concurrent connections.
  This license increases the operating capabilities of the following features:
  • Delta optimization
  • Adaptive dynamic caching
  • FlashForward
  • Dynamic Etag
ACE-AP-02-LIC=
Upgrade Performance License 2 Gbps Spare
-
I am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenticating against Tivoli directory.
The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and compares to the digest in the Xml Signature block.
Is anybody else using SAML tokens?
Has anyone else seen a similar problem?
By adding SAML assertions to outgoing requests, the ACE XML Gateway can act as an asserting party for systems that rely on SAML credentials. The SAML assertions generated by the ACE XML Gateway can be in the form of a SAML 1.0, SAML 1.1, or SAML 2.0 credential.
The following url may help you:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_xml_gateway/v52/user/guide/axg_ug_backendauth.html#wp1049962
-
Hi,
We have two ACE-4710-K9 (named LB01 and LB02) configured in HA mode. Besides Admin, on each of them there are three contexts configured, named ACADEMIC, COMMERCIAL and STREAMING. On LB01 the active context is ACADEMIC. On LB02 the active contexts are COMMERCIAL and STREAMING. Each context is configured with a FrontEnd and a BackEnd Vlan interface, and a "management" Vlan interface used for accessing and monitoring the device and for downloading the needed ssl certificates.
Recently we upgraded the devices to Version A3(2.6) from a previous A3(2.4). After that upgrade we experienced some strange behaviour. From the context in STANDBY state we are not able to ping the host on the "management" Vlan interface, while there is no problem on the other Vlans. We see that the ICMP packets are sent to the Vlan and are replied to by the remote host BUT are not received at all on LB01 or LB02. No messages in the log. Trying with 5 consecutive (failed) pings we can see that the counter of unicast packets output on the LB01/LB02 Vlan is incremented by 5 BUT the unicast packets input counter is unchanged even if the remote host sent the replies.
In the STREAMING context this behaviour isn't constant, i.e. the ping *sometimes* starts working for a few seconds and then stops again. In the other standby context the ping never works. In the active context all works fine.
This strange problem prevents us from loading the ssl certificates in the STANDBY context from the "management" Vlan. We were not able to find any reference to a similar problem in the Cisco documentation or TAC collection, so we are curious to know whether someone else has experienced such behaviour.
Thank you and best regards.
Alessandro Asson - CINECA
Thanks,
I see you are using shared VLAN config in both ACE.
Same VLAN 1000 is used for both Admin and streaming context.
In this config, you may need to use the shared-vlan-host-id command as explained here:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/vlansif.html#wp1025243
In fact as explained:
'By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE appliances in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank, which results in the use of the same MAC addresses. To avoid this conflict, you must configure the bank that the ACEs will use.'
This would also reply to your question in the readme file:
SHOW ARP TABLE ON THE D01,D02,D07 ROUTERS SHOWS THE SAME MAC ADDRESS FOR
BOTH IP ADDRESSES OF LB01 AND LB02: is that normal ??
Hope this helps,
Dom.
-
ACE 4710 - need help configuring backend server monitoring
Currently running an ACE 4710, which is handling all of our inbound SSL connections and then forwarding requests thru to backend web servers. This all works fine.
My question is this: right now we are not load balancing any of the backend web servers. But I now have a requirement that should a web server crash or become unavailable I need to redirect that backend connection to another web server.
Scenario is more like I have 2 web servers both serving same content, but I want one server to take all the connections unless it fails, at that point have all the connections forwarded to 2nd server.
Is there a way to set up the load balancing where the 1st server gets all the connections until a failure happens?
Any help would be appreciated.
Cheers
Dave
Hi Dave,
You can use the sorry-server or backup server feature. Details can be found at
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1000264
-
ACE 4710 - Monitoring Real Server Showing N/A
I recently installed a Cisco ACE 4710 version A4(2.0) into our test network. Load balancing across a number of web servers appears to be working OK and serving pages to users. However, when I tried to check the real-time stats via device manager (Monitor > virtual contexts > context > Real servers) a number of fields, specifically "current connections", "total conns", "failed conns" etc., were showing N/A. Do I need to enable this somehow, i.e. polling, and if so how?
Hello Samson,
You may try to reboot the entire ACE 4710, probably during a maintenance window, some java process might have gotten stuck.
If the issue persists then open a TAC case since there are some software defects related to this behavior.
Jorge
-
Hello,
I am running redundant ACE 4710 appliances running A3(2.7). I have five FT groups configured along with FT Tracking, and when the vlans fail due to physical links being down, the contexts do not fail over. If one of the ACE boxes fails completely, failover works fine. I have included the FT config from one of the contexts below. I have a case open with TAC and the Engineer is suggesting the use of a query interface in addition to FT Tracking. We have had two incidents on separate contexts where we lost a physical interface on the primary ACE, one for the maintenance of the core switch, the other was a cable disconnect, and we are unable to understand why the individual context didn't fail over. Any ideas would be much appreciated. Let me know if more info/configs are needed.
Dave
ft interface vlan 900
  ip address 10.10.10.1 255.255.255.0
  peer ip address 10.10.10.2 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 900
ft group 3
  peer 1
  no preempt
  priority 210
  peer priority 120
  associate-context XYZ
  inservice
FT Group : 3
No. of Contexts : 1
Context Name : XYZ
Context Id : 2
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 210
My Net Priority : 210
My Preempt : Disabled
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority : 120
Peer Net Priority : 120
Peer Preempt : Disabled
Peer Id : 1
Last State Change time : Wed Jan 11 13:14:16 2012
Running cfg sync enabled : Enabled
Running cfg sync status : Running configuration sync has completed
Startup cfg sync enabled : Enabled
Startup cfg sync status : Startup configuration sync has completed
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
show int
vlan424 is up, VLAN up on the physical port
Hardware type is VLAN
MAC address is 00:1e:68:1e:ba:b7
Virtual MAC address is 00:0b:fc:fe:1b:03
Mode : routed
IP address is 10.104.224.6 netmask is 255.255.255.0
FT status is active
Description:"New Server VIP and real"
MTU: 1500 bytes
Last cleared: never
Last Changed: Sun Mar 11 01:13:12 2012
No of transitions: 3
Alias IP address is 10.104.224.5 netmask is 255.255.255.0
Peer IP address is 10.104.224.7 Peer IP netmask is 255.255.255.0
Assigned on the physical port, up on the physical port
Previous State: Sun Mar 11 00:04:57 2012, VLAN not up on the physical port
Previous State: Sun Sep 18 10:21:15 2011, administratively up
3991888419 unicast packets input, 23734607976687 bytes
20246934 multicast, 174801 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
1609345958 unicast packets output, 23690663385228 bytes
7 multicast, 55807 broadcast
0 output errors, 0 ignored
Dave,
For tracking to work you need to have preempt enabled. Can you try enabling preempt under the ft group and test your tracking again? Another potential issue you may run into is if your tracking is not lowering the priority enough when it fails. The difference between the active and standby device is 100. If you are not decrementing the priority greater than this value, even if priority is enabled, it will not lower it enough to force the failover. If after enabling preempt on this group the tracking still does not work as expected, send your whole config for us to look at.
Regarding the query interface: this is not a bad idea. It will help prevent an active-active situation if there is a problem with the ft link between the two modules.
Thanks
Jim
-
reposted from another forum:
Am using an ACE 4710 and am converting incoming WSS username tokens to SAML Tokens - authenticating against Tivoli directory.
The receiving web service is attempting to validate the SAML token but fails on digest verification. i.e. calculates the digest value over the SAML token and fails when comparing to the digest in the Xml Signature block.
Is anybody else using SAML tokens?
Has anyone else seen a similar problem?
You are right, we are using transport encryption (SSL) to protect the WSS Password.
We then use LDAP to authenticate the username/password and create a SAML token using attributes from LDAP. The ACE Xml Gateway creates this SAML token, signs it and inserts into the SOAP header that is forwarded to our service.
At our service we are trying to verify the signed SAML token. The error we are seeing is the Xml signature digest created by the ACE XML Gateway is wrong.
With XML signature some Xml referenced by an ID is canonicalised, hashed (digest created) and then this digest is encrypted using the private key of some certificate.
On receipt we repeat the process, canonicalise and hash the Xml referenced and compare our computed digest to the one created by the ACE device. This is where we get the error. We are using the standard canonicalisation and hashing algorithms (c14n and SHA1 respectively). Our code can successfully verify SAML tokens from other sources. -
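The canonicalise, hash and compare step described in the post above, as an added example (not code from the thread or from Cisco). It uses Python's standard-library C14N 2.0 in place of the c14n the poster names, and the assertion, IDs and function names are constructed for illustration, so its digests are not comparable with those of an ACE XML Gateway.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Keep the "saml" prefix when an element is re-serialised: canonicalisation
# preserves prefixes, so signer and verifier must see the same one.
ET.register_namespace("saml", SAML_NS)


def canonical_bytes(element):
    """Canonicalise one element on its own, ignoring any text that follows it."""
    tail, element.tail = element.tail, None
    try:
        raw = ET.tostring(element, encoding="unicode")
    finally:
        element.tail = tail
    # Assumption: stdlib C14N 2.0 stands in for the c14n named in the post.
    return ET.canonicalize(raw).encode("utf-8")


def reference_digest(element):
    """Base64 SHA-1 digest of the canonical form, as carried in DigestValue."""
    digest = hashlib.sha1(canonical_bytes(element)).digest()
    return base64.b64encode(digest).decode("ascii")


def find_by_id(root, reference_uri):
    """Resolve a same-document reference such as "#a1" to exactly one element."""
    if not reference_uri.startswith("#"):
        raise ValueError("only same-document references are handled")
    wanted = reference_uri[1:]
    matches = [el for el in root.iter() if el.get("ID") == wanted]
    if len(matches) != 1:
        # Zero or duplicate IDs make the signed target ambiguous: reject.
        raise ValueError(f"expected one element with ID {wanted!r}, found {len(matches)}")
    return matches[0]


def verify_reference(document, reference_uri, expected_digest):
    """Recompute the digest of the referenced element and compare it."""
    target = find_by_id(ET.fromstring(document), reference_uri)
    return hmac.compare_digest(reference_digest(target), expected_digest)


def wrap(assertion_xml):
    """Constructed SOAP envelope carrying the assertion in its header."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
        "  <soap:Header>\n    " + assertion_xml + "\n  </soap:Header>\n"
        "  <soap:Body/>\n</soap:Envelope>"
    )


# Constructed sample data: the assertion as the signer hashed it.
SIGNED = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="a1" Version="2.0"><saml:Subject><saml:NameID>alice</saml:NameID>'
    "</saml:Subject></saml:Assertion>"
)
# Same content, different attribute order and quoting: absorbed by c14n.
REORDERED = (
    "<saml:Assertion Version='2.0' ID='a1' "
    "xmlns:saml='urn:oasis:names:tc:SAML:2.0:assertion'><saml:Subject>"
    "<saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>"
)
# Re-indented after signing: whitespace inside the element is signed content.
REINDENTED = SIGNED.replace("<saml:Subject>", "<saml:Subject>\n  ").replace(
    "</saml:Subject>", "\n</saml:Subject>"
)
# Content changed after signing.
ALTERED = SIGNED.replace("alice", "bob")

DIGEST = reference_digest(ET.fromstring(SIGNED))

if __name__ == "__main__":
    for label, body in (("as signed", SIGNED), ("reordered", REORDERED),
                        ("re-indented", REINDENTED), ("altered", ALTERED)):
        print(f"{label:12} digest matches: {verify_reference(wrap(body), '#a1', DIGEST)}")
```

Dumping `canonical_bytes()` on both the producing and the receiving side and comparing the two byte strings shows where the inputs to the hash diverge.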
NOT POSSIBLE TO START ESSBASE WHEN SSO INITIALIZATION FAILS
Version is 11.1.1.3. My Essbase is not starting. Issues from the logs and what I have attempted are as follows. I have highlighted the relevant areas in bold.
When Starting Essbase from products/Essbase/bin/start.bat:
C:\Hyperion\products\Essbase\bin>start.bat
C:\Hyperion\products\Essbase\bin>REM eis
C:\Hyperion\products\Essbase\bin>net start "Hyperion Integration Services"
The requested service has already been started.
More help is available by typing NET HELPMSG 2182.
C:\Hyperion\products\Essbase\bin>REM APS
C:\Hyperion\products\Essbase\bin>call C:\Hyperion\products\Essbase\aps\bin\start.bat
C:\Hyperion\products\Essbase\bin>REM aps
C:\Hyperion\products\Essbase\bin>net start HyS9aps
The requested service has already been started.
More help is available by typing NET HELPMSG 2182.
C:\Hyperion\products\Essbase\bin>REM EAS
C:\Hyperion\products\Essbase\bin>call C:\Hyperion\products\Essbase\eas\bin\start.bat
C:\Hyperion\products\Essbase\bin>REM eas
C:\Hyperion\products\Essbase\bin>net start HyS9eas
The requested service has already been started.
More help is available by typing NET HELPMSG 2182.
C:\Hyperion\products\Essbase\bin>REM EssbaseAgent
C:\Hyperion\products\Essbase\bin>net start hypservice_1
The service name is invalid.
More help is available by typing NET HELPMSG 2185.
C:\Hyperion\products\Essbase\bin>REM EssbaseStudio
C:\Hyperion\products\Essbase\bin>C:\Hyperion\products\Essbase\EssbaseStudio\Server\startServer.bat
C:\Hyperion\products\Essbase\bin>setlocal
C:\Hyperion\products\Essbase\bin>set CONFIGTOOL_HOME="C:\Hyperion\common\config\9.5.0.0"
C:\Hyperion\products\Essbase\bin>call ""C:\Hyperion\common\config\9.5.0.0"\setJavaRuntime.bat"
Logging configuration file is not found. Expected filename is C:\Hyperion\products\Essbase\bin\.\server.properties
Log file location is:
C:\Hyperion\logs\esbstudio\server.log
13:23:09 11/01/11 INFO Starting up
13:23:09 11/01/11 INFO Oracle Essbase Studio Server. Version 11.1.1.3.00, Build 090, June 25 2009
13:23:16 11/01/11 (system) WARNING Failed to load driver for sap
13:23:16 11/01/11 (system) SEVERE Cannot load Teradata connector
13:23:16 11/01/11 (system) WARNING Failed to load driver for teradata
13:23:16 11/01/11 (system) WARNING Failed to load driver for mysql
13:23:16 11/01/11 (system) WARNING Failed to load driver for netezza
Essbase.log:
[Tue Oct 25 11:26:31 2011]Local/ESSBASE0///Error(1051223)
Single Sign On function call [css_init] failed with error [CSS Error: CSS method invocation error: com.hyperion.css.CSSSystem.<init>]
[Tue Oct 25 11:26:31 2011]Local/ESSBASE0///Info(1051198)
Single Sign-On Initialization Failed !
[Tue Oct 25 11:26:31 2011]Local/ESSBASE0///Info(1051232)
Using English_UnitedStates.Latin1@Binary as the Essbase Locale
[Tue Oct 25 11:26:31 2011]Local/ESSBASE0///Error(1051527)
In Shared Services Security mode it is not possible to start Essbase when single sign on initialization fails.
AND
C:\Hyperion\logs\essbase\SharedServices_Security_Client.log com.hyperion.css.CSSSystem.<init>(Unknown Source)
2011-10-25 11:26:11,039 INFO [main] Configure CSS with registry com.hyperion.css.CSSSystem.initCSSSystem(Unknown Source)
2011-10-25 11:26:11,039 INFO [main] Initializing CSS from Registry. com.hyperion.css.common.configuration.CSSConfigurationManager.getConfiguration(Unknown Source)
2011-10-25 11:26:11,085 INFO [main] Trying to get Registry Instance com.hyperion.css.registry.RegistryManager.<init>(Unknown Source)
2011-10-25 11:26:31,023 ERROR [main] 20:1092:Failed to initialize EPM System registry. *[Root Cause: java.sql.SQLException: [Hyperion][SQLServer JDBC Driver]Error establishing socket to host and port: machinex:1433. Reason: Connection refused: connect ] com.hyperion.css.registry.RegistryManager.<init>(Unknown Source)*
*2011-10-25 11:26:31,023 ERROR [main] Arguments: param1={}, param2=null, param3=C:\Hyperion\logs\essbase\,* com.hyperion.css.CSSSystem.initCSSSystem(Unknown Source)
2011-10-25 11:26:31,023 INFO [main] CSS system intialization failed. : [21484 ms] com.hyperion.css.CSSSystem.initCSSSystem(Unknown Source)
What I have attempted:
- Attempted to connect to Shared Services, Workspace url's - YES
- Checked openLDAP & my Database is running - YES
- Added following to Configuration File :
SharedServicesLocation machinex 28080
AUTHENTICATIONMODULE CSS http://machinex:28080/interop/framework/getCSSConfigFile YES, but same error
- Changed essbase.bak to essbase.sec YES but same error
- netstat -an to check for 1423. Port 1423 is not listening, although ALL TCP Ports have been enabled. So YES but same error.
- Read Knowledgebase article # 954322.1 - the suggested things in there don't seem to apply to my case, unless I am missing something.
At this point does anybody have any suggestions?
An update: Just for kicks, I tried restarting Essbase using Start->Programs-EPMSystem->Essbase->EssbaseServer->Essbase.bat and apparently now Essbase is started.
EAS, Studio and Planning however are down.
Excerpt from the HyS9eas-sysout.log:
[ERROR] RegistryUtils - SQL Exception when trying to create a new connection [Hyperion][SQLServer JDBC Driver]Error establishing socket to host and port: machinex:1433. Reason: Connection refused: connect
* CRITICAL ERROR: Common Security Services initialization failed. Please *
* make sure that a valid entry is provided for SECURITY_CONFIGURATION in *
* OlapAdmin.properties. This is required if Shared Services is enabled. *
* Please restart the server after the changes. *
Stopping DAO factory!
HBR Configuration has not been initialized. Make sure you have logged in sucessfully and there are no exceptions in the HBR log file.
java.lang.ExceptionInInitializerError
.... bunch of java code.
This is really strange. There is NOTHING that I changed, started or stopped which could have caused Essbase to start magically all of a sudden.
Any insights into the cause of all this?