ACE 4710 eHealth monitoring of context

Similar Messages

• Cisco ACE 4710 - Health Monitoring for Real Servers

  Hi,
  I have setup the following health probe to check for the existence of a specific web page.  My intention is that when the web page is removed, the health check fails and the rserver status changes to 'out of service'.  Unfortunately, when I remove the web page, I see the health check fail, and the rserver state change to 'PROBE-FAILED', however the rserver does not go 'out of service' and continues to respond to requests.
  Can anyone see where I'am going wrong?
  Health check probe config
  probe http live_http_int
    interval 15
    passdetect interval 60
    request method get url /loadbalancer/internal.html
    expect status 199 201
    open 10
  RSERVER config
  rserver host Server1
    description Server1
    ip address 10.10.10.1
    conn-limit max 4000000 min 4000000
    probe live_http_int
    inservice
  rserver host Server2
    ip address 10.10.10.2
    conn-limit max 4000000 min 4000000
    probe live_http_int
    inservice

  Hi syannetwork,
  I think you have to "force" the failed server to close the connection when it has failed. Otherwise it will still serve the available HTML pages.
  Have a look at the "Configuring the ACE Action when a Server Fails" in the "Cisco Application Control Engine Module Server Load-Balancing Configuration Guide" and let me know if the following command helped:
  conf t
  serverfarm host ServerFarm
  failaction purge
  Have a good WE.
  Cheers
  LPL

• ACE 4710 health monitoring probe

  New to ACE4710
  Can someone please explain the effects.
  Associate the probe with one of the following:
  A real server.
  A real server and then associate the real server with a  server farm. You can associate a single probe or multiple probes with  real servers within a server farm.
  A server farm. All servers in the server farm receive probes of the associated probe types.

  Hi,
  Here is the expected operation for each of those cases:
  A real server.
  If the server is not associated with any serverfarm, the status will not be probed (the rserver will be marked as INACTIVE)
  A real server and then associate the real server with a  server farm. You can associate a single probe or multiple probes with  real servers within a server farm.
  The probe will only be applied to that specific server
  A server farm. All servers in the server farm receive probes of the associated probe types.
  The probe will be applied to all the servers in the serverfarm.
  Another thing to take into account is that (by default) if more than one probe is associated to a server (either directly or through a serverfarm), all the probes need to succeed to consider the server operational. You can also add the command "fail on all" to a serverfarm or rserver to change this behavior and only consider the server as down when all the probe fail
  I hope this answers your question
  Regards
  Daniel

• ACE 4710 - Monitoring Real Server Showing N/A

  I recently installed a Cisco ACE 4710 version A4(2.0) into our test network. Load balancing across a number of web servers appears to be working ok and serving pages to users. However, when i tried to check the real time stats via device manager (Monitor> virtual contexts> context > Real servers) a number of fields specifically "current connections", "total conns", "failed conns" etc were showing N/A. Do I need to enable this somehow i.e. polling, if so how?

  Hello Samson,
  You may try to reboot the entire ACE 4710, probably during a maintenance window, some java process might have gotten stuck.
  If the issue persists then open a TAC case since there are some software defects related to this behavior.
  Jorge

• Ace 4710 - same context routed and load-sharing

  Hi All
  Can an ACE 4710 have , in the same context - servers which are
  a. just being routed to
  b. a set of load-shared servers
  I have been told you may not be able to do this on this version
  Does anyone know if this is correct
  Thanks
  Steve

  Hi Boris
  I have been on the ACE course and before we install the 4700 box i have been
  asked to set up a test setup.
  This would involve have a context which would have one ip address range and
  a few pcs (pretending to be servers ) and one which would be just routed.
  A colleague of mine seemed to think that something had been said on the course
  to the effect that if the ACE was deployed  in line the you couldnt have some
  of your servers in load-sharing and some just routed on the same subnet and
  in the same context.
  Steve

• ACE 4710 - need help configuring backend server monitoring

  Currently running an ACE 4710, which is handling all of our inbound SSL connections and then forwarding requests thru
  to backend web servers. This all works fine.
  My question is this..Right now we are not load balancing any of the backen web servers. But I now have a requirement that should
  a web server crash or become unavailable I need to redirect that backend connection to another web server.
  Scenario is more like I have 2 web servers both serving same content, but I want one server to take all the connections unless it fails, at that point
  have all the connections forwarded to 2nd server.
  Is there a way to setup the load balancing where the 1st server gets all the connections until a failure happens ?
  Any help would be appreciated.
  Cheers
  Dave                  

  Hi Dave,
  You can use sorry-server or backup server feature. details can be found at
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1000264

• Access Server through VIP (ACE 4710) but very slow

  Re:  Access Server through VIP (ACE 4710) but very slow
  Hi Shiva
  Kindly  Help .....Accessing the server very slow.., Plz check my real  configuration... this configuration is for application server and after  this i have to configure more serverfarm for different server like  webmail etc. in this ACE 4710. I have only one ACE 4710 .
  ACE Version A4(2.0) = is there supports Probe with this version.???  without probe server will work but very slow. And plz guide Nat-pool is required
  VIP :-- 172.16.15.8
  LB/Admin# sh run
  Generating configuration....
  no ft auto-sync startup-config
  logging enable
  logging host 172.29.91.112 udp/514
  resource-class RC1
    limit-resource all minimum 10.00 maximum unlimited
  boot system image:c4710ace-mz.A4_2_0.bin
  hostname LB
  interface gigabitEthernet 1/1
    description Management
    speed 1000M
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    description clientside
    switchport access vlan 30
    no shutdown
  interface gigabitEthernet 1/3
    description serverside
    switchport access vlan 31
    no shutdown
  interface gigabitEthernet 1/4
    no shutdown
  context Admin
    description Management
    member RC1
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  probe http probe1
    description health check
    interval 5
    passdetect interval 10
    request method head
    expect status 200 200
    open 1
  rserver redirect https_redirect
    description redirect traffic to https
    webhost-redirection / 302
    inservice
  rserver redirect maintenance_page
    description maintenance page displayed
    webhost-redirection /sry.html 301
    inservice
  rserver host web1
    ip address 192.168.10.3
    inservice
  rserver host web2
    ip address 192.168.10.4
    inservice
  rserver host web3
    ip address 192.168.10.5
    inservice
  serverfarm host http
    rserver web1
      inservice
    rserver web2
      inservice
    rserver web3
      inservice
  serverfarm redirect https_redirect_farm
    description Redirect traffic to https
  serverfarm redirect maintenance_farm
    description send user to maintenance page
  parameter-map type connection paramap_http
    description parameter connection tcp
    exceed-mss allow
  sticky ip-netmask 255.255.255.0 address source Sticky_http
    timeout activeconns
    serverfarm http
  class-map match-all REMOTE-ACCESS
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  class-map match-all slb-vip
    2 match virtual-address 172.16.15.8 tcp eq www
  policy-map type management first-match remote_access
    class class-default
      permit
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match slb
    class class-default
      serverfarm http
  policy-map type inspect http all-match slb-vip-http
    class class-default
      permit
  policy-map multi-match client-vips
    class slb-vip
      loadbalance vip inservice
      loadbalance policy slb
      loadbalance vip icmp-reply active
      inspect http policy slb-vip-http
      connection advanced-options paramap_http
  interface vlan 30
    description "Client Side"
    ip address 172.16.15.24 255.255.255.0
    access-group input everyone
    service-policy input client-vips
    no shutdown
  interface vlan 31
    description "Server Side"
    ip address 192.168.10.1 255.255.255.0
    service-policy input remote_access
    no shutdown
  interface vlan 1000
    description managment
    ip address 172.29.91.110 255.255.255.0
    service-policy input remote_mgmt_allow_policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.15.1
  snmp-server contact "PHQ"
  snmp-server community phq group Network-Monitor
  snmp-server trap-source vlan 1000
  username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/  role Admin domain
  default-domain
  username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR.  role Admin domain de
  fault-domain
  username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0  role Admin domain d
  efault-domain
  ssh key rsa 1024 force
  banner motd # "ro" #
  Regards,
  Prem

  Hi Shiva,
  plz guide i'm new with ACE LB, also find my n/w design for connected ace to server. but server accessing very very slow, but when i connect through my old server software LB (with two interface)then accessing very fast. I just replace my old serverLB(with two interface) to ACE4710 and connect the same scenario then why not server accessing smoothly with VIP .Reply soon only I connect ACE's two interface with switch.....
  Regards,
  Prem

• Ace 4710 strange behaviour

  Hi, We have two ACE-4710-K9 (named LB01 and LB02) configured in HA mode. Besides Admin, on each of them there are tree context configured, named, ACADEMIC, COMMERCIAL, STREAMING. On LB01 the active context is ACADEMIC. On LB02 the active contexts are COMMERCIAL and STREAMING. Each context is configured with a FrontEnd and a BackEnd Vlan interface, and a "management" Vlan interface used for accessing and monitoring the device and for the downloading of the needed ssl certificates. Recently we upgraded the devices to Version A3(2.6) form a previous A3(2.4). After that upgrade we experienced some strange behaviour. From the context in STANDBY state we are not able to ping the host on the "management" Vlan interface, while there is no problem on the other Vlans. We see that the ICMP packets are sent to the Vlan, are replayed by the remote host BUT are not received at all on the LB01 or LB02. No messages in the log. Trying with 5 consecutive (failed) ping we can see that the counters of unicast packet output on LB01/LB02 Vlan is incremented by 5 BUT the unicast packets input counters is unchanged even if the remote host sent the replays. In the STREAMING context this behaviour isn't constant, ie the ping *sometimes* starts working for a few second and then returns to stop. In the other standby context the ping never works instead. In the active context all works fine. This strange problem prevents us to load the ssl certificates in the STANDBY context from the "management" Vlan. We was not able to find any reference to a similar problem in the Cisco documentation or Tac collection, so we are curious to know wheter someone else experienced such a behaviour. Thank you and best regards. Alessandro Asson - CINECA

  Thanks,
  I see you are using shared VLAN config in both ACE.
  Same VLAN 1000 is used for both Admin and streaming context.
  In this config, you may need to use the shared-vlan-host-id command as explained here:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/vlansif.html#wp1025243
  In fact as explained:
  'By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE appliances in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank, which results in the use of the same MAC addresses. To avoid this conflict, you must configure the bank that the ACEs will use.'
  This would also reply to your question in the readme file:
  SHOW ARP TABLE ON THE D01,D02,D07 ROUTERS SHOWS THE SAME MAC ADDRESS FOR
  BOTH IP ADDRESSES OF LB01 AND LB02: is that normal ??
  Hope this helps,
  Dom.

• Need help to Configure Cisco ACE 4710 Cluster Deployment

  Dear Experts,
  I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between  two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
  http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
  This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
  This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
  My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
  Thanks....!
  -Amal-

  Dear Kanwal,
  I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
  Following detail required for configuring Oracle EBS Apps tier on HA:
  LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
  Suggested IP and Name for LBR:
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm detail for LBR Setup
  Following detail will be use for configuring the LBR:
  LBR IP and Name :
  IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
  ebiz.xxxx.lk [on port 80 for http protocol accessibility]
  This LBR IP & name must be resolve and respond on DNS network
  Server Farm Detail for LBR setup:
  Server 1 (EBS App1 Node, ap1ebs):
  IP : 172.25.45.19
  Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Server 2 (EBS App2 Node, ap2ebs):
  IP : 172.25.45.20
  Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
  Protocol: http
  Port: 8000
  Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
  Following are my latest config :
  probe http Get-Method
    description Check to url access /OA_HTML/OAInfo.jsp
    interval 10
    faildetect 2
    passdetect interval 30
    request method get url /OA_HTML/OAInfo.jsp
    expect status 200 200
  probe udp http-8000-iRDMI
    description IRDMI (HTTP - 8000)
    port 8000
  probe http http-probe
    description HTTP Probes
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    request method get url /index.html
    expect status 200 200
  probe https https-probe
    description HTTPS traffic
    interval 10
    faildetect 2
    passdetect interval 30
    passdetect count 2
    ssl version all
    request method get url /index.html
  probe icmp icmp-probe
    description ICMP PROBE FOR TO CHECK ICMP SERVICE
  rserver host ebsapp1
    description ebsapp1.xxxx.lk
    ip address 172.25.45.19
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  rserver host ebsapp2
    description ebsapp2.xxxx.lk
    ip address 172.25.45.20
    conn-limit max 4000000 min 4000000
    probe icmp-probe
    probe http-probe
    inservice
  serverfarm host ebsppsvrfarm
    description ebsapp server farm
    failaction purge
    predictor response app-req-to-resp samples 4
    probe http-probe
    probe icmp-probe
    inband-health check log 5 reset 500
    retcode 404 404 check log 1 reset 3
    rserver ebsapp1 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
    rserver ebsapp2 80
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      inservice
  sticky http-cookie jsessionid HTTP-COOKIE
    cookie insert browser-expire
    replicate sticky
    serverfarm ebsppsvrfarm
  class-map type http loadbalance match-any default-compression-exclusion-mime-type
    description DM generated classmap for default LB compression exclusion mime types.
    2 match http url .*gif
    3 match http url .*css
    4 match http url .*js
    5 match http url .*class
    6 match http url .*jar
    7 match http url .*cab
    8 match http url .*txt
    9 match http url .*ps
    10 match http url .*vbs
    11 match http url .*xsl
    12 match http url .*xml
    13 match http url .*pdf
    14 match http url .*swf
    15 match http url .*jpg
    16 match http url .*jpeg
    17 match http url .*jpe
    18 match http url .*png
  class-map match-all ebsapp-vip
    2 match virtual-address 172.25.45.21 tcp eq www
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  policy-map type loadbalance first-match ebsapp-vip-l7slb
    class default-compression-exclusion-mime-type
      serverfarm ebsppsvrfarm
    class class-default
      compress default-method deflate
      sticky-serverfarm HTTP-COOKIE
  policy-map multi-match int455
    class ebsapp-vip
      loadbalance vip inservice
      loadbalance policy ebsapp-vip-l7slb
      loadbalance vip icmp-reply active
      nat dynamic 1 vlan 455
  interface vlan 455
    ip address 172.25.45.36 255.255.255.0
    peer ip address 172.25.45.35 255.255.255.0
    access-group input ALL
    nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
    service-policy input remote_mgmt_allow_policy
    service-policy input int455
    no shutdown
  ft interface vlan 999
    ip address 10.1.1.1 255.255.255.0
    peer ip address 10.1.1.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 10
    ft-interface vlan 999
  ft group 1
    peer 1
    no preempt
    priority 110
    associate-context Admin
    inservice
  ip route 0.0.0.0 0.0.0.0 172.25.45.1
  Hope you will reply me soon
  Thanks....!
  -Amal-

• Cannot Telnet to ACE 4710 after upgrade to A4(2.3)

           I have a pair of ACE 4710s with 12 contexts sharing the load, running A4(2.1). Yesterday I upgraded one of them to A4(2.3)
  now I cannot telnet to the Admin context.Pings ok. I can telnet to other contexts on the box and everything seems to be working ok   
  when i do a " sh telnet"
  comes back with
  No Session Information is available
  sh telnet maxsessions
  telnet maxsessions 16
  Can anybody help?

  further this post, it was not a resource problem as had allocated 5% for the Admin context.
  I up graded IOS Saturday evening, could not Telnet in, tried again on Sunday same result,
  though this morning (Monday) Can now telnet in ok very strange
  I was connecting via the AUX line of a 2851 router to the console port.
  whe I disconnected this morning I saw the following message
  INIT: id "T0" respawning too fast : disabled for  5 minutes
  not sure if this is a 2851 message or an ACE message, but after getting that message is when I was able to Telnet in
  was it a coincidence
  anybody any ideas

• ACE 4710: Possible to allow a user to clear counters but nothing else?

  Hello all,
  Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc.  We would also like to allow this user to clear the interface error counters as well, but nothing else.  Is this possible?
  Thanks!

  Hello Brandon-
  Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats.  You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
  i.e.
  ACE# conif t
  ACE(config)# role MyRole
  ACE(config-role)# rule 1 permit modify feature ?
    AAA             AAA related commands
    access-list     ACL related commands
    connection      TCP/UDP related commands
    fault-tolerant  Fault tolerance related commands
    inspect         Appln inspection related commands
    interface       Interface related commands
    loadbalance     Loadbalancing policy and class commands
    pki             PKI related commands
    probe           Health probe related commands
    rserver         Real server related commands
    serverfarm      Serverfarm related commands
    ssl             SSL related commands
    sticky          Sticky related commands
    vip             Virtual server related commands
  You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.
  Domains allow you to create containers for objects.  You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
  Regards,
  Chris Higgins

• ACE 4710 in bridge mode not working

  I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
  I am not able to ping servers as well as gateway. Below are the topology and context configuration:
  Router   (vlan 13: IP 172.16.11.254)
       |
  ACE     (int gig1/2)
       |
  L2 Switch
       |
  Servers (vlan 11: IP 172.16.11.1 and 11.2)
  Admin Context
  ===========
  resource-class rc1
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource sticky minimum 0.20 maximum unlimited
  boot system image:c4710ace-mz.A3_2_4.bin
  interface gigabitEthernet 1/1
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    switchport trunk allowed vlan 11,13
    no shutdown
  interface gigabitEthernet 1/3
    shutdown
  interface gigabitEthernet 1/4
    shutdown
  access-list ALL line 8 extended permit ip any any
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  interface vlan 1000
    ip address 172.16.16.16 255.255.255.0
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.16.254
  context test
    allocate-interface vlan 11
    allocate-interface vlan 13
    member rc1
  test Context
  =========
  access-list bpdu-fixup ethertype permit bpdu
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 16 extended permit icmp any any
  rserver host srv1
    ip address 172.16.11.1
    inservice
  rserver host srv2
    ip address 172.16.11.2
    inservice
  serverfarm host srv
    rserver srv1
      inservice
    rserver srv2
      inservice
  sticky ip-netmask 255.255.255.255 address both SG1
    timeout 120
    serverfarm srv
  class-map type management match-any remote-mgmt
    201 match protocol snmp any
    202 match protocol ssh any
    203 match protocol icmp any
    204 match protocol http any
    205 match protocol https any
    206 match protocol xml-https any
  class-map match-all slb-vip
    2 match virtual-address 172.16.11.10 any
  policy-map type management first-match remote-mgmt
    class remote-mgmt
      permit
  policy-map type loadbalance first-match slb
    class class-default
      sticky-serverfarm SG1
  policy-map multi-match client-vips
    class slb-vip
      loadbalance vip inservice
      loadbalance policy slb
      loadbalance vip icmp-reply
  interface vlan 11
    bridge-group 1
    access-group input bpdu-fixup
    access-group input ALL
    access-group output ALL
    no shutdown
  interface vlan 13
    bridge-group 1
    access-group input bpdu-fixup
    access-group input ALL
    access-group output ALL
    service-policy input remote-mgmt
    service-policy input client-vips
    no shutdown
  interface bvi 1
    ip address 172.16.11.9 255.255.255.0
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.11.254
  Could you pls. suggest where I am doing wrong?
  Thanks,
  Pawan

  " I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
  What is the setup on the switch ? Trunk or access vlan ?
  What is the status of the interface ? up ? down ?
  Do you see something in your arp table ?
  Gilles.

• ACE 4710. Unable to clear ssh sessions

  Hi.
  Once in the CLI of an ACE 4710, using the command "clear ssh session id" I am unable to clear/kill any of the remote ssh sessions established.
  According to the administration guide, the "clear ssh .." command must clear the sessions, but it does not, or maybe I am missing something?
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/administration/guide/access.html#wp1050335
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Tabla normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  ACE/CONTEXTO_A# show ssh session-info
  Session ID     Remote Host         Active Time
  13728          222.98.54.158:50556   67:43:38
  13732          200.44.158.70:46172   67:43:36
  13735          200.44.158.70:46174   67:43:36
  13737          200.44.158.70:46177   67:43:36
  ACE/CONTEXTO_A#
  ACE/CONTEXTO_A# clear ssh 13728
  ACE/CONTEXTO_A# clear ssh 13732
  ACE/CONTEXTO_A# clear ssh 13735
  ACE/CONTEXTO_A# clear ssh 13737
  ACE/CONTEXTO_A# show ssh session-info
  Session ID     Remote Host         Active Time
  13728          222.98.54.158:50556   67:43:54
  13732          200.44.158.70:46172   67:43:52
  13735          200.44.158.70:46174   67:43:52
  13737          200.44.158.70:46177   67:43:52

  Hello,
  Seems to be working for me in my tests.  Works in the Admin context and a user context, and when clearing connections from console connection or one of the SSH sessions.
  ace-appliance-15/CTX1# sho ssh sess
  Session ID     Remote Host         Active Time
  24705          161.44.77.245:1586     0: 1:42
  25100          161.44.77.245:1589     0: 0:27
  25116          161.44.77.245:1590     0: 0:16
  ace-appliance-15/CTX1# clear ssh 25116
  ace-appliance-15/CTX1#
  ace-appliance-15/CTX1# sho ssh sess
  Session ID     Remote Host         Active Time
  24705          161.44.77.245:1586     0: 2: 5
  25100          161.44.77.245:1589     0: 0:50
  What version of software are you running on your 4710?  I am running the latest A3(2.4).  Can you try this version?
  Thanks,
  Sean

• Facing Issue in ACE 4710 ..Secondary ACE showing as FSM_FT_STATE_STANDBY_COLD ...

  Hi All ,
   I am facing problem with my ACE 4710 in active-standby environment . When I check Show ft group detail on my Active ACE , it shows peer state as
  FSM_FT_STATE_STANDBY_COLD for Admin context . Below is the output :
  Primary_ACE/Admin#sh ft group detail
  FT Group                     : 1
  No. of Contexts              : 1
  Context Name                 : Admin
  Context Id                   : 0
  Configured Status            : in-service
  Maintenance mode             : MAINT_MODE_OFF
  My State                     : FSM_FT_STATE_ACTIVE
  My Config Priority           : 120
  My Net Priority              : 120
  My Preempt                   : Enabled
  Peer State                   : FSM_FT_STATE_STANDBY_COLD
  Peer Config Priority         : 100
  Peer Net Priority            : 100
  Peer Preempt                 : Enabled
  Peer Id                      : 1
  Last State Change time       : Tue Jan  1 05:32:55 2002
  Running cfg sync enabled     : Enabled
  Running cfg sync status      : Peer in Cold State. Error on Standby device when
  applying configuration file replicated from active
  Startup cfg sync enabled     : Enabled
  Startup cfg sync status      : Peer in Cold State. Startup configuration sync ha
  [7m--More--[m
  s completed
  Bulk sync done for ARP: 0
  Bulk sync done for LB: 0
  Bulk sync done for ICM: 0
  FT Group                     : 2
  No. of Contexts              : 1
  Context Name                 : APP_Context
  Context Id                   : 1
  Configured Status            : in-service
  Maintenance mode             : MAINT_MODE_OFF
  My State                     : FSM_FT_STATE_ACTIVE
  My Config Priority           : 120
  My Net Priority              : 120
  My Preempt                   : Enabled
  Peer State                   : FSM_FT_STATE_STANDBY_HOT
  Peer Config Priority         : 100
  Peer Net Priority            : 100
  Peer Preempt                 : Enabled
  Peer Id                      : 1
  Last State Change time       : Tue Jan  1 05:32:56 2002
  Running cfg sync enabled     : Enabled
  [7m--More--[m
  Running cfg sync status      : Running configuration sync has completed
  Startup cfg sync enabled     : Enabled
  Startup cfg sync status      : Startup configuration sync has completed
  Bulk sync done for ARP: 0
  Bulk sync done for LB: 0
  Bulk sync done for ICM: 0
  Also when I give show ft config-errors on my secondary ACE it gives the following result .
  Secondary_ACE/Admin#sh ft config-error
  Mon Jun 10 00:04:11 IST 2002
  `no 3 match virtual-address 10.40.3.15 tcp eq https`
  Error: LB action requires match vip command
  `no 3 match virtual-address 10.40.3.15 tcp eq 8082`
  Error: LB action requires match vip command
  `no 3 match virtual-address 10.40.3.21 tcp eq www`
  Error: LB action requires match vip command
  `no 3 match virtual-address 10.40.3.21 tcp eq https`
  Error: LB action requires match vip command
  `2 match virtual-address 10.40.3.21 tcp eq https`
  Error: This configuration already exists
  `2 match virtual-address 10.40.3.21 tcp eq www`
  Error: This configuration already exists
  `2 match virtual-address 10.40.3.15 tcp eq 8082`
  Error: This configuration already exists
  `2 match virtual-address 10.40.3.15 tcp eq https`
  Error: This configuration already exists
  Error(s) while applying config.
   I am attaching the running configuration of both the ACE's . Kindly help me in resolving the issue .
  Also I noticed one thing . There is configuration difference in Primary and Secondary ACE . I guess this is causing the issue .
  Need help to fix this asap .
   Following configuration is missing on the secondary ACE .
  ======================================================================
  class-map match-all WEB_FARM_VIP-80
    3 match virtual-address 10.40.3.15 tcp eq www
  policy-map type loadbalance first-match WEB_FARM_VIP-80-l7slb
    class class-default
      serverfarm HTTP-2-HTTPS
    class WEB_FARM_VIP-80
      loadbalance vip inservice
      loadbalance policy WEB_FARM_VIP-80-l7slb
  Thanks ,
  Tushar

  Dear all,
  Pls help me out in this regard, I dont have much idea about ACE.
  Regards,
  Sashi

• ACE 4710 Connectivity help?

  I'm using an ACE 4710 in a new datacenter, with the following setup:
  2/4 physical ethernet interfaces port channeled into port-channel 1
  2/4 physical ethernet interfaces port channeled into port-channel 2
  I have the following vlans defined:
  1001 - admin     - interface ip: 10.53.136.70
  400 - client side - interface ip: 10.53.136.100
  500 - server side - interface ip: 192.168.128.1
  999 - fault tolerance - interface ip: 192.168.11.2
  My problem is I am trying to nat ssh and web server traffic from the client side, to the server side, but it's never getting to the server.  For example, if I ssh to 10.53.136.102, it times out.  (10.53.136.102 should get nat'd to 192.168.128.2)
  Also, I can connect to the ACE 4710 via telnet using 10.53.136.70, but cannot connect to 10.53.136.100.
  I'm thinking there is either something wrong with the port-channels, or the access lists.  On the other hand there could be something wrong with the nat'ing, but I had it working before switching over to the port-channels.
  Any thoughts?
  Thanks,
  Brent

  I've attached the two contexts which we are using.  The admin context is new_lb_config.txt and the second context where the loadbalancing occurs is in the new_lb_config_VC_WBPX.txt file.
  From the load balancer, I am able to ping the real server ips in the 192.168. ip range.  The 4710 recognizes that they are in service.
  I believe the ACL for the VLAN 400 is set to permit all traffic, but I don't know if the service policies are preventing something from happening.
  Right now, I have disconnected the two 4710s and I am only working on one of them to see if I can get the basic connectivity going.  Once I accomplish that, I will work on high availability.  I'll have to check whether it thinks it is in passive mode...not entirely sure how to do that, but I will check it out.
  Thanks,
  Brent