ACE - Firewall Loadbalancing
I have a problem understanding how the ACE handles firewall load balancing.
In the documentation there is an example for a secure side and an insecure side.
serverfarm INSEC_SF
transparent
predictor hash address source 255.255.255.255
rserver FW_INSEC_1
inservice
rserver FW_INSEC_2
inservice
rserver FW_INSEC_3
inservice
serverfarm SEC_SF
predictor hash address destination 255.255.255.255
transparent
rserver FW_SEC_1
inservice
rserver FW_SEC_2
inservice
rserver FW_SEC_3
inservice
The ACE on the insecure side makes a hash of the source IP and selects one of the 3 firewalls.
The ACE on the secure side makes a hash of the destination IP and selects one of the 3 firewalls.
On what information does the ACE compute the hash? The IP addresses of the firewalls on the secure/insecure side are different.
The names of the real servers are also different.
Best Regards
Sven
Hi Gilles,
thanks for your reply. You are right. But my question was: what does the hash match on?
There are 3 firewalls.
The ACE only knows the local IP address and name of the firewall.
So the ACE on the secure side knows a different IP address than the ACE on the insecure side.
The names are also different on both sides!
So how do the ACE modules know that rserver FW_INSEC_1 and rserver FW_SEC_1 are the same firewall device? It is not clear what the ACE matches the computed hash value of the SRC or DST IP against.
On CSS systems it is clear. The CSS knows the local and remote IP of the firewall plus the firewall index, and can compute the hash on both sides to the same firewall.
But on the ACE system I cannot see where the match is done.
Is it done by the order of configuration in the serverfarm?
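Sven's question, what the two hashes have in common when neither ACE knows the other side's addresses or names, is easiest to see with the two directions of one flow side by side. The following is an added example written for this page, not Cisco code and not something the thread provides: a simple stand-in hash (not the ACE's real predictor algorithm) applied by the insecure-side farm to the source address of the client's packet and by the secure-side farm to the destination address of the reply, which is the same client address. It assumes that hash buckets map onto rservers in serverfarm configuration order, which is exactly what the thread asks and does not confirm, so check that against the ACE documentation for your release before relying on it.

```python
"""Why a source-hash farm (insecure side) and a destination-hash farm (secure
side) land on the same firewall.

Added example, not Cisco code and not taken from the thread. The hash function
below is an illustrative stand-in, not the ACE predictor's real algorithm, and
the example assumes that hash buckets map onto rservers in serverfarm
configuration order (the thread asks exactly that; verify it for your release).
"""

# Constructed topology (assumption): FW_x_1 / FW_x_2 / FW_x_3 are the same
# three boxes as seen from the insecure (INSEC) and the secure (SEC) side.
INSEC_SF = ["FW_INSEC_1", "FW_INSEC_2", "FW_INSEC_3"]
SEC_SF = ["FW_SEC_1", "FW_SEC_2", "FW_SEC_3"]


def hash_address(ip: str, mask: str = "255.255.255.255") -> int:
    """Hash the masked IPv4 address to an integer (illustrative, not ACE's hash)."""
    octets = [int(o) for o in ip.split(".")]
    mask_octets = [int(o) for o in mask.split(".")]
    h = 0
    for o, m in zip(octets, mask_octets):
        h = (h * 31 + (o & m)) & 0xFFFFFFFF
    return h


def select(farm, key_ip, mask="255.255.255.255"):
    """Pick an rserver by hash bucket, i.e. by its position in the serverfarm."""
    return farm[hash_address(key_ip, mask) % len(farm)]


def firewall_id(rserver_name):
    """The physical box is identified by the numeric suffix both names share."""
    return rserver_name.rsplit("_", 1)[1]


def symmetric(client_ip, insec_farm=INSEC_SF, sec_farm=SEC_SF):
    """True if request and reply for this client traverse the same firewall.

    Forward (client -> server): the insecure ACE hashes the SOURCE address.
    Return (server -> client): the secure ACE hashes the DESTINATION address,
    which in the reply packet is the same client address. Neither ACE needs
    the other side's IPs or names: the same key and the same number of
    rservers in the same order are what line the two selections up.
    """
    forward_fw = select(insec_farm, client_ip)   # predictor hash address source
    return_fw = select(sec_farm, client_ip)      # predictor hash address destination
    return firewall_id(forward_fw) == firewall_id(return_fw)


def asymmetric_clients(client_ips, insec_farm, sec_farm):
    """Clients whose reply would hit a different firewall than their request."""
    return [ip for ip in client_ips if not symmetric(ip, insec_farm, sec_farm)]


if __name__ == "__main__":
    clients = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]   # constructed sample addresses
    print("same order on both sides, broken flows:",
          asymmetric_clients(clients, INSEC_SF, SEC_SF))
    # Same boxes listed in a different order on the secure side: the bucket
    # index still matches, the box behind it does not, so the stateful firewall
    # that saw the SYN never sees the SYN/ACK.
    print("reordered SEC_SF, broken flows:",
          asymmetric_clients(clients, INSEC_SF, list(reversed(SEC_SF))))
```

The reordered case is the failure a practitioner actually wants to catch: the bucket index still matches on both sides, but the firewall behind it does not, and the firewall that saw the SYN never sees the SYN/ACK. The mask argument shows the other knob in the thread's config: with 255.255.255.0 all clients of one /24 share a bucket, which keeps a NATed site on one firewall but concentrates load.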
Similar Messages
-
ACE 4710 Loadbalancer Weblogic Issues
Hi Guys,
Having some issues with my load balancer and WebLogic. Eventually I want SSL forwarding and everything set up, but as of now I can only access the VIP under port 7001 (the default WebLogic port). How would I get it so I can access it via HTTP? My config is below.
PA-ACE-4700-SLB/Admin# changeto Prod-Support
PA-ACE-4700-SLB/Prod-Support# show run
Generating configuration....
access-list allow line 8 extended permit ip any any
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
receive 5
probe tcp TCP443_PROBE
port 443
interval 5
passdetect interval 5
receive 5
connection term forced
open 2
probe tcp TCP7001_PROBE
port 7001
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
probe tcp TCP80_PROBE
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver host 228-WLS11host1
ip address 192.168.211.228
inservice
rserver host 229-WLS11host2
ip address 192.168.211.229
inservice
serverfarm host WLS11-7001
probe TCP7001_PROBE
rserver 228-WLS11host1
inservice
rserver 228-WLS11host1 7001
rserver 229-WLS11host2
inservice
rserver 229-WLS11host2 7001
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
cookie insert browser-expire
replicate sticky
serverfarm WLS11-7001
class-map type http loadbalance match-any L5
2 match http url .*
class-map match-all WLS11-7001-CLASS
2 match virtual-address 192.168.211.50 tcp any
policy-map type loadbalance first-match WLS11-7001-Policy
class L5
sticky-serverfarm 7001_STICKY
policy-map multi-match WLS11-SLB
class WLS11-7001-CLASS
loadbalance vip inservice
loadbalance policy WLS11-7001-Policy
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
interface vlan 1000
ip address 192.168.211.226 255.255.255.0
access-group input allow
nat-pool 1 192.168.211.50 192.168.211.50 netmask 255.255.255.255 pat
service-policy input WLS11-SLB
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.211.235
Thanks for any help you can provide.
Hummm,
Andy
1) Can you modify this?
class-map type http loadbalance match-any L5
2 match http url .*
to look like this:
class-map type http loadbalance match-any L5
2 match http url /.*
2)Can you do this:
serverfarm host WLS11-7001
probe TCP7001_PROBE
rserver 228-WLS11host1 7001
inservice
rserver 229-WLS11host2 7001
inservice
3) Can you clear all the browser's cookies and/or open a new browser window? It might be possible that some clients are stuck to the rservers which do not have the port hardcoded.
4) Can you do: clear stats loadbalance? (won't affect anything)
5)Then generate traffic
6)Then get:
#show service-policy WLS11-SLB class-map WLS11-7001-CLASS detail
#show stat http
Jorge -
ACE: RDP loadbalancing connection problem
I have a problem setting up RDP loadbalancing.
My setup is a WS-C6509-E with IOS 12.2(33)SXI5 and an ACE20-MOD-K9 running A2(3.3).
I have the ACE in two-arm mode; I can connect to the real servers via RDP. The real servers use a MS Terminal Server Session Broker with routing tokens.
The serverfarm is operational:
# show serverfarm FARM-TSFARM1 det
serverfarm : FARM-TSFARM1, type: HOST
total rservers : 4
active rservers: 4
description : srv-f1-tsX.mydomain.de
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 1
total conn-dropcount : 0
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: RS-SRV-F1-TS1
10.7.43.201:0 8 OPERATIONAL 0 1 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS2
10.7.43.202:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS3
10.7.43.203:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: RS-SRV-F1-TS4
10.7.43.204:0 8 OPERATIONAL 0 0 0
description : -
max-conns : 500 , out-of-rotation count : 0
min-conns : 500
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
The service policy is active, it shows an increasing hit count for the VIP connections (47 as shown below), no drop-count, no dropped connections, but zero server bytes/packets and no hit counts for the L7 policy:
# show service-policy VIP-TSFARM1 detail
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 44
service-policy: VIP-TSFARM1
class: VIP-TSFARM1-RDP
VIP Address: Protocol: Port:
10.7.44.106 tcp eq 3389
loadbalance:
L7 loadbalance policy: VIP-TSFARM1-RDP-l7slb
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 47
dropped conns : 0
client pkt count : 221 , client byte count: 10996
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : VIP-TSFARM1-RDP-l7slb
class/match : class-default
LB action: :
primary serverfarm: FARM-TSFARM1
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
I never get a "Built TCP connection" syslog message.
When I make a VIP with "policy-map type loadbalance generic" instead of "policy-map type loadbalance rdp" everything works as expected, apart from the fact that users cannot be redirected to the correct server if they have an active session on one of them.
Here is the config of the rdp setup:
rserver host RS-SRV-F1-TS1
description srv-f1-ts1.mydomain.de
ip address 10.7.43.201
conn-limit max 500 min 500
rate-limit connection 10000
rate-limit bandwidth 12500000
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS2
description srv-f1-ts2.mydomain.de
ip address 10.7.43.202
conn-limit max 500 min 500
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS3
description srv-f1-ts3.mydomain.de
ip address 10.7.43.203
conn-limit max 500 min 500
probe PING_PROBE
inservice
rserver host RS-SRV-F1-TS4
description srv-f1-ts4.mydomain.de
ip address 10.7.43.204
conn-limit max 500 min 500
probe PING_PROBE
inservice
serverfarm host FARM-TSFARM1
description srv-f1-tsX.mydomain.de
rserver RS-SRV-F1-TS1
inservice
rserver RS-SRV-F1-TS2
inservice
rserver RS-SRV-F1-TS3
inservice
rserver RS-SRV-F1-TS4
inservice
class-map match-all VIP-TSFARM1-RDP
2 match virtual-address 10.7.44.106 tcp eq 3389
policy-map type loadbalance rdp first-match VIP-TSFARM1-RDP-l7slb
class class-default
serverfarm FARM-TSFARM1
policy-map multi-match VIP-TSFARM1
class VIP-TSFARM1-RDP
loadbalance vip inservice
loadbalance policy VIP-TSFARM1-RDP-l7slb
loadbalance vip icmp-reply active
loadbalance vip advertise active
interface vlan 44
service-policy input VIP-TSFARM1
Any ideas?
Ralf,
You are running into the following defect:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl63354
Workaround:
use a layer 4 loadbalance policy and configure source ip sticky.
Joel Lamousnery
Cisco TAC -
ACE multiple loadbalancing policies help
Hi
I've configured my ACE to load balance all hits on a 2-server farm. It's working fine.
Now I want to load balance hits with a specific URL on another farm, and it's not working (hits with the specific URL are not logged in the new policy).
Here is what I've added :
1. A class-map to get my URL:
class-map type http loadbalance match-all CLASSMAP_L7
 match http header Host header-value my.domain.com
2. A policy-map:
policy-map type loadbalance first-match POLICYMAP_L7
 class CLASSMAP_L7
  serverfarm FARM_2
3. A policy-map to get the L7 policy map:
policy-map multi-match POLICYMAP_L3L4
 class L4-WEB-IP
  loadbalance vip inservice
  loadbalance policy POLICYMAP_L7
  appl-parameter http advanced-options HTTP_PARAMETER_MAP
4. added the service policy on my interface
interface vlan 265
 service-policy input ALREADY_EXISTING_POLICIES
 service-policy input POLICYMAP_L3L4
I should specify that my class-map L4-WEB-IP is defined as
class-map match-all L4-WEB-IP
 2 match virtual-address 17x.xx.xxx.xxx tcp eq www
So basically, when I try a show service-policy POLICYMAP_L3L4 summary, I get 0 hits.
So the other service policy (implementing the same class L4-WEB-IP, of course) is taking all the traffic.
Any thoughts? Thanks for the help.
Hi Pablo
Thanks for the answer.
You're right, I'd deleted it since I was testing. I have put it back now, and... same result.
(loading subdomain.domain.com)
show service-policy POLICYMAP_L3L4 summary => Hit Count doesn't change
show service-policy WEB-to-vIPs summary => Hit Count increase
To be ok, here is the full configuration again, with the corrections.
probe tcp PROBE_TCP
 interval 30
 passdetect interval 60
rserver host 55LABS
 ip address 172.16.0.1
 inservice
rserver host MICHELINE
 ip address 172.16.0.2
 inservice
serverfarm host FARM_55LABS
 predictor leastconns
 probe PROBE_TCP
 rserver 55LABS
  inservice
 rserver MICHELINE
  inservice
serverfarm host FARM_PHP
 predictor leastconns
 probe PROBE_TCP
 rserver MICHELINE
  inservice
parameter-map type http HTTP_PARAMETER_MAP
 persistence-rebalance
class-map match-all CLASSMAP_L3L4
 2 match virtual-address xxx.xxx.xxx.161 tcp eq www
class-map type http loadbalance match-all CLASSMAP_L7
 2 match http header Host header-value "subdomain.domain.com"
class-map match-all L4-HTTPS-IP
 2 match virtual-address xxx.xxx.xxx.161 tcp eq https
class-map match-all L4-WEB-IP
 2 match virtual-address xxx.xxx.xxx.161 tcp eq www
class-map type management match-all REMOTE_ACCESS
 2 match protocol ssh any
class-map type management match-all TEST
 2 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
 class REMOTE_ACCESS
  permit
policy-map type management first-match TEST_ALLOW
 class TEST
  permit
policy-map type loadbalance http first-match HTTPS_POLICY
 class class-default
  serverfarm FARM_55LABS
  insert-http x-forward header-value "%is"
policy-map type loadbalance first-match POLICYMAP_L7
 class CLASSMAP_L7
  serverfarm FARM_PHP
policy-map type loadbalance http first-match WEB_L7_POLICY
 class class-default
  serverfarm FARM_55LABS
  insert-http x-forward header-value "%is"
policy-map multi-match POLICYMAP_L3L4
 class CLASSMAP_L3L4
  loadbalance vip inservice
  loadbalance policy POLICYMAP_L7
  loadbalance vip icmp-reply active
  nat dynamic 1 vlan 2369
  appl-parameter http advanced-options HTTP_PARAMETER_MAP
policy-map multi-match WEB-to-vIPs
 class L4-WEB-IP
  loadbalance vip inservice
  loadbalance policy WEB_L7_POLICY
  loadbalance vip icmp-reply active
  nat dynamic 1 vlan 2369
  appl-parameter http advanced-options HTTP_PARAMETER_MAP
 class L4-HTTPS-IP
  loadbalance vip inservice
  loadbalance policy HTTPS_POLICY
  loadbalance vip icmp-reply active
  nat dynamic 1 vlan 2369
  appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 265
 ip address xxx.xxx.xxx.170 255.255.255.240
 peer ip address xxx.xxx.xxx.171 255.255.255.240
 access-group input ANY
 service-policy input REMOTE_MGMT_ALLOW_POLICY
 service-policy input WEB-to-vIPs
 service-policy input POLICYMAP_L3L4
 no shutdown
interface vlan 2369
 ip address 172.31.255.250 255.240.0.0
 alias 172.31.255.249 255.240.0.0
 peer ip address 172.31.255.251 255.240.0.0
 access-group input ANY
 nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
 service-policy input TEST_ALLOW
 no shutdown
ft track interface VLAN265
 track-interface vlan 265
 peer track-interface vlan 265
 priority 50
 peer priority 5
Thanks again.
Laurent -
ACE - UDP loadbalancing without NAT
Hi, I want to get the source port of the client at the real server, but it is changed by the ACE.
With the matched port of the VIP set to 8070, the same as the RIP, it is fine.
I want to know whether it is possible to keep the source port unchanged when port translation is configured.
Any help will be appreciated.
Below is the config
probe udp udp-8070
port 8070
interval 5
rserver server01
ip address 192.168.1.15
inservice
rserver server02
ip address 192.168.1.16
inservice
serverfarm host sf-UDP-8070
failaction purge
probe udp-8070
rserver server01 8070
inservice
rserver server02 8070
inservice
policy-map type loadbalance first-match pL7-UDP-8070
class class-default
serverfarm sf-UDP-8070
class-map match-any c4-UDP-1270
match virtual-address 192.168.2.100 udp eq 1270
policy-map multi-match pL4-UDP
class c4-UDP-1270
loadbalance vip inservice
loadbalance policy pL7-UDP-8070
loadbalance vip icmp-reply
interface vlan 211
service-policy input pL4-UDP
Dears,
I had this issue with SIP traffic.
To solve the implicit PAT issue you may try the following:
1) Direct Server Return on ACE: configure the servers with the VIP address as a secondary IP address on interfaces directly connected to the ACE (that is, interfaces which have an ARP entry for the ACE). Then configure the ACE to forward to that VIP address as a transparent serverfarm.
or 2) Configure "hw-module cde-same-port-hash" in the Admin context; this will disable hashing based on src. and dst. port and the ACE will use a new hash method -
ACE HTTP loadbalancing problem
What I'm trying to achieve with the below config is that any request coming in with "programming" in the URL will be mapped to one server and all else mapped to a different one. What I see happening is that I can get to the main page but not the page with "programming" in the URL. I have to clear the connections to get mapped to the serverfarm that handles all requests with "programming". I thought it was related to the sticky serverfarm I had configured before, so I reverted to an ordinary serverfarm and it still doesn't work. Any thoughts or suggestions?
rserver host TEST_01
ip address 10.10.204.200
inservice
rserver host TEST_02
ip address 10.10.204.201
inservice
serverfarm host TEST/PROG_SF
rserver TEST_02
inservice
serverfarm host TEST_SF
rserver TEST_01
inservice
class-map match-any TEST_VS
2 match virtual-address 10.10.215.27 tcp eq www
3 match virtual-address 10.10.215.27 tcp eq https
class-map type http loadbalance match-any TEST/PROG
3 match http url (/programming.*)
4 match http url /programming.*
policy-map type loadbalance first-match TEST_L7SLB
class TEST/PROG
serverfarm TEST/PROG_SF
class class-default
serverfarm TEST_SF
policy-map multi-match VIPS
class TEST_VS
loadbalance vip inservice
loadbalance policy TEST_L7SLB
loadbalance vip icmp-reply
interface vlan 215
service-policy input VIPS
You need to activate persistence rebalance, which is not on by default, so that subsequent requests inside the same TCP connection can be remapped to a different server if they match a different rule.
parameter-map type http HTTP-PARAM
persistence-rebalance
policy-map multi-match VIPS
class TEST_VS
appl-parameter http advanced-options HTTP-PARAM
Gilles. -
How to test a cisco ACE loadbalancer.
Hello guys, I am new on this site. I have deployed a Cisco ACE 4710 load balancer, and it is load balancing 2 real servers. Is there any way or any commands I can use to see if it is load balancing properly?
"show serverfarm" will show you the load-balanced connections to each real. Also try "show service-policy <> class-map <> detailed" and check the client and server hit counts.
"show connection" also. -
ACE show serverfarm - failure counter is not incremented on probe-failure event
Hi,
Despite the probe failure, the failure counter is not incremented. Is there any correlation between the configured probe and the failure counter?
(Custom script probe is used for this serverfarm)
# sh serverfarm xxxxxSt
serverfarm : xxxxxSt, type: HOST
total rservers : 2
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: xxxxx6
10.222.0.90:8000 8 OPERATIONAL 13 157 0
rserver: xxxxx7
10.222.0.92:8000 8 PROBE-FAILED 0 0 0
Thanks,
Attila
Hi Attila,
The connection failure counter under show serverfarm is for load-balanced connections which are failing.
If probes are failing, this counter will not increment.
The connection failure counter can increment for various reasons; some of them are:
- Server not responding to the SYN packet sent by the ACE for a load-balanced connection
- Server sending a reset to the SYN packet sent by the ACE for a load-balanced connection
To check on stats for Probe, you can run "show probe detail" command.
Hope this helps,
Best Regards,
Rahul -
I am having some trouble understanding the difference between the AVS appliance and the ACE module for the Cat6K.
Our ACE modules are already about to be shipped, so I am looking forward to getting my hands on them. Checking the Application Solution section, the "newly acquired" AVS appliance is also listed.
A: Is the AVS a supplement to the ACE module in the areas of HTTP, SSL, compression etc. and more granular payload inspection?
B: Is the AVS a "rival" product with different features?
We have some discussions regarding the enhancement of our portal infrastructure and some guys keep putting NetScaler from Citrix on the agenda. I am sure it is a nice product but I like to keep my environment as far Cisco as I can.
That's why it would be nice to get some advice on how to rate, position or compare the ACE/AVS vs. the NetScaler solution. I have the feeling some of the features which are in the mentioned NetScaler are split across two Cisco products.
Points of interest are...
+Payload/Packet-Inspection
+Compression
Thanks for reading...
Can anyone comment on my impressions listed below and also on my problems in the above posting?
AVS: security, TCP multiplexing, compression and NO load balancing.
ACE: security, load balancing, virtualization and TCP multiplexing but NO compression? Could compression be added in future SW releases?
vs.
NetScaler: security, TCP multiplexing, compression and load balancing
C: If you combine the ACE and AVS, are you supposed to put the AVS behind the ACE to use its security features, or in front of a Cat6K with an ACE module?
D: If you put it behind the ACE, is the idea of running it transparently, more or less as an IDS with app acceleration and caching, an approach?
E: If you use the security features of both devices, do you have more or less a double inspection of the payload, with the AVS going into more depth than the ACE?
Would be great if someone had any experience or advice.
Roble -
I have a new ACE 4710. I am unable to get the mail server to send mail through the ACE. I have even set the ACL to any any both inside and outside. The mail server worked fine when it was behind the Alteon load balancer.
I don't know what I am missing; any ideas would be greatly appreciated.
It shouldn't be any problem. SMTP is nothing but Layer 4 traffic on port 25.
Are you simply routing the SMTP traffic through the ACE or Loadbalancing the SMTP traffic?
Is the ACE in routed/bridged mode ?
what is the default gateway on SMTP server?
Syed -
Cisco ACE loadbalancing matching more than one header in L7 class map
Dear All,
This is regarding Cisco ACE load balancing matching more than one header in an L7 class map. I have a small setup with an ACE30 module in a Cisco 6500. I have got three web servers. Presently I have the following configuration where I am matching one Host header.
class-map type http loadbalance match-all L7_WEB_HEADER_MATCH
description MATCH THE HOST HEADER OF HTTP REQUEST
2 match http header Host header-value ".*abhisar.com*"
So for the above configuration, when traffic comes in for abhisar.com, it works fine.
Now I have the following Host headers, and the DNS entries for all of them point to the same virtual IP as abhisar.com:
abhisarindia.com
indiaabhi.com
So new configuration will be
class-map type http loadbalance match-any L7_WEB_HEADER_MATCH
description MATCH THE HOST HEADER OF HTTP REQUEST
2 match http header Host header-value ".*abhisar.com*"
4 match http header Host header-value ".*abhisarindia.com*"
6 match http header Host header-value ".*indiaabhi.com*"
So just want to confirm if this is fine.
Thank You,
Abhisar.
Dear Rajesh,
Thank you for reply. I will let you know once I carry out this activity.
Thank You,
Abhisar. -
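The header-value regexes in this class-map, like the url matches in the WebLogic (".*" vs "/.*") and "programming" threads above, are worth checking before they go live: the Host header is chosen by the client, so a pattern that is looser than intended lets a request be steered into a serverfarm it was not meant for. The following added example (mine, not Cisco's and not from the thread) runs the thread's three patterns against constructed Host values next to tightened, anchored alternatives that are an assumption of mine; it uses Python's re module as a stand-in for the ACE regex engine, whose syntax and anchoring may differ, so confirm the result against the class-map hit counters on the device.

```python
"""Checking what a Host-header regex really matches before it goes into a
class-map.

Added example, not Cisco code and not from the thread. Python's re module is
used as a stand-in for the ACE regex engine, whose syntax and anchoring rules
may differ, so treat the output as a hint and confirm with the class-map hit
counters on the device.
"""
import re

# The patterns as written in the thread's class-map: the '.' is unescaped and
# the trailing '*' applies to the final 'm' only.
LOOSE = {
    "abhisar.com": r".*abhisar.com*",
    "abhisarindia.com": r".*abhisarindia.com*",
    "indiaabhi.com": r".*indiaabhi.com*",
}

# Tightened alternatives (an assumption, not from the thread): escaped dot,
# anchored at both ends, optional "www." prefix and optional ":port" suffix.
STRICT = {
    "abhisar.com": r"^(www\.)?abhisar\.com(:[0-9]+)?$",
    "abhisarindia.com": r"^(www\.)?abhisarindia\.com(:[0-9]+)?$",
    "indiaabhi.com": r"^(www\.)?indiaabhi\.com(:[0-9]+)?$",
}

# Constructed sample Host header values: legitimate ones, then values a client
# can send to steer a request into a farm it was not meant for (the Host
# header is entirely client-controlled).
HOSTS = [
    "abhisar.com",
    "www.abhisar.com",
    "abhisar.com:8080",
    "abhisarindia.com",
    "abhisarXcom",                    # unescaped '.' matches any character
    "abhisar.co",                     # 'm*' makes the final letter optional
    "abhisar.com.attacker.example",   # no end anchor
    "other.example",
]


def matching_hosts(pattern, hosts):
    """Hosts that one header-value pattern matches (search semantics)."""
    rx = re.compile(pattern)
    return [h for h in hosts if rx.search(h)]


def first_matching_line(rules, host):
    """Emulate a match-any class-map: the name of the first line whose pattern
    matches the host, or None if the class-map would not match at all."""
    for name, pattern in rules.items():
        if re.search(pattern, host):
            return name
    return None


def compare(rules_a, rules_b, hosts):
    """Hosts that the two rule sets classify differently."""
    return [h for h in hosts
            if first_matching_line(rules_a, h) != first_matching_line(rules_b, h)]


if __name__ == "__main__":
    for name in LOOSE:
        print(f"{name:18} loose : {matching_hosts(LOOSE[name], HOSTS)}")
        print(f"{name:18} strict: {matching_hosts(STRICT[name], HOSTS)}")
    print("classified differently:", compare(LOOSE, STRICT, HOSTS))
```

The hosts that the two rule sets classify differently are the ones to look at: each is a value a client can put in the Host header to reach FARM_x through the loose class-map while the anchored version sends it to class-default (or to no match at all).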
Standby cisco ACE loadbalancer issues (network connectivity)
Hi ALL,
We are having issues with the secondary (standby) load balancer ACE module on a 6500 switch. We see that the load balancer is not able to get onto the network, which leads to a problem with fault tolerance as well. Following is the ft status found on the load balancer for one of the contexts (this is the same pattern seen on all the contexts).
switch/Admin# sh ft group status
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
Peer State : FSM_FT_STATE_UNKNOWN
Peer Id : 1
No. of Contexts : 1
sh arp on all the contexts shows the gateway/rserver to be unreachable. Please find the output below for one of the contexts (the same pattern is seen on the LB for all other contexts)
switch/1_Context# sh arp
Context CSD_Context
================================================================================
IP ADDRESS        MAC-ADDRESS         Interface  Type       Encap  NextArp(s)  Status
================================================================================
172.21.128.97     00.00.00.00.00.00   vlan942    GATEWAY    -                  dn
172.21.128.103    00.0b.fc.fe.1b.09   vlan942    ALIAS      LOCAL  _           up
172.21.128.105    00.12.43.dc.93.23   vlan942    INTERFACE  LOCAL  _           up
7.0.0.4           00.0b.fc.fe.1b.09   vlan943    NAT        LOCAL  _           up
  - 7.0.0.6
172.21.147.196    00.0b.fc.fe.1b.09   vlan943    ALIAS      LOCAL  _           up
172.21.147.198    00.12.43.dc.93.24   vlan943    INTERFACE  LOCAL  _           up
172.21.147.200    00.00.00.00.00.00   vlan943    RSERVER    -      * 3 req     dn
172.21.147.202    00.00.00.00.00.00   vlan943    RSERVER    -      * 2 req     dn
172.21.147.204    00.00.00.00.00.00   vlan943    RSERVER    -                  dn
172.21.147.206    00.00.00.00.00.00   vlan943    RSERVER    -                  dn
172.21.147.208    00.00.00.00.00.00   vlan943    RSERVER    -      * 3 req     dn
172.21.147.210    00.00.00.00.00.00   vlan943    RSERVER    -      * 2 req     dn
172.21.147.212    00.00.00.00.00.00   vlan943    RSERVER    -      * 1 req     dn
172.21.147.214    00.00.00.00.00.00   vlan943    RSERVER    -      * 1 req     dn
172.21.147.216    00.00.00.00.00.00   vlan943    RSERVER    -      * 3 req     dn
7.0.0.1           00.0b.fc.fe.1b.09   vlan943    NAT        LOCAL  _           up
  - 7.0.0.3
The problem is that we see the problem only on the secondary load balancer; the primary is running fine.
Also, I can see some traffic denial in the Admin context for resource usage:
switch/Admin# sh resource usage
                                                        Allocation
        Resource           Current       Peak        Min        Max     Denied
-------------------------------------------------------------------------------
Context: Admin
  conc-connections               9          9     160000    6560000          0
  mgmt-connections               0         46       2000      82000          0
  proxy-connections              0          4      20972     859830          0
  xlates                         0          0      20972     859830          0
  bandwidth                      0   17715713   10000000  535000000    5799749
  throughput                     0   17710993   10000000  410000000    5799749
  mgmt-traffic rate              0       4720          0  125000000          0
  connection rate                0         43      20000     820000          0
  ssl-connections rate           0          0        100       4100          0
  mac-miss rate                  0          1         40       1640          0
  inspect-conn rate              0          0        120       4920          0
  acl-memory                 56336      56336    1570072   64460552          6
  sticky                         0          0      83886          0          0
  regexp                         0          0      20972     859832          0
  syslog buffer              82944      82944      82944    3447808          0
  syslog rate                    0         44       2000      82000         25
Context: INTEGRATION_Context
  conc-connections               0       3934     160000          0          0
  mgmt-connections               0         98       2000          0          0
  proxy-connections              0         33      20972          0          0
  xlates                         0          0      20972          0          0
  bandwidth                      0   10019910   10000000  125000000      40857
  throughput                     0   10000000   10000000          0      40857
  mgmt-traffic rate              0      19910          0  125000000          0
  connection rate                0         49      20000          0          0
  ssl-connections rate           0          0        100          0          0
  mac-miss rate                  0         32         40          0          0
  inspect-conn rate              0         58        120          0          0
  acl-memory                 11920      11920    1570072          0          0
  sticky                         0          1      83886          0          0
  regexp                         0          0      20972          0          0
  syslog buffer                  0      82944      82944    3447808          0
  syslog rate                    0        312       2000          0          0
The above 2 contexts are the only ones which have bandwidth resource usage exceeding the limit, but I am somehow not sure if this is the issue, as there is just no traffic on the secondary... then how can the bandwidth reach the threshold? Can anyone throw some light on the issue below?
thanks and regards
kiran
vlan on Standby_ACE switch
svclc multiple-vlan-interfaces
svclc module 1 vlan-group 1,4,12,13,
svclc vlan-group 1 968
svclc vlan-group 12 132
svclc vlan-group 13 367-372,374,375,379,380,538,805,807,808,818,913,915
svclc vlan-group 13 917-920,922-924,933,934,937,938,942-949,972,976-979,983
svclc vlan-group 13 984
ip subnet-zero
no ip source-route
vlans on standby ACE
switch/Admin# sh vlans
Vlans configured on SUP for this module
vlan132 vlan360 vlan367-375 vlan379-380 vlan538 vlan805 vlan807-808 vlan818 vlan913 vlan915
vlan917-920 vlan922-924 vlan930 vlan933-934 vlan937-938 vlan942-949 vlan968 vlan971-972
vlan976-979 vlan983-984
switch/Admin#
Active_LB_host_switch is the switch hosting the active ACE; it is connected on Ten7/4 and Ten8/4, which are bundled into port-channel Po72.
CDP neighbor hosting the active ACE
Active_LB_host_switch
Ten 7/4 148 R S I WS-C6513 Ten 7/4
Active_LB_host_switch
Ten 8/4 156 R S I WS-C6513 Ten 8/4
Po72 allows all the VLANs which are configured for the ACE modules.
Port Vlans allowed on trunk
Po72 132,140,181,359-383,538,668,702,805-808,815-816,818-820,836,907,909-920,922-925,
929-935,937-949,967-973,976-984,987,3212
vlan 968 is the FT vlan and the same has been allowed on the trunk port.
Everything looks good to me, but I am still not sure why the ACE module isn't coming onto the network. It was working fine a few months back, but all of a sudden it lost network connectivity. I am not even able to ping the physical IP of the ACE module.
thanks and regards
kiran -
ACE MODULE IN BRIDGE MODE NOT LOADBALANCING
Hi,
I set up an ACE module in bridge mode as follows:
mfsc(vla80) > (vla80)outside fwsm, fwsm inside(vla40) > (vla40)ace-clientside, aceserverside(vla41)
and the servers have the FWSM SVI (vla40) as their gateway. But the ACE is not load balancing.
The config script is attached. Is there anything I am missing?
Check my troubleshooting guide on this forum.
There are few things to do to narrow down the issue.
Gilles. -
ACE: Routing in addition to Loadbalancing
I'm planning to route some traffic while load balancing other traffic.
For guidance, what can I refer to for simple routing in ACE?
In addition, both the routed and the load-balanced traffic need to pass through the same VLAN in the ACE.
In the attached diagram, steps 1,2,3 do load balancing via vlan 80
Steps 4,5,6 do routing via the same VLAN 80
Is simple routing possible in ACE?
Regards
SS
As long as you permit the traffic with an access-list inside the access-group, the ACE will route the traffic that does not match any class-map.
This is the default and no particular config is required.
Gilles. -
Loadbalancing ldaps on ACE module
Is it possible to configure load balancing of LDAPS in end-to-end mode (encryption from end to end) on the ACE module?
And if yes, do I have to use a special script for health checking?
Please correct me if this is wrong or bad design: I have LDAPS running just by permitting the port in the ACLs and the VIP class. The customer says it works fine.
I'm sure you're aware of the health probe scripts you can get from Cisco (attached). This script defaults to the LDAP port (386) if none is specified. So you can specify the port under the "probe scripted LDAP_PROBE" config to use LDAPS (636). Perhaps you should use both scripted probes together so that if one port is unavailable the server will be taken out of service.