ACE FT Vlan Down

Similar Messages

• ACE Redundancy FT Vlan down

  Hi All,
  Simple question.
  Assuming to have two ACE load balancer installed in two different Catalyst 6500.
  The two Catalyst are directly connected over a L2 connection and  all the flow-state information and the redundancy heartbeat information are transmitted over this connection.
  One LB is in active and the second one in stand by. The two load balancer processing traffic for the same virtual devices, of course.
  Assuming now that the link is in shutdown state.
  In this case both ACE LB will be in the Active state.
  Could you please briefly describe what are the impact of having two load balancer active at the same time?
  Thank you.

  Hi Tom,
  It looks the vlan and the physical interface are up. You can anyway check the following to confirm:
  sh interface gi 1/4
  sh interface vlan 12
  In "sh interface gi 1/4 counters", do you see the "RX packets" counter increasing?
  You should be able to ping 192.168.12.2 from 192.168.12.1 and vice versa. Which ip did you assign to the other peer. Should be:
  ft interface vlan 12
    peer ip address 192.168.12.2 255.255.255.0
    ip address 192.168.12.1 255.255.255.0
    no shutdown
  You can check as well "sh ft stats" and see if the heartbeats counter are increasing.
  Regarding to other interfaces, you mention that you can't ping devices on the ACE adjacent vlans. Are you allowing icmp traffic? For instance:
  policy-map type management first-match management
    class management
      permit
  class-map type management match-any management
    match protocol icmp any
  service-policy input management
  Finally, did you check whether you are able to resolve mac addresses?
  I hope it helps,
  Olivier

• ACE - Query VLAN Interfaces Status

  Hi,
  I am wondering what the status of the query vlan interface means in the command 'show ft peer detail':
  Query Vlan IF State          : UP, Manual validation - please ping peer
  I am pretty sure that I did not see this status when I configured query vlan last time. Current version is A2(2.3).
  Unfortunately this status does not seem to be documented anywhere on CCO.
  I appreciate any help!
  Thanks,
  Daniel

  Hi Daniel,
  The FT Query VLAN interface is an optional, yet very good, feature to be used when using redundant ACE modules or appliances. Without it, if the FT VLAN was to go down, the standby ACE will no longer receive FT heartbeats from the active ACE and therefore take the active role.  However, if the active ACE is still running fine in the active role, then you don't want the standby ACE to take over as active because that will put them into an active/active scenario, which may lead to connectivity issues.
  This is where the FT Query VLAN interface comes in.  If the FT VLAN goes down, the standby ACE will notice this, but before taking the active role, it will ping it's peer IP address configured on the interface that is designated as the FT Query VLAN.  If the ping is successful, then it will stay in the standby role, thereby saving you some headaches.
  The status that you are seeing is the ACE's way of telling you that the interface is UP, but if you want to know if it can successfully ping the peer IP address, then you would have to manually ping the peer IP address from the CLI.  The ACE does not periodically check the ping connectivity through any automatic mechanism.  The automatic mechanism is only triggered by the FT VLAN going down.
  Does this help?
  Sean

• Cisco ACE default vlan

  Hello everybody,
  I am installing a ACE 4700 in a customer but when i started to work and saw their topology, then i realized that i had a problem. The problem is that i cannot create the interface vlan 1 and assign an ip address to it. I saw some documments is cisco.com site that the ACE hide this vlan.
  Follows my topology:
  Servers vlan are the vlan 1
  Clients vlans are 5
  Management vlan is 8
  As i undertood, the ACE has to have at least one interface in the servers vlan, but i cant create the VLAN 1. So my problem is, how do i unhide the vlan 1 in the ACE so i can configure an ip address on it.
  Leandro

  If you can't have the customer migrate the servers into a different VLAN, you need to trick a bit, as VLAN1 is not usable on the ACE.
  Pick a VLAN number that you will use inside the ACE for the outer VLAN1. Say, VLAN101.
  If you have an access port connecting to the server segment, just set it to 101:
       switchport access vlan 101
  If you connect via a trunk, set your native VLAN to 101:
       switchport trunk native vlan 101

• CSM VLANs down on 6513

  Hi
  I configured a CSM for a customer on a 6513 a couple of weeks ago and it worked fine. It's configured in routed mode with a client and server VLAN. There are no clients on the client VLAN and no servers on the server VLAN as they are all mutilpe hops away.It's not in prodcution yet as they want to do some testing.
  Today I got an email saying taht it had stopped working and when the client looked at the 6500 both the client and server VLANs showed as down.
  To fix it he recreated the VLANs on the CSM module and it all burst into life. Unfortunatley they don't have suslog on the 6500 so there is no record of any errors.
  Has anyone seen anything like this before ?
  Thanks
  Pat

  Hi Pat,
  This problem description is too vague to comment on. Would help to know:
  -version of chassis IOS and CSM code.
  -relevant configuration snippet.
  -for 'when looked at 6500 both client & server VLANs showed down':
      -what command(s) showed this?
      -provide actual output seen here?
  -for 'it stopped working':
      -what type of traffic was it? LB or pass through?
  -did this config disappear or did they do delete/recreate?
  Best regards.

• ACE ; server vlan

  Hi,
  do we always have to layer-3 interface of the server vlan on the ACE so as to setup a load balancing?
  i.e. support i have server 1 (10.10.1.1) and server 10.10.1.2).
  do I always have to define server vlan for these servers (that's default gateway of the server vlan) on the ACE? or I can default it any where on our network (i.e. define it on the switch)?
  if I can define it on any switch than how would ACE send client traffic to these server?
  Thanks in advance...

  Hello Gavin,
  Here you have some links and details of each type of design, you can take a look of that and find out which one matches with your design.
  Routed Mode:
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Routed_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
  Bridge Mode
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
  One Arm Mode
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
  Hope this helps
  Jorge

• Transparent ACE - 2 VLAN's, 1 context, 2 VIPs

  Hi,
  We have a 3 tier application that needs to be load balanced from client to middleware and from middleware to backend.
  Usually we do this with multiple context's on the ACE.
  This time we are doing this with multiple VLAN's within the same context. Is this possible?
  setup
  client VIP = 10.0.103.3 which is mapped to IRIS_Reporting serverfarm in VLAN47
  middleware VIP = 10.0.103.4 which is mapped to IRIS_Web serverfarm in VLAN41
  client VIP hits 10.0.103.3 and then middleware box then hits 10.0.103.4. First part is working fine but middleware cannot open connection to 10.0.103.4 VIP over tcp/80. In the ACE log i see the connection timing out...
  Oct  5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vl
  an47:10.0.103.4/80 (10.0.103.4/80)
  Oct  5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vla
  n341:10.0.103.4/80 (10.0.2.149/80)
  Oct  5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to
  vlan47:10.0.103.4/80 (10.0.103.4/80) duration 0:00:05 bytes 104 SYN Timeout
  Oct  5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to
  vlan341:10.0.103.4/80 (10.0.2.149/80) duration 0:00:05 bytes 232 TCP Reset
  thanks,
  John.

  Hi Ivan,
  Here is the config,
  access-list BPDU ethertype permit bpdu
  access-list everyone line 10 extended permit ip any any
  parameter-map type http HTTP_PARAM
    server-conn reuse
    case-insensitive
    persistence-rebalance
  parameter-map type generic SSLID_PARAM
    set max-parse-length 70
  parameter-map type ssl SSL_PARAM
    session-cache timeout 300
  parameter-map type connection TCP_PARAM
    syn-data drop
    exceed-mss allow
  rserver host BL-VAN-CDMSPBI1
    description IRIS Sharepoint Reporting Server
    ip address 10.0.4.15
    inservice
  rserver host BL-VAN-CDMSPBI2
    description IRIS Sharepoint Reporting Server
    ip address 10.0.4.18
    inservice
  rserver host BL-VAN-ITSM03
    description ITSM Reporting Server
    ip address 10.0.4.16
    inservice
  rserver host BL-VAN-ITSM04
    description ITSM Reporting Server
    ip address 10.0.4.17
    inservice
  rserver host VM-VAN-CDMSPNT1
    description IRIS Sharepoint Web Server
    ip address 10.0.2.148
    inservice
  rserver host VM-VAN-CDMSPNT2
    description IRIS Sharepoint Web Server
    ip address 10.0.2.149
    inservice
  serverfarm host IRIS_Reporting
    description IRIS Reporting Servers
    failaction reassign
    fail-on-all
    rserver BL-VAN-CDMSPBI1 80
      inservice
    rserver BL-VAN-CDMSPBI2 80
  serverfarm host IRIS_Web
    description IRIS Front End Web Servers
    failaction reassign
    fail-on-all
    rserver VM-VAN-CDMSPNT1 80
      inservice
    rserver VM-VAN-CDMSPNT2 80
      inservice
  serverfarm host ITSM_Reporting
    description ITSM Reporting Servers
    failaction reassign
    rserver BL-VAN-ITSM03 80
      inservice
    rserver BL-VAN-ITSM04 80
      inservice
  class-map match-all IRIS_REPORTING_HTTP
    2 match virtual-address 10.0.103.3 tcp eq www
  class-map match-all IRIS_WEB_HTTP
    2 match virtual-address 10.0.103.4 tcp eq www
  class-map match-all ITSM_HTTP
    2 match virtual-address 10.0.103.1 tcp eq www
  class-map type management match-any PING
    10 match protocol icmp any
    20 match protocol snmp any
  policy-map type management first-match PING-POLICY
    class PING
      permit
  policy-map type loadbalance first-match IRIS_REPORTING_HTTP-l7slb
    class class-default
      serverfarm IRIS_Reporting
  policy-map type loadbalance first-match IRIS_WEB_HTTP-l7slb
    class class-default
      serverfarm IRIS_Web
  policy-map type loadbalance first-match ITSM_HTTP-l7slb
    class class-default
      serverfarm ITSM_Reporting
  policy-map multi-match int41
    class IRIS_WEB_HTTP
      loadbalance vip inservice
      loadbalance policy IRIS_WEB_HTTP-l7slb
      loadbalance vip icmp-reply active
      loadbalance vip advertise active
      appl-parameter http advanced-options HTTP_PARAM
      connection advanced-options TCP_PARAM
  policy-map multi-match int47
    class ITSM_HTTP
      loadbalance vip inservice
      loadbalance policy ITSM_HTTP-l7slb
      loadbalance vip icmp-reply active
      loadbalance vip advertise active
    class IRIS_REPORTING_HTTP
      loadbalance vip inservice
      loadbalance policy IRIS_REPORTING_HTTP-l7slb
      loadbalance vip icmp-reply active
      loadbalance vip advertise active
      appl-parameter http advanced-options HTTP_PARAM
      connection advanced-options TCP_PARAM
  interface vlan 41
    description Client-Side VIP for Internal WEB LB
    bridge-group 2
    no icmp-guard
    access-group input BPDU
    access-group input everyone
    service-policy input PING-POLICY
    service-policy input int41
    no shutdown
    ip route inject vlan 41
  interface vlan 47
    description Client-Side VIP for Gen Applications LB
    bridge-group 1
    no icmp-guard
    access-group input BPDU
    access-group input everyone
    service-policy input PING-POLICY
    service-policy input int47
    no shutdown
    ip route inject vlan 47
  interface vlan 341
    description Server-Side for Internal WEB
    bridge-group 2
    no icmp-guard
    access-group input BPDU
    access-group input everyone
    service-policy input PING-POLICY
    no shutdown
  interface vlan 347
    description Server-Side for Gen Applications
    bridge-group 1
    no icmp-guard
    access-group input BPDU
    access-group input everyone
    service-policy input PING-POLICY
    no shutdown
  interface bvi 1
    ip address 10.0.4.58 255.255.255.192
    alias 10.0.4.59 255.255.255.192
    peer ip address 10.0.4.57 255.255.255.192
    no shutdown
  interface bvi 2
    ip address 10.0.2.186 255.255.255.192
    alias 10.0.2.187 255.255.255.192
    peer ip address 10.0.2.185 255.255.255.192
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.0.4.62

• Layer 3 Vlans Down!

  Folks,
  Could someone please tell me why my layer 3 interfaces (vlan interfaces) are down??version 12.2
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  service counters max age 10
  hostname Chicago
  enable password cisco
  no aaa new-model
  ip subnet-zero
  no ip domain-lookup
  ip vrf vlan40-10
  rd 40:10
  route-target export 40:10
  route-target import 40:10
  --More-- !
  ip vrf vlan50-20
  rd 50:20
  route-target export 50:20
  route-target import 50:20
  ip vrf vlan60-30
  rd 60:30
  route-target export 60:30
  route-target import 60:30
  mls ip multicast flow-stat-timer 9
  no mls flow ip
  no mls flow ipv6
  mls cef error action freeze
  --More-- !
  spanning-tree mode pvst
  no spanning-tree optimize bpdu transmission
  diagnostic cns publish cisco.cns.device.diag_results
  diagnostic cns subscribe cisco.cns.device.diag_commands
  redundancy
  mode sso
  main-cpu
  auto-sync running-config
  vlan internal allocation policy ascending
  vlan access-log ratelimit 2000
  interface Loopback0
  ip address 1.1.1.1 255.255.255.0
  ip router isis
  interface GigabitEthernet6/1
  no ip address
  shutdown
  --More-- interface GigabitEthernet6/2
  no ip address
  shutdown
  interface GigabitEthernet7/1
  no ip address
  shutdown
  interface GigabitEthernet7/2
  ip address 100.100.100.1 255.255.255.0
  ip router isis
  tag-switching ip
  interface Vlan1
  no ip address
  interface Vlan40
  ip vrf forwarding vlan40-10
  ip address 40.40.40.1 255.255.255.0
  interface Vlan50
  ip vrf forwarding vlan50-20
  ip address 50.50.50.1 255.255.255.0
  interface Vlan60
  ip address 60.60.60.1 255.255.255.0
  router eigrp 100
  network 40.0.0.0
  network 50.0.0.0
  network 60.0.0.0
  no auto-summary
  router isis
  net 10.0010.0000.0002.00
  --More-- router bgp 100
  no synchronization
  bgp log-neighbor-changes
  neighbor 2.2.2.2 remote-as 100
  neighbor 2.2.2.2 update-source Loopback0
  no auto-summary
  address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
  exit-address-family
  address-family ipv4 vrf vlan60-30
  no auto-summary
  no synchronization
  exit-address-family
  address-family ipv4 vrf vlan50-20
  no auto-summary
  no synchronization
  exit-address-family
  address-family ipv4 vrf vlan40-10
  --More-- redistribute connected metric 100 route-map vlan40-10
  no auto-summary
  no synchronization
  exit-address-family
  ip classless
  no ip http server
  route-map vlan40-10 permit 1
  match interface Vlan40
  control-plane
  dial-peer cor custom
  --More-- !
  line con 0
  line vty 0 4
  password cisco
  login
  end

  Do you have any devices in those VLANs? If not, due to auto-state feature, the L3 VLAN interfaces will be down.
  http://www.cisco.com/warp/public/473/188.html

• CSM to ACE - vserver vlan

  Greetings,
  Can someone please help converting the following CSM config to ACE config. Need to understand how vlans under vservers would be included for ACE. Also how is the nat client natpool configured on ACE? Thanks.
  CSM#
  vlan 10 client
  ip address 192.168.18.3 255.255.255.0 alt 192.168.18.4 255.255.255.0
  vlan 11 server
  ip address 192.168.18.3 255.255.255.0 alt 192.168.18.4 255.255.255.0
  natpool POOL_FEtoLOC 111.1.0.1 111.1.0.200 netmask 255.255.255.0
  serverfarm FARM
  nat server
  no nat client
  real name R1 8090
  inservice
  real name R2 8090
  inservice
  serverfarm FARM_N
  nat server
  nat client POOL_FEtoLOC
  real name R1 8090
  inservice
  real name R2 8090
  inservice
  vserver VIP
  virtual 192.168.10.6 tcp www
  vlan 10
  serverfarm FARM
  replicate csrp connection
  persistent rebalance
  inservice
  vserver VIP_N
  virtual 192.168.11.6 tcp www
  vlan 11
  serverfarm FARM_N
  replicate csrp connection
  persistent rebalance
  inservice

  with ace the policy [vserver] is configured globally or on the interface vlan.
  So, if in your CSM config there is a vlan specified under the vserver, it means you apply the policy to a specific vlan only.
  So, in ACE you would have
  interface vlan 11
  service-policy input VIP_N
  interface vlan 10
  service-policy input VIP
  The client nat function in ace works differently than the CSM.
  It's not per serverfarm but per interface/policy.
  So, first define the client pool on the outbound interface [interface towards server]
  interface vlan x
  natpool 1 x.x.x.x ....
  Then on your policy, select the natpool
  policy-map multimatch VIP_N
  class ...
  nat dynamic 1 vlan x
  But, do you know that ACE comes with a CSM -> ACE config converter onboard ?
  Easier than having to figure this out if you don't have time.
  Gilles.

• Interface VLAN down

  I add VLAN and interface vlan with no shutdown command on MSFC but when i put show ip interface brief comand I have down and down. What cause this problem ??

  I guess I should have been more clear in my answer but didn't want to cause confusion.
  Now I have not tried this lately on a catos box so it may be different
  If a port is down/down it means there is no entry in the vlan database for it. It normally also means that there is no port assigned to that vlan also but you can accomplish this by assigning a port and then deleteing the vlan database. Either way you will get a down/down condition.
  Once you add the vlan to the database the interface will go UP/DOWN. This means there is no active access port on the switch and the vlan is not allowed on any trunks that may be up.
  Once a vlan becomes active either on a trunk or access port it goes to up/up
  Part of the confusion with this is that cisco adds entries to the vlan database automatially when you add access ports to a unkown vlan.
  The problems come when someone sees this down/down condition on a switch and checks that they allow all vlans on a active trunk port and it still doesn't work. In this case all you do is add the vlan database entry and it will come up.

• Sharing a VLAN between FWSM and ACE (Routed Mode)

  Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
  I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
  I wanted to configure it like this.
  firewall vlan group 10 <FWSM only vlans>
  firewall vlan group 20 <shared FWSM and ACE vlan>
  or
  svclc vlan group 20 <shared FWSM and ACE vlan>
  svclc vlan group 30 <ACE only vlans>
  The design hides the client side network and the server side network for the ACE behind the FWSM module.
  Layout:
  |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
  So allocation on the 65xx would be like this.
  firewall module n vlan-group 10,20
  svclc module n vlan-group 20,30
  Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
  FWSM and ACE will be in routed mode.
  Thanks for reading...
  Roble

  Never mind...
  Just found the perfect answer for this in a another posting from Syed.
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
  Roble

• ACE - Port-channel High Availability

  We have configured two ACEs with high Availability. ACEs link with our cores, switches cat6500, through a port-channel, ACE’s ports G1/1 and G1/2. High availability works fine if some vlan down but it doesn’t work if an interface down, only if both interfaces get down because then, all vlans of the channel port get down two.
  If possible get an interface port-channel high availability?
  Thanks for your help in advance.

  Thanks for your answer. I have two Cat6500, no VSS possibility. I have two ACEs so each one has configured a port-channel with one Cat6500 (two ports). It works fine. Any problem with that. My issue is when one port-channel of both port is down, failover doesn’t works then, only if both ports are down or vlans are down. I think high availability is only possible in vlan interfaces, not in physical interfaces.
  Regards my friend.

• Standby ACE unresponsive

  Hello,
  My standby ACE has gone to unresponsive mode and shows something like this
  peer state: FSM_FT_STATE_UNKNOWN
  This is for all the contexts in the slot module. My question is how do we bring it back to HOT_STANDBY when all contexts are unresponsive
  AND
  How do we bring it to HOT_STANDBY when just one context is unresponsive
  Thanks
  SID

  HI Sid,
  It is very similar to the previous response of your query.
  As I am seeing one error message here in your mail:
  peer state: FSM_FT_STATE_UNKNOWN
  Upon failure of the fault tolerant link between Services Chassis's the peer standby ACE begins to query the status of its peer active ACE. Six consecutive ping requests occur approximately every five seconds across the query interface VLAN while the fault tolerant link is down. The output from the show ft group detail command shown below indicates that the fault tolerant link is down; the primary peer state is unknown but the primary peer is still reachable. As a result, the standby peer remains in FSM_FT_STATE_STANDBY_COLD. When the fault tolerant link is recovered the query ping tests cease.
  dca-ss2-ace/Admin# show ft group detail
  FT Group : 1
  No. of Contexts : 1
  Context Name : Admin
  Context Id : 0
  Configured Status : in-service
  Maintenance mode : MAINT_MODE_OFF
  My State : FSM_FT_STATE_STANDBY_COLD
  My Config Priority : 50
  My Net Priority : 50
  My Preempt : Enabled
  Peer State : FSM_FT_STATE_UNKNOWN
  Peer Config Priority : Unknown
  Peer Net Priority : Unknown
  Peer Preempt : Unknown
  Peer Id : 1
  Last State Change time : Wed Jun 11 14:46:08 2008
  Running cfg sync enabled : Disabled
  Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
  alternate interface
  Startup cfg sync enabled : Disabled
  Startup cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
  alternate interface
  Bulk sync done for ARP: 0
  Bulk sync done for LB: 0
  Bulk sync done for ICM: 0
  FT Group : 2
  No. of Contexts : 1
  Context Name : dca-ace-one
  Context Id : 1
  Configured Status : in-service
  Maintenance mode : MAINT_MODE_OFF
  My State : FSM_FT_STATE_STANDBY_COLD
  My Config Priority : 50
  My Net Priority : 50
  My Preempt : Enabled
  Peer State : FSM_FT_STATE_UNKNOWN
  Peer Config Priority : Unknown
  Peer Net Priority : Unknown
  Peer Preempt : Unknown
  Peer Id : 1
  Last State Change time : Wed Jun 11 14:46:08 2008
  Running cfg sync enabled : Disabled
  Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
  alternate interface
  Startup cfg sync enabled : Disabled
  Startup cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
  alternate interface
  Bulk sync done for ARP: 0
  Bulk sync done for LB: 0
  Bulk sync done for ICM: 0
  All fault tolerant groups will honor the results of the query tests and remain in a FSM_FT_STATE_STANDBY_COLD state on the standby peer ACE.
  The Admin context allows the network administrator to assemble virtual contexts into failover groups. A failover group is a container, which permits a pair of ACE modules to define several failover characteristics and apply them to all virtual context assigned to the container, including the Admin context. These defining features include:
  •The associated peer ACE
  •The priority or preference value for each ACE module in the redundant pairing
  •Preemption (enabled by default)
  •The virtual context(s) coupled to the group
  Sachin Garg

• Loadbalance for servers thats belongs from different Vlan

  Hi,
  We are using FWSM and ACE module in our switch. We have to configure our new application in cisco ACE. Our exiciting servers and vip are in vlan5 and new servers and vips are in vlan 6. vlan 6 is defined in FWSM. We have craeated one interface vlan 6 for the application. While checking the interface status  through "show interface vlan 6" we are getting the following error.
    Not assigned from the Supervisor, down on Supervisor
  We have already assigned vlan group to supervisor. We have allocated same interfce vlan to context also.
  kindly suggest what chould be the issue.
  Kindly suggest can we do the loadbalance for servers thats belongs from different Vlan???
  Thanks in advance.
  Regards,
  Ranjith

  Hi Daniel,
  We are using cisco 6509 switch with FWSM and ACE module.
  We have created interface VLAN 6 in FWSM and ACE and assigned the IP as follows.
  FWSM Interface VLAN 6 is 10.6.10.55 and ACE Interfce VLAN 6 is 10.6.10.60.
  We have 2 servers in the same vlan (.49 and .50). and they are physicaly connected to switch vlan 6 and logicaly connected to FWSM interface vlan 6.
  We have defined the VIP as 10.6.10.51 and that is not pinging from our network.
  Server default gateway and ACE default gateway is FWSM interface vlan 6 IP(ie, 10.6.10.55).
  We dont want to change the server gateway as ACE interface vlan 6 ip.
  KIndly suggest how can i achive the loadbalancing with out changing my server gateway to ACE IP.
  Thanks in advance.
  Regards,
  Ranjith

• Ace fail over / synchronization question

  Hey all,
  I have a customer who has a ace HA pair, the primary ace is shut down, and they've been making changes to the standby ace which has been working ok.
  They want to bring up the primary ace again, but I just want to confirm the process so I don't overwrite the configuration of the current standby ace when the primary ace is brought back online.
  I don't have any experience with these boxes yet. But I was thinking about turning preemption off and increases the standby priority to make it the primary?
  Thoughts?
  Many thanks.
  Sent from Cisco Technical Support iPad App

  Hi,
  If you want to sync the config then you dont have to use the following command.
  no ft auto-sync running-config
  no ft auto-sync startup-config
  Start as follows:
  (1) Configure a FT VLAN interface & FT PEER on “new replacement ACE”.
  Configure all FT groups BUT DO NOT “configure them “inservice”.      
  Make sure you have IP connectivity OVER FT VLAN to “currently ACTIVE ACE”.
  Make sure there is a TCP connection setup OVER FT VLAN (show conn should provide you that information).
  (2)  Please make sure “preemption” is NOT enabled for the FT group.  If  enabled please do remove it and re-add after the module is  successfully  replaced.
  Example:
  Example:
                 ft group 1
                                      peer 1
                                      no preempt  <=====================
                                      peer priority 150
                                      associate-context test
  (3)  Once you have IP connectivity over FT VLAN to “primary ACE”, now mark the FT GROUP “inservice”.
  Example:
                 ft group 1
                                      peer 1
                                      no preempt
                                      peer priority 150
                                      associate-context test
                            inservice <===============================
  (4)   At this time I expect the “auto-sync” to “sync” configs between “currently ACTIVE ACE” & “new standby ACE”.
  show ft group detail
  show ft peer detail
  These “show commands” should help you with verifying the state of FT configuration.
  (5) Repeat the above procedure for all context one by one ( Bring Admin context FT "inservice" at the end )
  In case if you have are using SSL offloading in any context refer the following thread:
  https://supportforums.cisco.com/thread/2156101?tstart=0&viewcondensed
  Hope that helps.
  regards,
  Ajay Kumar