ACE Issue

Hello Experts,
As per my requirement I have to restrict Settlements using ACE control.
For the above purpose I have added Billing has new super object and linked it with Billing (CRM object) , I have created ACL,GRP and UTC tables along with custom class and assigned it to superobject.
I am using territory has Actor type and i have done all necessary steps for this object.( AFU class,OBF class ,AFO class ,rights and rule ).
When i run ACE_RUNTIME with my user i can see restricted number of settlements as per my scenario but when i search the for settlements in Web UI I can see all the settlements without any restriction. Please Advice.
Kind Regards,
Vinod

Hi Vinod,
I am also facing the similiar issue.
I have implemented ACE for CLaims, Trade Promotions, Funds, etc., it is working fine for them.
But with settlements I am facing the exact similiar issue.
Any pointers will be appreciated.
Thanks in advance,
Cheers,
Sharad

Similar Messages

ACE issue with compression when SSL Initiation is turned on?

We currently doing an evaluation of the Cisco ACE 4710 and have some sites where the backend is Tomcat and SSL is turned on. When we set Default L7 Load-Balancing Action to Load Balance with Compression Method Deflate (I haven't tried gzip yet), requests to these sites return badly mangled stuff. Like a gif image at 7,700 bytes comes back as a 7 bytes file, even default should only try compression on text/*.
Has anyone seen a similar issue?

It turned out the problem was a configuration issue and my understanding of the ACE works with compression, policies, etc.
In conjunction with this I seemed to have found a bug in the GUI, which is also still present in A3 (2.3). I now have a default L7 policy which just set SSL Initiation to ssl client. Added another L7 policy but when looking at the virtual server afterwards the GUI doesn't show that policy.
switch/Development# show running-config policy-map FORD-APP.PERF.AUTC.COM-l7slb
Generating configuration....
policy-map type loadbalance first-match F-APP.PERF.AUTC.COM-l7slb
class default-compression-exclusion-mime-type
serverfarm F-APP.PERF.AUTC.COM
compress default-method deflate
insert-http rl_client_ip header-value "%is"
ssl-proxy client Backend
class class-default
serverfarm F-APP.PERF.AUTC.COM
insert-http rl_client_ip header-value "%is"
ssl-proxy client Backend
See attachment with screen shot of GUI

ACE Issue - while processing merged list

Hi guys,
After aplly the configuration, errors appeared in ACE
“jul 10 2012 19:44:21 : %ace-1-106028: warning: unknown error X while processing merged list. incomplete rule is currently applied on interface vlan120. configuration on this interface needs to be manually reverted”
“config application in progress. this command is queued to the system”
The configuration caused service break of several network components for no apparent reason. During about 10 minutes, which was not possible to perform configuration or rollback.
Can you help me?
Thanks

Hello Luis,
Here you have the explanation of the logging message:
106028
Error Message    %ACE-1-106028: String Incomplete rule is currently applied on
interface interface-name. Manual rollback to a previous access rule configuration
on this interface is needed.
Explanation    Possible String values are:
•WARNING: Access rules memory exhausted while processing component
•WARNING: Unknown error while processing component
Possible values for component are
•Access-list
•Service-policy
•Merged list
For example:
WARNING: Unknown error while processing service-policy. Incomplete rule is currently applied on interface VLAN100. Manual roll back to a previous access rule configuration on this interface is needed.
The access control list (ACL) compilation process has run out of memory, which does not allow new ACL entries to be applied to the specified interface. The ACL configuration downloaded in hardware for that interface may not be in a known state because of this failure.
Recommended Action    The ACL configuration downloaded to the network processors is incomplete. Remove and recreate the affected interface to recover to a known state. If the message is "Access rules memory exhausted," either allocate more memory to that context or remove some of the access group or service policy configuration to reduce the memory usage. If the message is "Unknown error," then there may be an issue with the configuration manager or the ACL merge process.
In order to make sure about what might have happened, then it might be required to replicate the issue and then run some debugs to get more useful data and a #show tech-support
Also, there are some bugs which are also related to the syslog message which you are reporting.
Hope this helps.
Jorge

Cisco ACE Issue accessing SAP applications through ACE appliance

Hi,
I have website whose VIP resides on my ACE appliance. That site has many links on it which are SAP applications.
For one link, when i click it first time, user is asked for authentication which is not actually required and get blank page.
When I click back (go to main site again) and again click the same link, it opens normally without any authentication prompt.
Rest all links on the site have no issues and open normally.
I had same issue with acceptance for same application and below parameter map resolved the issue
parameter-map type http case_param
case-insensitive
persistence-rebalance
set header-maxparse-length 65535
set content-maxparse-length 65535
length-exceed continue
I tried using same parameter map with persistance rebalance disbaled but still it does not work.
What could be the issue in this case?

Hi,
The SAP has front end server to which ACE is sending traffic dstined to particular VIP. front end server then communicates with backend server for all date related to all applications. When client is using different applications, url in browser remains the same. All applications are working fine except this single application.
same setup is working fine with cisco CSS and even the accepatnce is working fine for same set of applications.
I am getting bad tcp checksum messges in capture output.
10.38.199.196 is client IP....10.36.64.40 is VIP and , 10.36.64.86 is nat ip and 10.36.32.55 is front end server which is user interface to various applications

CISCO ACE issue with MIBs

Dear All,
I know this might have discussed here million times.. but still i am behind this to get this done due to BU pressure to do the capacity management.
I am trying to get the following using SNMP
1) Real Server
2) Real Server Current Connection
3) Real Server IP address
I tried it with following MIBs and OIDs
CISCO-SLB-MIB
slbRealServerFarmName               .1.3.6.1.4.1.9.9.161.1.3.1.1.1
slbRealIpAddress                          .1.3.6.1.4.1.9.9.161.1.3.1.1.2
slbRealNumberOfConnections         .1.3.6.1.4.1.9.9.161.1.3.1.1.5
CISCO-ENHANCED-SLB-MIB
cesRserverName                         .1.3.6.1.4.1.9.9.470.1.1.1.1.1
cesRserverIpAddress                    .1.3.6.1.4.1.9.9.470.1.1.1.1.4
cesRserverCurrConns                   .1.3.6.1.4.1.9.9.470.1.1.1.1.19
Either of these MIBs /OIDs return any value.
When i raise a TAC case i got the information saying these cannot be retrieved.
Is there any way i can get these values from ACE MODULE , because this is very much required for the BU and they are behind us since long time.
Apppreciate support from all.
thanks,
Parvees

Hi Parvees,
I wasn't looking for values you're interested in, but everything you can get with show command you can get via HTTP(s) request in XML using .
For example, here's a "sh serverfarm ServerFarm1" query:
$ curl --user USER:PASSWD -d "xml_cmd=CONTEXT\">xml-show on%0A show serverfarm ServerFarm1" http://ACE_IP_ADDRESS/bin/xml_agent
I'm running curl on linux box, but I think it is available on other platforms. The code above is a one-line command, but you can write scripts/lists of commands and send them to your ACE with curl.
Here's a link provided in a neighbour discussion that gives more information: https://supportforums.cisco.com/docs/DOC-17849
Hope this help,
Alex

Ace with servers in VMware

Hi;
I have a customer who has a test site with one ACE doing load balancing for a small farm ( 8 servers). Recently the customer moved his servers to
to VMware. The customer claims that since that change, the ACE is causing for large delays. His claim is that when he points his clients http requests directly to the servers, bypassing the ACE, he receives normal response time. His claim is that the ACE is causing up to 30 sec delays. This was definitely not the case before they made their change.
I was wondering if anyone has any insight to this type of situation ? Are there any specific ACE issues and load balancing factors that may surface when working with VMware, which are not notticable with real servers?
The ACE is blade in 6500
Thanks for any help.
Mickey

Hi Mickey,
Because this is a ACE module, you can just sniff the ten gig interface on the ACE. This way you will get everything coming in and out of the ACE. Now if you have lot of traffic then this will be bit overwhelming. So may be you can find a lean period and do this exercise or possible pick a client PC from where you can repro the slowness and filter based on that.
Also as you will be using wireshark, you can write to multiple files so that you dont loose the interesting traffic.
I have attached the process of doing a ten gig capture to this post. Hope this helps
Cheers
V.K

Transparent Cache; Need separation for YouTube.

Gurus,
here I'm again trying to get some insight to my clients cache issues:
We recently wanted to separate Youtube traffic from the global cache pool and make a separate 3-cache pool, we hit a major issue, the moment we added the paramters/class-maps/policy-maps, we saw ACE dropping 80% of normal existing traffic and we were left with an outage of the web, the ACE just wont pass traffic, even after we removed the class-maps and polices and reloading the ACE module , had to reboot the c6500s
Here the config:
YOUTUBE SERVERFARM:
rserver host BCXX
description BC-YOUTUBE-x
ip address X.X.X.X
inservice
rserver host BCYY
description BC-YOUTUBE-y
ip address Y.Y.Y.Y
inservice
rserver host BCZZ
description YOUTUBE -z
ip address Z.Z.Z.Z
inservice
serverfarm host LEASTCONNECTIONS_FARM
description Transparent Proxy Least Connection Farm
transparent
failaction purge
predictor leastconns slowstart 60
probe PORT_80
rserver BC05
inservice
rserver BC06
inservice
rserver BC07
serverfarm host YOUTUBE_FARM
transparent
failaction purge
predictor roundrobin
probe PORT_80
rserver BC-YOUTUBE-x
inservice
reserver BC-YOUTUBE-y
inservice
rserver BC-YOUTUBE-z
inservice
class-map type http loadbalance match-any YOUTUBE-1
2 match http header Host header-value "www.youtube.com"
class-map type http loadbalance match-any YOUTUBE-2
2 match http url /get_video.*
sticky ip-netmask 255.255.255.255 address both STICKY_SF
timeout 30
timeout activeconns
replicate sticky
serverfarm LEASTCONNECTIONS_FARM
policy-map type loadbalance first-match TRANSPARENT_LB_PM
class YOUTUBE-1
serverfarm YOUTUBE_FARM
class YOUTUBE-2
serverfarm YOUTUBE_FARM
class class-default
sticky-serverfarm STICKY_SF
, We saw some buffer crunches but not sure, we are running A2(1.3) .
last year we had same config with ONLY mathcing URL /get_video.* and was working fine with dest_ip hashing,
this time we added the host www.youtube.com and 3 separate caches.
doesnt seem to make sense to us,
if anyone has worked to segregate U-tube , do share their config philosophy.
we are thinking about separate context or diff policies, but that's too much config related, still all options open.
do let me now champs..
Shukla.

if you had to reboot the cat6k this is not a ACE issue.
The ACE module sits inside the cat6k but should be considered as an external device.
To separate Youtube traffic you need a new feature of A2(1.4) to hash the secondary cookie value.
CSCsq99736: ACE predictor hash url should not stop parsing at "?" delimiter
All video in youtube comes from the same url but with an option "watch?v=9LMTClqvCGs"
What you need to do is hash the value which can be done with A2(1.4).
This will guarantee that you always get to the same cache for the same video.
But your total meltdown was not the result of ACE.
Sth else must have happened.
If ACE was the problem, a reboot of ACE w/ a known-working config should have been enough.
Try not to reboot as a way to fix problems.
Call the TAC and let them troubleshoot your issue live.
Gilles.

Facing Issue in ACE 4710 ..Secondary ACE showing as FSM_FT_STATE_STANDBY_COLD ...

Hi All ,
I am facing problem with my ACE 4710 in active-standby environment . When I check Show ft group detail on my Active ACE , it shows peer state as
FSM_FT_STATE_STANDBY_COLD for Admin context . Below is the output :
Primary_ACE/Admin#sh ft group detail
FT Group                     : 1
No. of Contexts              : 1
Context Name                 : Admin
Context Id                   : 0
Configured Status            : in-service
Maintenance mode             : MAINT_MODE_OFF
My State                     : FSM_FT_STATE_ACTIVE
My Config Priority           : 120
My Net Priority              : 120
My Preempt                   : Enabled
Peer State                   : FSM_FT_STATE_STANDBY_COLD
Peer Config Priority         : 100
Peer Net Priority            : 100
Peer Preempt                 : Enabled
Peer Id                      : 1
Last State Change time       : Tue Jan 1 05:32:55 2002
Running cfg sync enabled     : Enabled
Running cfg sync status      : Peer in Cold State. Error on Standby device when
applying configuration file replicated from active
Startup cfg sync enabled     : Enabled
Startup cfg sync status      : Peer in Cold State. Startup configuration sync ha
[7m--More--[m
s completed
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
FT Group                     : 2
No. of Contexts              : 1
Context Name                 : APP_Context
Context Id                   : 1
Configured Status            : in-service
Maintenance mode             : MAINT_MODE_OFF
My State                     : FSM_FT_STATE_ACTIVE
My Config Priority           : 120
My Net Priority              : 120
My Preempt                   : Enabled
Peer State                   : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority         : 100
Peer Net Priority            : 100
Peer Preempt                 : Enabled
Peer Id                      : 1
Last State Change time       : Tue Jan 1 05:32:56 2002
Running cfg sync enabled     : Enabled
[7m--More--[m
Running cfg sync status      : Running configuration sync has completed
Startup cfg sync enabled     : Enabled
Startup cfg sync status      : Startup configuration sync has completed
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
Also when I give show ft config-errors on my secondary ACE it gives the following result .
Secondary_ACE/Admin#sh ft config-error
Mon Jun 10 00:04:11 IST 2002
`no 3 match virtual-address 10.40.3.15 tcp eq https`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.15 tcp eq 8082`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.21 tcp eq www`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.21 tcp eq https`
Error: LB action requires match vip command
`2 match virtual-address 10.40.3.21 tcp eq https`
Error: This configuration already exists
`2 match virtual-address 10.40.3.21 tcp eq www`
Error: This configuration already exists
`2 match virtual-address 10.40.3.15 tcp eq 8082`
Error: This configuration already exists
`2 match virtual-address 10.40.3.15 tcp eq https`
Error: This configuration already exists
Error(s) while applying config.
I am attaching the running configuration of both the ACE's . Kindly help me in resolving the issue .
Also I noticed one thing . There is configuration difference in Primary and Secondary ACE . I guess this is causing the issue .
Need help to fix this asap .
Following configuration is missing on the secondary ACE .
======================================================================
class-map match-all WEB_FARM_VIP-80
3 match virtual-address 10.40.3.15 tcp eq www
policy-map type loadbalance first-match WEB_FARM_VIP-80-l7slb
class class-default
    serverfarm HTTP-2-HTTPS
class WEB_FARM_VIP-80
    loadbalance vip inservice
    loadbalance policy WEB_FARM_VIP-80-l7slb
Thanks ,
Tushar

Dear all,
Pls help me out in this regard, I dont have much idea about ACE.
Regards,
Sashi

Issue with ACE HTTP class map

This is what I want to achieve USING the ACE as a reverse proxy.
User uses the url https://abc/password - gets to the destination server & the web page
If user tries to use any thing additional then the connection is dropped at the ACE such as
https://abc/password/test or any such variation.
Following is the config I have to achieve this
class-map type http loadbalance match-any L7-CLASS-TEST
match http url /password
match http url /password/
class-map type http loadbalance match-any L7-CLASS-TEST-deny
2 match http url .*.*
policy-map type loadbalance first-match LBP-TEST
class L7-CLASS-TEST
    serverfarm FARM-TEST
    ssl-proxy client TEST
class L7-CLASS-TEST-deny
    drop
class class-default
    serverfarm FARM-TEST
    ssl-proxy client TEST
The problem with this is when the page opens I get broken links on all the images. If I use the following line
match http url /password.*
I get the images to work but the user can use the https://abc/password/test which is not what I want.
Has any one faced this issue ?
Any help will be appreciated.
Thanks in advance
Prasanna

Prasanna,
What about if you try it in HTTP and apply the following change?
class-map type http loadbalance match-any L7-CLASS-TEST-deny
2 match http url /.*
This should work in HTTP but not with HTTPS
Anyway, it should not work since everything seems to be encrypted, you may require either SSL-termination or END-TO-END SSL for this then the ACE can decrypt the request see what it needs to do and take the load balance decision.
Jorge

ACE load balancing issue

Hi,
I have ACE module and 2 servers the problem i am facing is only one server is been serviced by ACE the other server is not getting much traffic at all.
One server gets hit most of the time like 3 pkts goes to server 1 and 1 pkt goes to server 2.
Could anyone tell me why is this issue that unequal load balancing is occoring on my device.
Thanks in advance.

here's the output of
sh serverfarm det
serverfarm : DNS, type: HOST
total rservers : 2
active rservers: 2
description : -
state : ACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 0
total conn-dropcount : 0
Probe(s) :
DNS_PROBE, type = DNS
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: DNS-118-1
10.0.0.1:0 8 OPERATIONAL 206 127901 1
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: DNS-118-2
10.0.0.2:0 8 OPERATIONAL 230 212332 4
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
here's the output of
sh service-policy L3L4_LOADB detail
Status : ACTIVE
Description: -----------------------------------------
Context Global Policy:
service-policy: L3L4_LOADB
class: CLASS_MAP
nat:
nat dynamic 1 vlan 118
curr conns : 325 , hit count : 340457
dropped conns : 5
client pkt count : 2697687 , client byte count: 179735431
server pkt count : 2694477 , server byte count: 535957631
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.0.0.3 tcp eq 53
10.0.0.3 udp eq 53
loadbalance:
L7 loadbalance policy: L7_LOADB
VIP Route Metric : 77
VIP Route Advertise : ENABLED-WHEN-ACTIVE
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 325 , hit count : 340462
dropped conns : 5
client pkt count : 2697687 , client byte count: 179735431
server pkt count : 2694477 , server byte count: 535957631
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : L7_LOADB
class/match : class-default
LB action: :
primary serverfarm: DNS
state: UP
backup serverfarm : -
hit count : 340457
dropped conns : 0

SIP load balancing issue with ACE 4710

SIP Load balancing Issue with ACE 4710
I have a Cisco ace 4710 with vesion Version A4(2.2). i configued simple SIP load balancing first without stickiness. without stikeiness we are having a problem because bye packet at the was not going to the same server all the time that left our port in used even though user hang up the phone. its happen randmly. i have a total 20 licenced ports and its fill out very quickly. so i dicided to use the stickiness with call-ID but still same issue. below is the config
rserver host CIN-VOX-31
ip address 172.20.130.31
inservice
rserver host CIN-VOX-32
ip address 172.20.130.32
inservice
serverfarm host CIN-VOX
probe SIP-5060
rserver CIN-VOX-31
    inservice
rserver CIN-VOX-32
    inservice
sticky sip-header Call-ID VOX_SIP_GROUP
timeout 1
timeout activeconns
replicate sticky
serverfarm CIN-VOX
class-map match-all CIN_VOX_L4_CLASS
2 match virtual-address 172.22.12.30 any
class-map match-all CIN_VOX_SIP_L4_CLASS
2 match virtual-address 172.22.12.30 udp eq sip
policy-map type loadbalance sip first-match CIN_VOX_LB_SIP_POLICY
class class-default
    sticky-serverfarm VOX_SIP_GROUP
policy-map multi-match GLOBAL_DMZ_POLICY
   class CIN_VOX_SIP_L4_CLASS
    loadbalance vip inservice
    loadbalance policy CIN_VOX_LB_SIP_POLICY
    loadbalance vip icmp-reply
class CIN_VOX_L4_CLASS
    loadbalance vip inservice
    loadbalance policy CIN_VOX_LB_SIP_POLICY
    loadbalance vip icmp-reply
interface vlan 20
description VIP_DMZ_VLAN
ip address 172.22.12.4 255.255.255.192
alias 172.22.12.3 255.255.255.192
peer ip address 172.22.12.5 255.255.255.192
access-group input PERMIT-ANY-LB
service-policy input GLOBAL_DMZ_POLICY
could you please help me on this...
thanks
Rakesh Patel

I mean there should be one more statement-
class-map type sip loadbalance match-any CIN_VOX_LB_SIP_POLICY
match sip header Call_ID header-value sip:
and that will be called under-
policy-map multi-match GLOBAL_DMZ_POLICY
   class CIN_VOX_SIP_L4_CLASS
    loadbalance vip inservice
    loadbalance policy CIN_VOX_LB_SIP_POLICY
    loadbalance vip icmp-reply
is that missing in your config ?

Microsoft ACE & Office compatibility issue

Here is our situation:
We have a 32 bit VC++ application that operated both with:
- Access to store data via ADO
- Excel for result output via OLE Embedded and OLE Automation
Our application is in the market of imaging.
Because of the interest of our users to work with more & bigger images, we can't stay with a 32 bit application.
We started the migration to x64 but we have a problem:
1. Data access requires Microsoft ACE OLEDB provider x64
2. Most of our users run Excel 32 bits (Microsoft continue to recommend the use of Office 32 bits).
The problem is that the Microsoft ACE OLEDB provider x64 is not compatible with Office 32 bits.
Can you please confirm?
Is there a way to workaround, for example by using another x64 OLEDB provider that would not have any issue running on the same machine as Office 32 bits?
Or maybe this is a case where Microsoft would tell us to use the x64 version of Office.

Hi EddyDelpierre,
>>The problem is that the Microsoft ACE OLEDB provider x64 is not compatible with Office 32 bits. Can you please confirm?
Yes, the 64-bit Microsoft ACE driver cannot co-exist with 32-bit versions of Microsoft Office, you must use 64-bit Microsoft Office.
The relate article:
http://blogs.msdn.com/b/farukcelik/archive/2010/06/04/accessing-excel-files-on-a-x64-machine.aspx
>>Is there a way to workaround, for example by using another x64 OLEDB provider that would not have any issue running on the same machine as Office 32 bits?
You could try the solution suggested by Applied Maths in this thread:
https://social.msdn.microsoft.com/Forums/en-US/abf34eea-1029-429a-b88e-4671bffcee76/why-cant-32-and-64-bit-access-database-engine-aceoledb-dataproviders-coexist?forum=adodotnetdataproviders
As a reminder, the ADO.NET Managed Providers forum will be a better place for your question:
https://social.msdn.microsoft.com/Forums/en-US/home?forum=adodotnetdataproviders
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey.

ACE 4710 Loadbalancer Weblogic Issues

Hi Guys,
Having some issues with my Loadbalancer and weblogic. Eventually i want to SSL Forwarding and everything set up but as of now I can only access the VIP under port 7001 (default weblogic port.) How would i get it so I can access via HTTP. My Config is below.
PA-ACE-4700-SLB/Admin# changeto Prod-Support
PA-ACE-4700-SLB/Prod-Support# show run
Generating configuration....
access-list allow line 8 extended permit ip any any
probe icmp PROBE_SERVICE_ICMP
interval 5
passdetect interval 5
receive 5
probe tcp TCP443_PROBE
port 443
interval 5
passdetect interval 5
receive 5
connection term forced
open 2
probe tcp TCP7001_PROBE
port 7001
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
probe tcp TCP80_PROBE
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver host 228-WLS11host1
ip address 192.168.211.228
inservice
rserver host 229-WLS11host2
ip address 192.168.211.229
inservice
serverfarm host WLS11-7001
probe TCP7001_PROBE
rserver 228-WLS11host1
    inservice
rserver 228-WLS11host1 7001
rserver 229-WLS11host2
    inservice
rserver 229-WLS11host2 7001
sticky http-cookie ACE_COOKIE-7001 7001_STICKY
cookie insert browser-expire
replicate sticky
serverfarm WLS11-7001
class-map type http loadbalance match-any L5
2 match http url .*
class-map match-all WLS11-7001-CLASS
2 match virtual-address 192.168.211.50 tcp any
policy-map type loadbalance first-match WLS11-7001-Policy
class L5
    sticky-serverfarm 7001_STICKY
policy-map multi-match WLS11-SLB
class WLS11-7001-CLASS
    loadbalance vip inservice
    loadbalance policy WLS11-7001-Policy
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1000
interface vlan 1000
ip address 192.168.211.226 255.255.255.0
access-group input allow
nat-pool 1 192.168.211.50 192.168.211.50 netmask 255.255.255.255 pat
service-policy input WLS11-SLB
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.211.235
Thanks for any help you can provide.

Hummm,
Andy
1) Can you modify this?
class-map type http loadbalance match-any L5
2 match http url .*
to look like this:
class-map type http loadbalance match-any L5
2 match http url /.*
2)Can you do this:
serverfarm host WLS11-7001
probe TCP7001_PROBE
rserver 228-WLS11host1 7001
inservice
rserver 229-WLS11host2 7001
inservice
3)Can you clear all the browser´s cookies and/or open a new browser window? It might be possible that some clients are stuck to the servers with does not have hardcoded the port.
4)Can you do: clear stats loadbalance?(won´t affect anything)
5)Then generate traffic
6)Then get:
#show service-policy WLS11-SLB class-map WLS11-7001-CLASS detail
#show stat http
Jorge

ACE FTP issues with "inspect ftp"

Hello.
My clients want to access an FTP server, via ACE, and I am having some issues. They can login and issue only one command... the second command will not be accepted an after a few seconds the prompt shows the message "connection closed by remote host".
I have sniffed traffic and I see that the connection between the client and the ACE has a strange behaviour because ACE open connection to data using an source port of 1039 (it should be 20, since we are usind an active mode client); between the ACE and the real server runs in active mode (I see normal ftp-data packets).
Other strange thing is that I have FWSM and they let traffic pass from ACE to client (they should expect traffic comming from port 20 and not 1039)
I am doing source NAT and ACE is doing all the necessary changes on source IP adresses.
Anyone has seen similar behaviour?
Any help would be appreciated.
In attach I send my config and traffic sniffing.
Thanks in advance.
Joao Ribau
P.S. - client is 10.1.44.98; VIP is 10.1.9.150; real server 10.1.36.124

Hello.
I didn´t mentioned this before but the gateway of all my networks is an ACE that is loadbalancing traffic to two firewall clusters. I think this is not important because I have a "catch all" VIP in all my interfaces; I assume that ACE forwards traffic with no restrictions or inspections leaving the inspection job to the firewalls and to the ACE that I use to load balance services.
Don´t think this could be the problem but just to make sure I decided to post it.
Best regards,
Joao Ribau.
P.S. - my configs on the ACE that loadbalance traffic to the firewalls are very straightforward. Serverfarms (interfaces of the firewalls), a class-map with a "catch-all" VIP, policy-map to for the serverfarm, a policy-map to tie the class to the serverfarm and finally a service-policy apllied to each interface.

HTTP sticky timeout issue in ACE .

Hi All ,
We are facing the dis connectivity issue in the the http session ( sticky configuration )
As per the customer requirement we configured the http sticky with the connection time out 60 min ( one hour ) .
But as per the test with the tool cookie manager , they identified as the http sessions are getting timed out in 20 to 30 minuits .
Please find the sticky configuration
sticky http-cookie FRONT_SESSION_ID TEST_FRONT
cookie insert
timeout 60
replicate sticky
serverfarm TEST_FRONT
We also did the http persistence as below .
parameter-map type http HTTP_Persistence_Rebalance
persistence-rebalance
Parameter-map : HTTP_Persistence_Rebalance
Description : -
Type : http
    server-side connection reuse       : disabled
    case-insensitive parsing           : disabled
    persistence-rebalance              : enabled
    header modify per-request          : disabled
    cookie-error-ignore                : disabled
    header-maxparse-length             : 4096
    content-maxparse-length            : 4096
    parse length-exceed action         : drop
    urlcookie-delimiters               : /&#+
    urlcookie-start                    : ?
We have also tested the session directly with the Rserver .But it is not getting disconnected ( As we doubt is it any server related issue )
Also please find the below resource allocation .
resource-class TEST-FRONT
limit-resource all minimum 0.00 maximum unlimited
limit-resource buffer syslog minimum 0.50 maximum equal-to-min
limit-resource sticky minimum 2.00 maximum unlimited
So can any one please suggest me is there any configuration mistakes here .
If the configuration is ok please suggest me what more I have to do for making the stickiness around 60 min .
Regards ,
Sinjish.K

Sinjish-
Can you use the capture utiliy on ACE to gather a trace of the entire session - then filter out the traffic to just the client IP or the server IP and attach it to this thread? A showtech would also be useful to see if there are any anomolies.
Regards,
Chris Higgins

ACE Issue

Similar Messages

Maybe you are looking for