ACE Logging

Hi,
I want to enable logging on the ACE appliance, which is running in multiple context mode. I want to see a log whenever any VIP server or real server goes down; it should send a trap or log to the syslog server. My ACE is running in routed mode and I want to have only specific logging in case any monitored service or server goes down.
Please let me know how to enable only the required logging and syslog.

Hi,
Can anybody help me out? The other day I enabled logging, but this caused the ACE to slow down and I was hardly able to log in.
Before logging, the following was the configuration:
show logging
Syslog logging:                 disabled
but when I just entered the following command:
logging enable
I got disconnected and was hardly able to disable logging.
Please let me know how to enable only specific logging so that when one VIP server is not accessible it will send a log to syslog.
Please help me out.

Similar Messages

  • ACE logging hassle - GLBP m-cast denies...

    Need some ideas:
    Have a pair of ACEs in front of a data center application. The outside interfaces are properly denying GLBP m-cast traffic from the attached pair of 6509s on the same VLAN.
    2/14/2011,10:04:11 AM,10.147.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp src vlan2577:165.201.107.195/3222 dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]
    2/14/2011,10:04:11 AM,10.147.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp src vlan2577:165.201.107.194/3222 dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]
    These messages are normal and expected, but the denies fill up the ACE log to the tune of 30MB per day. I've looked at...
    To tune out specific syslog messages:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/system/message/guide/config.html#wp1069411
    ACE Syslog message guide:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/system/message/guide/messags.html#wp1145672
    ...but it appears that if I tune out this syslog message 106023, I lose all deny reporting - don't want to do that.
    Here is the existing ACL-list:
    access-list Public remark Inbound Traffic
    access-list Public line 1 extended permit icmp any any
    access-list Public line 10 extended permit tcp any any eq https
    access-list Public line 11 extended permit tcp any any eq www
    I really don't want to recommend passing this m-cast traffic through the ACE, no purpose for it behind the ACE. Nor do I want to slow down the GLBP hellos just to solve a log record annoyance.
    Any ideas on how I can reduce or eliminate these deny messages from the ACE log without losing all deny visibility?
    Thanks,
    m.

    Still no joy on this one, but there was some faint hope with the solution below for ASA FW's that I got from engineering inside Cisco (Not TAC). Unfortunately, the ACE does not support the required 'shun' command. Thought I would just post the ASA solution in case folks run across this issue in other environments and maybe, just maybe, we can get the shun command on the ACE.
    Shunning allows you to black-hole or refuse particular traffic at an interface based upon source-destination addressing.  This action would also be logged, but with 'shun' you can also assign a unique SYSLOG ID to the shunned traffic and so tune it out completely from the logging. If it doesn't, then there is no elegant solution.
    So, check out whether the ACE has the shun command available  in it. If it has the command, then the following should apply:
    Possible workaround-
    shun 10.17.84.2 239.192.2.0 2222 2222
    That way you'll get different syslog message ID for shun traffic and you can disable logging for that traffic by-
    no logging message
    Reference
    http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logmsgs.html#wp1279897
    http://www.cisco.com/en/US/docs/security/asa/asa71/system/message/logconf.html#wp1067974

  • ACE logging - rserver and probes

    On the CSS I get a message if a server fails the keepalive and goes into the state "down", "up" or "suspended". This is logged in the traplog file on the CSS.
    Is there any possibility on an ACE to have logs for rserver state changes like "PROBE-FAILED", "OPERATIONAL" and "OUT-OF-SERVICE"?
    Thanks in advance

    Hi Gilles,
    1. Looks fine, but I miss the rserver name in the log; only the IP address of the server appears.
    So it looks like the "ip address log" is implemented :-(
    b-sllb2001-09/db_bku-nK2# show rserver sthon
    rserver : sthon, type: HOST
    state : PROBE-FAILED
    ----------connections-----------
    real weight state current total
    ---+---------------------+------+------------+----------+--------------------
    serverfarm: test.db.de
    172.24.100.98:0 8 PROBE-FAILED 0 0
    b-sllb2001-09/db_bku-nK2# show logging | i ACE-3
    Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
    Jun 25 2008 09:20:23 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
    Jun 25 2008 09:20:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
    Jun 25 2008 09:21:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
    2. I can find nothing in the log when the probe goes to the "operational" or "out-of-service" state.
    Is this correct?
    b-sllb2001-09/db_bku-nK2# show rserver sthon
    rserver : sthon, type: HOST
    state : OPERATIONAL
    ----------connections-----------
    real weight state current total
    ---+---------------------+------+------------+----------+--------------------
    serverfarm: test.db.de
    172.24.100.98:0 8 OPERATIONAL 0 0
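An added example, not from this thread or from Cisco, that derives rserver state transitions from the %ACE-3-251011 messages shown above: the ACE logs every failed probe but nothing when the server recovers, so this tracker reports PROBE-FAILED on the first failure and infers OPERATIONAL once no failure has been seen for a quiet period (the length of that period is an assumption of the example; the sample lines are the thread's four messages).

```python
"""Derive rserver state transitions from %ACE-3-251011 health-probe messages."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Message shape from the thread:
#   "Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server
#    172.24.100.98, server reply timeout"
PROBE_FAIL_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s*:\s*%ACE-3-251011:\s+"
    r"(?P<probe>\S+)\s+health probe failed for server\s+(?P<server>[\d.]+),\s*(?P<reason>.+)$"
)
TS_FORMAT = "%b %d %Y %H:%M:%S"  # ACE timestamp as shown in the thread

Transition = Tuple[str, str, str]  # (server, new state, detail)


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, TS_FORMAT)


class ProbeStateTracker:
    """Track each rserver as PROBE-FAILED / OPERATIONAL from failure messages only.

    The ACE emits 251011 for every failed probe but nothing when the server comes
    back, so recovery is inferred from silence: a server in PROBE-FAILED with no
    new failure for `recovery_after` is declared OPERATIONAL. The quiet period is
    an assumption of this example; size it to a few probe intervals so a single
    late reply does not flap the state.
    """

    def __init__(self, recovery_after: timedelta):
        self.recovery_after = recovery_after
        self.last_failure: Dict[str, datetime] = {}
        self.state: Dict[str, str] = {}

    def feed(self, line: str) -> Optional[Transition]:
        """Consume one syslog line; return a transition only on the first failure."""
        m = PROBE_FAIL_RE.search(line)
        if not m:
            return None  # not a 251011 message
        server = m.group("server")
        self.last_failure[server] = parse_ts(m.group("ts"))
        if self.state.get(server) != "PROBE-FAILED":
            self.state[server] = "PROBE-FAILED"
            return (server, "PROBE-FAILED", f"{m.group('probe')} probe: {m.group('reason')}")
        return None  # repeated failure: already down, no new transition

    def tick(self, now: datetime) -> List[Transition]:
        """Call periodically; returns servers whose failures have gone quiet long enough."""
        recovered = []
        for server, last in self.last_failure.items():
            if self.state.get(server) == "PROBE-FAILED" and now - last >= self.recovery_after:
                self.state[server] = "OPERATIONAL"
                recovered.append((server, "OPERATIONAL", f"no failure for {self.recovery_after}"))
        return recovered


# The four messages from the thread, used as sample input.
SAMPLE_LINES = [
    "Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout",
    "Jun 25 2008 09:20:23 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout",
    "Jun 25 2008 09:20:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout",
    "Jun 25 2008 09:21:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout",
]


def replay(lines: List[str], now_ts: str, recovery_seconds: int = 120) -> List[Transition]:
    """Feed all lines, then evaluate recovery as of `now_ts` (same format as the log)."""
    tracker = ProbeStateTracker(timedelta(seconds=recovery_seconds))
    events = [t for t in (tracker.feed(line) for line in lines) if t is not None]
    events.extend(tracker.tick(parse_ts(now_ts)))
    return events


if __name__ == "__main__":
    for event in replay(SAMPLE_LINES, "Jun 25 2008 09:24:00"):
        print(event)
```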

  • Ace Logs from url or serverfarm

    We are doing analysis on blocking the source IPs, the actual usage from these source IPs, to what URLs,
    authenticated / non-authenticated etc.
    Is there any solution to trace out the user requests & URL responses from a particular farm behind the source NAT?
    Referring to the discussion below for my problem, can it be helpful for me?
    ACE: how do I check what status code does URL returns

    Hi Anand,
    The short answer is no. You cannot get this information from the ACE because it doesn't include any transaction logging feature.
    The thread you were mentioning was regarding probes. For those it's actually possible to see the last return code returned by the server, but the ACE will not show you this information for client connections.
    I wish I could provide you a more satisfactory answer.
    Best regards
    Daniel

  • ASA 5200 ACE logs

    I am tightening some of the existing ACLs in the Cisco ASA.
    At the moment I am logging the traffic to see what type of traffic I am getting and configure new ACEs from there. So I am keeping the more open rule at the end while doing the logging.
    I am noticing that even though I have an ACL for access to a specific host, hits from that ACE (let's call it line 1) are still appearing in the logs for the more open ACL (which is further down in the list - let's call it line 10). The ACL line 1 has a very high hit rate - about 10 hits per second. Is this normal, that the hits seem to 'overflow' to other ACEs? I am reviewing the log with the Real-Time Log Viewer in ASDM 6.4.
    Any advice will be appreciated.

    Do you by chance have Netflow configured on the ASA? If so, try to uncheck "disable redundant syslog messages" check box.
    Path in ASDM: Configuration > Device Management > Logging > NetFlow

  • "exception" code in ACE logs

    Hello,
    We are having an issue with an HTTP-based application load balanced by ACE - sometimes one of the pages in the browser is partially blank (some of the code referenced in the main HTML document seems to be missing). We've discovered the following syslog message from ACE in regard to such an HTTP session:
    Jul  8 2010 09:24:03 : %ACE-6-302023:  Teardown TCP connection 0xd7f1 for vlan10:10.1.1.1/1783 to  vlan20:10.1.2.1/443 duration 0:00:00 bytes 45497 Exception
    What can be told about this "exception" code? Documentation isn't especially helpful in this case...
    thanks
    WM

    The error code states connection setup error which could be a number of things.
    https://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/system/message/guide/messags.html#wp1147957
    Can you post the ACE config you are using first and any details of the webserver. Would be a good place to start.
    Dave

  • ACE sending malformed requests?

    Hi,
    Our ACE has several contexts, and in one of them we are seeing a single probe fail at random times, to a single particular rserver.
    The logs of the ACE and the affected rserver at the same time are:
    ACE logs:
    %ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, received invalid status code
    %ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, received invalid status code
    %ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, server reply timeout
    %ACE-3-251010 Health probe failed for server 10.254.20.52 on port 80, server reply timeout
    rserver log:
    [Mon Oct 13 18:02:12 2008] [error] [client 10.254.20.11] Client sent malformed Host header
    [Mon Oct 13 19:35:37 2008] [error] [client 10.254.20.11] Client sent malformed Host header
    [Mon Oct 13 20:32:30 2008] [error] [client 10.254.20.11] request failed: error reading the headers
    [Mon Oct 13 21:36:22 2008] [error] [client 10.254.20.11] request failed: error reading the headers
    The strange thing is that it is always the same target rserver that reports this error. Naturally, I've asked the server admins to look at this rserver, but they've seen the 'client request' errors in their logs and are suggesting the ACE is at fault.
    This rserver also hosts other IP addresses that are used in the same context in different serverfarms - and it behaves as normal without error....it is just this single destination IP that seems to have a problem. Other IPs in the same serverfarm are ok.
    Are there any more in-depth checks that I can do at the ACE level to verify that all is OK with the ACE?
    The probe is set up like:
    probe http 80-checker
    interval 10
    passdetect interval 3
    request method get url /ping
    expect status 200 200
    Thanks
    Cameron

    I would like you to run a sniffer on the rserver and look into the HTTP header of the probe request from the ACE.
    Check if the parameters expected by the rserver are in line with the HTTP request used by the ACE probe.
    For example if RServer is expecting "www.xyz.com" as HOST then is ACE really using
    "HOST:www.xyz.com" in the HTTP request header.
    Thanks
    Syed Iftekhar Ahmed

  • Cisco Ace asymetric routing - DNS traffic

    Hi,
    I am wondering if the ACE supports asymmetric routing.
    In my setup the ACE is connected to a router with two transit L3 interfaces. The interfaces on the router side belong to different VRFs (e.g. VRF-A & VRF-B). The router is running MPLS in order to connect to the internet border-gateway router and then to the internet.
    Now the issue is that the ACE got the default route with the next hop as the router's interface in VRF-A. However the server's subnet (SVI on the ACE) is advertised on the router in VRF-B.
    So the outbound traffic (DNS query) from servers to the internet takes the default route with the next hop of the router's interface in VRF-A, and inbound traffic (DNS response) comes back via MPLS using VRF-B. That is because the server's subnet is only advertised in VRF-B, so the remote internet border gateway will see the server's subnet with the route-target applied to it in VRF-B.
    When I enabled reverse-path forwarding on the transit interface I could clearly see in the ACE logs that the DNS response was getting dropped on the ACE. I have even removed reverse-path forwarding (nothing in the logs, but the DNS response from the internet still can't reach the servers). I think logically it's still asymmetric routing from the ACE's point of view, but I'm not sure.
    Can anyone please confirm the solution to this issue? I am thinking that if I advertise the server's subnet in VRF-A as well then it will be symmetrical routing, but I'm not 100% sure if it will fix it.
    So just wondering if there are any other options advisable?
    Thanks

    Is it not possible to have a host route added to the destination server ? This would allow the traffic to be routed back the same way it came and thus the connection work ?
    Try adding a static route onto the destination server along the lines of ...
    route add [source address of server] mask 255.255.255.255 [IP address of ACE interface]
    This would cause the traffic to be routed between the two hosts via the ACE module which is good because the ACE is acting as a router between the two network segments.
    That's just what I would do but I understand that it may not be the option you want.
    Good luck

  • Cisco ACE A2(2.0) - webhost-redirection

    Hello,
    We are currently running the version ACE A2(2.0), pretty old one on Cisco ACE Module.  We have applied webhost-redirection https://%h%p 302 but it doesn't seem to take effect and always go back to the host header value.
    Is it a bug or a missing feature within A2(2.0) build ?
    Please assist.
    Thanks.

    Also is there a way to check in ACE logs as to what are the redirects taking place to identify any issues etc.
    Thanks.

  • Unable to view logging information on the context

    Unable to see the logging messages on the user context on the ACE, but able to view the logging on the Admin context.
    Admin# sh logging
    Message logging:                none
    Buffered logging:               enabled (level - debugging) maximum size 1048576
    Buffer info: current size - 1048576 global pool - 1048576 used pool - 1048576
                    min - 0 max - 1048576
                    cur ptr = 916918 wrapped - yes
    messages are displayed on the logging screen
    production# sh logging
    Message logging:                none
    Buffered logging:               enabled (level - information) maximum size 0
    Buffer info: current size - 0 global pool - 1048576 used pool - 1048576
                    min - 104448 max - 0
                    cur ptr = 0 wrapped - yes
    On the production context cur ptr = 0 and no messages are displayed on the screen.
    Not sure if I am missing any config.

    No logging messages on ACE; these are the commands issued on the ACE:
    logging enable
    logging fastpath
    logging console 6
    logging timestamp
    logging history 7
    logging buffered 7
    logging monitor 6
    This is the output I am getting
    ace2/Admin# sh logging
    Syslog logging:                 enabled
    Facility:                       20
    History logging:                enabled (level- debugging)
    Trap logging:                   enabled (level - information)
    Timestamp logging:              enabled
    Fastpath logging:               enabled
    Persist logging:                disabled
    Standby logging:                disabled
    Rate-limit logging:             disabled (min - 0 max 100000 msgs/sec)
    Console logging:                enabled (level - information)
    Monitor logging:                enabled (level - information)
    Device ID:                      disabled
    Message logging:                none
    Buffered logging:               enabled (level - debugging) maximum size 0
    Buffer info: current size - 0 global pool - 1048576 used pool - 0
                    min - 0 max - 1048576
                    cur ptr = 0 wrapped - no
    ace2/Admin#

  • Can't DPV, log file error

    I keep getting:
    Err no - 7091, DPV and LACSLink Required Parameter. The Log File Directory must be writable when either DPV or LACSLink is enabled.
    I am running Windows 7 64-bit. Initially at install the auto updates didn't work. I got that fixed but now I get this.
    Has anyone run into this issue before? I set security on all postalsoft folders to allow all for all groups. I don't think SAP supports windows 7 yet.

    Alex,
    This information can be found in our knowledge base...
    Install the most current version of software again with Full Administrator Rights and make sure there are full read and write permissions to the C:\Postalsoft installation directory.
    OR
    Open Windows Explorer and go to C:\Postalsoft. Create a new directory "folder" under Postalsoft called ACE. Then create a new folder under ACE called Log. The path would be C:\Postalsoft\ACE\Log.
    The directory tree would then look like this:
    + Local Disk (C):
      + Postalsoft
        + ACE
          + Log
    If your Postalsoft program is installed elsewhere, make sure you create this ACE\Log path under Postalsoft.
    For future reference you may want to check the knowledge base first... hopefully this will save you some time and trouble.  To get to the knowledge base go to https://service.sap.com/bosap-support - click on the link that says "Search the knowledge base of known issues: SAP Notes".  Then you can type in the error or phrase you are looking for information on.
    Hope this helps!
    Thanks,
    Kendra

  • Cisco 6500 ACE ARP / mac-stick enable

    Hi,
    We recently found two entries in our ACE logs constantly complaining about IP/ARP collisions (%ACE-4-405001), and on further investigation we saw that the IPs related to these MAC addresses no longer existed anywhere in our network.
    1              5              2014-06-07 06:00:03         2014-06-08 02:00:04         WARNING            LOCAL4 ACE-CORE1:         %ACE-4-405001: Received ARP RESPONSE collision from x.x.x.x yy.yy.yy.yy.yy.yy on interface vlan5
    2              4              2014-06-07 10:59:48         2014-06-08 02:59:49         WARNING            LOCAL4 ACE-CORE1:         %ACE-4-405001: Received ARP RESPONSE collision from x.x.x.x yy.yy.yy.yy.yy.yy  on interface vlan5
    3              2              2014-06-07 06:59:48         2014-06-07 22:59:48         WARNING            LOCAL4 ACE-CORE1:         %ACE-4-405001: Received ARP RESPONSE collision from x.x.x.x yy.yy.yy.yy.yy.yy  on interface vlan5
    4              1              2014-06-07 10:00:04         2014-06-07 10:00:04         WARNING            LOCAL4 ACE-CORE1:         %ACE-4-405001: Received ARP RESPONSE collision from x.x.x.x yy.yy.yy.yy.yy.yy  on interface vlan5
    I exhausted the search for these two "ghost" IPs in our network, and finally remembered that our ACE configuration had a context we removed a few months back.
    From this context we had the following configured on the interface:
    interface vlan 18
      description CHAT-DMZ-FW
      bridge-group 1
      mac-sticky enable
      no shutdown
    I want to confirm with you guys if anyone has seen something similar, or knows of this, but I believe the IPs' learned MAC addresses got "sticky" on the ACE Admin context due to the mac-sticky enable command, and even after we removed the context these entries persisted?
    I finally used this command to remove the "ghost" IPs related to the MAC addresses:
    clear arp x.x.x.x no-refresh

    Dear Friend,
    Also confirm if the IP addresses were reachable though, and as far as the "ghost" synonym is referred, I can say there can be virtual MAC addresses and IP addresses in the network.
    That's it!
    Parvesh

  • Cisco Ace parser.

    Is there anyone who has a custom parser for Cisco ACE?
    Can't understand why it isn't included by default as a supported device in Cisco MARS.

    Hi.
    I'm trying to make a custom parser for ACE logs.
    It works fine except for denied ICMP traffic. The problem is that the event ID is the same in ACE (%ACE-4-106023).
    The parser checks for protocol type, src IP, src port and so on. ICMP however is logged without a src port (pretty obvious), but the parser breaks if it doesn't get a src port.
    %ACE-4-106023: Deny icmp src  vlanx:x.x.x.x dst undetermined:y.y.y.y (type 11, code 0) by access-group "access-list" [0x20c017d8, 0x0]
    %ACE-4-106023: Deny udp src vlanx:x.x.x.x/6155 dst undetermined:y.y.y.y/6155 by access-group "access-list" [0xffffffff, 0x0]
    So what I am missing in my parser is an "IF proto=ICMP don't match src&dst ports".
    Any ideas how I can make this work?
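A collector-side parser for the two shapes of %ACE-4-106023 seen in this thread and in the GLBP m-cast thread above, written as an added example (not code from either poster, from Cisco MARS or from Cisco): the port groups are optional so ICMP denies parse without src/dst ports, and only the expected GLBP denies (UDP/3222 to 224.0.0.102) are suppressed, so every other deny keeps its visibility. The CSV prefix and the 192.0.2.x / 198.51.100.x addresses in the sample lines are constructed.

```python
"""Parse %ACE-4-106023 deny messages; drop only the expected GLBP multicast denies."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One regex covers both shapes the threads show: tcp/udp denies carry "ip/port",
# icmp denies carry no ports but append "(type N, code M)". Both port groups and
# the icmp group are optional, which is the "IF proto=ICMP don't match ports" rule.
DENY_RE = re.compile(
    r"%ACE-4-106023:\s+Deny\s+(?P<proto>\w+)\s+"
    r"src\s+(?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))?\s+"
    r"dst\s+(?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
    r"(?:\s+\(type\s+(?P<icmp_type>\d+),\s+code\s+(?P<icmp_code>\d+)\))?"
    r'\s+by\s+access-group\s+"(?P<acl>[^"]+)"'
)


@dataclass(frozen=True)
class DenyEvent:
    proto: str
    src_if: str
    src_ip: str
    src_port: Optional[int]   # None for icmp
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]   # None for icmp
    icmp_type: Optional[int]  # None for tcp/udp
    icmp_code: Optional[int]
    acl: str


def parse_deny(line: str) -> Optional[DenyEvent]:
    """Return a DenyEvent for a 106023 line, or None for any other line.

    re.search is used so a syslog or CSV prefix in front of the %ACE tag is ignored.
    """
    m = DENY_RE.search(line)
    if not m:
        return None

    def opt(key: str) -> Optional[int]:
        value = m.group(key)
        return int(value) if value is not None else None

    return DenyEvent(
        proto=m.group("proto").lower(),
        src_if=m.group("src_if"), src_ip=m.group("src_ip"), src_port=opt("src_port"),
        dst_if=m.group("dst_if"), dst_ip=m.group("dst_ip"), dst_port=opt("dst_port"),
        icmp_type=opt("icmp_type"), icmp_code=opt("icmp_code"),
        acl=m.group("acl"),
    )


def is_expected_glbp_deny(ev: DenyEvent) -> bool:
    """GLBP hellos are UDP/3222 to 224.0.0.102; denying them is the 'normal and
    expected' noise from the GLBP thread, so only exactly that tuple is dropped."""
    return ev.proto == "udp" and ev.dst_ip == "224.0.0.102" and ev.dst_port == 3222


def filter_denies(lines: List[str]) -> Tuple[List[DenyEvent], int]:
    """Parse every line; keep all denies except the expected GLBP ones.

    Returns (kept events, number suppressed). Lines that are not 106023 are ignored.
    """
    kept: List[DenyEvent] = []
    suppressed = 0
    for line in lines:
        ev = parse_deny(line)
        if ev is None:
            continue
        if is_expected_glbp_deny(ev):
            suppressed += 1
        else:
            kept.append(ev)
    return kept, suppressed


# Constructed sample lines modelled on the two threads' messages.
SAMPLE_LINES = [
    '2/14/2011,10:04:11 AM,10.147.254.2,???,LOCAL4,WARNING,:%ACE-4-106023: Deny udp '
    'src vlan2577:165.201.107.195/3222 dst undetermined:224.0.0.102/3222 '
    'by access-group "Public" [0xffffffff, 0x0]',
    '%ACE-4-106023: Deny udp src vlan2577:165.201.107.194/3222 '
    'dst undetermined:224.0.0.102/3222 by access-group "Public" [0xffffffff, 0x0]',
    '%ACE-4-106023: Deny icmp src  vlan2577:192.0.2.10 dst undetermined:198.51.100.7 '
    '(type 11, code 0) by access-group "Public" [0x20c017d8, 0x0]',
    '%ACE-4-106023: Deny tcp src vlan2577:192.0.2.11/40000 '
    'dst undetermined:198.51.100.8/23 by access-group "Public" [0xffffffff, 0x0]',
    'Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server '
    '172.24.100.98, server reply timeout',
]

if __name__ == "__main__":
    events, dropped = filter_denies(SAMPLE_LINES)
    print(f"suppressed {dropped} expected GLBP denies, kept {len(events)}:")
    for event in events:
        print(" ", event)
```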

  • Transparent ACE - 2 VLAN's, 1 context, 2 VIPs

    Hi,
    We have a 3-tier application that needs to be load balanced from client to middleware and from middleware to backend.
    Usually we do this with multiple contexts on the ACE.
    This time we are doing this with multiple VLANs within the same context. Is this possible?
    setup
    client VIP = 10.0.103.3 which is mapped to IRIS_Reporting serverfarm in VLAN47
    middleware VIP = 10.0.103.4 which is mapped to IRIS_Web serverfarm in VLAN41
    The client hits VIP 10.0.103.3 and then the middleware box hits 10.0.103.4. The first part is working fine but the middleware cannot open a connection to the 10.0.103.4 VIP over tcp/80. In the ACE log I see the connection timing out...
    Oct  5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80)
    Oct  5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80)
    Oct  5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80) duration 0:00:05 bytes 104 SYN Timeout
    Oct  5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80) duration 0:00:05 bytes 232 TCP Reset
    thanks,
    John.

    Hi Ivan,
    Here is the config,
    access-list BPDU ethertype permit bpdu
    access-list everyone line 10 extended permit ip any any
    parameter-map type http HTTP_PARAM
      server-conn reuse
      case-insensitive
      persistence-rebalance
    parameter-map type generic SSLID_PARAM
      set max-parse-length 70
    parameter-map type ssl SSL_PARAM
      session-cache timeout 300
    parameter-map type connection TCP_PARAM
      syn-data drop
      exceed-mss allow
    rserver host BL-VAN-CDMSPBI1
      description IRIS Sharepoint Reporting Server
      ip address 10.0.4.15
      inservice
    rserver host BL-VAN-CDMSPBI2
      description IRIS Sharepoint Reporting Server
      ip address 10.0.4.18
      inservice
    rserver host BL-VAN-ITSM03
      description ITSM Reporting Server
      ip address 10.0.4.16
      inservice
    rserver host BL-VAN-ITSM04
      description ITSM Reporting Server
      ip address 10.0.4.17
      inservice
    rserver host VM-VAN-CDMSPNT1
      description IRIS Sharepoint Web Server
      ip address 10.0.2.148
      inservice
    rserver host VM-VAN-CDMSPNT2
      description IRIS Sharepoint Web Server
      ip address 10.0.2.149
      inservice
    serverfarm host IRIS_Reporting
      description IRIS Reporting Servers
      failaction reassign
      fail-on-all
      rserver BL-VAN-CDMSPBI1 80
        inservice
      rserver BL-VAN-CDMSPBI2 80
    serverfarm host IRIS_Web
      description IRIS Front End Web Servers
      failaction reassign
      fail-on-all
      rserver VM-VAN-CDMSPNT1 80
        inservice
      rserver VM-VAN-CDMSPNT2 80
        inservice
    serverfarm host ITSM_Reporting
      description ITSM Reporting Servers
      failaction reassign
      rserver BL-VAN-ITSM03 80
        inservice
      rserver BL-VAN-ITSM04 80
        inservice
    class-map match-all IRIS_REPORTING_HTTP
      2 match virtual-address 10.0.103.3 tcp eq www
    class-map match-all IRIS_WEB_HTTP
      2 match virtual-address 10.0.103.4 tcp eq www
    class-map match-all ITSM_HTTP
      2 match virtual-address 10.0.103.1 tcp eq www
    class-map type management match-any PING
      10 match protocol icmp any
      20 match protocol snmp any
    policy-map type management first-match PING-POLICY
      class PING
        permit
    policy-map type loadbalance first-match IRIS_REPORTING_HTTP-l7slb
      class class-default
        serverfarm IRIS_Reporting
    policy-map type loadbalance first-match IRIS_WEB_HTTP-l7slb
      class class-default
        serverfarm IRIS_Web
    policy-map type loadbalance first-match ITSM_HTTP-l7slb
      class class-default
        serverfarm ITSM_Reporting
    policy-map multi-match int41
      class IRIS_WEB_HTTP
        loadbalance vip inservice
        loadbalance policy IRIS_WEB_HTTP-l7slb
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options HTTP_PARAM
        connection advanced-options TCP_PARAM
    policy-map multi-match int47
      class ITSM_HTTP
        loadbalance vip inservice
        loadbalance policy ITSM_HTTP-l7slb
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
      class IRIS_REPORTING_HTTP
        loadbalance vip inservice
        loadbalance policy IRIS_REPORTING_HTTP-l7slb
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options HTTP_PARAM
        connection advanced-options TCP_PARAM
    interface vlan 41
      description Client-Side VIP for Internal WEB LB
      bridge-group 2
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      service-policy input int41
      no shutdown
      ip route inject vlan 41
    interface vlan 47
      description Client-Side VIP for Gen Applications LB
      bridge-group 1
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      service-policy input int47
      no shutdown
      ip route inject vlan 47
    interface vlan 341
      description Server-Side for Internal WEB
      bridge-group 2
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      no shutdown
    interface vlan 347
      description Server-Side for Gen Applications
      bridge-group 1
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      no shutdown
    interface bvi 1
      ip address 10.0.4.58 255.255.255.192
      alias 10.0.4.59 255.255.255.192
      peer ip address 10.0.4.57 255.255.255.192
      no shutdown
    interface bvi 2
      ip address 10.0.2.186 255.255.255.192
      alias 10.0.2.187 255.255.255.192
      peer ip address 10.0.2.185 255.255.255.192
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.4.62

  • ACE LB SSL Session ID in onearm mode

    I am trying to set up SSL stickiness using the session ID in one-arm configuration mode and cannot access the website via the VIP. I can browse to both servers directly.
    The ACE is connected to a Cat 6500 via a 4 gigabit ethernet port-channel, and only the management and one-arm context VLANs are trunked down the port-channel.
    From the one-arm mode context I am able to ping the MSFC (VLAN980) default gateway and both rservers. The rservers, server farm and service policy are all showing as in service. I am also able to ping the VIP from any device on the network.
    The incoming connection is established and NAT appears to take place, although the return session is reported as INIT.
    I have posted the configuration below and was hoping someone could make a few suggestions. One of the things I notice is that on the MSFC the NAT address isn't in the ARP table, although it's showing on the ACE.
    logging enable
    logging buffered 7
    access-list everyone line 1 extended permit ip any any
    script file name SSL_PROBE_SCRIPT
    probe scripted ssl443
      port 443
      interval 60
      passdetect interval 60
      script SSL_PROBE_SCRIPT
    parameter-map type generic sslidparam
      set max-parse-length 70
    rserver host host1
      ip address 192.168.20.129
      inservice
    rserver host host2
      ip address 192.168.20.130
      inservice
    serverfarm host ssl-443
      rserver host1
        weight 10
        probe ssl443
        inservice
      rserver host2
        weight 10
        probe ssl443
        inservice
    sticky layer4-payload sticky-443
      timeout 720
      serverfarm ssl-443
      response sticky
      layer4-payload offset 43 length 32 begin-pattern "\x20"
    class-map type management match-any MANAGEMENT
      2 match protocol icmp any
      3 match protocol http any
      4 match protocol https any
      5 match protocol ssh any
      6 match protocol telnet any
    class-map match-any slb-vip
      3 match virtual-address 192.168.198.50 tcp eq https
    policy-map type management first-match MANAGEMENT-POLICY
      class MANAGEMENT
        permit
    policy-map type loadbalance generic first-match slb-vip
      class class-default
        sticky-serverfarm sticky-443
    policy-map multi-match SSL-STICKY
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb-vip
        loadbalance vip icmp-reply
        nat dynamic 1 vlan 980
        appl-parameter generic advanced-options sslidparam
    interface vlan 980
      ip address 192.168.198.4 255.255.255.0
      peer ip address 192.168.198.5 255.255.255.0
      access-group input everyone
      nat-pool 1 192.168.198.6 192.168.198.6 netmask 255.255.255.255 pat
      service-policy input MANAGEMENT-POLICY
      service-policy input SSL-STICKY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.198.1
    sh conn
    total current connections : 2
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    19828      1  in  TCP   98   192.168.18.139:2411    192.168.198.50:443      ESTAB
    19829      1  out TCP   98   192.168.20.129 :443    192.168.198.6:1059     INIT

    The problem was caused by an incorrect nat pool.   Correct Mask was 255.255.255.0.
