ACE Module and IPSEC

Hi,
Can I load-balance IPsec to a couple of routers via the ACE module?
Sven

Yes, the ACE module supports IPsec.
You need stickiness based on src IP to guarantee that the ISAKMP traffic goes to the same router as the IPsec traffic.
Gilles.
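
The behaviour described in the answer above, as an added example that is not part of the original thread and is not ACE code: a small model in which IKE/ISAKMP (UDP 500) and ESP (IP protocol 50) from one peer are separate flows, so a per-flow predictor can split a tunnel across routers while source-IP stickiness keeps it together. The router names, client addresses, round-robin predictor and sticky timeout are assumptions made for the illustration.

```python
from dataclasses import dataclass
from itertools import cycle

UDP, ESP = 17, 50        # IP protocol numbers
IKE_PORT = 500           # ISAKMP/IKE

ROUTERS = ["router-1", "router-2"]                           # constructed names
CLIENTS = ["198.51.100.10", "198.51.100.11", "198.51.100.12"]  # constructed peers


@dataclass(frozen=True)
class Flow:
    src: str
    proto: int
    sport: int = 0       # ESP carries no ports, so these stay 0
    dport: int = 0


class Balancer:
    """Round-robin balancer with an optional source-IP sticky table (model only)."""

    def __init__(self, routers, sticky_by_src=False, sticky_timeout=None):
        self._next = cycle(routers)
        self.sticky_by_src = sticky_by_src
        self.sticky_timeout = sticky_timeout   # seconds; None = never expires
        self.conns = {}                        # Flow -> router
        self.sticky = {}                       # src -> (router, last_seen)

    def _sticky_lookup(self, src, now):
        if not self.sticky_by_src or src not in self.sticky:
            return None
        router, last_seen = self.sticky[src]
        if self.sticky_timeout is not None and now - last_seen > self.sticky_timeout:
            del self.sticky[src]               # entry aged out
            return None
        return router

    def forward(self, flow, now=0):
        if flow in self.conns:                 # established flow keeps its router
            router = self.conns[flow]
        else:                                  # new flow: sticky hit or predictor
            router = self._sticky_lookup(flow.src, now) or next(self._next)
            self.conns[flow] = router
        if self.sticky_by_src:
            self.sticky[flow.src] = (router, now)
        return router


def tunnel_placement(balancer, clients):
    """Send IKE, then ESP, for each peer; return {peer: (ike_router, esp_router)}."""
    placement = {}
    for t, src in enumerate(clients):
        ike = balancer.forward(Flow(src, UDP, IKE_PORT, IKE_PORT), now=t)
        esp = balancer.forward(Flow(src, ESP), now=t)
        placement[src] = (ike, esp)
    return placement


def split_tunnels(placement):
    """Peers whose IKE and ESP landed on different routers (tunnel will not pass traffic)."""
    return sorted(src for src, (ike, esp) in placement.items() if ike != esp)


def late_esp(sticky_timeout, gap):
    """One peer negotiates IKE at t=0 and sends its first ESP packet `gap` seconds later."""
    lb = Balancer(ROUTERS, sticky_by_src=True, sticky_timeout=sticky_timeout)
    src = CLIENTS[0]
    ike = lb.forward(Flow(src, UDP, IKE_PORT, IKE_PORT), now=0)
    esp = lb.forward(Flow(src, ESP), now=gap)
    return ike, esp


if __name__ == "__main__":
    print("no sticky   :", split_tunnels(tunnel_placement(Balancer(ROUTERS), CLIENTS)))
    print("src sticky  :", split_tunnels(
        tunnel_placement(Balancer(ROUTERS, sticky_by_src=True), CLIENTS)))
    print("timeout 60s :", late_esp(60, 120))
    print("timeout 600s:", late_esp(600, 120))
```

In this model a sticky entry that ages out before the peer's next new flow sends that flow to a different router, so the sticky timeout should be longer than the longest idle period expected for a tunnel.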

Similar Messages

  • Can ACE module and 4710 appliance work redundant together

    Hi.
    I am setting up a testlab for ACE loadbalancing and need to test functionality on both the ACE module and the 4710 appliance.
    Can one of each of these two be set up redundant together with full functionality? Or do I have to test redundancy for 2x ACE modules and 2x 4710 appliances separately?
    Thanks in advance for any help!

    It won't work.
    The code checks if the devices are the same during the HA negotiation.
    If you do a 'show ft peer detail' you should see at the end :
    SRG Compatibility            : WARM_COMPATIBLE
    License Compatibility        : INCOMPATIBLE
    These 2 entries indicate if the boxes are compatible to run HA between each other.
    The version is checked and the license.
    Both would be different between an ACE module and ACE appliance.
    Gilles

  • Difference between ACE module and ACE appliance

    Hi All,
    Can someone help to understand the difference between ACE module and ACE appliance, as I am observing ACE module is providing more throughput when compared to the ACE appliance. Is the only advantage we are getting with contexts ....
    Thanks in advance,
    Narayana Mallidi

    Hi Narayan,
    Apart from providing throughput, ACE module has more to offer:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_ACE_Resource_Limits
    The above link will provide a comparison of ACE module and ACE appliance in terms of scalability. Apart from that, legacy modules won't support compression, but ACE 30 module can support compression.
    The major advantage of ACE 30 module is with respect to SSL throughput, SSL TPS, L4 & L7 CPS, & concurrent connections per second, apart from the increased contexts.
    ACE 4710 Data Sheet :
    http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/Data_Sheet_Cisco_ACE_4710.html
    ACE20 Data Sheet
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/product_data_sheet0900aecd8045861b.html
    ACE 30 Data Sheet
    http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/data_sheet_c78_632383.html
    Regards
    Abijith

  • ACE Module and Limiting Connections

    We currently use the ACE module to load-balance IPsec connections into SPAs. Since the SPAs only support 60 new connections per second, I was looking for a way to limit the amount of connections from the ACE to the SPAs.

    Hello,
    Have a look at the Configuring Real Server Rate Limiting section of the ACE documentation.  I think this will meet your needs.
    Hope this helps,
    Sean

  • ACE module and inspect http

    I find information on Cisco.COM how to perform the deep packet inspection of Layer 7 HTTP but I don’t want to use such deep inspection so I decided to use inspect http without policy Layer7 and I don’t know what ACE performs.  Could you tell me what ACE checks? Is it possible to customize?
    I have to be honest. I found something like this “the ACE performs a general set of Layer 3 and Layer 4 HTTP fixup actions and internal RFC “ but I couldn’t imagine how HTTP could be fixup and what is internal RFC.
    Regards
    Falcon

    Hi Chris,
    I’m so grateful to you for answering me but I still have a problem with “inspect http”. In my case I would like to check only the method. I don’t want to check URL parsing or header parsing etc. Is it possible? I ask because the owner of the website is not sure about the standard in URL or header response.
    Cheers,
    Falcon

  • ACE module, TLS and smtp

    Hello,
    On an ACE module running software version ACE2(1.0), I have defined a virtual smtp server that is load-balanced to a serverfarm containing 2 SMTP servers. Normal SMTP connections on port 25 work fine. SMTPS connections to port 465 of a second vserver also work fine: SSL termination occurs at the ACE module and SMTP connections to the real servers are in clear text on port 25. But I am having problems with TLS.
    If a client connecting to port 25 of the first vserver tries to negotiate TLS, it works but it's the real server that handles TLS encryption. This is normal behavior - but the certificate has to be installed on each of the real servers. I would like the ACE module to handle TLS (it's supported according to the documentation). That way the certificate would only have to be installed on the ACE module.
    So I tried to setup a third vserver on port 587 with the same "proxy-service" as the second vserver used for SSL. If a client connects to port 587 of the vserver via TLS, we only see the 3-way handshake between the client and the vserver, then a pause of a few seconds, then a FIN from the client and finally an ACK and a RESET from the vserver.
    There are absolutely no lines in the log that could help me find out what's happening.
    I found the "debug ssl" command in the documentation but I don't know how to use it - I entered the command and nothing happened; I don't know where the debugging information goes. This is probably why there's a warning that says that "The ACE debug commands are intended for use by trained Cisco personnel only."...
    So my questions are: why is TLS not working? How can I find out why it's not working? Where does the "debug" information go when we use the "debug" commands?
    Thanks a lot for any help you can give me!
    Regards,
    Marc.

    SMTP over TLS is not supported in ACE currently.
    SMTP doesn't use SSL/TLS simply as a secure transport like LDAP, IMAP, POP, HTTP.
    In case of SMTP client needs to open a new conn.
    So ACE or for that matter any other SMTP relay device needs to terminate conn, look in to the SMTP pkts and punch hole according to the new client conns.
    You can get more details at
    http://tools.ietf.org/html/rfc2487
    Syed

  • ACE modules not syncing up

    Hi,
    I was adding logging and snmp to my ACE modules this weekend. I first made the changes to the primary ACE module and did a wr mem; I then went to my secondary module and noticed that the modules did not sync.
    After some troubleshooting; I decided to reboot the secondary module, when the module came back, it was in sync.
    Has anyone run into this issue before? What is the command that will show me who is my primary module and the state of the modules?
    I am running ACE code: A2.1.2
    Regards,
    John...

    Thank you for your reply; I think that this was my problem:
    14:1007 => Feb 01 07:57:27: ha_process_message:1818 Running sync info: mode 0, status 0, reason Detected license mismatch with peer, disabling running-config auto sync
    14:1008 => Feb 01 07:57:27: ha_process_message:1822 Startup sync info: mode 0, status 0, reason Detected license mismatch with peer, disabling running-config auto sync
    I first upgraded the license on my primary and made my changes, then tried to sync. The only problem I see here is that when I did the wr mem the module started to sync and said that the sync process was complete.
    John...

  • ACE Module

    Basically we have a running ACE context which works however we are using natting and we have some applications complaining that they can't see the source address of things. So I created a whole new context with the following config but I have the problem of when the client is on the server side network the traffic never makes it there.
    ACE1/10.0.0.0_Network# sho run
    Generating configuration....
    access-list ALL line 8 extended permit ip any any
    rserver host CE-565-1
    ip address 10.0.2.83
    inservice
    serverfarm host Content_Engine_SF
    rserver CE-565-1
    inservice
    class-map match-all Content_Engine_VIP
    2 match virtual-address 10.0.18.101 any
    class-map type management match-any Remote_Management
    2 match protocol http any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    policy-map type management first-match rmt_mgt_policy
    class Remote_Management
    permit
    policy-map type loadbalance first-match Content_Engine_VIP-l7slb
    class class-default
    serverfarm Content_Engine_SF
    policy-map multi-match int18
    class Content_Engine_VIP
    loadbalance vip inservice
    loadbalance policy Content_Engine_VIP-l7slb
    loadbalance vip icmp-reply active
    access-group input ALL
    interface vlan 3
    description Server_Side
    ip address 10.0.3.240 255.255.254.0
    mac-sticky enable
    no shutdown
    interface vlan 18
    description Client Side Network
    ip address 10.0.18.251 255.255.255.0
    mac-sticky enable
    service-policy input int18
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.18.1
    If I telnet to the vip from my machine 172.16.6.222 it works fine. If I telnet from 10.0.18.30 it works fine. However when I telnet from a machine on the vlan 3 10.0.2.188 it does not work. I would have thought the mac-sticky option would work but it seems to be doing nothing. Any ideas without using a NAT pool would be great so we can see the originating IP address.

    If you are initiating traffic from serverA to a vip that load balances to serverB in that same vlan you will have an asymmetric flow. ServerA is on the same vlan as serverB. Since both servers are in the same subnet, ServerB will ARP for serverA address and send the response directly to serverA. The traffic will never make it back to the ACE. There are a few things you can do:
    1. Use NAT to ensure the return traffic makes it back to ACE.
    2. Insert HTTP header with client IP address. This only works for HTTP traffic and your application must be able to recognize this header for logging.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
    3. Use Direct Server Return (DSR). This feature has been committed to ACE 2.0. This will require the servers to be L2 adjacent to the ACE module and you will need to configure the VIP address as a loopback address on the server. Here is CSM documentation that lists some of the limitations with DSR:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/netwcsm.html#wp1065827

  • ACE Switchover and Config Sync

    Hi
    I'm new to the ACE module and trying to set up some scenarios and I have already run into some troubles.
    Question 1)
    I configured redundancy to another module - virtualised mode. Config sync between the contexts worked fine. If I change something in the active context it was copied to the standby context. But if I changed something in the active Admin context it was not copied to the standby Admin context.
    Question 2)
    FT Switchover in the Admin context is not possible returns the following fault:
    ACE_Switch08/Admin# ft switchover
    This command will cause card to switchover (yes/no)? [no] yes
    Invalid FT group. FT switchover command will be ignored.
    ACE_Switch08/Admin#
    If I switch a single FT group it works. But how is it possible to switch all FT groups at the same time? Do I have to switch each context by itself?
    Question 3)
    After I have switched the active context to the standby context, the ft group x command shows both peers as active. After I take the standby ft group no inservice and back inservice it shows correctly Active and standby_HOT.
    The configuration:
    hostname ACE_Switch08
    boot system image:c6ace-t1k9-mz.3.0.0_A1_4a.bin
    resource-class RC1
    limit-resource all minimum 10.00 maximum equal-to-min
    class-map type management match-any REMOTE_ACCESS
    description -- Remote Access traffic match --
    2 match protocol telnet any
    3 match protocol ssh any
    4 match protocol icmp any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_ACCESS
    permit
    interface vlan 2100
    ip address 172.29.190.16 255.255.255.0
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    no shutdown
    ft interface vlan 2020
    ip address 192.168.100.1 255.255.255.0
    peer ip address 192.168.100.2 255.255.255.0
    no shutdown
    ft peer 1
    heartbeat interval 200
    heartbeat count 20
    ft-interface vlan 2020
    ip route 0.0.0.0 0.0.0.0 172.29.190.1
    context sf0-2200
    allocate-interface vlan 2201
    allocate-interface vlan 2207
    member RC1
    context sf0-2220
    allocate-interface vlan 2221
    allocate-interface vlan 2227
    member RC1
    ft group 1
    peer 1
    no preempt
    priority 200
    peer priority 150
    associate-context sf0-2200
    inservice
    ft group 2
    peer 1
    no preempt
    priority 200
    peer priority 150
    associate-context sf0-2220
    inservice
    username admin password xxx role Admin domain default-domain
    username www password xxx role Admin domain default-domain
    Any help is appreciated
    pat

    Hi Pat,
    1)
    For my config I just put the "user" or "backend" contexts into ft groups. I don't sync the admin contexts on both ACEs. I am not even sure if that makes sense or is "best practice".
    So if you don't put the admin context into an extra ft group it won't be synced. You have to configure the admin contexts on each physical ACE separately.
    Putting the contexts sf0-2200 & sf0-2220 into an ft group and not having an ft group for admin is the way to go IMHO.
    2)
    If you do a switchover you always have to specify which context you want to switchover. I don't think that you can actually switchover a whole bunch of contexts with this command. If you want to do that a reload is the only way AFAIK.
    Try:
    ft switchover 1
    ft switchover 2
    3)
    This could be because you have not configured the other ACE's admin context to participate in the ft properly.
    My configs look like this.
    ACE01:
    ft interface vlan 777
    ip address 172.16.99.1 255.255.255.252
    peer ip address 172.16.99.2 255.255.255.252
    no shutdown
    ft peer 1
    heartbeat interval 200
    heartbeat count 20
    ft-interface vlan 777
    query-interface vlan 444
    ft group 3
    peer 1
    priority 150
    peer priority 110
    associate-context FOO
    inservice
    ft group 4
    peer 1
    priority 150
    peer priority 110
    associate-context BAR
    inservice
    ft group 2
    peer 1
    priority 150
    peer priority 110
    associate-context FOO-BAR
    inservice
    ACE02:
    ft interface vlan 777
    ip address 172.16.99.2 255.255.255.252
    peer ip address 172.16.99.1 255.255.255.252
    no shutdown
    ft peer 1
    heartbeat interval 200
    heartbeat count 20
    ft-interface vlan 777
    query-interface vlan 444
    ft group 2
    peer 1
    no preempt
    priority 110
    peer priority 150
    associate-context FOO
    inservice
    ft group 3
    peer 1
    no preempt
    priority 110
    peer priority 150
    associate-context BAR
    inservice
    ft group 4
    peer 1
    no preempt
    priority 110
    peer priority 150
    associate-context FOO-BAR
    inservice
    Hope that helps
    Roble

  • Design ? about SNMP operation in ACE module ... Traps sent to different Mgmt Stations

    Good Day everyone,
    I searched the site, and I could not find the answer I was looking for, so If anyone happens to know or point me to a link I would greatly appreciate it.
    Topic:
    Can ACE module send different Traps (oid) to different management stations? Split decision processing to send specific traffic to specific stations, based on the alert it has detected.
    Scenario:
    Our network equipments have a demarc point on what devices are managed via SNMP (Traps, syslog, EMS, etc...); Routers, Switches, ACE modules, and so forth.
    However, we are not responsible for the App Servers assigned to various broadcast domains.
    Customer would like to receive Notification from the ACE module when a Real Server is taken out of rotation , when specific probes have failed.
    My team manages the ACE module, so any alerts from the ACE will be sent to the management station configured in our network.
    Unfortunately I do not have a Test Lab to test my theory, so any help would be greatly appreciated before I submit my Production configs.
    Design Requirements:
    Customer would like the following traps generated and sent to their management station:
    1) Real Server host name
    2) TCP port
    3) Real Server IP address
    4) If capable, percentage threshold for each real server, based on the prediction configured for each Server Farm
    5) Can a NetIQ agent be downloaded on the ACE module to communicate with the NetIQ management station?
    As always thank you for any help you can provide, and if you happen to be around Huntsville Alabama/USA.. you got a cold beer waiting for you!!!!
    Cheers,
    -raman

    Gilles,
    Thank you for your prompt answer.
    When you have time please look over the following question and let me know if it is possible to implement, if the Proxy server is not an option?
    Can a custom TCL script be executed to send a notification via SMTP if a health probe fails?
    The SMTP message will contain the server info (IP address, Host name, TCP port).
    The script procedure will execute certain actions based on the returned result.
    Thanks,
    raman
    P.S
    Sorry about not being up to speed on TCL. I am reading up on the TCL capability, and trying to provide some options to my customer.

  • Can not import ACE module to ANM

    Hello,
    Good day.
    I have recently been facing an interesting problem.
    We are running ANM 5.1.0 to manage our LB contexts; those contexts are configured on ACE20-MOD-K9 modules which are installed in a Catalyst6500 switch. Our installation is like this: two ACE20-MOD-K9 modules installed into different slots of the same Catalyst6513. Those two ACE modules serve different Data Halls; the contexts configured on those modules are completely separated, different VLAN, different subnet, no relation at all.
    I'm able to import the Catalyst chassis into ANM and under Config>Guided Setup>Import Device>Modules, I'm able to see both ACE modules but only one module is able to be imported; the other one I cannot even choose. There is a slight difference in how those two modules show themselves on that page. The one I'm able to import shows exactly its module type and version number but the other one is showing something strange.
    Slot#      Model                     Type            Serial #      State                 Version                Description                                      #VC
    3            ACE20-MOD-K9      ACE v2.3      XXXXXX      up                     A2(3.5)                Application Control Engine Module      28
    9            ACE20-MOD-K9      Module         XXXXXX      Not Imported      ace2t_main_d      Application Control Engine Module      N/A  <---problem module
    Has anyone faced a similar problem?
    Thanks

    I think I found something related to my issue.
    In the ANM operating guidance, the section "Importing ACE Modules after the Host Chassis has been Imported" mentions some restrictions. The module in slot 9 actually has a similar situation: the show module command shows that the Catalyst chassis doesn't really recognize the software version, which might have caused ANM to be unable to figure out whether that module is supported, so it makes a simple decision to deny the import. I will try to reboot that module to see if we can fix this issue.
    "Guidelines and Restrictions
    ANM 3.0 and greater releases do not support the importing of an ACE module that contains an A1(6.x) software release or an ACE appliance that contains an A1(7.x) or A1(8.x) software release. If you attempt to import an ACE that supports one of these releases, ANM displays a message to instruct you that it failed to import the unrecognized ACE configuration and that device discovery failed.
    However, if you perform an ANM upgrade (for example, from ANM 2.2 to ANM 3.0), and the earlier ANM release contained an inventory with an ACE module that supported the A1(6x) software release or an ACE appliance that supported the A1(7.x) or A1(8.x) software release, ANM 3.0 (and greater) allows the A1(x) software release to reside in the ANM database and will support operations for the release. ANM prevents a new import of an ACE module or ACE appliance that contains the unsupported software version.
    We strongly recommend that you upgrade your ACE module or ACE appliance to a supported ACE software release, and that you instruct ANM to recognize the updated release. See the "Instructing ANM to Recognize an ACE Module Software Upgrade" section.
    See the Supported Device Tables for the Cisco Application Networking Manager for a complete list of supported ACE module and ACE appliance software releases."
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/5.2/user/guide/UG_manage_devices.html

  • ACE Module vs ACE Appliance

    Hello,
    What is the difference between ACE Module and ACE Appliance? Why is the ACE Module better? Or the ACE Appliance? What is the advantage between Module and Appliance?
    Can anyone explain it to me?
    Best Regards

    In the past Cisco has been shipping two line of Loadbalancing products
    First line ( modules dedicated for 6500/7600 chassis ) includes CSM & CSM-S & SSLSM (for ssl offloading)
    The other line comprises of appliance based CSS series products.
    ACE module is a next generation module replacing CSM modules that fits into 6500/7600 chassis.
    It gives you up to 16Gbps throughput (versus CSM's 4Gbps throughput).
    ACE appliance is a next gen replacement of CSS line of appliance based products.
    CSS appliances were used to come in different Hardware models with varied
    performance capacities. ACE appliance is a single hardware with various licenses
    used to scale the performance/features. ACE appliance supports up to 4Gbps of throughput.
    Previously CSS & CSM code terminologies & command set was different. For example a real server
    was termed as "service" in CSS & was called "real" in CSM . Similarly "probe" in CSM was "keepalive"
    in CSS.
    With ACE line of products you get the same terminologies & command sets for both
    modules & Appliances.
    ACE Appliance & ACE modules are functionality-wise coming closer with every new release but
    still there are some differences.
    For example following ACE appliance features are not available in ACE module:
    Appl optimization (flash forward, Delta Encoding)
    Embedded Device manager
    Http compression
    Which one is better than the other really depends on your requirement
    From a performance perspective the Module gives you much higher performance than the Appliance.
    So if performance is your criterion the ACE module is better than the ACE appliance. (Some performance metrics at the end of the post.)
    If you are looking for Application optimization & HTTP compression along with Loadbalancing
    then it can only be achieved with ACE appliance.
    If you are not using 6500/7600 series chassis in your environment then you can only use ACE appliance
    (unless you are open to buy module+chassis due to performance requirement).
    Some performance metrics
    Ace Appliance supports 1 Million concurrent connections where as Ace Module supports 4 Million.
    Ace Appliance supports 120K L4 conn/sec where as Ace Module supports 380K L4 conn/sec.
    Ace Appliance supports 40K L7 conn/sec where as Ace Module supports 133K L7 conn/sec.
    Ace Appliance supports up to 4Gbps throughput where as Ace Module supports 16Gbps throughput.
    HTH
    Syed Iftekhar Ahmed

  • ACE Module throughput

    Hi
    In the datasheet of the ACE module (ACE20-MOD-K9) there is the following promise:
    Throughput
    16 Gbps*, 8 Gbps*, and 4 Gbps
    We have a base license, so I assume we have a throughput of 4Gbps (gigabits per second).
    Are these 4Gbps bidirectional or unidirectional?
    Is it 2Gbps in one direction and 2Gbps in the other direction?
    Imagine we have just 1 host (A) before the ACE module and just 1 host (B) behind the ACE module. Can I transfer data from A to B (unidirectional) with 4Gbps? Assume the hosts are connected with 10Gbps to the network and use multiple flows!
    How can I measure the effective used bandwidth on the ACE module?
    What happens if host A tries to send data faster than 4Gbps? Does it deny single packets? Based on what? Does it deny additional sessions?
    How do I know that the ACE runs at its bandwidth limitation?
    Any ideas?
    Thanks
    Patrik

    Hi Patrik,
    See my answers inline:
    We have a base license, so I assume we have a throughput of 4Gbps (gigabits per second). Are these 4Gbps bidirectional or unidirectional? Is it 2Gbps in one direction and 2Gbps in the other direction?
    It measures the total throughput going through the box. It includes both directions. Also take into account that, for any traffic through the ACE, the packets are seen twice (client to ACE and ACE to server), so the effective throughput is half of the licensed one.
    Imagine we have just 1 host (A) before the ACE module and just 1 host (B) behind the ACE module. Can I transfer data from A to B (unidirectional) with 4Gbps? Assume the hosts are connected with 10Gbps to the network and use multiple flows!
    You could get up to 2Gbps unidirectional. This traffic will go through the ACE twice, adding to the 4Gbps license.
    How can I measure the effective used bandwidth on the ACE module?
    With the "show resource usage" command.
    What happens if host A tries to send data faster than 4Gbps? Does it deny single packets? Based on what? Does it deny additional sessions?
    It will drop packets that go over the bandwidth without taking into account to which connection they belong.
    How do I know that the ACE runs at its bandwidth limitation?
    Again, "show resource usage"
    Regards
    Daniel

  • Do i have a dead ACE module?

    I rebooted one of my HA ACE modules and it hasn't come back up.  The logs on the 6500 show the following..
    Mar 23 08:54:25: %DIAG-SP-6-RUN_COMPLETE: Module 4: Running Complete Diagnostics...
    Mar 23 08:54:28: %SVCLC-5-SVCLCVTPMODE: VTP mode is set to non-transparent
    Mar 23 08:54:28: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
    Mar 23 08:54:27: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
    Mar 23 08:54:28: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
    Mar 23 08:54:43: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
    Mar 23 08:55:18: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
    Mar 23 08:57:30: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
    Mar 23 09:07:23: %SNMP-5-MODULETRAP: Module 4 [Down] Trap
    Mar 23 09:07:23: SP: The PC in slot 4 is shutting down. Please wait ...
    Mar 23 09:07:56: SP: PC shutdown completed for module 4
    Mar 23 09:08:06: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Fabric channel errors)
    Mar 23 09:15:48: %DIAG-SP-6-RUN_COMPLETE: Module 4: Running Complete Diagnostics...
    Mar 23 09:15:50: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
    Mar 23 09:15:51: %SVCLC-5-SVCLCVTPMODE: VTP mode is set to non-transparent
    Mar 23 09:15:51: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
    Mar 23 09:15:51: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
    Mar 23 09:16:06: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
    Mar 23 09:16:41: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
    Mar 23 09:17:45: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
    Mar 23 09:28:00: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
    Mar 23 09:28:46: %SNMP-5-MODULETRAP: Module 4 [Down] Trap
    Mar 23 09:28:46: SP: The PC in slot 4 is shutting down. Please wait ...
    Mar 23 09:29:19: SP: PC shutdown completed for module 4
    Mar 23 09:29:29: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Fabric channel errors)
    Mar 23 09:37:11: %DIAG-SP-6-RUN_COMPLETE: Module 4: Running Complete Diagnostics...
    Mar 23 09:37:13: %SVCLC-5-SVCLCVTPMODE: VTP mode is set to non-transparent
    Mar 23 09:37:13: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
    Mar 23 09:37:12: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
    Mar 23 09:37:13: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
    Mar 23 09:37:28: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
    Mar 23 09:38:03: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
    Mar 23 09:38:15: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
    The output of the ACE console is the following....
    System Bootstrap, Version 12.2[123],
    Copyright (c) 1994-2009 by cisco Systems, Inc.
    Slot 4 : Running DEFAULT rommon image ...
    .ACE platform with 1048576 Kbytes of main memory
    .Loading disk0:c6ace-t1k9-mz.A2_3_4.bin.  Please wait ....
    Uncompressing Linux...
    Starting the kernel...
    INIT: version 2.78 booting
    Mounting Second Ramdisk ....
    Second Ramdisk successfully mounted
    Configuring network interfaces.
    CF dump: Register callback functions
    dosfsck 2.11, 12 Mar 2005, FAT32, LFN
    /dev/cf: 11 files, 26575/63414 clusters
    FAT FS is ok
    Compact Flash size 1014624(in 1k blocks) ...
    Core file size 204800
    Available free size in cf is 589424 (in 1k blocks) ...
    set_coredump 2.11, 12 Mar 2005, FAT32, LFN
    first_cluster = 0x5102 num_cluster = 0x40 (64)
    inserting procfs
    inserting isan_kthread
    inserting wiremod
    inserting klib
    inserting resdrv
    inserting tlv
    inserting sse
    inserting kpss
    inserting sdwrap
    creating sdwrap device
    inserting klm_tl
    creating tl device
    inserting klm_scp
    inserting klm_mts
    creating mts0 device
    creating mtscfg0 device
    inserting utaker
    creating utaker0 device
    creating utaker1 device
    inserting sysmgr-hb
    creating sysmgr-hb device
    inserting modlock
    creating modlock device
    inserting bufmgr
    inserting pkt_fifo
    inserting encdec
    creating encdec device
    inserting pseudo
    inserting drammap mod
    creating drammap device
    inserting ixp_dnld
    creating ixp_dnld device
    inserting sysdrv
    creating sysdrv device
    New registry installed.
    INIT: Entering runlevel: 3
    inserting i2c module
    inserting ssa driver
    inserting cde driver
    inserting bf_dnld driver
    inserting pfm_drv driver
    inserting regaccess driver
    inserting bf_nvram driver
    Firmware compiled 21-Jan-11 13:14 by integ Build [25600]
    ACE Daughter boards DB1 not present DB2 not present.
    downloading fpga to cde 1
    Read 3262454 bytes from ./cde1_core.bit
    FPGA Date: 2007/12/18 Time: 14:22: 0
    CDE 1 download successful
    downloading fpga to cde 2
    Read 2377744 bytes from ./cde2_core.bit
    FPGA Date: 2007/ 8/15 Time: 20:59:47
    CDE 2 download successful
    FPGA Programming Done
    CDE 1 revision ID 0403
    CDE 2 revision ID 0402
    enabling cde 0 interrupts
    finished CDE setup
    Configuring NP 1 Memory
    Configuring NP 2 Memory
    Waiting for NP 1 SRAM memory to clear...success
    Downloading NP 1 Image
    Waiting for NP 2 SRAM memory to clear...success
    Downloading NP 2 Image
    ..... 0x4eef60 (5173088) bytes downloaded
    ..... 0x4eef60 (5173088) bytes downloaded
    Loading Nitrox driver.
    PCI device 177d:0002
    Writing register at address 3838 with e00
    size = 8108
    Ctx memory range(0x0000000-0x10000000)
    Cleared 262144 1024-byte blocks in 5 requests.
    N2SetupMicrocode: failed; error code 3
    Writing register at address 3898 with 1
    N2LoadMicrocode: failed; error code 3
    N2LoadMicrocode: failed; error code 3

    Hello Akhtar,
    Can you upload the command: #show version?
    Can you upload the dir core: output? Hopefully the ACE might have generated some core dumps which might help us to determine the failure.
    Here you have a link about getting the core dumps:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting#Copying_Core_Dumps
    Have you experienced this issue before? Did you experience this issue during a high peak of traffic?
    Did you apply any change in the configuration?
    #show tech-support and the core dumps would help to determine if this was a hardware failure or a software defect.
    Jorge

  • ACE module hung and required hard reset !!Plz help

    The ACE module had a bit flip and it hung after that. I was not able to run any command (e.g. if I ran show ft status, nothing was displayed). I was not able to run any command on the standby ACE as well. Could this be both ACE modules being ACTIVE?
    A manual reboot from the ACE did not work. I had to force a hardware reset from the Cat 6500.
    Is this a bug or strange behaviour?
    I am running ACE A2(2.3) version on the module.
    Thanks
    ALEX

    Usually in the case of a bit flip the ACE will reset itself, which clears the problem. In order to understand what is happening to your ACE, you would have to open a TAC case, and provide show tech information, as well as any files that were generated in the "core:" directory. You can view these using the command "dir core:".
    It seems odd that the standby ACE also wouldn't respond to any command input. Did you have to reset it as well? If you had to reset it as well, then it may have encountered the same conditions that caused the hang on the primary.
    Were there any syslog messages generated on the 6500 switch during that time?
