ACE Module Cookie Parsing causes Reset Connection
I am trying to upgrade my ACE Modules from A2(1.3) to A2(3.2). Unfortunately, the cookie parsing breaks when there are illegal characters and causes a connection reset (RST) when there is an invalid cookie, but only on code later than A2(1.3).
The cookie in question is being passed by a third party so making them change the cookie is not necessarily do-able. The cookie has the following value:
Cookie: CurrentUser={"UserKey":{"Key":"anonymous"},"LastUpdated":"10/13/2010 1:35:52 PM"}
We are using the following parameter map:
parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 20480
  length-exceed continue
On the older code, the request is passed on to the server.
Is there a setting similar to "length-exceed continue" that I can give the ACE to tell it to ignore cookies it cannot parse?
HTTP inspection is not enabled.
Did you mean adding a class-default to the policy-map?
Adding it to the policy-map does make it match the class-default. Unfortunately, cookie parse errors result in the inability to parse both the cookie and the host header as well. It seems that rather than just failing to parse the cookie and being unable to do sticky matching - it completely fails the entire header parsing.
Here's our setup:
rserver host test1
  ip address 192.168.1.101
  inservice
rserver host test2
  ip address 192.168.1.102
  inservice
rserver host test3
  ip address 192.168.1.103
  inservice
rserver host test4
  ip address 192.168.1.104
  inservice
serverfarm host auto
  probe HTTP-diagnostic
  rserver test1
    inservice
  rserver test2
    inservice
serverfarm host news
  probe HTTP-diagnostic
  rserver test3
    inservice
  rserver test4
    inservice
sticky http-cookie autoCookie auto-cookie
  cookie insert browser-expire
  replicate sticky
  serverfarm auto
sticky http-cookie newsCookie news-cookie
  cookie insert browser-expire
  replicate sticky
  serverfarm news
class-map type http loadbalance match-any auto
  2 match http header Host header-value "www.auto.local"
  3 match http header Host header-value "auto.local"
class-map type http loadbalance match-any news
  2 match http header Host header-value "www.news.local"
  3 match http header Host header-value "news.local"
class-map match-all prod_VIP
  2 match virtual-address XXX.XXX.XXX.XXX tcp eq www
policy-map type loadbalance first-match prod_POLICY
  class auto
    sticky-serverfarm auto-cookie
  class news
    sticky-serverfarm news-cookie
  class class-default
    sticky-serverfarm auto-cookie
policy-map multi-match aggregate-slb-apps
  class prod_VIP
    loadbalance vip inservice
    loadbalance policy prod_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    appl-parameter http advanced-options CASE_PARAM
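Added example (not part of the original thread, and not Cisco code): a Python check of the posted Cookie header against the RFC 6265 cookie-value grammar, showing which characters in it are illegal and what a percent-encoded, grammar-compliant form would look like. Whether the A2(3.2) parser rejects on exactly these characters is an assumption the thread does not confirm; the well-formed header and all function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import quote

# RFC 6265 section 4.1.1:
#   cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
# i.e. printable US-ASCII minus space, DQUOTE, comma, semicolon, backslash.
COOKIE_OCTET = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]")
# Cookie names are HTTP tokens.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Header from the post, plus a constructed well-formed header for contrast.
POSTED = ('Cookie: CurrentUser={"UserKey":{"Key":"anonymous"},'
          '"LastUpdated":"10/13/2010 1:35:52 PM"}')
WELL_FORMED = "Cookie: autoCookie=R1234567890; lang=en-US"  # constructed sample


def split_cookie_header(line):
    """Return [(name, raw_value)] from a 'Cookie: ...' header line."""
    _, _, value = line.partition(":")
    pairs = []
    for part in value.split(";"):
        part = part.strip(" \t")
        if part:
            name, _, raw = part.partition("=")
            pairs.append((name, raw))
    return pairs


def illegal_octets(raw):
    """Count characters in a cookie value that fall outside cookie-octet."""
    # The grammar also allows the whole value to sit inside one DQUOTE pair.
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return dict(Counter(ch for ch in raw if not COOKIE_OCTET.fullmatch(ch)))


def audit(line):
    """Report, per cookie, whether name and value meet the RFC 6265 grammar."""
    report = []
    for name, raw in split_cookie_header(line):
        bad = illegal_octets(raw)
        report.append({
            "name": name,
            "name_ok": TOKEN.fullmatch(name) is not None,
            "illegal": bad,
            "compliant": not bad,
        })
    return report


def encode_value(raw):
    """Percent-encode a value so that every octet is a legal cookie-octet."""
    return quote(raw, safe="")


if __name__ == "__main__":
    for line in (POSTED, WELL_FORMED):
        for item in audit(line):
            print(item)
    # What the third party would send if it percent-encoded the JSON value.
    print(encode_value(split_cookie_header(POSTED)[0][1]))
```

The colons, braces and slashes in the JSON value are legal cookie octets; only the double quotes, the comma and the spaces fall outside the grammar.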
Similar Messages
-
Cisco ACE module missing licence file - no connectivity
Hi,
We have 2 ACE modules that were delivered without any licenses.
There is no IP connectivity whatsoever to these modules and I'm guessing this is due to the fact there are no licenses installed.
Have tried asking Cisco to no avail - and am not sure if there is an actual problem with them or not.
The VLANs are assigned correctly and I can see inbound ICMP echo from the 6509 that its hosted in, but no outbound packets ever leave the ACE. I've applied a mgmt policy to enable ping/telnet/ssh etc.
switch/Admin# sh vlans
Vlans configured on SUP for this module
vlan4 vlan30-31 vlan160 vlan180-195 vlan360 vlan380-395 vlan560 vlan580-
595 vlan760 vlan780-795
switch/Admin# sh ip int bri
Interface IP-Address Status Protocol
vlan4 10.119.127.196 up up
vlan30 10.119.127.241 up up
vlan31 10.119.127.245 up up
interface vlan 4
description ACE Mgmt interface for Admin Context
ip address 10.119.127.196 255.255.255.224
service-policy input REMOTE_MGMT
no shutdown
vlan4 is up
Hardware type is VLAN
MAC address is 00:1f:ca:7b:6f:33
Mode : routed
IP address is 10.119.127.196 netmask is 255.255.255.224
FT status is non-redundant
Description:ACE Mgmt interface for Admin Context
MTU: 1500 bytes
Last cleared: never
Alias IP address not set
Peer IP address not set
Assigned from the Supervisor, up on Supervisor
Config download failures : 1
2980 unicast packets input, 16363862 bytes
240857 multicast, 3026 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
0 unicast packets output, 187712 bytes
0 multicast, 2933 broadcast
0 output errors, 0 ignored
switch/Admin# sh arp
Context Admin
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
10.119.127.193 00.00.00.00.00.00 vlan4 GATEWAY - * 3 req dn
10.119.127.196 00.1f.ca.7b.6f.33 vlan4 INTERFACE LOCAL _ up
10.119.127.245 00.1f.ca.7b.6f.33 vlan31 INTERFACE LOCAL _ up
10.119.127.241 00.1f.ca.7b.6f.33 vlan30 INTERFACE LOCAL _ up
================================================================================
Total arp entries 4
The ARP table for the adjacent switch SVI has a valid MAC upon reboot, but soon after resets to 00.00.00.00.00.00
Problem is that once Cisco eventually sends me the license file I have no way of TFTP'ing it to the ACE module.
Any suggestions/advice?
Thanks for the info - so I should at least be able to connect to a license-less ACE at least, but these modules seem to have a problem.
If the modules are reloaded (from the ACE) or reset (from the Supervisor) they initially have the ARP entry (however still cannot communicate to the attached Supervisor via SVI) which eventually resets.
Info as requested:
-
Ace module dropping asymmetric layer 2 connections
Hi, we had a situation where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server. The server in question was using Transmit Load Balancing with Fault Tolerance.
The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1. The ace module is in transparent mode. When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port. Does it share some kind of layer 2 RPF check with the 6500 ?
Please note there is no routing involved here. The destination server is just on another vlan on the same subnet, on the other side of the ace.
Bryan,
As long as the server replies back to the ACE the client should only be communicating with the VIP address in either of your two examples.
In your first example the flow will look like this.
client > VIP after the ACE client > rserver
the reply would be
rserver > client after the ACE VIP > rserver
In your second example using client nat it will look like this
Client > VIP After ACE Natpool > rserver.
the reply would be
rserver > Nat-pool after ACE VIP > client.
The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
Regards
Jim
-
ACE Module and Limiting Connections
We currently use the ACE module to load-balance IPSEC connections into SPA's. Since the SPA's only support 60 new connections per second, I was looking for a way to limit the amount of connections from the ACE to the SPA's.
Hello,
Have a look at the Configuring Real Server Rate Limiting section of the ACE documentation. I think this will meet your needs.
Hope this helps,
Sean
-
ACE module hung and required hard reset !!Plz help
ACE module had a bit flip and it was hung after that. I was not able to run any command (i.e. for example, if I ran show ft status, nothing was displayed). I was not able to run any command on the standby ACE as well. Could this be both ACE modules being ACTIVE?
Manual reboot from the ACE did not work. I had to force a hardware reset from the Cat 6500.
Is this a bug or strange behaviour?
I am running ACE A2(2.3) version on the module.
Thanks
ALEX
Usually in the case of the bit flip the ACE will reset itself, which clears the problem. In order to understand what is happening to your ACE, you would have to open a TAC case, and provide show tech information, as well as any files that were generated in the "core:" directory. You can view these using the command "dir core:"
It seems odd that the standby ACE also wouldn't respond to any command input. Did you have to reset it as well? If you had to reset it as well, then it may have encountered the same conditions that caused the hang on the primary.
Were there any syslog messages generated on the 6500 switch during the time?
-
LATELY HAVING A PROBLEM FORWARDING EMAIL VIA GOGGLE FROM FOX NEWS ARTICLES, WHEN I CLICK ON GOGGLE I SEE SAFARI CANNOT CONNECT WITH SERVER.
HAVE TRIED DELETING CACHE AND COOKIE, HISTORY AND RESETTING SAFARI WITH NO SUCCESS.
ANY HELP YOU CAN GIVE ME TO RESOLVE THIS ISSUE WOULD BE GREATLY APPRECIATED.
THIS IS MY FIRST TIME USING THIS FORUM, NEW AT THE COMPUTER WORLD.
HOPE YOU'LL BE ABLE TO HELP ME RESOLVE THIS PROBLEM.
THANK YOU!
It isn't Goggle. Did you make sure you went to Google?
-
I am facing an issue with Cisco ACE module. Have 5 servers serving the connections for applications. However, during peak hours there are a lot of dropped connections.
Also have a lot of fragment reassembly.
Please help how to go ahead troubleshooting the issue.
It is on the Cisco site. In the ACE datasheet to be exact. But I'm talking about the appliance. Not sure about the module. But should be the same. Only thing I was not sure was whether the same limits apply to the base license package, or are the figures lower for the base license. Cisco says that the numbers are the same for the base package.
However, I'm yet to verify it in the field.
-
I am getting this popup error when trying to open a .gif file:
"Could not complete your request because the file-format module cannot parse the file."
This comes up every time I try to open a .gif file. Even if I make a .gif file (like the image included in this post), save it and then try to open it again, I get the same error. I tried reinstalling CS4, but the error is still there. I have also done the reset on start-up and nothing. Some have suggested that I open it in (Windows XP Pro) MS Paint and then save it again. Did it and this does NOT work for me, either.
I know it's a Photoshop problem because I can see this file everywhere, except Photoshop. It will open here, there and everywhere, except for Photoshop.
I've searched the Adobe Community and it looks like no one has come up with a fix for this. I'm just curious after 5 years with this problem, has there been a solution?
Scott
One of the files that has the error is in my first post.
-
[ACE] What makes a sticky reset?
Hi,
Our websites are loadbalanced thru our ACE modules and we are using the sticky feature.
Sticky is needed so that the customers session will retain the content of its shopping basket.
About 10% of our customers complain that the basket is emptied during a session, forcing them to start over. In our logs we indeed see that some users are balanced to another server during a session. Apparently in these cases the sticky feature is ignored somehow.
My question is, what are the possible triggers that the ACE uses to dismiss the sticky for a given session and start a new one?
Could it for example be caused by an html-page containing a link to another vip than the vip the page is originally served from?
Or could a simple spelling-error in a link be the trigger?
Looking forward to any answer.
Kind regards,
Anthony van Harten
Hi, I've a similar scenario with a Cisco 4710 in a dmz, running a vip that end users are hitting from behind proxy and nat.
I enabled Cookie-Insert and its pushing down a cookie to the browser now, just wondering if I need to add persistence-rebalance when you are using cookie-insert. from the command reference it seems like all user sessions would end up on one rserver if i did that. Looking to ensure the round-robin is still used.
Usage Guidelines
With persistence rebalance enabled, when successive GET requests result in load balancing that chooses the same policy, the ACE sends the request to the real server used for the last GET request. This behavior prevents the ACE from load balancing every request and recreating the server-side connection on every GET request, producing less overhead and better performance.
Another effect of persistence rebalance is that header insertion and cookie insertion, if enabled, occur for every request instead of only the first request.
thanks
John W.
-
I am monitoring an ACE module using snmp. The values returned from certain OIDs are graphed using Cacti. I found the 64 bit counters on interfaces for the ACE wrap at 10,000,000,000 instead of 2^64. Now that I have configured cacti to expect the wrap at 10 billion, I am concerned about the 32 bit counters. I am querying this snmp oid to get L7 connection counter
cslbxStatsL7PolicyConns
1.3.6.1.4.1.9.9.254.1.1.1.1.8
Should I expect this counter to wrap at 2^32 or a lower value?
The maximum value for a 32bit OID should be 4294967296, I do have a value in my lab that is above 1 billion for that counter, so I wouldn't think there is an issue immediately. One common issue - when you clear stats manually, the counter will reset to 0. As well, I found an internal bug that suggested some pocket case within the code could have cleared stats incorrectly, but it has never been seen since. There is a guess that someone logged into the test bed and cleared it without permission, but it was not able to be verified. Hence the bug was created to investigate the code, turned up nothing, and was junked accordingly.
What you might want to do is keep a sharp eye on the counter. When it looks like it rolls, login to the context you are polling and take a look at the accounting log. If you find that someone cleared the logging, that answers the question. If not - log a TAC case and we can replicate your exact configuration/code version in our lab to see what the deviation is that causes it to clear. A bug would be logged and fixed.
Regards,
Chris Higgins
-
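Added example (not part of the original thread): a Python sketch of poll-to-poll delta handling for the two situations discussed above, a counter that wraps at a non-standard point (the 10,000,000,000 the poster observed) and a counter that drops because statistics were cleared. The poll values, the 300-second interval and the plausibility ceilings are constructed assumptions.

```python
WRAP_COUNTER32 = 2 ** 32          # standard SNMP Counter32 modulus
WRAP_ACE_IFACE = 10_000_000_000   # wrap point the poster observed on ACE interface counters


def step(prev, curr, wrap, max_delta):
    """Classify one poll-to-poll change of a monotonic counter.

    Returns (delta, kind) with kind in 'ok', 'wrap', 'reset'. A decrease is
    accepted as a wrap only when the delta it implies is plausible; anything
    larger is treated as a cleared counter and yields no delta.
    """
    if curr >= prev:
        return curr - prev, "ok"
    implied = (wrap - prev) + curr
    if implied <= max_delta:
        return implied, "wrap"
    return None, "reset"


def rates(samples, wrap, max_rate):
    """Turn [(unix_ts, value), ...] into [(unix_ts, per_second_rate, kind), ...].

    max_rate is the highest per-second rate considered believable for this
    counter (an operator-chosen assumption, not an ACE constant).
    """
    out = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        dt = t1 - t0
        delta, kind = step(v0, v1, wrap, max_rate * dt)
        out.append((t1, None if delta is None else delta / dt, kind))
    return out


# Constructed polls of cslbxStatsL7PolicyConns: steady 200 conn/s, one real
# wrap at 2^32, then a manual "clear stats" that drops the counter near zero.
L7_POLLS = [
    (0, 4_294_900_000),
    (300, 4_294_960_000),
    (600, 52_704),
    (900, 112_704),
    (1200, 1_500),
]

if __name__ == "__main__":
    for row in rates(L7_POLLS, WRAP_COUNTER32, max_rate=50_000):
        print(row)
    # Same interface-counter step evaluated with the observed and the nominal modulus.
    print(step(9_999_900_000, 800_000, WRAP_ACE_IFACE, 3_000_000))
    print(step(9_999_900_000, 800_000, 2 ** 64, 3_000_000))
```

A "reset" result is the point at which to check the accounting log for a manual clear, as the reply above suggests.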
Hi,
I configured a new serverfarm with leastconns predictor for two servers on our ACE module Version A2(2.3). Probes (show probes XX detail) to the servers are successful and both servers are operational (show serverfarm APPLI detail) but connections are directed only to one server.
When I deactived the server which is receiving the connections (no inservice), the ACE start to direct connection to the second server.
There are several serverfarms, configured the same way, that are load balancing traffic correctly.
Here is a sample of my config
serverfarm host TEST_443
  predictor leastconns
  probe TEST_443_PROBE01
  rserver TEST_RS01 443
    inservice
  rserver TEST_RS02 443
    inservice
sticky http-cookie TEST_HTTPS TEST_443_STKY
  cookie insert
  timeout 720
  replicate sticky
  serverfarm TEST_443
probe http TEST_443_PROBE01
  port 443
  interval 20
  passdetect interval 60
  passdetect count 5
  request method get url /test
  expect status 302 302
  connection term forced
policy-map type loadbalance first-match TEST_L7PLB_HTTPS
  class class-default
    sticky-serverfarm TEST_443_STKY_SF
    insert-http X-Forwarded-Proto header-value "https"
    insert-http X-Forwarded-For header-value "%is"
policy-map multi-match SLB-HTTP-POLICY
  class TEST_L4VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy TEST_L7PLB_HTTPS
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 202
    appl-parameter http advanced-options PERSIST
    ssl-proxy server TEST_SSL_PROXY_SERVER
PS : ACE uptime is 291days, could that impact ACE behavior ?
Thanks for any troubleshooting hints
Looking at this on my phone but it looks like your L7 policy is referencing a sticky server farm that does not exist.
ie TEST_443_STKY_SF is incorrect name for sticky
If that's not it. Then check that the first server actually has a number of conns on it when a new connection is established. Sometimes when both servers have 0 conns - new incoming conns will always go to the first server
Regards
Stephen
-
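Added example (not part of the original thread, and not a Cisco tool): a small Python linter that cross-checks object names in an ACE configuration and reports references to sticky groups, serverfarms or probes that are never defined, which is the mismatch the reply above points out. It understands only the command forms that appear in the configurations on this page; the parsing rules and function names are this example's own assumptions.

```python
import difflib

# Excerpt of the configuration posted above (indentation restored).
POSTED = """\
serverfarm host TEST_443
  predictor leastconns
  probe TEST_443_PROBE01
  rserver TEST_RS01 443
    inservice
  rserver TEST_RS02 443
    inservice
sticky http-cookie TEST_HTTPS TEST_443_STKY
  cookie insert
  timeout 720
  replicate sticky
  serverfarm TEST_443
probe http TEST_443_PROBE01
  port 443
  interval 20
policy-map type loadbalance first-match TEST_L7PLB_HTTPS
  class class-default
    sticky-serverfarm TEST_443_STKY_SF
"""

OPENERS = ("policy-map", "class-map", "parameter-map")
KINDS = ("host", "redirect")


def scan(config):
    """Collect object definitions and the references made to them."""
    defined = {"serverfarm": set(), "sticky": set(), "probe": set()}
    refs = []      # (line_no, kind, name)
    block = None   # type of the top-level block currently being read
    for line_no, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if not tok:
            continue
        head, argc = tok[0], len(tok) - 1
        if head == "serverfarm" and argc == 2 and tok[1] in KINDS:
            defined["serverfarm"].add(tok[2])
            block = "serverfarm"
        elif head == "sticky" and argc >= 2:
            defined["sticky"].add(tok[-1])    # group name is the last word
            block = "sticky"
        elif head == "probe" and argc == 2:
            defined["probe"].add(tok[2])      # probe <type> <name>
            block = "probe"
        elif head == "rserver" and argc == 2 and tok[1] in KINDS:
            block = "rserver"
        elif head in OPENERS:
            block = head
        elif block == "serverfarm" and head == "probe" and argc == 1:
            refs.append((line_no, "probe", tok[1]))
        elif block in ("sticky", "policy-map") and head == "serverfarm" and argc >= 1:
            refs.append((line_no, "serverfarm", tok[1]))
        elif block == "policy-map" and head == "sticky-serverfarm" and argc == 1:
            refs.append((line_no, "sticky", tok[1]))
    return defined, refs


def find_dangling(config):
    """Return [(line_no, kind, name, closest_defined_name_or_None)]."""
    defined, refs = scan(config)
    findings = []
    for line_no, kind, name in refs:
        if name not in defined[kind]:
            near = difflib.get_close_matches(name, sorted(defined[kind]), n=1)
            findings.append((line_no, kind, name, near[0] if near else None))
    return findings


if __name__ == "__main__":
    for line_no, kind, name, near in find_dangling(POSTED):
        hint = f" (did you mean {near}?)" if near else ""
        print(f"line {line_no}: undefined {kind} '{name}'{hint}")
```

Run against a partial paste, it also flags objects that are defined elsewhere in the full configuration, so findings need checking against the complete running-config.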
Hi
One of my ACE modules got restarted. The following are the error messages in the 6500 switches
Oct 22 13:38:40.411: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Module not responding to Keep Alive polling)
Oct 22 13:38:40.439: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Module not responding to Keep Alive polling)
The IOs version of the ACE is :- disk0:c6ace-t1k9-mz.3.0.0_A1_3b.bin
Switch Os version is : s72033-advipservicesk9_wan-mz.122-18.SXF7.bin
Could anybody tell me, is there any bug in the IOS? Or what could be the possible reason?
Thanks in Advance
Dinesh
I have a similar problem. The Catalyst restarts the ACE, and the ACE doesn't work.
Also I have two Catalysts connected in trunk, and I have two ACEs, one in each Catalyst. No redundancy. Both have the same problem.
ACE ios is: boot system image:c6ace-t1k9-mz.A2_1.bin
catalyst ios is: s72033-ipservicesk9_wan-mz.122-33.SXH2a.bin
log from catalyst:
17w2d: %CONST_DIAG-SP-6-HM_TEST_SP_INFO: TestAsicSync[1]: last_busy_percent[6%], Tx_Rate[3292], Rx_Rate[232]
17w2d: %CONST_DIAG-SP-2-HM_MOD_RESET: Resetting Module 1 for software recovery, Reason: Failed TestAsicSync
17w2d: %OIR-SP-3-PWRCYCLE: Card in module 1, is being power-cycled off (Diagnostic Failure)
17w2d: %HA_EM-6-LOG: Mandatory.go_asicsync.tcl: GOLD EEM TCL policy for TestAsicSync
17w2d: %SNMP-5-MODULETRAP: Module 1 [Down] Trap
17w2d: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (Diagnostic Failure)
17w2d: %SVCLC-5-SVCLCVTPMODE: VTP mode is set to non-transparent
17w2d: %SNMP-5-MODULETRAP: Module 1 [Up] Trap
17w2d: %DIAG-SP-6-RUN_MINIMUM: Module 1: Running Minimal Diagnostics...
17w2d: %DIAG-SP-6-DIAG_OK: Module 1: Passed Online Diagnostics
17w2d: %OIR-SP-6-INSCARD: Card inserted in slot 1, interfaces are now online
17w2d: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
17w2d: %FABRIC-SP-6-TIMEOUT_ERR: Fabric in slot 5 detected excessive flow-control on channel 0 (Module 1, fabric connection 0)
17w2d: %CONST_DIAG-SP-6-HM_TEST_SP_INFO: TestAsicSync[1]: last_busy_percent[6%], Tx_Rate[6293], Rx_Rate[298]
ANY advise?
-
ACE module not load balancing across two servers
We are seeing an issue in a context on one of our load balancers where an application doesn't appear to be load balancing correctly across the two real servers. At various times the application team is seeing active connections on only one real server. They see no connection attempts on the other server. The ACE sees both servers as up and active within the serverfarm. However, a show serverfarm confirms that the load balancer sees current connections only going to one of the servers. The issue is fixed by restarting the application on the server that is not receiving any connections. However, it reappears again. And which server experiences the issue moves back and forth between the two real servers, so it is not limited to just one of the servers.
The application vendor wants to know why the load balancer is periodically not sending traffic to one of the servers. I'm kind of curious myself. Does anyone have some tips on where we can look next to isolate the cause?
We're running A2(3.3). The ACE module was upgraded to that version of code on a Friday, and this issue started the following Monday. The ACE has 28 contexts configured, and this one context is the only one reporting any issues since the upgrade.
Here are the show serverfarm statistics as of today:
ACE# show serverfarm farma-8000
serverfarm : farma-8000, type: HOST
total rservers : 2
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: server#1
       x.x.x.20:8000         8      OPERATIONAL  0          186617     3839
   rserver: server#2
       x.x.x.21:8000         8      OPERATIONAL  67         83513      1754
Are you enabling sticky feature? What kind of predictor are you using?
If sticky feature is enabled and one rserver goes down, traffic will lean to one side.
Even after the rserver returns to up, traffic may continue to lean due to sticky feature.
The behavior seems to depend on the configuration.
So, please let me know a part of configuration?
Regards,
Yuji
-
ACE module, TLS and smtp
Hello,
On a ACE module running software version ACE2(1.0), I have defined a virtual smtp server that is load-balanced to a serverfarm containing 2 SMTP servers. Normal SMTP connexions on port 25 work fine. SMTPS connexions to port 465 of a second vserver also work fine: SSL termination occurs at the ACE module and SMTP connexions to the real servers are in clear text on port 25. But I am having problems with TLS.
If a client connecting to port 25 of the first vserver tries to negotiate TLS, it works but it's the real server that handles TLS encryption. This is normal behavior - but the certificate has to be installed on each of the real servers. I would like the ACE module to handle TLS (it's supported according to the documentation). That way the certificate would only have to be installed on the ACE module.
So I tried to set up a third vserver on port 587 with the same "proxy-service" as the second vserver used for SSL. If a client connects to port 587 of the vserver via TLS, we only see the 3-way handshake between the client and the vserver, then a pause of a few seconds, then a FIN from the client and finally an ACK and a RESET from the vserver.
There are absolutely no lines in the log that could help me find out what's happening.
I found the "debug ssl" command in the documentation but I don't know how to use it - I entered the command and nothing happened; I don't know where the debugging information goes. This is probably why there's a warning that says that "The ACE debug commands are intended for use by trained Cisco personnel only."...
So my questions are: why is TLS not working? How can I find out why it's not working? Where does the "debug" information go when we use the "debug" commands?
Thanks a lot for any help you can give me!
Regards,
Marc.
SMTP over TLS is not supported in ACE currently.
SMTP doesn't use SSL/TLS simply as a secure transport like LDAP, IMAP, POP, HTTP.
In the case of SMTP, the client needs to open a new conn.
So ACE, or for that matter any other SMTP relay device, needs to terminate the conn, look into the SMTP pkts and punch a hole according to the new client conns.
You can get more details at
http://tools.ietf.org/html/rfc2487
Syed -
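As an added illustration (not part of the original posts and not ACE code), the sketch below models the STARTTLS exchange from RFC 2487, which the reply links to, against a port 465 style SSL terminator that stays silent until it receives a ClientHello. The class names, function names and hostnames are constructed for this example.

```python
# Added illustration, not ACE code: who speaks first on an SMTP port.
TLS_HANDSHAKE = 0x16  # TLS record content type of a ClientHello record

def first_bytes_kind(data: bytes) -> str:
    """Classify the first bytes a listener receives from a client."""
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "tls-client-hello"
    if data[:4].upper() in (b"EHLO", b"HELO"):
        return "smtp-plaintext"
    return "unknown"

class StartTlsListener:
    """Server side of RFC 2487: plaintext first, TLS only after the 220 reply."""
    def __init__(self):
        self.tls_ready = False

    def greeting(self) -> bytes:
        return b"220 mail.example.test ESMTP\r\n"  # constructed hostname

    def handle(self, line: bytes) -> bytes:
        verb = line.strip().upper()
        if verb.startswith(b"EHLO"):
            return b"250-mail.example.test\r\n250 STARTTLS\r\n"
        if verb == b"STARTTLS":
            self.tls_ready = True  # the TLS handshake begins after this reply
            return b"220 Ready to start TLS\r\n"
        return b"530 Must issue a STARTTLS command first\r\n"

class ImplicitTlsListener:
    """Port 465 style SSL termination: sends nothing until a ClientHello arrives."""
    def greeting(self) -> bytes:
        return b""

def starttls_client(listener) -> str:
    """Drive a STARTTLS client against a listener and report the outcome."""
    if not listener.greeting().startswith(b"220"):
        # The client waits for the banner while the listener waits for a
        # ClientHello: nobody sends, so the client times out and closes.
        return "stalled: no 220 greeting"
    if b"STARTTLS" not in listener.handle(b"EHLO client.example.test\r\n"):
        return "failed: STARTTLS not offered"
    if not listener.handle(b"STARTTLS\r\n").startswith(b"220"):
        return "failed: STARTTLS refused"
    return "tls-handshake" if listener.tls_ready else "failed"

if __name__ == "__main__":
    print(starttls_client(StartTlsListener()))     # plaintext dialogue, then TLS
    print(starttls_client(ImplicitTlsListener()))  # both sides wait in silence
```

The stalled case has the same shape as the trace described in the question: a completed TCP handshake, a pause, then the client closing the connection.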
Our ACE module v A2(2.0) recently reset itself. This was the last boot reason.
NP 1 Failed : Nitrox Crash Detected
I can't seem to find proper documentation as to what this could mean. Any ideas?
Thanks.
Hi,
As a next step, I suggest opening a TAC service request for this issue. This crash might have created a corefile under dir core:
When you open the service request, please collect the data below:
- Latest showtech
- corefile from ACE; you can ftp it out by running the command "copy core: ftp:"
We need to analyze the corefile to know the root cause of this crash.
Best regards,
Rahul