ACE OCM counters increasing
Hi,
OCM(outbound connection Mgr) Counters are increasing & we have found that ACE is reseting client connection. I have found following bug. Currently we are running A2(1.1a). Anyone there hit by the same bug. Your experiences on this are appreciated.
CSCsr96168
Connection Free List Corruption
Symptom: New TCP connections are sometimes reset. Conditions: ACE module running A2(1.1a) Workaround: Downgrade to A2(1.1) Further Problem Description: This problem is suspected when `show np 2 me-stats -socm` shows the following counter incrementing: OCM Statistics: (Current) -------------- Drop [out of connections]: 14455 16
# show np 2 me-stats -socm
OCM Statistics: (Current)
Connection create received: 30526367 34
LB dest decision received: 6724048 15
Drop [LB dest decision fail]: 51 0
NAT Pool Alloc [addr/port]: 25586 0
NAT Pool Free [addr/port]: 25584 0
OCM Packet count (Hi & Lo): 37250415 49
(Context 4 Statistics)
Drop [mac lookup fail]: 1 0
Connection inserted: 853174 1
Packet message transmitted: 853149 1
# show np 2 me-stats -socm
OCM Statistics: (Current)
Connection create received: 30526681 33
LB dest decision received: 6724153 8
Drop [LB dest decision fail]: 51 0
NAT Pool Alloc [addr/port]: 25586 0
NAT Pool Free [addr/port]: 25584 0
OCM Packet count (Hi & Lo): 37250834 41
(Context 4 Statistics)
Drop [mac lookup fail]: 1 0
Connection inserted: 853195 6
Packet message transmitted: 853170 6
# show np 2 me-stats -socm
OCM Statistics: (Current)
Connection create received: 30528663 24
LB dest decision received: 6724773 11
Drop [LB dest decision fail]: 51 0
NAT Pool Alloc [addr/port]: 25586 0
NAT Pool Free [addr/port]: 25584 0
OCM Packet count (Hi & Lo): 37253436 35
(Context 4 Statistics)
Drop [mac lookup fail]: 1 0
Connection inserted: 853328 2
Packet message transmitted: 853303 2
Regards,
Akhtar
Hello Akhtar,
You've probably noticed that the "Drop [out of connections]" counter referenced in the bug is not shown in the output of your commands. This means that this counter is currently at zero. It will only be shown if it has a non-zero value. Therefore, this implies that this counter is not going up.
Also, from the output you supplied, nothing looks alarming to me that would indicate the cause of the resets. Here is how I would recommend you proceed:
If possible, upgrade to a newer software release. The release you are on is quite dated now and there have been hundreds of software fixes since that release. Further, the A2(1.x) software train will no longer have any maintenance updates. Upgrading to A2(2.3) may be the quickest solution for you if you are hitting a bug on the ACE.
If you cannot upgrade, or you upgrade and the issue persists, then you should gather the following information:
Get a showtech from the context in which the VIP resides
Start a capture of the ACE tengig port(see not below)
Run some test connections to replicate the RST
Stop the capture
Get a second showtech
Now you will be able to look at the connections in Wireshark, and compare your two showtechs to see what, if any, error (or Drop) counters increment. If necessary, please open a SR with Cisco TAC for expert analysis.
NOTE: In order to do the Tengig capture, you would need to configure SPAN on the Supervisor. The source interface would be Te/1. So for example, if your ACE is in slot 3, then the source interface of your monitor session would be Te3/1.
Regards,
Sean
Similar Messages
-
ACE 4710 dramatically increasing Sticky entries
Hello,
When I do a "show resource usage" on my ACE 4710 / SW Version A3(2.5) I see the Sticky entries increasing peramanently.
Resource Current Peak Min Max Denied
sticky 50758 62348 65536 0 0
When I have a look to the ANM managing the box I see the last days the current value was round about 25000 / 27000 max.
I look for a method to discover by what sticky definition or by what function / realserver the most increasing counters / entries are caused.
When I use the sh sticky database .... I see the lists for group or a special realserver / client but I miss sh show top clients / rservers / rules what generates the big sticky table....
Any good tipp how to troubleshoot that will be appreciated.
Regards
GerhardHello Surya,
Thank you for your response. I us a mix of different persistance Methods:
For some of the services source-ip based, for other, Cookie-based, and for some other I look on a special http header field... So it would be interesting to find out for what of the methods ths sticky entries grows...Because I see the counter rising since 2nd Oct 2:00 am... before it was never so high...
Regards
Gerhard -
VIP is not responding When pinging from ace
hey i have a very strange type of error. everything was working fine untill it just stopped. i have two vips both were mounted and working fine and then one of the vip just stopped working you can ping and get reply from my pc but not from ace. they are connected directly with nexus 5k and was working fine. now you can have reply from for other vips and servers and all other thing but not that single vip. when you ping it on nexus you get DUP; Packets which is not understood by me there is all commands like no ip redirects are been given but i dont know wats rong.
can some1 have any idea and help ?Hi Usman,
Not sure about DUP packets that you see on nexus but from ACE's perspective we need to see what is wrong and for that i would need to look at your configuration and other outputs. Do you see that your client's request is reaching the ACE VIP ? You can check using "show conn address " and see if you see a corresponding backend connection or not. Do you see any handshake failures or any other counters increasing under "show stats crypto server" command? We need to have more information for us to look at to tell you what is going on at least from ACE's viewpoint.
Regards,
Kanwal -
I have configured policy-maps and class-maps on 3550 and 3560 switches.
The following is excerpt....
class-map match-any voip_class
match access-group 100
policy-map voip_policy
class voip_class
trust dscp
interface GigabitEthernet0/12
service-policy input voip_policy
priority-queue out
access-list 100 permit udp any any
I have the access-list 'open' for testing purposes.
However when I run the command 'sh policy-map int gi0/12' I get no counters increasing.
Should I?
Also if I run the 'sh access-list 100' command, should I get increasing counters?
Thanks for any help
Nik MihelioudakisSh policy map is not supported on this platform
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdy50035
Use "show mls qos interface gig0/12 statistics" instead. -
Dot Mac top 5 hits has reset, pages still have counters ticking away...
Every now and then, I check www.mac.com (after having previously signed in) and check how many email messages and website hits I have. Something happened this morning so that the .mac page is reset and it's only keeping counts on pages I've created since then. However, the actual pages still contain counters and the counters increase as you'd expect.
http://web.mac.com/makentosh
Reloading pages will make it increment, but the only pages shown in .Mac are the two most recent ones.
Has anyone else seen this? Not a big deal as the counters still work, but I liked being able to tell which sites were hit the most without needing to actually visit them.Held down option and did "Publish All to .Mac" and still shows the same few pages. My main page is now at 503, but won't show up in .Mac.
Add to that, .Mac has been sporadic today. -
ISE Internal error suddenly appear
I started to see this error message suddenly
[500] Internal Error
Please contact system administrator. If you are the System Administrator please consult the logs.
ISE deployment consists of two nodes one carrying Administration persona (primary) , and monitoring (secondary) and the other carrying Administration persona (secondary) , and monitoring (primary) persona, the setup was running smoothly without any issues. ISE version was 1.2; and after this issue appeared we did the required troubleshooting with no luck ; so we upgraded both units to 1.3 and still facing the same issue.
We noticed a strange behavior on agent redirection ACL , when trying to reach basic services such as domain,DNS,.. (which are denied from redirection on the ACL) it appears to be redirected to ISE ( last permit ACE in redirection ACL counters increases contineously ) which shouldn't be the case in the posturing stage.
Anyone did face this issue , and what does this mean or have any ideas appreciate to share with us...Wency, maybe you should start a new thread, this is not error 500 related.
That said, you seem to refer to Tacacs functionality. This protocol is not yet supported in ISE. (will be in 2.0; no, I don't know when this will be out).
One can manage CLI access to devices with Radius too, but rather than being able to check each command on ISE, the user gets a certain 'privilege' at login. How the devices enforces that depens on the device. Parser views are a cool feature on IOS devices (routers), but several devices (switches and old routers) support only 15 privilege levels (and you can change the preset levels of commands). Yet other devices (WLC and Prime) use user Roles. Which Radius attributes are to be send depends on the device. You'll have to look it up in the switch/router/etc. manual. Look for aaa and radius attributes.
On Ise, you just add the proper Radius attributes to the authz profile, like this.
To assign a level of 15 (enable mode) for example. -
PBR Multiple Tracking Support information for Cat2960
Hello
I have been investigating for PBR multiple tracking support devices specially Catalyst 2960.
The following is very similar to this information. However it can not be applicable to Cat2960.
[PBR Support for Multiple Tracking Options]
http://www.cisco.com/en/US/docs/ios/iproute_pi/configuration/guide/iri_prb_mult_track_external_docbase_0900e4b1810fe379_4container_external_docbase_0900e4b181525fed.html#wp1056119
But feature navigator can show the following information of this feature.
[Feature Navigator for Cat2960]
PBR Support for Multiple Tracking Options
IOS:12.2(55)SE1
Feature-Set:LAB-Base
You can find it by using the research feature and filter by PBR.
So which is correct ?
Basically Cat2960 can not support PBR or there is any related information based on the feature navigator's info.
Any information would be very helpful.
Thank you very much and Best Regards,
Masanobu HiyoshiHello Julio
Thank you for your precious information!
In my understanding it is conclution that the Catalyst 2960 & 2960S series
basically do not support for PBR. So PBR multiple tracking also do not support right?
Here is the output of Cat2960 and 3750X
2960#sh sdm prefer
The current template is "lanbase-routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
0 routed interfaces and 255 VLANs.
number of unicast mac addresses: 4K
number of IPv4 IGMP groups + multicast routes: 0.25K
number of IPv4 unicast routes: 4.25K
number of directly-connected IPv4 hosts: 4K
number of indirect IPv4 routes: 0.25K
number of IPv6 multicast groups: 0.375k
number of directly-connected IPv6 addresses: 0.75K
number of indirect IPv6 unicast routes: 0.5K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.125k
number of IPv4/MAC security aces: 0.375k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0.375k
number of IPv6 security aces: 127
[3750X]
As you know by default Cat3750X normally requires SDM template as routing for
functioning PBR. Otherwise the number of IPv4 policy based routing aces
does not increase.
3750X(config-if)#ip policy route-map PBR
Mar 30 01:34:21.869: %PLATFORM_PBR-4-SDM_MISMATCH: PBR requires sdm template routing
3750X#sh sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 10.875k
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 7.875k
number of IPv6 multicast groups: 64
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.375k
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 58
So what could you think about the feature navigator's information related to this?
Is it possible to modify it? or request to cisco for this?
Best Regards,
Masanobu Hiyoshi -
Multi datasource faliover problem - JDeveloper integrated Weblogic 10.3.5
Hi all,
I have a problem with JDeveloper integrated weblogic (version 10.3.5) fail over to second datasource in multi data source (2 generic datasources) configuration environment.
My test goes like this:
1. I have two databases running on separate servers.
2. both data sources are up & running OK.
3. JDeveloper integrated weblogic configured with multi datasource, using algorithm failover, and failover callback class.
4. weblogic started and adf application running using first datasource in list.
5. if I unplug network cable or shut down first database, weblogic won't fail over to second datasource and still trying to use the first one.
Failover callback class:
package failover;
public class ConnectionPoolFailoverCallback implements weblogic.jdbc.extensions.ConnectionPoolFailoverCallback {
static {
System.out.println("------------------------------------------------------------");
System.out.println("\n\n\tConnectionPoolFailoverCallback class initiated...\n\n\t");
System.out.println("------------------------------------------------------------");
public int allowPoolFailover(String currPool, String nextPool, int opcode) {
System.out.println("Current Pool - " + currPool);
System.out.println("Next Pool - " + nextPool);
System.out.println("Operation Code - " + opcode);
System.out.println("------------------------------------------------------------");
if (opcode == OPCODE_CURR_POOL_DEAD) {
System.out.println("\n\n\tConnectionPoolFailoverCallback return OK.");
return OK;
} else {
System.out.println("\n\n\tConnectionPoolFailoverCallback return DONOT_FAILOVER.");
return DONOT_FAILOVER;
}{code}
*Problem:* When I unplug network cable or shutdown first database, method allowPoolFailover returns OK, but weblogic won't switch to second datasource entering allowPoolFailover method again and again.
+Note:+ weblogic integrated in JDeveloper is running u development mode.
Did I miss something in configuration or something else?
Any help is appreciated.
Thanks in advance,
AlexandarHi Alexandar,
Have you made any progress with this? We seem to have bumped into this issue as well. Connection requests are consistently routed to the disabled pool (it appears as disabled in the WLS console, but we can see the counters increasing steadily), the callback handler is called and returns OK, and the connection request is ultimately serviced by the active pool. So while the application still successfully handles requests, there's obviously an underlying problem in obtaining the connection.
Thanks,
Sebastien -
Cisco CSR 1000V dont forward packets
Hi,
I have an evaluation Cisco CSR 1000V. I set up a IPSEC Connection correctly:
CISCO1000V# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 1007 ACTIVE
IPv6 Crypto ISAKMP SA
Policy:
Extended IP access list IPSEC
10 permit ip 10.122.20.0 0.0.0.255 10.255.0.0 0.0.0.255 log
20 permit ip 10.255.0.0 0.0.0.255 10.122.20.0 0.0.0.255 log
IPSEC is set up on GigabitEthernet 2 (PEER IP)
Internal interface (GigabitEthernet 1) have IP: 3.3.3.3. On my server (in subnet 10.122.20.x) i set up a routing to 10.255.0.0/24 via 3.3.3.3.
When I run ping from my server on address 10.255.0.0.1 i dont see any encrypted counters increase....
I dont have any other acls.
Where is the problem?Hi,
I have an evaluation Cisco CSR 1000V. I set up a IPSEC Connection correctly:
CISCO1000V# sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.2 QM_IDLE 1007 ACTIVE
IPv6 Crypto ISAKMP SA
Policy:
Extended IP access list IPSEC
10 permit ip 10.122.20.0 0.0.0.255 10.255.0.0 0.0.0.255 log
20 permit ip 10.255.0.0 0.0.0.255 10.122.20.0 0.0.0.255 log
IPSEC is set up on GigabitEthernet 2 (PEER IP)
Internal interface (GigabitEthernet 1) have IP: 3.3.3.3. On my server (in subnet 10.122.20.x) i set up a routing to 10.255.0.0/24 via 3.3.3.3.
When I run ping from my server on address 10.255.0.0.1 i dont see any encrypted counters increase....
I dont have any other acls.
Where is the problem? -
Broadcast/multicast counters does not increase on vlan interface
Hi,
on a Cat6500 we try to monitor interface packet statistics via snmp, in detail we want to get information about the relation between unicast, multicast and broadcast packet counter.
What we found out is that while on physical l2 interfaces all counters (ifHCInUcastPkts, ifHCInMulticastPkts, fHCInBroadcastPkts, ifHCOutUcastPkts, ifHCOutMulticastPkts, ifHCOutBroadcastPkts) are filled, on vlan interfaces multicast in/out and broadcast out packets stay zero whole the time. We use arp, hsrp, ospf and other well know broadcast and multicast based protocols.
Does anybody know why this counters do not increase?
Attached you find an excel sheet which shows an example of interface counter vs. vlan counter.
many thanks in advance,
Thorsten SteffenHi jon,
belown the result of sh sdm prefer,so need i a licence ip service to apply the route-maap on the interface vlan,or just entrer the config"sdm prefer routing" and reboot the switch?
SWBB0#sh sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 64
number of directly-connected IPv6 addresses: 74
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.875k
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0
number of IPv6 security aces: 60 -
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!Hello Brandon-
Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conif t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule, within that, create/debug/modify/monitor each feature seperately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins -
Increase of priority flow control counters in a FCoE environment
Hi,
I need some input about what is normal in a FCoE environment in regards to priority flow contol counters.
I see Increase of RxPPP and TxPPP counters on a FCoE end to end enviroment. however we don't see high traffic rates to/from storage array(<1Gbps). Customer have not reported low transfer from storage.
Setup:
CNA hosts - FEX2232 - N5K - EMC-VNX
FCoE end-to-end, No native FibreChannel.
CNA adapters = Emulex.
Is a problem I should look further into or is it normal?
I have read the troubleshooting guide.
http://www.cisco.com/en/US/partner/docs/switches/datacenter/nexus5000/sw/troubleshooting/guide/n5K_ts_fcoe.html
some output:
N5K-2# sh inter priority-flow-control
============================================================
Port Mode Oper(VL bmap) RxPPP TxPPP
============================================================
FEX101-2232 1-8
Ethernet1/1 Auto Off 0 211994
Ethernet1/2 Auto Off 0 0
Ethernet1/3 Auto Off 2891830 0
Ethernet1/4 Auto Off 6269410 0
Ethernet1/5 Auto Off 12109662 0
Ethernet1/6 Auto Off 79534 0
Ethernet1/7 Auto Off 0 0
Ethernet1/8 Auto Off 0 0
FEX102-2232 9-16
Ethernet1/9 Auto Off 0 9994780
Ethernet1/10 Auto Off 0 0
Ethernet1/11 Auto Off 24678 0
Ethernet1/12 Auto Off 0 0
Ethernet1/13 Auto Off 4316 0
Ethernet1/14 Auto Off 136 0
Ethernet1/15 Auto Off 0 0
Ethernet1/16 Auto Off 0 0
!VNX-FCOE-ATTACHED SP_A
Ethernet1/19 Auto On (8) 1888566 10100200
!VNX-FCOE-ATTACHED SP_A
Ethernet1/20 Auto On (8) 10414603 1367098
Ethernet1/23 Auto Off 0 0
Ethernet1/24 Auto Off 0 0
Ethernet1/25 Auto Off 0 0
Ethernet1/26 Auto Off 0 0
Ethernet1/27 Auto Off 0 0
Ethernet1/28 Auto Off 0 0
Ethernet1/30 Auto Off 0 0
Ethernet1/32 Auto On (8) 0 0
Ethernet1/38 Auto Off 0 0
Ethernet1/39 Auto Off 0 0
Ethernet1/40 Auto Off 0 0
Ethernet1/41 Auto On (8) 0 0
Ethernet1/42 Auto On (8) 0 0
Ethernet1/43 Auto On (8) 0 0
Ethernet1/44 Auto On (8) 0 0
!CNA atttached hosts.
Ethernet101/1/1 Auto On (8) 37109 33155
Ethernet101/1/2 Auto On (8) 120 32336
Ethernet101/1/3 Auto On (8) 274 34404
Ethernet101/1/4 Auto On (8) 1924 64754
Ethernet101/1/5 Auto On (8) 144 14684
Ethernet101/1/24 Auto On (8) 4296788 4466
Ethernet101/1/25 Auto On (8) 104520 22
Ethernet101/1/26 Auto On (8) 838 30824
Ethernet101/1/27 Auto On (8) 796 7770
Ethernet101/1/28 Auto On (8) 13749152 1684
Ethernet101/1/29 Auto On (8) 5912918 1276
Ethernet101/1/30 Auto On (8) 3296026 2292
Ethernet101/1/31 Auto On (8) 0 80
Ethernet101/1/32 Auto On (8) 0 0
Ethernet102/1/1 Auto On (8) 75656 323512
Ethernet102/1/2 Auto On (8) 0 5632
Ethernet102/1/3 Auto On (8) 4278 173828
Ethernet102/1/4 Auto On (8) 0 0
Ethernet102/1/28 Auto On (8) 2872 300046
Ethernet102/1/29 Auto On (8) 28216 11808124
Ethernet102/1/30 Auto On (8) 4792 441340
Ethernet102/1/31 Auto On (8) 0 0
Ethernet102/1/32 Auto On (8) 1040 201214
Ethernet1/19 Auto On (8) 1888566 10100200
Ethernet1/20 Auto On (8) 10414603 1367098
Just a one of the servers
GDC-CORE-SW04# sh inter e101/1/29 priority-flow-control
============================================================
Port Mode Oper(VL bmap) RxPPP TxPPP
============================================================
Ethernet101/1/29 Auto On (8) 5912932 1276
GDC-CORE-SW04# sh inter e101/1/29 | in pause
0 Rx pause
0 Tx pause
GDC-CORE-SW04# sh inter e101/1/29 priority-flow-control
============================================================
Port Mode Oper(VL bmap) RxPPP TxPPP
============================================================
Ethernet101/1/29 Auto On (8) 5913378 1276
GDC-CORE-SW04#
GDC-CORE-SW04# sh inter e101/1/29 | in pause
0 Rx pause
0 Tx pause
VNX
GDC-CORE-SW04# sh inter priority-flow-control | in Ethernet1/19 ne 1
Ethernet1/19 Auto On (8) 1889064 10100536
Ethernet1/20 Auto On (8) 10414603 1367164
GDC-CORE-SW04# sh inter e1/19 | in "input rate"
30 seconds input rate 133346744 bits/sec, 16668343 bytes/sec, 10762 packets/sec
input rate 96.22 Mbps, 8.31 Kpps; output rate 118.68 Mbps, 8.83 Kpps
GDC-CORE-SW04# sh inter e1/20 | in "input rate"
30 seconds input rate 36024752 bits/sec, 4503094 bytes/sec, 2342 packets/sec
input rate 33.96 Mbps, 2.09 Kpps; output rate 24.95 Mbps, 1.50 KppsHi, thank your for your answer.
I actually already enabled the system qos manually since we run 5.0(2)N2 release.
We will implement FCoE over 5500. What I'm worried about is the warning message I posted above on Nexus 7009s connected to my 5500s after I enabled the system qos.
Could it be originated by the DCBX feature? May I have some problem if 'Priority-flow-control' setting between N5k and N7k don't match? -
ACE - Clear Resource Usage Counters
Hi everyone. I've tried clearing my resource usage counters several time by using both commands:
clear stats resource-usage
clear stats all
Neither work. The resource usage counters remain the same. Is there a workaround to this issue? I would really like to see the counters over a specific period as opposed to since last reboot.Hi Tim
The clear stats resource-usage cmd only clear the stat for Peak and Denied counter.
I tested with A3(2.2) as below and it worked ok.
ACE-4710-c/Admin# sh resource usage all
Allocation
Resource Current Peak Min Max Denied
Context: Admin
conc-connections 19 53 0 400000 0
mgmt-connections 2 8 0 20000 0
proxy-connections 0 4 0 52429 0
xlates 0 0 0 13107 0
acc-connections 0 0 0 10 0
bandwidth 864416 30966244 0 339748365 0
throughput 12448 33252 0 214748365 0
mgmt-traffic rate 851968 30932992 0 125000000 0
connection rate 0 10 0 200000 0
ssl-connections rate 0 0 0 200 0
mac-miss rate 0 1 0 400 0
inspect-conn rate 0 0 0 8000 0
http-comp rate 0 0 0 2621440 0
acl-memory 33824 33824 0 7510426 0
sticky 0 0 0 0 0
regexp 1214 1214 0 209715 0
syslog buffer 0 0 0 210944 0
syslog rate 0 0 0 20000 0
ACE-4710-c/Admin# clear sta
startup-config stats
ACE-4710-c/Admin# clear stats resource-usage
ACE-4710-c/Admin# sh resource usage all
Allocation
Resource Current Peak Min Max Denied
Context: Admin
conc-connections 19 19 0 400000 0
mgmt-connections 2 2 0 20000 0
proxy-connections 0 0 0 52429 0
xlates 0 0 0 13107 0
acc-connections 0 0 0 10 0
bandwidth 1115184 30966244 0 339748365 0
throughput 1072 1072 0 214748365 0
mgmt-traffic rate 1114112 1114112 0 125000000 0
connection rate 0 0 0 200000 0
ssl-connections rate 0 0 0 200 0
mac-miss rate 0 0 0 400 0
inspect-conn rate 0 0 0 8000 0
http-comp rate 0 0 0 2621440 0
acl-memory 33824 33824 0 7510426 0
sticky 0 0 0 0 0
regexp 1214 1214 0 209715 0
syslog buffer 0 0 0 210944 0
syslog rate 0 0 0 20000 0
ACE-4710-c/Admin#
ACE-4710-c/Admin#
-Andrew -
Increased time_wait on Websense systems after LB HTTP with ACE
I was wondering if anyone knew why we would see an increase of tcp sessions in time_wait status after setting up HTTP load balancing. The systems are Websense boxes that are being used both as a proxy (which the VIP is for) and with WCCP. We have 5 total systems but only 3 have been added to the serverfarm. The two that are are not in the serverfarm and not having this issue. The we are using L4 LB. So the two, non LB systems are on the client side VLAN. Any ideas?
Hi,
According to the article below:
Windows 8.1 Update for x64-based Systems (KB2919355)
http://www.microsoft.com/en-us/download/details.aspx?id=42335&e6b34bbe-475b-1abd-2c51-b5034bcdd6d2=True
1. These KB's must be installed in the following order: clearcompressionflag.exe, KB2919355, KB2932046, KB2959977, KB2937592, KB2938439, and KB2934018.
2. KB2919442 is a prerequisite for Windows 8.1 Update and should be installed before attempting to install KB2919355
Did all the client fulfil the requirement?
And if reboot is required in the KB article, we’d better reboot it and install the next.
Hope this helps. -
Hi All,
I'm using ACE module A2(2.4)
I'm trying to use parameter server-conn reuse, but clients get sometimes statuscode 503.
A#1/Test1# show np 1 me-stats "-socm -v"
OCM Statistics: (Current)
Errors: 0 0
Connection create received: 231121503 1142
LB dest decision received: 365473159 1473
Nat app fixup recieved: 0 0
Connection unproxy received: 52997475 393
Connection reproxy received: 51249279 375
IPCP received: 83227 2
ACK trigger received: 52733008 390
TCP connected received 218498529 1065
Unknown message received: 0 0
Drop [LB dest decision fail]: 29392 0
Drop [invalid ifid] 0 0
Drop [Out of buffers]: 0 0
Dest decision transmitted: 248735645 1174
TCP connect transmitted: 212827881 828
ACK trigger transmitted: 12 0
IPCP transmitted: 83227 2
NAT[static mapped]: 0 0
NAT[static real]: 0 0
NAT[xlate alloc fail]: 0 0
NAT[xlate real hit]: 0 0
NAT[xlate mapped hit]: 0 0
NAT[invalid xlate]: 0 0
NAT[dump xlate]: 0 0
NAT[xlate release failed]: 0 0
NAT Pool Alloc [fail]: 0 0
NAT Pool Alloc [addr]: 0 0
NAT Pool Alloc [addr/port]: 33689970 81
NAT Pool Free [addr]: 0 0
NAT Pool Free [addr/port]: 33689214 88
NAT Pool Free [orphan IP]: 0 0
Reuse retrieve link update conn invalid 0 0
Reuse retrieve link update conn not on r 0 0
Reuse retrieve success but conn invalid: 0 0
Drop [Next Hop queue full]: 0 0
Reuse retrieve miss: 845627 3
OCM Packet count (Hi & Lo): 976499360 4850
Packet forward received: 4343180 10
NAF Error [no route or unresolved adjace 0 0
NAF Error [nat resp fail]: 0 0
UDP Chaser received: 10406 0
(Context 1 Statistics)
Drop [out of connections]: 0 0
Drop [out of proxies]: 0 0
Drop [out of ssl]: 0 0
Drop [mac lookup fail]: 0 0
Drop [route lookup fail]: 0 0
Drop [nat fail] 0 0
Drop [ip sanity check fail] 0 0
Drop [acl deny]: 0 0
Drop [redundant connection]: 0 0
Connection inserted: 862670 3
Packet message transmitted: 6409302 230
Reuse conns retrieved: 6390611 238
Drop [Reproxy fail]: 171 0
Drop [dest nat fail]: 58286 2
The last counter is increasing. What does it mean? Can this be the problem?
I do not get 503 in the retcode map of the servers.
Regards
MatsHi Mats,
I find it very strange that the ACE is sending a 503 message back to the client, because, in case of issues, it normally just resets the connection. With that in mind, we should also investigate the server itself. This is not trivial, so, you should open a TAC case.
Let me just explain the meaning of the "Drop [dest nat fail]" counter. It will be incremented if, after a connection has been natted, one of the servers tries to open a new connection against the natted IP and port. This shouldn't happen unless you are using a protocol composed of several connections (for example, FTP)
Regards
Daniel
Maybe you are looking for
-
My ipod wont sync all my music/files, comes up with an error now
HI there! My ipod was working fine over a week ago and now it wont work! I try to sync it and it says it has synced it but only puts on about 200 songs out of 2000- not even that, before it says unknown error and then wipes it all off,and wont sync!
-
Hi, I run a query in the BEx by selecting 2 cost centers A and B and I receive both results. When I execute the job with the reporting agent I receive only the first cost center. How can I debug this ? Any idea what could be the reason ? Thanks for y
-
WL Bug: StringIndexOutOfBoundsException when deploying war
When deploying a war file in WLS 6.1 SP2 I get below exception. This seems to be a WL bug caused by a line in WebAppHelper.resolveManifestName s4 = s4.substring(0, s4.length() - 1); There is no check if s4.length() is 0. Is there a fix included in a
-
This gets the alv to popular without any errors but the column names are blank on top. Any ideas? CALL FUNCTION 'REUSE_ALV_FIELDCATALOG_MERGE' EXPORTING i_program_name = sy-repid i_structure_name = 'ZFI_CONTRAC
-
Why can't I copy/paste an image to Yahoo! Mail on Firefox?
It's quite odd. From any other browser I'm able to copy and paste an image straight into the e-mail body of Yahoo! Mail (meaning, not an attachement but actually pasting the image), but not from Firefox. Upon doing some research on-line, many a folk