ACE on VSS problem

I have a VSS cluster of 2x6509 with an ACE blade in each. I had to upgrade the software (ACE A2) so it could be recognised by the VSS. I have connectivity to the network from the first ACE, but the second cannot ARP its default gateway. Both ACE blades are on the same management VLAN.
Any help will be appreciated. Following is the config:
svclc multiple-vlan-interfaces
svclc switch 1 module 1 vlan-group 1
svclc switch 2 module 1 vlan-group 1
svclc vlan-group 1 88
access-list ANY line 8 extended permit ip any any
policy-map type management first-match remote-access
  class remote-mgmt
    permit
interface vlan 88
  description Axfood MGMT-LAN
  ip address 194.132.91.239 255.255.255.128
  access-group ANY
  no shutdown
ip route 0.0.0.0 0.0.0.0 194.132.91.254
show arp
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type       Encap  NextArp(s) Status
================================================================================
194.132.91.238  00.21.a0.82.8e.e9  vlan88     LEARNED    519    12340 sec  up
194.132.91.239  00.21.a0.82.8e.39  vlan88     INTERFACE  LOCAL  _          up
194.132.91.251  00.25.46.21.c8.00  vlan88     LEARNED    518    4807 sec   up
194.132.91.254  00.00.00.00.00.00  vlan88     GATEWAY    -      * 3 req    dn
sho interface
switch/Admin# show int
vlan88 is up
Hardware type is VLAN
MAC address is 00:21:a0:82:8e:39
Mode : routed
IP address is 194.132.91.239 netmask is 255.255.255.128
FT status is non-redundant
Description:Axfood MGMT-LAN
MTU: 1500 bytes
Last cleared: never
Alias IP address not set
Peer IP address not set
Assigned from the Supervisor, up on Supervisor
45822 unicast packets input, 553642216 bytes
8022597 multicast, 218206 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
301 unicast packets output, 33548570 bytes
0 multicast, 523889 broadcast
0 output errors, 0 ignored

It looks like you don't have FT (alias & peer IP's) set up.
If the second ACE still can't ARP or ping the gateway after you get that taken care of, check w/ TAC to see if you're hitting bug CSCsz50968.
We ran into it when we were doing a bunch of failover tests between the two VSS chassis.
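
Added example, not part of the original thread and not Cisco code: a small Python parser for the ACE `show arp` table posted above. It flags entries that never resolved (all-zero MAC or a status other than `up`) and reports MAC addresses that answer for more than one IP. The sample rows are copied from posts on this page; the function names and the token-based column parsing are assumptions built on that one output format.

```python
import ipaddress
import re
from collections import defaultdict
from typing import NamedTuple

# MAC notation as printed by the ACE in the posts: 00.21.a0.82.8e.39
MAC_RE = re.compile(r"^[0-9a-f]{2}(?:\.[0-9a-f]{2}){5}$", re.IGNORECASE)
ZERO_MAC = "00.00.00.00.00.00"

# Rows copied from the "ACE on VSS problem" post.
SAMPLE_VSS_POST = """\
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
194.132.91.238 00.21.a0.82.8e.e9 vlan88 LEARNED 519 12340 sec up
194.132.91.239 00.21.a0.82.8e.39 vlan88 INTERFACE LOCAL _ up
194.132.91.251 00.25.46.21.c8.00 vlan88 LEARNED 518 4807 sec up
194.132.91.254 00.00.00.00.00.00 vlan88 GATEWAY - * 3 req dn
"""

# Rows copied from the "rserver with multiple IP on the same NIC" post.
SAMPLE_MULTI_IP_POST = """\
172.22.14.51    00.c0.dd.16.90.4c  vlan2014  LEARNED    15067  13964 sec    up
172.22.14.52    00.c0.dd.16.90.4c  vlan2014  RSERVER    15051  173 sec      up
"""


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    interface: str
    type: str
    encap: str
    next_arp: str
    status: str


def parse_show_arp(text):
    """Return ArpEntry rows; headers, separators and prompts are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6:
            continue
        ip, mac, iface, etype, encap = tokens[:5]
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # header line or anything not starting with an IPv4 address
        if not MAC_RE.match(mac):
            continue
        # NextArp(s) contains spaces ("12340 sec", "* 3 req"), so take the
        # last token as Status and join whatever sits in between.
        entries.append(ArpEntry(ip, mac.lower(), iface, etype, encap,
                                " ".join(tokens[5:-1]), tokens[-1]))
    return entries


def unresolved(entries):
    """Entries the ACE could not resolve: all-zero MAC or status not 'up'."""
    return [e for e in entries if e.mac == ZERO_MAC or e.status.lower() != "up"]


def shared_macs(entries):
    """Map each MAC that answers for more than one IP to its sorted IP list."""
    by_mac = defaultdict(set)
    for e in entries:
        if e.mac != ZERO_MAC:
            by_mac[e.mac].add(e.ip)
    return {mac: sorted(ips, key=ipaddress.IPv4Address)
            for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for e in unresolved(parse_show_arp(SAMPLE_VSS_POST)):
        print(f"unresolved: {e.ip} ({e.type}) on {e.interface}, "
              f"status={e.status}, next_arp={e.next_arp!r}")
    for mac, ips in shared_macs(parse_show_arp(SAMPLE_MULTI_IP_POST)).items():
        print(f"shared MAC {mac}: {', '.join(ips)}")
```
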

Similar Messages

  • ACE Load Balancing Problem

    Hi,
    I have ACE 4701 with c4710ace-mz.A3_2_2.bin image. In the current setup the ACE is located in the center of the network, where all the WAN, Internet and LAN are connected. The ACE has its default towards the Internet and all other segments have their default route towards the ACE appliance. The ACE is only redirecting the port 80 traffic to my proxy server and bypasses my LAN subnet on port 80.
    Internet
    i
    i
    i
    i
    i
    ACE--------------------------------WAN
    i
    i
    i
    i
    LAN
    I want to use ACE for the load balancing of two servers. Today I did the load balancing configuration, but as soon as I applied the policy map on the interface vlan 200 and 300, my complete network reachability went down. When I removed the policy my network came back to normal.
    192.168.200.66  FAX Server-1
    192.168.200.67  FAX Server-2
    192.168.200.65   Virtual IP address
    Attached is the configuration that I did on ACE for the load balancing and below is the current configuration of the ACE appliance.
    access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
    access-list acl-in line 1 extended permit ip any any
    access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
    access-list acl-out line 1 extended permit ip any any
    access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
    access-list acl-proxy line 1 extended permit ip any any
    access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
    access-list acl-wan line 1 extended permit ip any any
    probe tcp PROBE_5050
      port 5050
      interval 15
      passdetect interval 60
      open 1
    probe tcp PROBE_5101
      port 5101
      interval 15
      passdetect interval 60
      open 1
    probe tcp PROBE_TCP
      port 80
      interval 15
      passdetect interval 60
      open 1
    parameter-map type http PARAMAP_CASE
      case-insensitive
      no persistence-rebalance
    rserver host RS_BCPR01
      ip address 192.168.0.103
      inservice
    rserver host RS_BCPR02
      ip address 192.168.0.104
      inservice
    rserver host RT_fax1
      description Right Fax Server-1
      ip address 192.168.200.66
    rserver host RT_fax2
      description Right Fax Server-2
      ip address 192.168.200.67
    serverfarm host SF_BCPR
      transparent
      probe PROBE_5050
      probe PROBE_5101
      probe PROBE_TCP
      rserver RS_BCPR01
        inservice
      rserver RS_BCPR02
        inservice
    serverfarm host SF_RT_fax
      rserver RT_fax1
      rserver RT_fax2
    sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
      replicate sticky
      serverfarm SF_BCPR
    sticky ip-netmask 255.255.255.255 address source FAX-STICKY
      replicate sticky
      serverfarm SF_RT_fax
    class-map type management match-any CM_ALL
      2 match protocol snmp any
      3 match protocol http any
      4 match protocol https any
      5 match protocol icmp any
      6 match protocol telnet any
    class-map match-any CM_BYPASS_FOR_LAN
      3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
      8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
      9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
      10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
    class-map match-any CM_BYPASS_SUBNET
      9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
      13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
      14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
      15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
    class-map match-any CM_IM
      2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
      3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
      4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
    class-map match-all CM_SF_BCPR
      255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
    class-map match-any RT_FAX
      2 match virtual-address 192.168.200.65 0.0.0.0 any
    policy-map type management first-match PM_ALL
      class CM_ALL
        permit
    policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
      class class-default
        forward
    policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
      class class-default
        forward
    policy-map type loadbalance first-match PM_LB_RT_FAX
      class class-default
        sticky-serverfarm FAX-STICKY
    policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
      class class-default
        sticky-serverfarm STICKY-SOURCE
    policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
      class CM_BYPASS_FOR_LAN
        loadbalance vip inservice
        loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
    policy-map multi-match PM_BYPASS_HTTP
      class CM_BYPASS_SUBNET
        loadbalance vip inservice
        loadbalance policy PM_L7_BYPASS_HTTP
    policy-map multi-match PM_MAIN_BCPROXY
      class CM_SF_BCPR
        loadbalance vip inservice
        loadbalance policy PM_LB_SF_BCPROXY
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options PARAMAP_CASE
      class CM_IM
        loadbalance vip inservice
        loadbalance policy PM_LB_SF_BCPROXY
    policy-map multi-match PM_RT_FAX
      class RT_FAX
        loadbalance vip inservice
        loadbalance policy PM_LB_RT_FAX
    service-policy input PM_ALL
    interface vlan 100
      description FW-INSIDE CONTEXT RACK1
      ip address 192.168.0.5 255.255.255.224
      alias 192.168.0.11 255.255.255.224
      peer ip address 192.168.0.6 255.255.255.224
      mac-address autogenerate
      no icmp-guard
      access-group input acl-out
      no shutdown
    interface vlan 200
      description WAN-VLAN CONTEXT RACK1
      ip address 192.168.0.33 255.255.255.224
      alias 192.168.0.43 255.255.255.224
      peer ip address 192.168.0.34 255.255.255.224
      mac-address autogenerate
      access-group input acl-wan
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      no shutdown
    interface vlan 300
      description ACE-INSIDE CONTEXT RACK1
      ip address 192.168.0.65 255.255.255.224
      alias 192.168.0.73 255.255.255.224
      peer ip address 192.168.0.66 255.255.255.224
      mac-address autogenerate
      access-group input acl-in
      service-policy input PM_BYPASS_FOR_LAN_HTTP
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      no shutdown
    interface vlan 301
      description BC-VLAN CONTEXT RACK1
      ip address 192.168.0.97 255.255.255.224
      alias 192.168.0.107 255.255.255.224
      peer ip address 192.168.0.98 255.255.255.224
      mac-address autogenerate
      access-group input acl-proxy
      no shutdown
    ft track interface TRACKING_FOR_FT_VLAN
      track-interface vlan 300
      peer track-interface vlan 300
      priority 255
      peer priority 255
    ip route 0.0.0.0 0.0.0.0 192.168.0.1
    Please help me find out what I am missing. Is there any limitation on the policy map, or is my bypass subnet list creating the problem?

    I made these changes; this time nothing disconnected, but I am not able to use Remote Desktop on the virtual IP address. The real IP has Remote Desktop enabled; even the VIP is not pingable for me.
    rserver host RT_fax1
      description Right Fax Server-1
      ip address 192.168.200.66
      inservice
    rserver host RT_fax2
      description Right Fax Server-2
      ip address 192.168.200.67
      inservice
    serverfarm host SF_RT_fax
      rserver RT_fax1
        inservice
      rserver RT_fax2
        inservice
    policy-map type loadbalance rdp first-match PM_LB_RT_FAX
      class class-default
        serverfarm SF_RT_fax
    policy-map multi-match PM_RT_FAX
      class RT_FAX
        loadbalance vip inservice
        loadbalance policy PM_LB_RT_FAX
        loadbalance vip icmp-reply active
    interface vlan 200
      description WAN-VLAN CONTEXT RACK1
      ip address 192.168.0.33 255.255.255.224
      alias 192.168.0.43 255.255.255.224
      peer ip address 192.168.0.34 255.255.255.224
      mac-address autogenerate
      access-group input acl-wan
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      service-policy input PM_RT_FAX
      no shutdown
    interface vlan 300
      description ACE-INSIDE CONTEXT RACK1
      ip address 192.168.0.65 255.255.255.224
      alias 192.168.0.73 255.255.255.224
      peer ip address 192.168.0.66 255.255.255.224
      mac-address autogenerate
      access-group input acl-in
      service-policy input PM_BYPASS_FOR_LAN_HTTP
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      service-policy input PM_RT_FAX
      no shutdown
    But nothing is working for me. Please help me out. This time I didn't configure the sticky. But in reality I will go with sticky, and the complete IP protocol will be used for the VIP. Please help me out.

  • ACE - timeout inactivity problem

    Hi All,
    I've got a strange problem with session counts and timeout on an ACE (2.1.3).
    I created a connection parameter-map to an existing configuration, added it to the load-balance configuration and then removed and re-added the service policy. The context is in bridge mode.
    parameter-map type connection FINJAN
      set timeout inactivity 60
      set tcp timeout half-closed 60
    policy-map multi-match Finjan-04-LB-policy
      class VIP-production_class
        loadbalance vip inservice
        loadbalance policy production-8080_LB_policy
        loadbalance vip icmp-reply
        connection advanced-options FINJAN
      class VIP-beta_class
        loadbalance vip inservice
        loadbalance policy beta-8080_LB_policy
        loadbalance vip icmp-reply
        connection advanced-options FINJAN
    interface vlan 396
      description slb vlan
      bridge-group 396
      access-group input BPDU
      access-group input PERMIT-ALL
      service-policy input Finjan-04-LB-policy
      no shutdown
    But I'm still seeing sessions with idle times of minutes.
    For example:
    27344 1 in TCP 397 10.199.253.103:3563 61.143.251.173:80 ESTAB
    [ idle time : 00:16:47, byte count : 975 ]
    [ elapsed time: 00:20:30, packet count: 14 ]
    Is there anything else I need to do to make the timeout effective? I need to get this working before I can limit the number of connections to each real server.
    Also the output of "sh serverfarm" shows many more current connections than a "sh conn de" command. Is this expected?
    E.g:
    ace2/finjan# sh serverfarm beta-farm-8080
    serverfarm : beta-farm-8080, type: HOST
    total rservers : 7
    ----------connections-----------
    real weight state current total failures
    ---+---------------------+------+------------+----------+----------+---------
    rserver: beta_blade-1
    10.199.253.111:0 8 OPERATIONAL 44982 39669799 45323
    rserver: beta_blade-2
    10.199.253.112:0 8 OPERATIONAL 49594 42955799 60246
    rserver: beta_blade-3
    10.199.253.113:0 8 OPERATIONAL 51545 46098331 49868
    rserver: beta_blade-4
    10.199.253.114:0 8 OPERATIONAL 51659 46260307 57544
    rserver: production_blade-2
    10.199.253.102:0 8 OPERATIONAL 720 540878 41145
    rserver: production_blade-3
    10.199.253.103:0 8 OPERATIONAL 51270 45832507 45670
    rserver: production_blade-4
    10.199.253.104:0 8 OPERATIONAL 51870 45779920 47624
    when the "sh conn de" reports about 14000 sessions.
    Any help appreciated.
    Thank you
    Cathy

    I moved the service policy from the client vlan to the global config - in the hope of being able to apply the connection parameter-map. Just after I did that the whole ACE reloaded (failure in arp_mgr). Hopefully unrelated.
    I do see unbalanced flows;
    5078 1 in TCP 397 10.199.253.112:6005 211.166.10.66:80 ESTAB
    [ idle time : 00:16:56, byte count : 1644 ]
    [ elapsed time: 00:19:17, packet count: 29 ]
    35 1 out TCP 396 211.166.10.66:80 10.199.253.112:6005 CLOSED
    [ conn in reuse pool : FALSE]
    [ idle time : 00:19:14, byte count : 28504 ]
    [ elapsed time: 00:19:17, packet count: 21 ]
    Is there anything I can do about this or is it dependent on the server-side doing something?
    Thank you
    Cathy

  • Ace ssl-proxy problem, Online store.

    Hello!
    I have a problem with moving our online store load balancing to a Cisco ACE solution from the Windows NLB that it runs on now, and also with relieving the servers of the SSL encryption and decryption of sessions.
    The load balancing works as long as the session is HTTP, but when the "customer" comes to the point where they are going to pay, our shop jumps over to HTTPS, and this is where the problem appears.
    The "customer" is getting the certificate right, but the site is not displayed = the session to the shop seems to die.
    If I have missed something in the config, or if someone has any other idea why this doesn't work for me..
    Appreciate any help!
    My config:
    (at the moment only web5 is in use)
    ACE-1/CO-WEB1# show run
    access-list ANY line 10 extended permit ip any any
    access-list icmp line 8 extended permit icmp any any
    probe http PROBE-HTTP
      interval 3
      passdetect interval 10
      passdetect count 2
      expect status 200 200
      expect status 300 323
    parameter-map type ssl SSLPARAMS
      cipher RSA_WITH_RC4_128_MD5
    rserver host vmware-server1
      description testserver1
      ip address 219.222.4.180
      probe PROBE-HTTP
      inservice
    rserver host vmware-server2
      description testserver 2
      ip address 219.222.4.181
      probe PROBE-HTTP
      inservice
    rserver host web5
      description testserver from windows nlb
      ip address 219.222.4.185
      probe PROBE-HTTP
      inservice
    ssl-proxy service SSL-PROXY-SE
      key cert-se.key
      cert cert-se.pem
      ssl advanced-options SSLPARAMS
    serverfarm host WM-ware_servers
      rserver vmware-server1
        inservice
    serverfarm host webtest
      description testserver-farm
      predictor leastconns
      rserver vmware-server1 80
      rserver vmware-server2 80
      rserver web5
        inservice
    sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
      timeout 60
      serverfarm webtest
    class-map match-all VIP-HTTP
      2 match virtual-address 219.222.4.178 tcp eq www
    class-map match-all VIP-HTTPS
      2 match virtual-address 219.222.4.178 tcp eq https
    class-map type management match-any icmp
      description for icmp reply
      2 match protocol icmp any
    policy-map type management first-match icmp
      class icmp
        permit
    policy-map type loadbalance first-match VIP-HTTP
      class class-default
        sticky-serverfarm STICKY-GROUP1
    policy-map type loadbalance first-match VIP-SSL
      class class-default
        serverfarm webtest
    policy-map multi-match SLB-VIP-HTTP
      class VIP-HTTP
        loadbalance vip inservice
        loadbalance policy VIP-HTTP
        loadbalance vip icmp-reply
      class VIP-HTTPS
        loadbalance vip inservice
        loadbalance policy VIP-SSL
        loadbalance vip icmp-reply
        ssl-proxy server SSL-PROXY-SE
    interface vlan 21
      description ### ACE OUTSIDE mot FW ###
      ip address 219.222.4.171 255.255.255.240
      access-group input ANY
      access-group output ANY
      service-policy input icmp
      service-policy input SLB-VIP-HTTP
      no shutdown
    interface vlan 22
      description ### ACE INSIDE Gateway for Web-servers ###
      ip address 219.222.4.177 255.255.255.240
      access-group input ANY
      access-group output ANY
      service-policy input icmp
      no shutdown
    ip route 0.0.0.0 0.0.0.0 219.222.4.161
    ACE-1/CO-WEB1#
    As seen in "show conn", the sessions are established, first when I enter the site, and then when I go to payment (jumping over to SSL):
    ACE-1/CO-WEB1# show conn
    total current connections : 4
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    4          1  in  TCP   21   219.222.0.2:49972     219.222.4.178:443     ESTAB
    14         1  out TCP   22   219.222.4.185:443     219.222.0.2:49972     ESTAB
    11         2  in  TCP   21   219.222.0.2:49923     219.222.4.178:80      ESTAB
    3          2  out TCP   22   219.222.4.185:80      219.222.0.2:49923     ESTAB
    ACE-1/CO-WEB1#

    Hello Krille
    I had the same problem.
    The HTTP probe you define will check whether the return code is
      expect status 200 200
      expect status 300 323
    Now if a user is accessing the https site, in the flow there will be an expect status like 404; the ACE now does not establish a sticky connection, because it thinks that the flow is not OK.
    The only output after the certificates is a blank site.
    If you change the probing to ICMP you will be able to access the https site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
    regards
    eberhard

  • How to debug ACE FT Sync Problems ?

    Hello,
    in one of our contexts we have a sync problem on the standby unit.
    "sh ft group detail" gives
    "Running cfg sync status : Error on Standby device when applying configuration file replicated from active", while "Startup cfg sync status" is OK.
    "sh crypto files" and "dir disk0:" produce the same output on both ACE units.
    How can we analyze the problem ?

    Hi Gilles,
    unfortunately I can not see a meaningful message. Can you please have a look at the attachments (taken from the standby machine) ?
    Thank you very much in advance.

  • SLES 11 SP3 - VSS Problem

    Hi all,
    I've just installed a fresh SLES 11 SP3 VM. Once rebooted, I noticed this error in the Hyper-V log:
    - Hyper-V Volume Shadow Copy Requestor failed to connect to virtual machine "nameofvm" because the version does not match the version expected by hyper-v (virtual machine ID xyz..) Framework version: Negotiated (0.0) Expected (3.0) Message version: Negotiated (0.0) Expected (4.0) To fix this problem you must upgrade the integration services. To upgrade connect to the virtual machine and select insert ....
    Now, obviously the installer disc doesn't work and all integration services are embedded in the Linux OS. I'm concerned about two major factors: first, how can this problem impact the system once in production? And how can I address (or disable) this integration service?
    Thank you all

    Hi Miralem, I believe there may be one other way to install updates. When you are installing SLES 11 SP3 for the first time, the installation manager GUI asks you if it should apply the updates. You might want to see if that works for you by creating a new VM and closely monitoring the installation manager program.
    If the VM is not going offline while taking the snapshot then this may be a false error. However, if the VM is going offline then probably the snapshot infrastructure is having some issues. Please let me know if you see that the VM is going offline while taking the snapshot.
    Also notice that backup for Linux VMs is only file-system consistent and it is not application consistent. This implies that db snapshots may not have the same level of application data consistency that you have come to expect through use of VSS on Windows. This is because Linux does not have VSS style infrastructure to coordinate with user mode while a snapshot or a backup operation is in progress.
    Please keep me posted on your progress.
    Thanks,
    Abhishek

  • VSS problems on Server 2012

    We have a number of Server 2012 servers and two Server 2012 R2 servers. I use Windows Server Backup to back them up nightly to a remote share. This worked fine on them for several weeks. About two weeks ago, one of the Server 2012 servers began to have the following problem:
    - Backup failed saying the System Writer could not be found
    - Listing writers showed it was not there
    - A lot of stuff on the web talked about permissions issues but this did not seem to be the case.
    - Just restarting the Cryptographic Services service fixes the problem for that day - I can backup multiple times in the same day.  But overnight the problem recurs until I restart the Cryptographic Services service
    A few days later one of my Server 2012 R2 servers had the problem.  Restarting cryptsvc fixed it, and the problem did not recur for a few days.  Then it did.
    So right now:
    - One Server 2012 server has to have the cryptsvc restarted daily
    - One Server 2012 R2 server has to have it restarted occasionally - maybe once a week.
    There has been no change - no new software, etc - in either server.  The backups worked fine for weeks and then this problem happened.
    The Server 2012 server is an admin server and has a lot of software installed; the other has the Pulse software installed and nothing else.
    I have tried a number of recommended solutions off the web, all to no avail.
    Any help would be appreciated.
    jj
    John Thayer Jensen,
    System Administrator, Digital Services,
    The University of Auckland Business School
    Room 260-4136, 12 Grafton Road
    DDI: +64 9 923-7543
    Mobile (work): +64 21 83-3586
    quickdial: 60001
    FAX: +64 9 373-7696

    Hello John,
    System State backup using Windows Server Backup fails with error: System writer is not found in the backup
    http://support.microsoft.com/default.aspx?scid=kb;en-US;2009272
    The issue is caused by a permissions issue with the COM+ Event System Service.
    Check for the existence of a GPO that is setting this permission or if this was not intended then you can simply reset the permissions for the Service Logon User. In this case that is the Local Service.
    Checking for the GPO:
    Start Group Policy Manager
    Expand Policies then Windows Settings and then Security Settings
    Under Security Settings locate System Services and click on it
    Locate "COM+ Event System" in the list of services and confirm that both the "Startup" and "Permissions" columns are set to "Not Defined".
    If these settings are configured you will need to consult with the customer as to what purpose this serves in the environment before making any changes.
    NOTE: Making changes to a group policy can affect all computers to which the policy applies. Take extra care to confirm that the changes you are making will not affect the environment negatively.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. 
    Regards,
    Don [MSFT]

  • ACE dropped conns problem (Bridged mode)

    Dear all,
    I configured an ACE in bridged mode (inside vlan: 2012, outside vlan: 2021) and I applied the L4 policy on the 2 VLAN interfaces to load-balance incoming HTTP requests (Virtual IP: 172.22.22.130).
    interface vlan 2112
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    interface vlan 2122
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    But I also need some other server connected to the same vlan 2112 to send HTTP requests to the same VIP, but this failed and I get dropped conns.
    Can anyone help?
    Regards
    Abdelaziz

    Hi Olivier,
    Below is the full config; my need is to make a server in the inside VLAN 2112 (172.22.22.121) open an HTTPS connection to the VIP (172.22.22.130 for rserver .131 & .132). Traffic from the outside is working well.
    Thanx,
    Abdelaziz
    Generating configuration....
    access-list BPDU-Allow ethertype permit bpdu
    probe tcp HTTPS
      port 443
      interval 15
      passdetect interval 15
      passdetect count 1
    probe icmp PING
      interval 5
    rserver host CASHUB131
      ip address 172.22.22.131
      inservice
    rserver host CASHUB132
      ip address 172.22.22.132
      inservice
    serverfarm host SFARM-EXCAS130
      probe HTTPS
      rserver CASHUB131
        inservice
      rserver CASHUB132
        inservice
    parameter-map type connection TCP_IDLE_30min
      set timeout inactivity 1800
    class-map match-all CLASS-L4-VIP-EXCAS130
      2 match virtual-address 172.22.22.130 any
    class-map type management match-any REMOTE-ACCESS
      description management ACE
      10 match protocol telnet any
      20 match protocol ssh any
      30 match protocol icmp any
      31 match protocol https any
      32 match protocol snmp any
    policy-map type management first-match REMOTE-MGT
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match POLICY-L7-VIP-EXCAS130
      class class-default
        serverfarm SFARM-EXCAS130
    policy-map multi-match POLICY-LB-HMC-2112
      class CLASS-L4-VIP-EXCAS130
        loadbalance vip inservice
        loadbalance policy POLICY-L7-VIP-EXCAS130
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    interface vlan 2112
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    interface vlan 2122
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    interface bvi 1
      ip address 172.22.22.250 255.255.255.0
      peer ip address 172.22.22.251 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.22.22.254

  • Samsung Galaxy Ace - Mountain Lion problem

    Hello,
    I've recently downloaded Mountain Lion for my MacBook Pro. I have been happy with the program itself; however, I have a slight issue. When I tried connecting my Samsung Galaxy Ace to my phone it did not establish a connection. This is quite peculiar, as previously it used to work perfectly, but post-update not so well. I find this quite frustrating now as I cannot put any music on my phone! So I was hoping that somebody would be nice enough to suggest some solutions. I've already tried using a different wire, rebooting my phone and restarting my Mac, but I have had no luck! Hopefully somebody can help me.
    Thanks Junaid
    ( I need to listen to my Jay-Z songs!! ) 

    In my experience with Android Gingerbread, ICS, and Jelly Bean: once you enable USB data/sharing/tethering in the phone settings, then connect a USB cable to the Mac, it just connects and mounts the internal and external SD cards as folders on the Mac desktop. Then you can drag and drop files both ways. You should eject each mounted device to preserve your phone data.

  • ACE port redirection problem

    I am using standard http port 80 in front end (between the end user and ACE module ) and I am using port 9080 for backend (between the ACE and servers).
    I don't want the port number 9080 to show up in the url
    http://www.Trading.com:9080/ANTOnline
    How can I hide the port 9080 from the end user?

    Try this config:
    rserver host Server001
      ip address 10.1.1.1
      inservice
    rserver host Server002
      ip address 10.1.1.2
      inservice
    serverfarm host SF001
      probe CHECK.HTML
      rserver Server001 9080
        inservice
      rserver Server002 9080
        inservice
    class-map match-all R001
      2 match virtual-address 1.1.1.1 tcp eq www
    policy-map type loadbalance first-match P001
      class class-default
        serverfarm SF001
    policy-map multi-match L4-LB
      class R001
        loadbalance vip inservice
        loadbalance policy P001
        loadbalance vip icmp-reply
    It should solve your problems

  • ACE HTTP loadbalancing problem

    What I'm trying to achieve with the below config is that any request coming in with "programming" in the URL will be mapped to one server and all else mapped to a different one. What I see happening is that I can get to the main page but not the page with "programming" in the URL. I have to clear the connections to get mapped to the serverfarm that handles all requests with "programming". I thought it was related to the sticky serverfarm I had configured before, so I reverted to an ordinary serverfarm and it still doesn't work. Any thoughts or suggestions?
    rserver host TEST_01
      ip address 10.10.204.200
      inservice
    rserver host TEST_02
      ip address 10.10.204.201
      inservice
    serverfarm host TEST/PROG_SF
      rserver TEST_02
        inservice
    serverfarm host TEST_SF
      rserver TEST_01
        inservice
    class-map match-any TEST_VS
      2 match virtual-address 10.10.215.27 tcp eq www
      3 match virtual-address 10.10.215.27 tcp eq https
    class-map type http loadbalance match-any TEST/PROG
      3 match http url (/programming.*)
      4 match http url /programming.*
    policy-map type loadbalance first-match TEST_L7SLB
      class TEST/PROG
        serverfarm TEST/PROG_SF
      class class-default
        serverfarm TEST_SF
    policy-map multi-match VIPS
      class TEST_VS
        loadbalance vip inservice
        loadbalance policy TEST_L7SLB
        loadbalance vip icmp-reply
    interface vlan 215
      service-policy input VIPS

    you need to activate persistent rebalance which is not on by default so that subsequent requests inside the same tcp connection can be remapped to a different server if matching a different rule.
    parameter-map type http HTTP-PARAM
      persistence-rebalance
    policy-map multi-match VIPS
      class TEST_VS
        appl-parameter http advanced-options HTTP-PARAM
    Gilles.

  • Problem in ACE

    Hi all,
    We are trying to implement a similar scenario related to ACE as in this blog:
    /people/boris.dingenouts/blog/2006/09/18/the-concept-and-implementation-of-crm-ace
    We have developed our Z class, and did all the necessary configuration. When we try to activate the right, the right gets activated and it schedules a job with the name ACE_DISPATCHER. It remains in active state for a long time and it doesn't seem to complete. Has anyone faced a similar situation before? Is there any way to control this?
    Please help me out.
    Thanks.
    Best regards,
    Ravikiran.

    Hi,
    We found that the Dispatcher is in sleep mode - even after applying notes 1055525 and 990171, the problem still remains.
    We are trying to build a situation where a user would be able to edit a BP only if he (corresponding BP) has a relationship type contact person with the BP.
    Everyone else will have display authorization only.
    Any tips - can ACE handle this problem?
    regards
    Pras

  • ACE issue for rserver with multiple IP on the same NIC

    Dear all,
    I'm going to configure an ACE in bridged mode to load balance incoming traffic to 3 TMG servers following this network diagram:
    The system design requires 4 IP addresses on the same NIC, and 3 VIPs for each pool of IPs as presented in the diagram (rserver: 172.22.14.52 & 62 & 72 - VIP: 172.22.14.82). The attached configuration of the ACE was tested successfully, but we discovered that some NICs crash after a non-specific period (the server cannot ping its default gateway: Destination unreachable). I then need to restart the server to get things going well.
    After troubleshooting many things, I discovered that when I remove the service policy on the ACE interface, the problem disappears and the servers continue to work correctly.
    Is it possible that this problem is due to the ACE ARP table having 3 IP addresses with the same MAC? And how can I solve it?
    Thanks, Abdelaziz

    To help, here is the show arp result. I see that the four IP addresses of each server have the same MAC address but only the first IP is LEARNED. Is that normal?
    ================================================================================
    IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
    ================================================================================
    172.22.14.51    00.c0.dd.16.90.4c  vlan2014  LEARNED    15067  13964 sec    up
    172.22.14.52    00.c0.dd.16.90.4c  vlan2014  RSERVER    15051  173 sec      up
    172.22.14.53    00.c0.dd.16.90.4c  vlan2014  RSERVER    15057  177 sec      up
    172.22.14.54    00.c0.dd.16.90.4c  vlan2014  RSERVER    15059  178 sec      up
    172.22.14.61    00.c0.dd.16.ae.60  vlan2014  LEARNED    15058  13677 sec    up
    172.22.14.62    00.c0.dd.16.ae.60  vlan2014  RSERVER    15050  172 sec      up
    172.22.14.63    00.c0.dd.16.ae.60  vlan2014  RSERVER    15064  181 sec      up
    172.22.14.64    00.c0.dd.16.ae.60  vlan2014  RSERVER    15061  179 sec      up
    172.22.14.71    00.c0.dd.16.93.b8  vlan2014  LEARNED    15065  13700 sec    up
    172.22.14.72    00.c0.dd.16.93.b8  vlan2014  RSERVER    15048  171 sec      up
    172.22.14.73    00.c0.dd.16.93.b8  vlan2014  RSERVER    15062  179 sec      up
    172.22.14.74    00.c0.dd.16.93.b8  vlan2014  RSERVER    15068  291 sec      up
    172.22.14.253   88.43.e1.75.9a.80  vlan2024  LEARNED    15019  9328 sec     up
    172.22.14.254   88.43.e1.75.96.00  vlan2024  GATEWAY    14463  36 sec       up
    172.22.14.250   00.23.5e.26.1e.71  bvi3      INTERFACE  LOCAL     _         up
    ================================================================================
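
An added example (not part of the original post) that parses `show arp` output in the format shown above and groups addresses by MAC, so entries that share a MAC and how each was populated (LEARNED or RSERVER) can be listed directly. The function names are hypothetical, and the embedded sample is a subset of the rows from the post.

```python
from collections import defaultdict

# Sample input: a subset of the rows from the "show arp" output in the post.
SHOW_ARP = """\
================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
================================================================================
172.22.14.51    00.c0.dd.16.90.4c  vlan2014  LEARNED    15067  13964 sec    up
172.22.14.52    00.c0.dd.16.90.4c  vlan2014  RSERVER    15051  173 sec      up
172.22.14.53    00.c0.dd.16.90.4c  vlan2014  RSERVER    15057  177 sec      up
172.22.14.54    00.c0.dd.16.90.4c  vlan2014  RSERVER    15059  178 sec      up
172.22.14.61    00.c0.dd.16.ae.60  vlan2014  LEARNED    15058  13677 sec    up
172.22.14.62    00.c0.dd.16.ae.60  vlan2014  RSERVER    15050  172 sec      up
172.22.14.254   88.43.e1.75.96.00  vlan2024  GATEWAY    14463  36 sec       up
172.22.14.250   00.23.5e.26.1e.71  bvi3      INTERFACE  LOCAL     _         up
"""

def parse_show_arp(text):
    """Parse 'show arp' rows into dicts; ruler and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        # Data rows start with a dotted IPv4 address and have at least 5 columns.
        if len(tokens) < 5 or tokens[0].count(".") != 3 or not tokens[0][0].isdigit():
            continue
        entries.append({"ip": tokens[0], "mac": tokens[1].lower(),
                        "interface": tokens[2], "type": tokens[3],
                        "status": tokens[-1]})  # status is always the last column
    return entries

def ips_sharing_a_mac(entries):
    """Return {mac: [(ip, type), ...]} for every MAC that holds more than one IP."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append((e["ip"], e["type"]))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def not_up(entries):
    """Entries whose status is not 'up' or whose MAC is still all zeros."""
    return [e for e in entries
            if e["status"] != "up" or set(e["mac"]) <= {"0", "."}]

if __name__ == "__main__":
    rows = parse_show_arp(SHOW_ARP)
    for mac, ips in ips_sharing_a_mac(rows).items():
        print(mac, ips)
    print("not up:", not_up(rows))
```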

  • ACE design issue

    Hi,
    my question is about design.
    At the left side, the server and the ACE vlan interfaces are directly connected to
    the same vlan. VIP traffic flow is green, server management is brown.
    The problem is that with this design I'm restricted to one server vlan per context,
    because the server gateway is the ACE and the ACE-gateway is the server-vlan-interface
    at the core.
    When the VIP is used, traffic flow is:
    1) World is routed to the VIP-VLAN Interface on the core
    2) Core sends traffic to the VIP
    3) ACE sends traffic to the server through server-vlan-interface
    4) server sends back to the ACE
    5) ACE sends back to core through the VIP VLAN
    6) core sends traffic to world, everything is fine
    Now our server admins want to administrate from different locations:
    w/o adding host routes to the core:
    1) Admin tries to connect to the server
    2) World is routed to the Server-VLAN Interface on the core
    3) Core sends traffic to the server
    4) server sends traffic to default-gw (ACE)
    5) ACE drops traffic due to seeing traffic in only one direction, saying no matching session
    Todo: Add host route into core to force the traffic to use the ace for
    every single server.
    with adding host routes to the core:
    1) Admin tries to connect to the server
    2) World is routed to the Server-VLAN Interface on the core
    3) Core sends traffic to the ACE server-VLAN-interface, due to host route
    4) ACE sends to the server
    5) server sends traffic to default-gw (ACE)
    6) ACE to core via server-vlan-interface (default route), core to world and everything is fine
    Now it's impossible to add another Server-VLAN interface to the ACE, because the destinations
    are all the same (world) and the gateway on the ACE has to be the VLAN routing instance, the core.
    So I have a default route to one server-vlan-interface on the core and all traffic passing the ACE uses
    this gw. The result is that the traffic is blocked by our Firewall.
    My plan is now to implement a transit-VLAN (shown on the right side of my pic) for making
    my job easier (no host routes, no server admin needed (!) to change gateways..... ) and
    overcome the different kind of problems.
    My question is now:
    Is it ensured that the ACE will see all its traffic?
    I think all should be fine, because the traffic path is unique.
    Thanks for reading ^^ and for posting some opinions.
    Regards from Germany

    If I understand correctly, the servers would not be directly connected to the ACE anymore.
    Their gateway would not be the ACE anymore.
    Problem with this is to guarantee that server response to a *world* request goes back to ACE.
    Without any specific action/config, this won't happen.
    The server will forward its response to its gateway which will send it directly to the outside world, bypassing ACE and creating the same asymmetry you're trying to solve.
    To solve this, you will need to do source NATing on ACE.
    But then your servers will lose information about client source IP address (no more stats based on that info).
    Unless you configure header insert and modify the server to read that info in each request.
    As you can see this is not quite easy.
    You could try bridge mode.
    Create another vlan, and bridge it (BVI) with existing server vlan.
    Keep the servers in their original vlan and connect the gateway to the new vlan (without changing ip addresses).
    ACE will then be in the middle of GW and ACE.
    Gilles.

  • 6500 VSS Chassis in unknown state

    Hi,
    we have 6500 chassis in our setup. But using CWLMS 4.0, we are unable to manage the VSS feature of the 6500. Also,
    user tracking for Nexus 7K switch subnets is not working.
    Please guide.
    Rgrds,
    Soumik.

    Hi,
    Would you mind posting some more information about the VSS problem? (Exact steps or maybe a screenshot of what you are doing.) I didn't have any major issues configuring Cisco 6500 VSS in LMS or NCS. Minor ones were some SNMP MIBs which you can simply ignore.
    Predrag Petrovic
