ACE on VSS problem
I have a VSS cluster (2x6509) with an ACE blade in each. I had to upgrade the software (ACE A2) so it could be recognised by the VSS. I have connectivity to the network from the first ACE, but the second cannot ARP its default gateway. Both ACE blades are on the same management VLAN.
Any help will be appreciated. Following is the config:
svclc multiple-vlan-interfaces
svclc switch 1 module 1 vlan-group 1
svclc switch 2 module 1 vlan-group 1
svclc vlan-group 1 88
access-list ANY line 8 extended permit ip any any
policy-map type management first-match remote-access
class remote-mgmt
permit
interface vlan 88
description Axfood MGMT-LAN
ip address 194.132.91.239 255.255.255.128
access-group ANY
no shutdown
ip route 0.0.0.0 0.0.0.0 194.132.91.254
show arp
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
194.132.91.238 00.21.a0.82.8e.e9 vlan88 LEARNED 519 12340 sec up
194.132.91.239 00.21.a0.82.8e.39 vlan88 INTERFACE LOCAL _ up
194.132.91.251 00.25.46.21.c8.00 vlan88 LEARNED 518 4807 sec up
194.132.91.254 00.00.00.00.00.00 vlan88 GATEWAY - * 3 req dn
sho interface
switch/Admin# show int
vlan88 is up
Hardware type is VLAN
MAC address is 00:21:a0:82:8e:39
Mode : routed
IP address is 194.132.91.239 netmask is 255.255.255.128
FT status is non-redundant
Description:Axfood MGMT-LAN
MTU: 1500 bytes
Last cleared: never
Alias IP address not set
Peer IP address not set
Assigned from the Supervisor, up on Supervisor
45822 unicast packets input, 553642216 bytes
8022597 multicast, 218206 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
301 unicast packets output, 33548570 bytes
0 multicast, 523889 broadcast
0 output errors, 0 ignored
It looks like you don't have FT (alias & peer IPs) set up.
If the second ACE still can't ARP or ping the gateway after you get that taken care of, check w/ TAC to see if you're hitting bug CSCsz50968.
We ran into it when we were doing a bunch of failover tests between the two VSS chassis.
Similar Messages
-
Hi,
I have an ACE 4701 with the c4710ace-mz.A3_2_2.bin image. In the current setup the ACE is located in the center of the network, where the WAN, Internet and LAN are all connected. The ACE has its default route towards the Internet, and all other segments have their default route towards the ACE appliance. The ACE only redirects port 80 traffic to my proxy server and bypasses my LAN subnets on port 80.
Internet
   |
   |
  ACE -------------------------------- WAN
   |
   |
  LAN
I want to use the ACE for load balancing two servers. Today I did the load balancing configuration, but as soon as I applied the policy map on the interfaces vlan 200 and 300, my complete network reachability went down. When I removed the policy my network came back to normal.
192.168.200.66 FAX Server-1
192.168.200.67 FAX Server-2
192.168.200.65 Virtual IP address
Attached is the configuration that I did on ACE for the load balancing and below is the current configuration of the ACE appliance.
access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
access-list acl-in line 1 extended permit ip any any
access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
access-list acl-out line 1 extended permit ip any any
access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
access-list acl-proxy line 1 extended permit ip any any
access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
access-list acl-wan line 1 extended permit ip any any
probe tcp PROBE_5050
port 5050
interval 15
passdetect interval 60
open 1
probe tcp PROBE_5101
port 5101
interval 15
passdetect interval 60
open 1
probe tcp PROBE_TCP
port 80
interval 15
passdetect interval 60
open 1
parameter-map type http PARAMAP_CASE
case-insensitive
no persistence-rebalance
rserver host RS_BCPR01
ip address 192.168.0.103
inservice
rserver host RS_BCPR02
ip address 192.168.0.104
inservice
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
serverfarm host SF_BCPR
transparent
probe PROBE_5050
probe PROBE_5101
probe PROBE_TCP
rserver RS_BCPR01
inservice
rserver RS_BCPR02
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
rserver RT_fax2
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
replicate sticky
serverfarm SF_BCPR
sticky ip-netmask 255.255.255.255 address source FAX-STICKY
replicate sticky
serverfarm SF_RT_fax
class-map type management match-any CM_ALL
2 match protocol snmp any
3 match protocol http any
4 match protocol https any
5 match protocol icmp any
6 match protocol telnet any
class-map match-any CM_BYPASS_FOR_LAN
3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_BYPASS_SUBNET
9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
class-map match-any CM_IM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
class-map match-all CM_SF_BCPR
255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
class-map match-any RT_FAX
2 match virtual-address 192.168.200.65 0.0.0.0 any
policy-map type management first-match PM_ALL
class CM_ALL
permit
policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
class class-default
forward
policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
class class-default
forward
policy-map type loadbalance first-match PM_LB_RT_FAX
class class-default
sticky-serverfarm FAX-STICKY
policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
class class-default
sticky-serverfarm STICKY-SOURCE
policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
class CM_BYPASS_FOR_LAN
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
policy-map multi-match PM_BYPASS_HTTP
class CM_BYPASS_SUBNET
loadbalance vip inservice
loadbalance policy PM_L7_BYPASS_HTTP
policy-map multi-match PM_MAIN_BCPROXY
class CM_SF_BCPR
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
loadbalance vip icmp-reply active
appl-parameter http advanced-options PARAMAP_CASE
class CM_IM
loadbalance vip inservice
loadbalance policy PM_LB_SF_BCPROXY
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
service-policy input PM_ALL
interface vlan 100
description FW-INSIDE CONTEXT RACK1
ip address 192.168.0.5 255.255.255.224
alias 192.168.0.11 255.255.255.224
peer ip address 192.168.0.6 255.255.255.224
mac-address autogenerate
no icmp-guard
access-group input acl-out
no shutdown
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
no shutdown
interface vlan 301
description BC-VLAN CONTEXT RACK1
ip address 192.168.0.97 255.255.255.224
alias 192.168.0.107 255.255.255.224
peer ip address 192.168.0.98 255.255.255.224
mac-address autogenerate
access-group input acl-proxy
no shutdown
ft track interface TRACKING_FOR_FT_VLAN
track-interface vlan 300
peer track-interface vlan 300
priority 255
peer priority 255
ip route 0.0.0.0 0.0.0.0 192.168.0.1
Please help me find out what I am missing. Is there any limitation on the policy map, or is my bypass subnet list creating the problem?
I did these changes. This time nothing disconnected, but I am not able to do Remote Desktop on the virtual IP address. The real IP has Remote Desktop enabled. Even the VIP is not pingable for me.
rserver host RT_fax1
description Right Fax Server-1
ip address 192.168.200.66
inservice
rserver host RT_fax2
description Right Fax Server-2
ip address 192.168.200.67
inservice
serverfarm host SF_RT_fax
rserver RT_fax1
inservice
rserver RT_fax2
inservice
policy-map type loadbalance rdp first-match PM_LB_RT_FAX
class class-default
serverfarm SF_RT_fax
policy-map multi-match PM_RT_FAX
class RT_FAX
loadbalance vip inservice
loadbalance policy PM_LB_RT_FAX
loadbalance vip icmp-reply active
interface vlan 200
description WAN-VLAN CONTEXT RACK1
ip address 192.168.0.33 255.255.255.224
alias 192.168.0.43 255.255.255.224
peer ip address 192.168.0.34 255.255.255.224
mac-address autogenerate
access-group input acl-wan
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
alias 192.168.0.73 255.255.255.224
peer ip address 192.168.0.66 255.255.255.224
mac-address autogenerate
access-group input acl-in
service-policy input PM_BYPASS_FOR_LAN_HTTP
service-policy input PM_BYPASS_HTTP
service-policy input PM_MAIN_BCPROXY
service-policy input PM_RT_FAX
no shutdown
But nothing is working for me. Please help me out. This time I didn't configure the sticky. But in reality I will go with sticky, and the complete IP protocol will use a VIP. Please help me out.
-
ACE - timeout inactivity problem
Hi All,
I've got a strange problem with session counts and timeout on an ACE (2.1.3).
I created a connection parameter-map to an existing configuration, added it to the load-balance configuration and then removed and re-added the service policy. The context is in bridge mode.
parameter-map type connection FINJAN
set timeout inactivity 60
set tcp timeout half-closed 60
policy-map multi-match Finjan-04-LB-policy
class VIP-production_class
loadbalance vip inservice
loadbalance policy production-8080_LB_policy
loadbalance vip icmp-reply
connection advanced-options FINJAN
class VIP-beta_class
loadbalance vip inservice
loadbalance policy beta-8080_LB_policy
loadbalance vip icmp-reply
connection advanced-options FINJAN
interface vlan 396
description slb vlan
bridge-group 396
access-group input BPDU
access-group input PERMIT-ALL
service-policy input Finjan-04-LB-policy
no shutdown
But I'm still seeing sessions with idle times of minutes.
For example:
27344 1 in TCP 397 10.199.253.103:3563 61.143.251.173:80 ESTAB
[ idle time : 00:16:47, byte count : 975 ]
[ elapsed time: 00:20:30, packet count: 14 ]
Is there anything else I need to do to make the timeout effective? I need to get this working before I can limit the number of connections to each real server.
Also the output of "sh serverfarm" shows many more current connections than a "sh conn de" command. Is this expected?
E.g:
ace2/finjan# sh serverfarm beta-farm-8080
serverfarm : beta-farm-8080, type: HOST
total rservers : 7
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: beta_blade-1
10.199.253.111:0 8 OPERATIONAL 44982 39669799 45323
rserver: beta_blade-2
10.199.253.112:0 8 OPERATIONAL 49594 42955799 60246
rserver: beta_blade-3
10.199.253.113:0 8 OPERATIONAL 51545 46098331 49868
rserver: beta_blade-4
10.199.253.114:0 8 OPERATIONAL 51659 46260307 57544
rserver: production_blade-2
10.199.253.102:0 8 OPERATIONAL 720 540878 41145
rserver: production_blade-3
10.199.253.103:0 8 OPERATIONAL 51270 45832507 45670
rserver: production_blade-4
10.199.253.104:0 8 OPERATIONAL 51870 45779920 47624
when the "sh conn de" reports about 14000 sessions.
Any help appreciated.
Thank you
Cathy
I moved the service policy from the client vlan to the global config - in the hope of being able to apply the connection parameter-map. Just after I did that the whole ACE reloaded (failure in arp_mgr). Hopefully unrelated.
I do see unbalanced flows;
5078 1 in TCP 397 10.199.253.112:6005 211.166.10.66:80 ESTAB
[ idle time : 00:16:56, byte count : 1644 ]
[ elapsed time: 00:19:17, packet count: 29 ]
35 1 out TCP 396 211.166.10.66:80 10.199.253.112:6005 CLOSED
[ conn in reuse pool : FALSE]
[ idle time : 00:19:14, byte count : 28504 ]
[ elapsed time: 00:19:17, packet count: 21 ]
Is there anything I can do about this or is it dependent on the server-side doing something?
Thank you
Cathy
-
Ace ssl-proxy problem, Online store.
Hello!
I have a problem with moving our online store load balancing from the Windows NLB it runs on now to a Cisco ACE solution, and also relieving the servers of the SSL encrypting and decrypting of sessions.
The load balancing works as long as the session is HTTP, but when the "customer" comes to the point of paying, our shop jumps over to HTTPS, and this is where the problem appears.
The "customer" gets the certificate correctly, but the site is not displayed; the session to the shop seems to die.
Have I missed something in the config, or does someone have any other idea why this doesn't work for me?
Appreciate any help!
My config:
(at the moment only web5 is in use)
ACE-1/CO-WEB1# show run
access-list ANY line 10 extended permit ip any any
access-list icmp line 8 extended permit icmp any any
probe http PROBE-HTTP
interval 3
passdetect interval 10
passdetect count 2
expect status 200 200
expect status 300 323
parameter-map type ssl SSLPARAMS
cipher RSA_WITH_RC4_128_MD5
rserver host vmware-server1
description testserver1
ip address 219.222.4.180
probe PROBE-HTTP
inservice
rserver host vmware-server2
description testserver 2
ip address 219.222.4.181
probe PROBE-HTTP
inservice
rserver host web5
description testserver from windows nlb
ip address 219.222.4.185
probe PROBE-HTTP
inservice
ssl-proxy service SSL-PROXY-SE
key cert-se.key
cert cert-se.pem
ssl advanced-options SSLPARAMS
serverfarm host WM-ware_servers
rserver vmware-server1
inservice
serverfarm host webtest
description testserver-farm
predictor leastconns
rserver vmware-server1 80
rserver vmware-server2 80
rserver web5
inservice
sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
timeout 60
serverfarm webtest
class-map match-all VIP-HTTP
2 match virtual-address 219.222.4.178 tcp eq www
class-map match-all VIP-HTTPS
2 match virtual-address 219.222.4.178 tcp eq https
class-map type management match-any icmp
description for icmp reply
2 match protocol icmp any
policy-map type management first-match icmp
class icmp
permit
policy-map type loadbalance first-match VIP-HTTP
class class-default
sticky-serverfarm STICKY-GROUP1
policy-map type loadbalance first-match VIP-SSL
class class-default
serverfarm webtest
policy-map multi-match SLB-VIP-HTTP
class VIP-HTTP
loadbalance vip inservice
loadbalance policy VIP-HTTP
loadbalance vip icmp-reply
class VIP-HTTPS
loadbalance vip inservice
loadbalance policy VIP-SSL
loadbalance vip icmp-reply
ssl-proxy server SSL-PROXY-SE
interface vlan 21
description ### ACE OUTSIDE mot FW ###
ip address 219.222.4.171 255.255.255.240
access-group input ANY
access-group output ANY
service-policy input icmp
service-policy input SLB-VIP-HTTP
no shutdown
interface vlan 22
description ### ACE INSIDE Gateway for Web-servers ###
ip address 219.222.4.177 255.255.255.240
access-group input ANY
access-group output ANY
service-policy input icmp
no shutdown
ip route 0.0.0.0 0.0.0.0 219.222.4.161
ACE-1/CO-WEB1#
As seen in "show conn", the sessions are established, first when I enter the site, and then when I go to payment (jumping over to SSL):
ACE-1/CO-WEB1# show conn
total current connections : 4
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
ACE-1/CO-WEB1#
Hello Krille,
I had the same problem.
The HTTP probe you define will check whether the return code is
expect status 200 200
expect status 300 323
Now if a user is accessing the https site, there will be a status like 404 in the flow; the ACE then does not establish a sticky connection, because it thinks that the flow is not OK.
The only output after the certificates is a blank site.
If you change the probing to ICMP you will be able to access the https site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
Regards,
eberhard
-
How to debug ACE FT Sync Problems ?
Hello,
in one of our contexts we have a sync problem on the standby unit.
"sh ft group detail" gives
"Running cfg sync status : Error on Standby device when applying configuration file replicated from active", while "Startup cfg sync status" is OK.
"sh crypto files" and "dir disk0:" produce the same output on both ACE units.
How can we analyze the problem?
Hi Gilles,
unfortunately I cannot see a meaningful message. Can you please have a look at the attachments (taken from the standby machine)?
Thank you very much in advance.
-
Hi all,
I've just installed a fresh SLES 11 SP3 VM. Once rebooted, I noticed this error in the Hyper-V log:
- Hyper-V Volume Shadow Copy Requestor failed to connect to virtual machine "nameofvm" because the version does not match the version expected by hyper-v (virtual machine ID xyz..) Framework version: Negotiated (0.0) Expected (3.0) Message version: Negotiated (0.0) Expected (4.0) To fix this problem you must upgrade the integration services. To upgrade connect to the virtual machine and select insert ....
Now, obviously the installer disc doesn't work and all integration services are embedded in the Linux OS. I'm concerned about two major factors: first, how can this problem impact the system once in production? And how can I address (or disable) this integration service?
Thank you all
Hi Miralem, I believe there may be one other way to install updates. When you are installing SLES 11 SP3 for the first time, the installation manager GUI asks you if it should apply the updates. You might want to see if that works for you by creating a new VM and closely monitoring the installation manager program.
If the VM is not going offline while taking the snapshot then this may be a false error. However, if the VM is going offline then probably the snapshot infrastructure is having some issues. Please let me know if you see that the VM is going offline while
taking the snapshot.
Also notice that backup for Linux VMs is only file-system consistent and it is not application consistent. This implies that db snapshots may not have the same level of application data consistency that you have come to expect through use of VSS on Windows.
This is because Linux does not have VSS style infrastructure to coordinate with user mode while a snapshot or a backup operation is in progress.
Please keep me posted on your progress.
Thanks,
Abhishek
-
We have a number of Server 2012 servers and two Server 2012 R2 servers. I use Windows Server Backup to back them up nightly to a remote share. This worked fine on them for several weeks. About two weeks ago, one of the Server 2012 servers
began to have the following problem:
- Backup failed saying the System Writer could not be found
- Listing writers showed it was not there
- A lot of stuff on the web talked about permissions issues but this did not seem to be the case.
- Just restarting the Cryptographic Services service fixes the problem for that day - I can backup multiple times in the same day. But overnight the problem recurs until I restart the Cryptographic Services service
A few days later one of my Server 2012 R2 servers had the problem. Restarting cryptsvc fixed it, and the problem did not recur for a few days. Then it did.
So right now:
- One Server 2012 server has to have the cryptsvc restarted daily
- One Server 2012 R2 server has to have it restarted occasionally - maybe once a week.
There has been no change - no new software, etc - in either server. The backups worked fine for weeks and then this problem happened.
The Server 2012 server is an admin server and has a lot of software installed; the other has the Pulse software installed and nothing else.
I have tried a number of recommended solutions off the web, all to no avail.
Any help would be appreciated.
jj
John Thayer Jensen,
System Administrator, Digital Services,
The University of Auckland Business School
Room 260-4136, 12 Grafton Road
DDI: +64 9 923-7543
Mobile (work): +64 21 83-3586
quickdial: 60001
FAX: +64 9 373-7696
Hello John,
System State backup using Windows Server Backup fails with error: System writer is not found in the backup
http://support.microsoft.com/default.aspx?scid=kb;en-US;2009272
The issue is caused by a permissions issue with the COM+ Event System Service.
Check for the existence of a GPO that is setting this permission or if this was not intended then you can simply reset the permissions for the Service Logon User. In this case that is the Local Service.
Checking for the GPO:
Start Group Policy Manager
Expand Policies then Windows Settings and then Security Settings
Under Security Settings locate System Services and click on it
Locate "COM+ Event System" in the list of services and confirm that both the "Startup" and "Permissions" columns are set to "Not Defined".
If these settings are configured you will need to consult with the customer as to what purpose this serves in the environment before making any changes.
NOTE: Making changes to a group policy can affect all computers to which the policy applies. Take extra care to confirm that the changes you are making will not affect the environment negatively.
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Regards,
Don [MSFT]
-
ACE dropped conns problem (Bridged mode)
Dear all,
I configured an ACE in bridged mode (inside vlan: 2012, outside vlan: 2021) and I applied the L4 policy on the 2 VLAN interfaces to load-balance incoming HTTP requests (Virtual IP: 172.22.22.130).
interface vlan 2112
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface vlan 2122
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
But I also need some other servers connected to the same VLAN 2112 to send HTTP requests to the same VIP, but this fails and I get dropped conns.
Can anyone help?
Regards
Abdelaziz
Hi Olivier,
Below is the full config. My need is for a server in the inside VLAN 2112 (172.22.22.121) to open an HTTPS connection to the VIP (172.22.22.130 for rserver .131 & .132). Traffic from the outside is working well.
Thanks,
Abdelaziz
Generating configuration....
access-list BPDU-Allow ethertype permit bpdu
probe tcp HTTPS
port 443
interval 15
passdetect interval 15
passdetect count 1
probe icmp PING
interval 5
rserver host CASHUB131
ip address 172.22.22.131
inservice
rserver host CASHUB132
ip address 172.22.22.132
inservice
serverfarm host SFARM-EXCAS130
probe HTTPS
rserver CASHUB131
inservice
rserver CASHUB132
inservice
parameter-map type connection TCP_IDLE_30min
set timeout inactivity 1800
class-map match-all CLASS-L4-VIP-EXCAS130
2 match virtual-address 172.22.22.130 any
class-map type management match-any REMOTE-ACCESS
description management ACE
10 match protocol telnet any
20 match protocol ssh any
30 match protocol icmp any
31 match protocol https any
32 match protocol snmp any
policy-map type management first-match REMOTE-MGT
class REMOTE-ACCESS
permit
policy-map type loadbalance first-match POLICY-L7-VIP-EXCAS130
class class-default
serverfarm SFARM-EXCAS130
policy-map multi-match POLICY-LB-HMC-2112
class CLASS-L4-VIP-EXCAS130
loadbalance vip inservice
loadbalance policy POLICY-L7-VIP-EXCAS130
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
interface vlan 2112
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface vlan 2122
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface bvi 1
ip address 172.22.22.250 255.255.255.0
peer ip address 172.22.22.251 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.22.22.254
-
Samsung Galaxy Ace - Mountain Lion problem
Hello,
I've recently downloaded Mountain Lion for my MacBook Pro. I have been happy with the program itself, however I have a slight issue. When I tried connecting my Samsung Galaxy Ace to my phone it did not establish a connection. This is quite peculiar, as previously it used to work perfectly, but post update not so well. I find this quite frustrating now as I cannot put any music on my phone! So I was hoping that somebody would be nice enough to suggest some solutions. I've already tried using a different wire, rebooting my phone and restarting my Mac, but I have no luck! Hopefully somebody can help me.
Thanks, Junaid
( I need to listen to my Jay-Z songs!! )
In my experience with Android Gingerbread, ICS, and Jelly Bean: once you enable USB data/sharing/tethering in the phone settings, then connect a USB cable to the Mac, it just connects and mounts the internal and external SD cards as folders on the Mac desktop. Then you can drag and drop files both ways. You should eject each mounted device to preserve your phone data.
-
I am using standard http port 80 in front end (between the end user and ACE module ) and I am using port 9080 for backend (between the ACE and servers).
I don't want the port number 9080 to show up in the url
http://www.Trading.com:9080/ANTOnline
How can I hide the port 9080 from the end user?
Try this config:
rserver host Server001
ip address 10.1.1.1
inservice
rserver host Server002
ip address 10.1.1.2
inservice
serverfarm host SF001
probe CHECK.HTML
rserver Server001 9080
inservice
rserver Server002 9080
inservice
class-map match-all R001
2 match virtual-address 1.1.1.1 tcp eq www
policy-map type loadbalance first-match P001
class class-default
serverfarm SF001
policy-map multi-match L4-LB
class R001
loadbalance vip inservice
loadbalance policy P001
loadbalance vip icmp-reply
It should solve your problems
-
ACE HTTP loadbalancing problem
What I'm trying to achieve with the below config is that any request coming in with "programming" in the URL will be mapped to one server and all else mapped to a different one. What I see happening is that I can get to the main page but not the page with "programming" in the URL. I have to clear the connections to get mapped to the serverfarm that handles all requests with "programming". I thought it was related to the sticky serverfarm I had configured before, so I reverted to an ordinary serverfarm and it still doesn't work. Any thoughts or suggestions?
rserver host TEST_01
ip address 10.10.204.200
inservice
rserver host TEST_02
ip address 10.10.204.201
inservice
serverfarm host TEST/PROG_SF
rserver TEST_02
inservice
serverfarm host TEST_SF
rserver TEST_01
inservice
class-map match-any TEST_VS
2 match virtual-address 10.10.215.27 tcp eq www
3 match virtual-address 10.10.215.27 tcp eq https
class-map type http loadbalance match-any TEST/PROG
3 match http url (/programming.*)
4 match http url /programming.*
policy-map type loadbalance first-match TEST_L7SLB
class TEST/PROG
serverfarm TEST/PROG_SF
class class-default
serverfarm TEST_SF
policy-map multi-match VIPS
class TEST_VS
loadbalance vip inservice
loadbalance policy TEST_L7SLB
loadbalance vip icmp-reply
interface vlan 215
service-policy input VIPS
You need to activate persistent rebalance which is not on by default so that subsequent requests inside the same tcp connection can be remapped to a different server if matching a different rule.
parameter-map type http HTTP-PARAM
persistence-rebalance
policy-map multi-match VIPS
class TEST_VS
appl-parameter http advanced-options HTTP-PARAM
Gilles.
-
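The behaviour Gilles describes can be seen in a small model of the L7 decision. This Python sketch is an added example, not part of the thread and not ACE code: the function names are hypothetical, the rule and serverfarm names are taken from the config above, and the request sequences are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UrlRule:
    regex: str        # URL regex from the class-map
    serverfarm: str   # serverfarm the matching class points at


# Mirrors "class TEST/PROG -> serverfarm TEST/PROG_SF" and
# "class class-default -> serverfarm TEST_SF" from the posted config.
RULES = [UrlRule(r"/programming.*", "TEST/PROG_SF")]
DEFAULT_FARM = "TEST_SF"


def classify(url, rules=RULES, default=DEFAULT_FARM):
    """First-match lookup: the farm a request SHOULD reach for its URL."""
    for rule in rules:
        if re.fullmatch(rule.regex, url):
            return rule.serverfarm
    return default


def route_connection(urls, persistence_rebalance):
    """Farm actually used for each request on ONE keep-alive TCP connection.

    Without persistence-rebalance the decision is taken on the first
    request only and reused for the rest of the connection; with it,
    every request is classified again.
    """
    farms = []
    current = None
    for url in urls:
        if current is None or persistence_rebalance:
            current = classify(url)
        farms.append(current)
    return farms


def misrouted(urls, persistence_rebalance):
    """(url, farm used, farm expected) for requests sent to the wrong farm."""
    used = route_connection(urls, persistence_rebalance)
    return [(u, got, classify(u)) for u, got in zip(urls, used)
            if got != classify(u)]


# Constructed browser session: main page first, then the /programming page,
# all on the same persistent connection.
KEEPALIVE_SESSION = ["/", "/programming/index.html", "/images/logo.gif"]

if __name__ == "__main__":
    for flag in (False, True):
        print("persistence-rebalance =", flag)
        for url, farm in zip(KEEPALIVE_SESSION,
                             route_connection(KEEPALIVE_SESSION, flag)):
            print(f"  {url:28s} -> {farm}")
        print("  misrouted:", misrouted(KEEPALIVE_SESSION, flag))
```

With the flag off, the second request stays on TEST_SF, which matches the symptom in the question: the main page loads, and the /programming page is only reached after the connection is cleared.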
Hi all,
We are trying to implement a similar scenario related to ACE as in this blog:
/people/boris.dingenouts/blog/2006/09/18/the-concept-and-implementation-of-crm-ace
We have developed our Z class and did all the necessary configuration. When we try to activate the right, the right gets activated and it schedules a job with the name ACE_DISPATCHER. It remains in active state for a long time and doesn't seem to complete. Has anyone faced a similar situation before? Is there any way to control this?
Please help me out.
Thanks.
Best regards,
Ravikiran.
Hi,
We found that the dispatcher is in sleep mode; even after applying notes 1055525 and 990171, the problem still remains.
We are trying to build a situation, where a User would be able to edit a BP, only if he (corresponding BP) has a relationship type contact person with the BP.
Everyone else will have display authorization only
Any tips - can ACE handle this problem?
regards
Pras
-
ACE issue for rserver with multiple IP on the same NIC
Dear all,
I'm going to configure an ACE in bridged mode to load balance incoming traffic to 3 TMG servers following this network diagram:
The system design requires 4 IP addresses on the same NIC, and 3 VIPs for each pool of the IPs as presented in the diagram (rserver: 172.22.14.52 & 62 & 72 - VIP: 172.22.14.82). The attached configuration of the ACE was tested successfully, but we discovered that some NICs crash after a non-specific period (the server cannot ping its default gateway: Destination unreachable). I then need to restart the server to get things going well.
After troubleshooting many things, I discovered that when I remove the service policy on the ACE interface, the problem disappears and the servers continue to work correctly.
Is it possible that this problem is due to the ACE ARP table having 3 IP addresses with the same MAC? And how can I solve it?
Thanks, Abdelaziz
To help, this is the show arp result. I see that the four IP addresses of each server have the same MAC address but only the first IP is LEARNED. Is it normal?
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
172.22.14.51 00.c0.dd.16.90.4c vlan2014 LEARNED 15067 13964 sec up
172.22.14.52 00.c0.dd.16.90.4c vlan2014 RSERVER 15051 173 sec up
172.22.14.53 00.c0.dd.16.90.4c vlan2014 RSERVER 15057 177 sec up
172.22.14.54 00.c0.dd.16.90.4c vlan2014 RSERVER 15059 178 sec up
172.22.14.61 00.c0.dd.16.ae.60 vlan2014 LEARNED 15058 13677 sec up
172.22.14.62 00.c0.dd.16.ae.60 vlan2014 RSERVER 15050 172 sec up
172.22.14.63 00.c0.dd.16.ae.60 vlan2014 RSERVER 15064 181 sec up
172.22.14.64 00.c0.dd.16.ae.60 vlan2014 RSERVER 15061 179 sec up
172.22.14.71 00.c0.dd.16.93.b8 vlan2014 LEARNED 15065 13700 sec up
172.22.14.72 00.c0.dd.16.93.b8 vlan2014 RSERVER 15048 171 sec up
172.22.14.73 00.c0.dd.16.93.b8 vlan2014 RSERVER 15062 179 sec up
172.22.14.74 00.c0.dd.16.93.b8 vlan2014 RSERVER 15068 291 sec up
172.22.14.253 88.43.e1.75.9a.80 vlan2024 LEARNED 15019 9328 sec up
172.22.14.254 88.43.e1.75.96.00 vlan2024 GATEWAY 14463 36 sec up
172.22.14.250 00.23.5e.26.1e.71 bvi3 INTERFACE LOCAL _ up
================================================================================
-
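Both `show arp` listings on this page (the unresolved gateway in the VSS thread and the shared MAC addresses in the TMG thread) can be checked mechanically. The Python below is an added example, not part of any post: the function names are hypothetical, and the sample rows are copied from the outputs above.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

MAC_RE = re.compile(r"^[0-9a-f]{2}(\.[0-9a-f]{2}){5}$", re.IGNORECASE)
ZERO_MAC = "00.00.00.00.00.00"

# Rows copied from the "show arp" output in the VSS thread.
VSS_SAMPLE = """\
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
194.132.91.238 00.21.a0.82.8e.e9 vlan88 LEARNED 519 12340 sec up
194.132.91.239 00.21.a0.82.8e.39 vlan88 INTERFACE LOCAL _ up
194.132.91.251 00.25.46.21.c8.00 vlan88 LEARNED 518 4807 sec up
194.132.91.254 00.00.00.00.00.00 vlan88 GATEWAY - * 3 req dn
"""

# Subset of rows copied from the "show arp" output in the TMG thread.
TMG_SAMPLE = """\
172.22.14.51 00.c0.dd.16.90.4c vlan2014 LEARNED 15067 13964 sec up
172.22.14.52 00.c0.dd.16.90.4c vlan2014 RSERVER 15051 173 sec up
172.22.14.53 00.c0.dd.16.90.4c vlan2014 RSERVER 15057 177 sec up
172.22.14.54 00.c0.dd.16.90.4c vlan2014 RSERVER 15059 178 sec up
172.22.14.254 88.43.e1.75.96.00 vlan2024 GATEWAY 14463 36 sec up
172.22.14.250 00.23.5e.26.1e.71 bvi3 INTERFACE LOCAL _ up
"""


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    interface: str
    kind: str      # LEARNED, RSERVER, GATEWAY, INTERFACE, ...
    status: str    # last column: "up" or "dn"


def parse_show_arp(text):
    """Parse data rows; banner, header and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5:
            continue
        try:
            ipaddress.IPv4Address(tokens[0])
        except ValueError:
            continue  # header row or anything not starting with an IPv4
        if not MAC_RE.match(tokens[1]):
            continue
        # The middle columns vary by entry type, so only the first four
        # fields and the final status column are taken positionally.
        entries.append(ArpEntry(tokens[0], tokens[1].lower(), tokens[2],
                                tokens[3], tokens[-1]))
    return entries


def unresolved(entries):
    """Entries the ACE could not resolve: status not up, or all-zero MAC."""
    return [e for e in entries if e.status != "up" or e.mac == ZERO_MAC]


def shared_macs(entries):
    """Map each MAC that answers for more than one IP to its (ip, type) list."""
    by_mac = defaultdict(list)
    for e in entries:
        if e.mac != ZERO_MAC:
            by_mac[e.mac].append((e.ip, e.kind))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for name, sample in (("VSS thread", VSS_SAMPLE), ("TMG thread", TMG_SAMPLE)):
        entries = parse_show_arp(sample)
        print(name)
        for e in unresolved(entries):
            print(f"  unresolved {e.kind} {e.ip} on {e.interface} ({e.status})")
        for mac, ips in shared_macs(entries).items():
            print(f"  {mac} answers for {len(ips)} addresses: {ips}")
```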
Hi,
my question is about design.
At the left side, the server and the ACE vlan interfaces are directly connected to
the same vlan. VIP traffic flow is green, server management is brown.
The problem is that with this design I'm restricted to one server vlan per context,
because the server gateway is the ACE and the ACE-gateway is the server-vlan-interface
at the core.
When the VIP is used, traffic flow is:
1) World is routed to the VIP-VLAN Interface on the core
2) Core sends traffic to the VIP
3) ACE sends traffic to the server through server-vlan-interface
4) server sends back to the ACE
5) ACE sends back to core through the VIP VLAN
6) core sends traffic to world, everything is fine
Now our server admins want to administrate from different locations:
w/o adding host routes to the core:
1) Admin tries to connect to the server
2) World is routed to the Server-VLAN Interface on the core
3) Core sends traffic to the server
4) server sends traffic to default-gw (ACE)
5) ACE drops traffic due to seeing traffic in only one direction, saying no matching session
Todo: Add host route into core to force the traffic to use the ace for
every single server.
with adding host routes to the core:
1) Admin tries to connect to the server
2) World is routed to the Server-VLAN Interface on the core
3) Core sends traffic to the ACE server-VLAN-interface, due to host route
4) ACE sends to the server
5) server sends traffic to default-gw (ACE)
6) ACE to core via server-vlan-interface (default route), core to world and everything is fine
Now it's impossible to add another Server-VLAN interface to the ACE, because the destinations
are all the same (world) and the gateway on the ACE has to be the VLAN routing instance, the core.
So I have a default route to one server-vlan-interface on the core and all traffic passing the ACE uses
this gw. The result is that the traffic is blocked by our Firewall.
My plan is now to implement a transit-VLAN (shown on the right side of my pic) for making
my job easier (no host routes, no server admin needed (!) to change gateways..... ) and
overcome the different kind of problems.
My question is now:
Is it ensured that the ACE will see all its traffic?
I think all should be fine, because the traffic path is unique.
Thanks for reading ^^ and for posting some opinions.
Regards from Germany

If I understand correctly, the servers would not be directly connected to the ACE anymore.
Their gateway would not be the ACE anymore.
Problem with this is to guarantee that server response to a *world* request goes back to ACE.
Without any specific action/config, this won't happen.
The server will forward its response to its gateway, which will send it directly to the outside world, bypassing ACE and creating the same asymmetry you're trying to solve.
To solve this, you will need to do source NAT on ACE.
But then your servers will lose information about client source ip address (no more stats based on that info).
Unless you configure header insert and modify the server to read that info in each request.
As you can see this is not quite easy.
You could try bridge mode.
Create another vlan, and bridge it (BVI) with existing server vlan.
Keep the servers in their original vlan and connect the gateway to the new vlan (without changing ip addresses).
ACE will then be in the middle of GW and ACE.
Gilles.
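The symmetry argument in the question and the reply above, as an added example that is not part of the original posts: a small next-hop model that reports whether the ACE sees the request and the reply of a flow. The node names and routing tables are a constructed simplification of the topologies described in the thread, and the transit-VLAN table follows the reading given in the reply (servers use the core as their gateway).

```python
# Constructed model of the topologies in this thread; node names are illustrative.
def walk(routes, src, dst, limit=8):
    """Follow next hops from src until dst is reached; return the node list."""
    path, node = [src], src
    while node != dst:
        table = routes[node]
        node = table.get(dst, table.get("default"))
        if node is None or len(path) >= limit:
            raise ValueError(f"no usable route from {path[-1]} to {dst}")
        path.append(node)
    return path

def ace_view(routes, client, server, via_vip=False, snat=False):
    """Return (ACE sees request, ACE sees reply) for one flow."""
    if via_vip:
        # Client reaches the VIP on the ACE, which then forwards to the real server.
        forward = walk(routes, client, "ace") + walk(routes, "ace", server)[1:]
    else:
        forward = walk(routes, client, server)
    # With source NAT the server answers to an ACE-owned address, not the client.
    reply = walk(routes, server, "ace" if (via_vip and snat) else client)
    return ("ace" in forward, "ace" in reply)

# Left-hand design: servers use the ACE as default gateway.
LEFT = {
    "world": {"default": "core"},
    "core": {"server": "server", "ace": "ace", "default": "world"},
    "ace": {"server": "server", "default": "core"},
    "server": {"default": "ace"},
}
# Same design with a host route on the core pointing the server at the ACE.
HOST_ROUTE = {**LEFT, "core": {"server": "ace", "ace": "ace", "default": "world"}}
# Transit-VLAN design as read in the reply: servers use the core as gateway.
TRANSIT = {**LEFT, "ace": {"default": "core"}, "server": {"default": "core"}}

if __name__ == "__main__":
    cases = [("admin, no host route", LEFT, {}),
             ("admin, host route", HOST_ROUTE, {}),
             ("VIP, transit, no SNAT", TRANSIT, {"via_vip": True}),
             ("VIP, transit, SNAT", TRANSIT, {"via_vip": True, "snat": True})]
    for label, routes, kw in cases:
        req, rep = ace_view(routes, "world", "server", **kw)
        print(f"{label:24} request={req} reply={rep}")
```

A flow is safe for a stateful device only when both values match: `(True, True)` means the ACE tracks the session, `(False, False)` means it is bypassed entirely, and a mixed result is the one-direction case that produces the "no matching session" drops.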
6500 VSS Chassis in unknown state
Hi,
We have 6500 chassis in our setup, but using CWLMS 4.0 we are unable to manage the VSS feature of the 6500. Also,
user tracking for Nexus 7K switch subnets is not working.
Please guide.
Rgrds,
Soumik.

Hi,
Would you mind posting some more information about the VSS problem? (Exact steps or maybe a screenshot of what you are doing.) I didn't have any major issues configuring Cisco 6500 VSS in LMS or NCS. Minor ones were some SNMP MIBs which you can simply ignore.
Predrag Petrovic