ACE Problem

I have an ACE that I configured a couple of days ago with some very rudimentary configs for load sharing an ldap service. The service worked for one day with no problems. This morning around 9am, it stopped working. I can ping the VIP but cannot telnet to port 389 on the VIP. I can telnet to any of the individual servers, the serverfarm shows all nodes operational, the probe shows success.
I can't seem to figure out what has happened to this service. I reloaded the ACE, and still nothing. The sticky database is empty, no connections, nothing. The serverfarm stats look just like it's sitting there idle with nobody connecting. Yet when you try to connect, you don't get connected. It must be something simple, but I've looked at this until I'm not sure where to go next.
The config is as follows:
ciscoace3/Admin# sh run
Generating configuration....
hostname ciscoace3
boot system image:c6ace-t1k9-mz.A2_1_6a.bin
telnet maxsessions 5
resource-class RC1
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 10.00 maximum unlimited
context Admin
  member RC1
access-list All line 8 extended permit ip any any
probe tcp ldap_probe
  port 389
  interval 30
  passdetect interval 10
rserver host ldapauth1
  ip address 10.0.68.56
  inservice
rserver host ldapauth2
  ip address 10.0.67.176
  inservice
rserver host ldapauth3
  ip address 10.0.67.177
  inservice
serverfarm host ldapauth_farm
  rserver ldapauth1
    probe ldap_probe
    inservice
  rserver ldapauth2
    probe ldap_probe
    inservice
  rserver ldapauth3
    probe ldap_probe
    inservice
sticky ip-netmask 255.255.255.255 address both ldapauth_sticky
  timeout 30
  replicate sticky
  serverfarm ldapauth_farm
class-map match-all ldapauth_vip
  2 match virtual-address 10.10.0.10 any
class-map match-all nat
  2 match source-address 0.0.0.0 0.0.0.0
class-map type management match-any remote-access
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol https any
policy-map type management first-match everyone
  class remote-access
    permit
policy-map type loadbalance first-match ldapauth_lb_policy
  class class-default
    sticky-serverfarm ldapauth_sticky
policy-map multi-match ldapauth_multi_policy
  class ldapauth_vip
    loadbalance vip inservice
    loadbalance policy ldapauth_lb_policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
policy-map multi-match nat
  class nat
    nat dynamic 1 vlan 100
interface vlan 100
  description Server VLAN (real server vlan)
  ip address 10.0.64.250 255.255.192.0
  nat-pool 1 10.0.64.251 10.0.64.251 netmask 255.255.255.255 pat
  service-policy input everyone
  no shutdown
interface vlan 101
  description VLAN for Servers
  ip address 10.10.0.5 255.255.255.0
  service-policy input ldapauth_multi_policy
  service-policy input nat
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.64.1

You need to apply an access-group to allow traffic to the ACE. Example:
access-group input All
It can be applied globally or to an interface.
See:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/acl.html
Regards
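A worked version of that fix, added here as an example rather than text taken from the reply above. It reuses the poster's own objects (VLANs 100 and 101, VIP 10.10.0.10, the ACL named All); the ACL name ldap_vip_in and its line numbers are assumptions for illustration. The posted config defines access-list All but never binds it with access-group, and ACE drops through traffic on an interface that has no access-group, which matches the symptom: the VIP answers ping (loadbalance vip icmp-reply active), but no TCP/389 connection to the VIP is ever built and the serverfarm counters stay idle.

```text
! 1) Minimal fix, as the reply says: bind the already-defined ACL "All".
!    VLAN 101 carries client traffic to the VIP; VLAN 100 carries the NATed
!    server-side traffic, so bind on both. The global form, "access-group
!    input All" entered in configuration mode, covers every VLAN at once.
interface vlan 101
  access-group input All
interface vlan 100
  access-group input All

! 2) Tighter alternative for the client side (ACL name and line numbers are
!    assumed): permit only LDAP and ICMP to the VIP instead of "permit ip any any".
access-list ldap_vip_in line 10 extended permit tcp any host 10.10.0.10 eq 389
access-list ldap_vip_in line 20 extended permit icmp any host 10.10.0.10
interface vlan 101
  no access-group input All
  access-group input ldap_vip_in

! 3) Verify the binding and the VIP, then telnet to 10.10.0.10 389 from a
!    client: the flow should now show up in the connection table.
show running-config interface
show service-policy ldapauth_multi_policy detail
show serverfarm ldapauth_farm detail
show conn
```

The first variant is exactly what the reply describes; the second keeps the interface ACL as a real boundary rather than a formality, so that a host on VLAN 101 cannot reach arbitrary server-side addresses through the ACE. Both assume the routed-mode layout shown in the posted config.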

Similar Messages

  • ACE - Problem with creation of selective BP Rule

    Hello Experts,
    I want to restrict the visibility of Accounts with ACE in CRM. The users should only have the right to see Accounts (Sold-to) with the same sales organization as themselves.
    Therefore I implemented the interface method GET_ACTORS_FROM_OBJECTS:
      TYPES: BEGIN OF partner_data,
               partner      TYPE bu_partner,
               partner_guid TYPE bu_partner_guid,
             END OF partner_data.
      DATA: lt_partner_data TYPE TABLE OF partner_data,
            ls_partner_data TYPE partner_data,
            lv_guid         TYPE bu_partner_guid,
            ls_object_guid  TYPE crms_ace_object_guid,
            lv_rltyp        TYPE bu_partnerrole.
      " Read every business partner with its GUID.
      SELECT partner partner_guid FROM but000 INTO CORRESPONDING FIELDS OF TABLE lt_partner_data.
      LOOP AT lt_partner_data INTO ls_partner_data.
        " SELECT SINGLE leaves the target untouched when no row is found,
        " so clear it first or a previous partner's role leaks into this iteration.
        CLEAR lv_rltyp.
        SELECT SINGLE rltyp FROM but100 INTO lv_rltyp WHERE partner = ls_partner_data-partner.
        " Only partners with the Sold-to role (CRM000) are returned as ACE objects.
        IF lv_rltyp EQ 'CRM000'.
          ls_object_guid-object_guid = ls_partner_data-partner_guid.
          APPEND ls_object_guid TO ex_object_guid_table.
        ENDIF.
      ENDLOOP.
    Everything works fine, and the users could only find the accounts which have the same sales organization as the user.
    But now, the users couldn't find any contact person in the system.
    My solution for that problem was to implement a second ACE rule, where the users get access to all other BP except Accounts.
    For me, this solution is unsatisfactory!
    In a system with about 100,000 contacts this solution would significantly degrade performance. There would be thousands of entries in the ACE tables which aren't needed.
    I only want to filter the Accounts with ACE and nothing more.
    Is there a possibility to filter only Accounts with ACE?
    Regards
    Steffen

    Hi Steffen,
    With the activation of ACE this is indeed one of those side effects.
    Isn't there any way to do some extra coding in the runtime check of ACE? If you can check there whether the object the user wants to see is a person, that would save you a lot of work.

  • ACE problem - bridge mode - behind a firewall

    Hello
    We are having problems with one of our ACE contexts. This implementation was done by a supplier and I am trying to troubleshoot it.
    The clients and the servers are on different subnets, there is a Nokia firewall in the middle. The firewalls are setup on a cluster.
    Connecting to port 7072 is taking at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant. So it does indicate a problem on the ACE.
    The client IP is .99.11.
    The VIP is .100.62 and the server node is .100.12.
    Running the capture command I can see the following behavior:
    1. The client initiates the connection to the ACE Vip
    2. At the same time it looks like a second connection is initiated from the client to the server node
    Please see attachment.
    Is this a normal situation where the connection is duplicated?
    Does this interface setup look correct?
    Is the bridge mode the correct setup in this scenario?
    interface vlan 10
      bridge-group 2
      no normalization
      mac-sticky enable
      access-group input PERMITALL
      service-policy input VLAN10-INTER-MMPM
      no shutdown
    interface vlan 15
      bridge-group 2
      no normalization
      access-group input PERMITALL
      no shutdown
    interface bvi 2
      ip address 192.168.100.7 255.255.255.192
      alias 192.168.100.6 255.255.255.192
      peer ip address 192.168.100.8 255.255.255.192
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.100.1
    Many thanks,
    Damian

    Thanks for replying James,
    I am sure I configured the capture only for VLAN10, which is on the VIP side.
    But you are right, it looks like it is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)
    This is a new installation, still on the testing stage. So it would be good time to make changes.
    Do you normally implement a routed setup behind a firewall, rather than a bridged one?
    It is quite a small setup:
    • Traffic is coming from a separate local subnet
    • Traffic is not coming from the internet, so it does not require NAT
    • We need 1 VIP listening on two ports
    • The backend servers are four Linux boxes
    Thanks again,
    Damian

  • ACE Problem after restarting Application

    Hi,
    we have an ACE20 and have set it up to balance 4 Containers on an Oracle Application Server. Every time we stop all Containers at the same time for longer than an hour, it takes forever (hours) until the load balancer starts balancing the Containers again. I can see in the Apache logfiles on the Application Server that the ACE module is checking the Containers and gets a 200, but still we can't access the application for a few hours. If I connect directly to the Container it also works fine... just the ACE does not work. Like it has a timeout and is waiting.
    Any idea how to give it a kick?
    While accessing the Application I can see that it connects, but nothing happens...
    sh conn detail
    total current connections : 2
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    68155      2  in  TCP   191  10.200.101.73:35777   10.200.101.64:80      ESTAB
              [ idle time   : 00:00:18,   byte count  : 888        ]
              [ elapsed time: 00:00:18,   packet count: 3          ]
    68156      2  out TCP   195  10.200.105.33:80      10.200.101.73:35777   INIT
              [ conn in reuse pool : FALSE]
              [ idle time   : 00:00:18,   byte count  : 0          ]
              [ elapsed time: 00:00:18,   packet count: 0          ]
    Thanks for any help!
    Jason

    Hi,
    I'm still having problems with the ACE Loadbalancer. At the moment it doesn't seem to recover after having restarted the application the last time.
    Can someone look at the Config and tell me if they see a mistake in it?
    I have three instances, accesst, accesst2 and accesst3. Each instance has 4 Oracle Application Server Containers deployed on 2 different Application Servers. The site is split between 2 DMZs which are separated by a firewall. The Cisco ACE has one leg in each VLAN (191 and 195). We always had a problem after taking the Application Servers down for updates: it takes forever until the ACE starts balancing again. For the last 4 days it hasn't started rebalancing yet. As far as I know nothing has changed in the configuration of the server or of the ACE. The firewall admin said he tried to find a problem, but didn't change anything.
    Do I maybe have a mistake in the ACE Config? Am I missing something here?
    MS4_ACE_PU/MY-APP# sh running-config
    Generating configuration....
    logging buffered 7
    access-list anyone line 8 extended permit ip any any
    probe http HEAD_1
      port 7791
      interval 10
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_2
      port 7792
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_3
      port 7793
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_4
      port 7794
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_5
      port 7795
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_6
      port 7796
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_7
      port 7797
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    probe http HEAD_8
      port 7798
      interval 5
      faildetect 15
      passdetect interval 15
      receive 2
      request method head url /APPLICATION/images/probe.gif
      expect status 200 200
      open 2
    parameter-map type http PERSIST-REBALANCE
      persistence-rebalance
    action-list type modify http LOCATION-RW-VIP-2
      header rewrite response location header-value "http://accesst3.my-site.de:.....(.*)" replace "https://accesst3.my-site.de/%1"
      header rewrite response content-lokation header-value "http://accesst3.my-site.de:.....(.*)" replace "https://accesst3.my-site.de/%1"
    action-list type modify http LOCATION-RW-VIP-1
      header rewrite response content-lokation header-value "http://accesst2.my-site.de:.....(.*)" replace "https://accesst2.my-site.de/%1"
      header rewrite response location header-value "http://accesst2.my-site.de:.....(.*)" replace "https://accesst2.my-site.de/%1"
    action-list type modify http LOCATION-RW-VIP
      header rewrite response location header-value "http://accesst.my-site.de:.....(.*)" replace "https://accesst.my-site.de/%1"
      header rewrite response content-lokation header-value "http://accesst.my-site.de:.....(.*)" replace "https://accesst.my-site.de/%1"
    rserver host server103
      description KS ApplicationServer
      ip address 10.200.105.33
      inservice
    rserver host server104
      description KS ApplicationServer
      ip address 10.200.105.34
      inservice
    serverfarm host HTTP-APPL
      rserver server103 7791
        probe HEAD_1
        inservice
      rserver server103 7792
        probe HEAD_2
        inservice
      rserver server104 7791
        probe HEAD_1
        inservice
      rserver server104 7792
        probe HEAD_2
        inservice
    serverfarm host HTTP-APPL-1
      rserver server103 7795
        probe HEAD_5
        inservice
      rserver server103 7796
        probe HEAD_6
        inservice
      rserver server104 7795
        probe HEAD_5
        inservice
      rserver server104 7796
        probe HEAD_6
        inservice
    serverfarm host HTTP-APPL-2
      rserver server103 7797
        probe HEAD_7
        inservice
      rserver server103 7798
        probe HEAD_8
        inservice
      rserver server104 7797
        probe HEAD_7
        inservice
      rserver server104 7798
        probe HEAD_8
        inservice
    sticky http-header TranSON_Cert_Subject group1
      replicate sticky
      serverfarm HTTP-APPL
    sticky http-header TranSON_Cert_Subject group2
      replicate sticky
      serverfarm HTTP-APPL-1
    sticky http-header TranSON_Cert_Subject group3
      replicate sticky
      serverfarm HTTP-APPL-2
    class-map type http inspect match-any HTTP-INS-VIP
      2 match header Host header-value "accesst.my-site.de"
    class-map type http inspect match-any HTTP-INS-VIP-1
      2 match header Host header-value "accesst2.my-site.de"
    class-map type http inspect match-any HTTP-INS-VIP-2
      2 match header Host header-value "accesst3.my-site.de"
    class-map match-all HTTP-VIP
      2 match virtual-address 10.200.101.64 tcp eq www
    class-map match-all HTTP-VIP-1
      2 match virtual-address 10.200.101.68 tcp eq www
    class-map match-all HTTP-VIP-2
      2 match virtual-address 10.200.101.69 tcp eq www
    policy-map type loadbalance first-match HTTP-SF
      class class-default
        sticky-serverfarm group1
        action LOCATION-RW-VIP
    policy-map type loadbalance first-match HTTP-SF-1
      class class-default
        sticky-serverfarm group2
        action LOCATION-RW-VIP-1
    policy-map type loadbalance first-match HTTP-SF-2
      class class-default
        sticky-serverfarm group3
        action LOCATION-RW-VIP-2
    policy-map type inspect http all-match INS-PM-VIP
      class HTTP-INS-VIP
        permit
    policy-map type inspect http all-match INS-PM-VIP-1
      class HTTP-INS-VIP-1
        permit
    policy-map type inspect http all-match INS-PM-VIP-2
      class HTTP-INS-VIP-2
        permit
    policy-map multi-match SLB-logic
      class HTTP-VIP
        loadbalance vip inservice
        loadbalance policy HTTP-SF
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options PERSIST-REBALANCE
      class HTTP-VIP-1
        loadbalance vip inservice
        loadbalance policy HTTP-SF-1
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options PERSIST-REBALANCE
      class HTTP-VIP-2
        loadbalance vip inservice
        loadbalance policy HTTP-SF-2
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options PERSIST-REBALANCE
    interface vlan 191
      ip address 10.200.101.65 255.255.255.0
      alias 10.200.101.67 255.255.255.0
      peer ip address 10.200.101.66 255.255.255.0
      access-group input anyone
      service-policy input SLB-logic
      no shutdown
    interface vlan 195
      ip address 10.200.105.65 255.255.255.0
      alias 10.200.105.63 255.255.255.0
      peer ip address 10.200.105.66 255.255.255.0
      access-group input anyone
      no shutdown
    Destination         Gateway          Interface         Flags
    10.200.101.0/24     0.0.0.0          vlan191           IA [0x30]
    10.200.105.0/24     0.0.0.0          vlan195           IA [0x30]

  • ACE: Problem dual processor server, predictor least-loaded and 2 OIDs

    Hello,
    I have a problem. I have configured predictor least-loaded and probe snmp in ACE; my servers are dual core processors. The OIDs are:
    oid .1.3.6.1.2.1.25.3.3.1.2.1 and oid .1.3.6.1.2.1.25.3.3.1.2.2
    In one context (integracion1) I configured oid .1.3.6.1.2.1.25.3.3.1.2.1 and in the other context (integracion2) I configured oid .1.3.6.1.2.1.25.3.3.1.2.2, and the results were positive. But when I configure 2 OIDs in integracion2 the output says FAILED. I need to sense 2 processors to balance. How can I do it? When I configure .1.3.6.1.2.1.25.3.3.1.2 (2 processors) the output says FAILED.
    I attach 3 configurations.
    Best Regards

    When you use multiple OIDs on a probe, you need to manually configure the weight and make sure the weights add up to 16000, so your probe should be configured as follows:
    probe snmp test-server
      interval 4
      faildetect 2
      passdetect interval 10
      receive 2
      community public
      oid .1.3.6.1.2.1.25.3.3.1.2.1
        threshold 75
        weight 8000
      oid .1.3.6.1.2.1.25.3.3.1.2.2
        threshold 75
        weight 8000

  • ACE: Problem configuring probe snmp

    Hi,
    I have a problem when I configure probe snmp with my server (W2K3, dual core). SNMP community public has a CPU OID .1.3.6.1.2.1.25.3.3.1.2; the output is:
    access-list anyone line 8 extended permit ip any any
    probe snmp was
      interval 4
      faildetect 2
      passdetect interval 10
      receive 2
      community public
      oid .1.3.6.1.2.1.25.3.3.1.2
        threshold 70
    rserver host was1
      ip address 10.24.8.200
      probe was
      inservice
    rserver host was2
      ip address 10.24.8.201
      probe was
      inservice
    serverfarm host servers
      rserver was1
        inservice
      rserver was2
        inservice
    class-map type management match-any ADM-CONTEX-SERV1
      4 match protocol icmp any
      5 match protocol snmp any
    class-map type http loadbalance match-all Check-Headers
      2 match http url .*
      3 match http header Host header-value "10.24.16.*"
      4 match http header User-Agent header-value ".*MSIE.*"
    class-map match-all VIP-10-HTTP
      2 match virtual-address 10.24.16.10 tcp eq www
    class-map type http loadbalance match-all other-HTTP
      2 match http url .*
    policy-map type management first-match ADM-CTX-SERV1
      class ADM-CONTEX-SERV1
        permit
    policy-map type loadbalance first-match L7-logic
      class Check-Headers
        serverfarm servers
      class other-HTTP
        serverfarm servers
    policy-map type loadbalance first-match lb-logic
      class class-default
        serverfarm servers
    policy-map multi-match client-vips
      class VIP-10-HTTP
        loadbalance vip inservice
        loadbalance policy L7-logic
        loadbalance vip icmp-reply active
    interface vlan 60
      ip address 10.24.8.5 255.255.255.0
      access-group input anyone
      access-group output anyone
      service-policy input ADM-CTX-SERV1
      no shutdown
    interface vlan 233
      ip address 10.24.16.5 255.255.255.0
      access-group input anyone
      access-group output anyone
      service-policy input ADM-CTX-SERV1
      service-policy input client-vips
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.24.16.1
    sh probe was detail
    probe : was
    type : SNMP
    state : ACTIVE
    description :
    port : 161 address : 0.0.0.0 addr type : TRANSPARENT
    interval : 4 pass intvl : 10 pass count : 3
    fail count: 2 recv timeout: 2
    version : 1 community : public
    oid string #1 : .1.3.6.1.2.1.25.3.3.1.2
    type : PERCENTILE max value : 100
    weight : 16000 threshold : 70
    --------------------- probe results --------------------
    probe association probed-address probes failed passed health
    ------------------- ---------------+----------+----------+----------+-------
    rserver : was1
    10.24.8.201 13 13 0 FAILED
    Socket state : CLOSED
    No. Passed states : 0 No. Failed states : 1
    No. Probes skipped : 0 Last status code : 0
    No. Out of Sockets : 0 No. Internal error: 0
    Last disconnect err : Server reply - bad SNMP OID
    Last probe time : Tue Feb 24 23:22:41 2009
    Last fail time : Tue Feb 24 23:20:47 2009
    Last active time : Never
    Server load : 16000
    rserver : was2
    10.24.8.200 12 12 0 FAILED
    Socket state : CLOSED
    No. Passed states : 0 No. Failed states : 1
    No. Probes skipped : 0 Last status code : 0
    No. Out of Sockets : 0 No. Internal error: 0
    Last disconnect err : Server reply timeout (no reply)
    Last probe time : Tue Feb 24 23:22:34 2009
    Last fail time : Tue Feb 24 23:20:52 2009
    Last active time : Never
    Server load : 16000

    Hi,
    For a multicore processor you need to make a few changes to get the load on each core/processor. You need to have an instance for each core.
    Try adding .1 or .2 to the OID to get the load on each core.
    Also try doing an snmpwalk on the OID to see what the real structure is.
    HTH
    Cathy

  • Problem with synchronization

    I have seen somewhere the following question:
    Given:
    public class NamedCounter {
        private final String name;
        private int count;
        public NamedCounter(String name) { this.name = name; }
        public String getName() { return name; }
        public void increment() { count++; }
        public int getCount() { return count; }
        public void reset() { count = 0; }
    }
    Which three changes should be made to adapt this class to be used
    safely by multiple threads? (Choose three.)
    A. declare reset() using the synchronized keyword
    B. declare getName() using the synchronized keyword
    C. declare getCount() using the synchronized keyword
    D. declare the constructor using the synchronized keyword
    E. declare increment() using the synchronized keyword
    ANS :-   ACE
    Problem :- I have a doubt with option C. It simply returns the value of count, so why synchronize the getCount() function? Mostly we synchronize the function which changes the value of the variable.
    Edited by: rahul_p on Jun 4, 2008 10:51 PM

    rahul_p wrote:
    Problem :- I have a doubt with option C. It simply returns the value of count, so why synchronize the getCount() function? Mostly we synchronize the function which changes the value of the variable.
    In terms of concurrency and getting a valid value, no syncing is needed on the getter. (This would not be true if it were a long.)
    However, even though it's "safe", in that the getter cannot read corrupt data, it can read stale data. Since each thread is allowed to keep a local copy of shared variables, it's entirely possible that after one thread writes a new value to count, no other thread will ever read that value. Entry to and exit from a sync block or method forces a reconciliation between the thread's local copy and the main copy.

  • Problem with ACE and Internet Explorer 8

    I have a problem with ACE (system A2(1.1)) and Internet Explorer 8.
    exactly:
    ACE is configured as end-to-end ssl with 2 rserver and with the sticky source address. When user is opening the virtual address from IEv7, the web portal (On Microsoft IIS) works fine.
    If user opens the same web portal but using IEv8, the session is suspended after 60 seconds.
    I think that the reason is the HTTP keep-alive, which is sent every 60 seconds from the user's internet browser.
    Here is some information about this. http://en.wikipedia.org/wiki/HTTP_persistent_connection
    Do you have any idea how to resolve this problem: upgrade ACE, change the configuration on IIS or ACE ??
    Please help.

    Hi Kazik,
    Using a persistent connection or HTTP keepalives should not have any negative effect on the ACE, so, giving you a straight-forward answer to fix it is not going to be easy.
    I would recommend you to open a TAC case to have this investigated further. When you do, please, provide the following data:
    A showtech from the Admin context of the ACE
    A traffic capture taken on the TenGig interface connecting the switch with the ACE backplane while doing a test connection (preferably one with IE7 and one with IE8 to compare)
    If possible, a copy of the SSL private key. Being able to decrypt the traffic capture to look inside the HTTP flow would really make troubleshooting much easier.
    Regards
    Daniel

  • ACE Load Balancing Problem

    Hi,
    I have an ACE 4701 with the c4710ace-mz.A3_2_2.bin image. In the current setup the ACE is located in the center of the network where the WAN, Internet and LAN are all connected; the ACE has its default route towards the Internet and all other segments have a default route towards the ACE appliance. The ACE is only redirecting port 80 traffic to my proxy server and bypassing my LAN subnets on port 80.
          Internet
             |
    ACE ------------ WAN
             |
            LAN
    I want to use ACE for the load balancing of two servers. Today I did the load balancing configuration but as soon as I applied the policy map on the interface vlan 200 and 300, my complete network reachability went down. When I remove the policy my network came back to normal.
    192.168.200.66  FAX Server-1
    192.168.200.67  FAX Server-2
    192.168.200.65   Virtual IP address
    Attached is the configuration that I did on ACE for the load balancing and below is the current configuration of the ACE appliance.
    access-list acl-in remark ACCESS LIST FOR ACE-INSIDE
    access-list acl-in line 1 extended permit ip any any
    access-list acl-out remark ACCESS LIST FOR ACE-OUTSIDE
    access-list acl-out line 1 extended permit ip any any
    access-list acl-proxy remark ACCESS LIST FOR PROXY SEGMENT
    access-list acl-proxy line 1 extended permit ip any any
    access-list acl-wan remark ACCESS LIST FOR WAN SEGMENT
    access-list acl-wan line 1 extended permit ip any any
    probe tcp PROBE_5050
      port 5050
      interval 15
      passdetect interval 60
      open 1
    probe tcp PROBE_5101
      port 5101
      interval 15
      passdetect interval 60
      open 1
    probe tcp PROBE_TCP
      port 80
      interval 15
      passdetect interval 60
      open 1
    parameter-map type http PARAMAP_CASE
      case-insensitive
      no persistence-rebalance
    rserver host RS_BCPR01
      ip address 192.168.0.103
      inservice
    rserver host RS_BCPR02
      ip address 192.168.0.104
      inservice
    rserver host RT_fax1
      description Right Fax Server-1
      ip address 192.168.200.66
    rserver host RT_fax2
      description Right Fax Server-2
      ip address 192.168.200.67
    serverfarm host SF_BCPR
      transparent
      probe PROBE_5050
      probe PROBE_5101
      probe PROBE_TCP
      rserver RS_BCPR01
        inservice
      rserver RS_BCPR02
        inservice
    serverfarm host SF_RT_fax
      rserver RT_fax1
      rserver RT_fax2
    sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
      replicate sticky
      serverfarm SF_BCPR
    sticky ip-netmask 255.255.255.255 address source FAX-STICKY
      replicate sticky
      serverfarm SF_RT_fax
    class-map type management match-any CM_ALL
      2 match protocol snmp any
      3 match protocol http any
      4 match protocol https any
      5 match protocol icmp any
      6 match protocol telnet any
    class-map match-any CM_BYPASS_FOR_LAN
      3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
      8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
      9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
      10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
    class-map match-any CM_BYPASS_SUBNET
      9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
      13 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
      14 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
      15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
    class-map match-any CM_IM
      2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
      3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
      4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
    class-map match-all CM_SF_BCPR
      255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
    class-map match-any RT_FAX
      2 match virtual-address 192.168.200.65 0.0.0.0 any
    policy-map type management first-match PM_ALL
      class CM_ALL
        permit
    policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
      class class-default
        forward
    policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
      class class-default
        forward
    policy-map type loadbalance first-match PM_LB_RT_FAX
      class class-default
        sticky-serverfarm FAX-STICKY
    policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
      class class-default
        sticky-serverfarm STICKY-SOURCE
    policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
      class CM_BYPASS_FOR_LAN
        loadbalance vip inservice
        loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
    policy-map multi-match PM_BYPASS_HTTP
      class CM_BYPASS_SUBNET
        loadbalance vip inservice
        loadbalance policy PM_L7_BYPASS_HTTP
    policy-map multi-match PM_MAIN_BCPROXY
      class CM_SF_BCPR
        loadbalance vip inservice
        loadbalance policy PM_LB_SF_BCPROXY
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options PARAMAP_CASE
      class CM_IM
        loadbalance vip inservice
        loadbalance policy PM_LB_SF_BCPROXY
    policy-map multi-match PM_RT_FAX
      class RT_FAX
        loadbalance vip inservice
        loadbalance policy PM_LB_RT_FAX
    service-policy input PM_ALL
    interface vlan 100
      description FW-INSIDE CONTEXT RACK1
      ip address 192.168.0.5 255.255.255.224
      alias 192.168.0.11 255.255.255.224
      peer ip address 192.168.0.6 255.255.255.224
      mac-address autogenerate
      no icmp-guard
      access-group input acl-out
      no shutdown
    interface vlan 200
      description WAN-VLAN CONTEXT RACK1
      ip address 192.168.0.33 255.255.255.224
      alias 192.168.0.43 255.255.255.224
      peer ip address 192.168.0.34 255.255.255.224
      mac-address autogenerate
      access-group input acl-wan
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      no shutdown
    interface vlan 300
      description ACE-INSIDE CONTEXT RACK1
      ip address 192.168.0.65 255.255.255.224
      alias 192.168.0.73 255.255.255.224
      peer ip address 192.168.0.66 255.255.255.224
      mac-address autogenerate
      access-group input acl-in
      service-policy input PM_BYPASS_FOR_LAN_HTTP
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      no shutdown
    interface vlan 301
      description BC-VLAN CONTEXT RACK1
      ip address 192.168.0.97 255.255.255.224
      alias 192.168.0.107 255.255.255.224
      peer ip address 192.168.0.98 255.255.255.224
      mac-address autogenerate
      access-group input acl-proxy
      no shutdown
    ft track interface TRACKING_FOR_FT_VLAN
      track-interface vlan 300
      peer track-interface vlan 300
      priority 255
      peer priority 255
    ip route 0.0.0.0 0.0.0.0 192.168.0.1
    Please help me out with what I am missing. Is there any limitation on policy maps, or is my bypass subnet list creating a problem?

    I made these changes; this time nothing disconnected, but I am not able to do Remote Desktop on the virtual IP address. The real IP has Remote Desktop enabled, and the VIP is not even pingable for me.
    rserver host RT_fax1
      description Right Fax Server-1
      ip address 192.168.200.66
      inservice
    rserver host RT_fax2
      description Right Fax Server-2
      ip address 192.168.200.67
      inservice
    serverfarm host SF_RT_fax
      rserver RT_fax1
        inservice
      rserver RT_fax2
        inservice
    policy-map type loadbalance rdp first-match PM_LB_RT_FAX
      class class-default
        serverfarm SF_RT_fax
    policy-map multi-match PM_RT_FAX
      class RT_FAX
        loadbalance vip inservice
        loadbalance policy PM_LB_RT_FAX
        loadbalance vip icmp-reply active
    interface vlan 200
      description WAN-VLAN CONTEXT RACK1
      ip address 192.168.0.33 255.255.255.224
      alias 192.168.0.43 255.255.255.224
      peer ip address 192.168.0.34 255.255.255.224
      mac-address autogenerate
      access-group input acl-wan
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      service-policy input PM_RT_FAX
      no shutdown
    interface vlan 300
      description ACE-INSIDE CONTEXT RACK1
      ip address 192.168.0.65 255.255.255.224
      alias 192.168.0.73 255.255.255.224
      peer ip address 192.168.0.66 255.255.255.224
      mac-address autogenerate
      access-group input acl-in
      service-policy input PM_BYPASS_FOR_LAN_HTTP
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      service-policy input PM_RT_FAX
      no shutdown
    But nothing is working for me. Please help me out. This time I didn't configure sticky, but in production I will go with sticky, and the complete IP protocol will be used on the VIP. Please help me out.

  • ACE load-balancing-Cookie problem

    In our other load-balancing environments the load-balancer-cookie contains the encrypted (real) servername or ip-address.
    We think it's the same on the Cisco; for that reason it is in theory not possible for there to be two 'green' cookies with different values in the same request.
    There are only two possibilities for how this could happen:
    a) The health monitor (http_probe) fails; the load balancer 'thinks' that the real server is down and redistributes the traffic.
    But in that case we would expect that the old cookie would be overwritten by the new one and not simply added to the HTTP header.
    b) The predictor in the serverfarm chooses a new real server within the same request.
    If that is really the cause of the problem, this would be a bug in the Cisco ACE.
    What we found out is that the load balancer performs a 'Set-Cookie' operation on every request, even if the client submits the cookie correctly.
    For example:
    GET /ips-opdata/scripts/jquery.js HTTP/1.1
    Host: www.xxxxx.com
    User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
    Accept: */*
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Connection: keep-alive
    Referer: http://www.xxxxx.com/
    Cookie: green=R339366665; JSESSIONID=28D91FC6FD62A3921354BB36826294C4
    HTTP/1.1 200 OK
    Set-Cookie: green=R339366665; path=/; expires=Tue, 29-Mar-2011 06:33:00 GMT
    Server: Apache-Coyote/1.1
    X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
    ETag: W/"72181-1298537508000"
    Last-Modified: Thu, 24 Feb 2011 08:51:48 GMT
    Content-Type: text/javascript
    Content-Length: 72181
    Date: Mon, 28 Mar 2011 06:15:19 GMT
    As you can see, the cookie green=R339366665 is transmitted by the client, but the load balancer does a Set-Cookie operation for the same cookie once again. This is unexpected behaviour.
    We hope that this helps you to figure out the reason for the problem.

    The cookie is sent by the ACE on each response to refresh the timeout value on the client. The value of the cookie doesn't change. This is the expected behaviour and shouldn't break anything in the application / browser.
    For browser-based applications, don't forget to add the "browser-expire" parameter to your cookie-based stickiness config.
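    As an added example, not taken from the thread, here is a cookie-insert sticky group for the green cookie seen in the capture above, with the browser-expire option the reply refers to. The group name STICKY-GREEN, the serverfarm SF-WEB and the policy name LB-WEB are assumptions; the "!" lines are annotations, not ACE commands.

    ```text
    ! Added example, not from the thread. STICKY-GREEN, SF-WEB and LB-WEB are assumed names.
    sticky http-cookie green STICKY-GREEN
      ! Without browser-expire the ACE puts an expires= attribute on every
      ! Set-Cookie it sends (as in the capture above). With browser-expire the
      ! cookie is a session cookie that the browser discards when it closes,
      ! while the ACE still refreshes its own sticky entry on each response.
      cookie insert browser-expire
      ! Idle timeout of the sticky entry on the ACE, in minutes.
      timeout 60
      serverfarm SF-WEB
    policy-map type loadbalance first-match LB-WEB
      class class-default
        sticky-serverfarm STICKY-GREEN
    ```

    The inserted cookie only carries the ACE's encoded server reference, so a client that tampers with it simply loses stickiness; it should never be used by the application as an identity or session token.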

  • ACE - timeout inactivity problem

    Hi All,
    I've got a strange problem with session counts and timeouts on an ACE (2.1.3).
    I added a connection parameter-map to an existing configuration, applied it in the load-balance configuration and then removed and re-added the service policy. The context is in bridge mode.
    parameter-map type connection FINJAN
    set timeout inactivity 60
    set tcp timeout half-closed 60
    policy-map multi-match Finjan-04-LB-policy
    class VIP-production_class
    loadbalance vip inservice
    loadbalance policy production-8080_LB_policy
    loadbalance vip icmp-reply
    connection advanced-options FINJAN
    class VIP-beta_class
    loadbalance vip inservice
    loadbalance policy beta-8080_LB_policy
    loadbalance vip icmp-reply
    connection advanced-options FINJAN
    interface vlan 396
    description slb vlan
    bridge-group 396
    access-group input BPDU
    access-group input PERMIT-ALL
    service-policy input Finjan-04-LB-policy
    no shutdown
    But I'm still seeing sessions with idle times of minutes.
    For example:
    27344 1 in TCP 397 10.199.253.103:3563 61.143.251.173:80 ESTAB
    [ idle time : 00:16:47, byte count : 975 ]
    [ elapsed time: 00:20:30, packet count: 14 ]
    Is there anything else I need to do to make the timeout effective? I need to get this working before I can limit the number of connections to each real server.
    Also the output of "sh serverfarm" shows many more current connections than a "sh conn de" command. Is this expected?
    E.g:
    ace2/finjan# sh serverfarm beta-farm-8080
    serverfarm     : beta-farm-8080, type: HOST
    total rservers : 7
                                                  ----------connections-----------
       real                   weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: beta_blade-1
           10.199.253.111:0       8    OPERATIONAL  44982      39669799   45323
       rserver: beta_blade-2
           10.199.253.112:0       8    OPERATIONAL  49594      42955799   60246
       rserver: beta_blade-3
           10.199.253.113:0       8    OPERATIONAL  51545      46098331   49868
       rserver: beta_blade-4
           10.199.253.114:0       8    OPERATIONAL  51659      46260307   57544
       rserver: production_blade-2
           10.199.253.102:0       8    OPERATIONAL  720        540878     41145
       rserver: production_blade-3
           10.199.253.103:0       8    OPERATIONAL  51270      45832507   45670
       rserver: production_blade-4
           10.199.253.104:0       8    OPERATIONAL  51870      45779920   47624
    when the "sh conn de" reports about 14000 sessions.
    Any help appreciated.
    Thank you
    Cathy

    I moved the service policy from the client VLAN to the global config, in the hope of being able to apply the connection parameter-map. Just after I did that, the whole ACE reloaded (failure in arp_mgr). Hopefully unrelated.
    I do see unbalanced flows:
    5078 1 in TCP 397 10.199.253.112:6005 211.166.10.66:80 ESTAB
    [ idle time : 00:16:56, byte count : 1644 ]
    [ elapsed time: 00:19:17, packet count: 29 ]
    35 1 out TCP 396 211.166.10.66:80 10.199.253.112:6005 CLOSED
    [ conn in reuse pool : FALSE]
    [ idle time : 00:19:14, byte count : 28504 ]
    [ elapsed time: 00:19:17, packet count: 21 ]
    Is there anything I can do about this or is it dependent on the server-side doing something?
    Thank you
    Cathy

  • ACE 4710 and Cookie problem

    I plan to load balance user traffic to a server farm. Currently, the server is using a cookie to generate delay/response time statistics for users from various locations. If I use ACE to load balance user traffic, I need to use a NAT statement on the ACE to make the design work. However, the server can no longer use the cookie to generate such statistics since the source address is now a NATed address. Is there a way to rectify this problem? Thank you in advance.

    You can get rid of NAT, which would require a redesign (use policy routing or make the ACE the default gateway for the servers).
    If a redesign is not possible, then you have to live with NAT.
    ACE offers the HTTP header insert function.
    You could add the source IP of the client inside the HTTP header.
    It is up to the server to retrieve the info and build whatever is needed.
    Gilles.
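    An added configuration example, not from the thread, of the header insert Gilles describes: an HTTP modify action list that adds an X-Forwarded-For request header carrying the client source address, attached to the load-balance policy. The names ACT-INSERT-CLIENT-IP, LB-WEB and SF-WEB are assumptions; the "!" lines are annotations, not ACE commands.

    ```text
    ! Added example, not from the thread. ACT-INSERT-CLIENT-IP, LB-WEB and SF-WEB
    ! are assumed names. %is expands to the client's source IP as the ACE saw it
    ! on the VIP, i.e. the address before source NAT is applied on the server leg.
    action-list type modify http ACT-INSERT-CLIENT-IP
      header insert request X-Forwarded-For header-value "%is"
    policy-map type loadbalance first-match LB-WEB
      class class-default
        serverfarm SF-WEB
        action ACT-INSERT-CLIENT-IP
    ```

    On the server side, treat the header as trustworthy only on connections whose peer is the ACE NAT address: any client can send an X-Forwarded-For of its own, and if it does, the request may reach the server with more than one such header, so the application should take the one the ACE added (the last one) rather than the first.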

  • Ace ssl-proxy problem, Online store.

    Hello!
    I have a problem with moving our online store load balancing to a Cisco ACE solution from the Windows NLB that it runs on now, and also relieving the servers of the SSL encryption and decryption of sessions.
    The load balancing works, as long as the session is HTTP, but when the "customer" comes to the point where they are going to pay, our shop jumps over to HTTPS, and this is where the problem appears.
    The "customer" gets the certificate correctly, but the site is not displayed; the session to the shop seems to die.
    Have I missed something in the config, or does someone have any other idea why this doesn't work for me?
    Appreciate any help!
    My config:
    (at the moment only web5 is in use)
    ACE-1/CO-WEB1# show run
    access-list ANY line 10 extended permit ip any any
    access-list icmp line 8 extended permit icmp any any
    probe http PROBE-HTTP
    interval 3
    passdetect interval 10
    passdetect count 2
    expect status 200 200
    expect status 300 323
    parameter-map type ssl SSLPARAMS
    cipher RSA_WITH_RC4_128_MD5
    rserver host vmware-server1
    description testserver1
    ip address 219.222.4.180
    probe PROBE-HTTP
    inservice
    rserver host vmware-server2
    description testserver 2
    ip address 219.222.4.181
    probe PROBE-HTTP
    inservice
    rserver host web5
    description testserver from windows nlb
    ip address 219.222.4.185
    probe PROBE-HTTP
    inservice
    ssl-proxy service SSL-PROXY-SE
    key cert-se.key
    cert cert-se.pem
    ssl advanced-options SSLPARAMS
    serverfarm host WM-ware_servers
    rserver vmware-server1
    inservice
    serverfarm host webtest
    description testserver-farm
    predictor leastconns
    rserver vmware-server1 80
    rserver vmware-server2 80
    rserver web5
    inservice
    sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
    timeout 60
    serverfarm webtest
    class-map match-all VIP-HTTP
    2 match virtual-address 219.222.4.178 tcp eq www
    class-map match-all VIP-HTTPS
    2 match virtual-address 219.222.4.178 tcp eq https
    class-map type management match-any icmp
    description for icmp reply
    2 match protocol icmp any
    policy-map type management first-match icmp
    class icmp
    permit
    policy-map type loadbalance first-match VIP-HTTP
    class class-default
    sticky-serverfarm STICKY-GROUP1
    policy-map type loadbalance first-match VIP-SSL
    class class-default
    serverfarm webtest
    policy-map multi-match SLB-VIP-HTTP
    class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy VIP-HTTP
    loadbalance vip icmp-reply
    class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy VIP-SSL
    loadbalance vip icmp-reply
    ssl-proxy server SSL-PROXY-SE
    interface vlan 21
    description ### ACE OUTSIDE mot FW ###
    ip address 219.222.4.171 255.255.255.240
    access-group input ANY
    access-group output ANY
    service-policy input icmp
    service-policy input SLB-VIP-HTTP
    no shutdown
    interface vlan 22
    description ### ACE INSIDE Gateway for Web-servers ###
    ip address 219.222.4.177 255.255.255.240
    access-group input ANY
    access-group output ANY
    service-policy input icmp
    no shutdown
    ip route 0.0.0.0 0.0.0.0 219.222.4.161
    ACE-1/CO-WEB1#
    As seen in "show conn", the sessions are established, first when I enter the site, and then when I go to payment (jumping over to SSL):
    ACE-1/CO-WEB1# show conn
    total current connections : 4
    conn-id np dir proto vlan source destination state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    4 1 in TCP 21 219.222.0.2:49972 219.222.4.178:443 ESTAB
    14 1 out TCP 22 219.222.4.185:443 219.222.0.2:49972 ESTAB
    11 2 in TCP 21 219.222.0.2:49923 219.222.4.178:80 ESTAB
    3 2 out TCP 22 219.222.4.185:80 219.222.0.2:49923 ESTAB
    ACE-1/CO-WEB1#

    Hello Krille,
    I had the same problem.
    The HTTP probe you define will check whether the return code is
    expect status 200 200
    expect status 300 323
    Now if a user is accessing the HTTPS site, in the flow there will be a status like 404; the ACE then does not establish a sticky connection, because it thinks that the flow is not OK.
    The only output after the certificates is a blank site.
    If you change the probing to ICMP you will be able to access the HTTPS site and the connection is sticky. With a little tool like IE Watch you will be able to see the wrong status codes.
    regards
    eberhard
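    An added configuration example, not from the thread, that addresses something visible in the posted config independently of the probe question. In serverfarm webtest, rserver web5 carries no port, and the posted show conn output shows the server-side leg of the HTTPS session going to 219.222.4.185:443. Because ssl-proxy server terminates TLS on the VIP and no ssl-proxy client is configured towards the servers, the ACE sends decrypted HTTP to the server's TLS port. The example sends it to port 80 instead, makes the HTTPS VIP use the same sticky group as the HTTP VIP so a customer stays on the same server when the shop switches to HTTPS, and replaces the RC4/MD5 cipher with AES ciphers. The AES cipher names are assumed to be available on the running image; the "!" lines are annotations, not ACE commands.

    ```text
    ! Added example, not from the thread. AES cipher names are assumed to be
    ! supported on the running image.
    parameter-map type ssl SSLPARAMS
      ! RSA_WITH_RC4_128_MD5 is a weak cipher; prefer AES.
      cipher RSA_WITH_AES_256_CBC_SHA
      cipher RSA_WITH_AES_128_CBC_SHA
    serverfarm host webtest
      description testserver-farm
      predictor leastconns
      rserver vmware-server1 80
      rserver vmware-server2 80
      ! Explicit port 80: the ACE terminates TLS on the VIP and sends clear
      ! HTTP here. Without a port, the VIP port (443) is reused on the server
      ! side, which is what the posted show conn output shows.
      rserver web5 80
        inservice
    sticky ip-netmask 255.255.255.0 address source STICKY-GROUP1
      timeout 60
      serverfarm webtest
    ! Both VIPs use the sticky group, so the HTTP and HTTPS legs of one
    ! customer's visit land on the same server.
    policy-map type loadbalance first-match VIP-HTTP
      class class-default
        sticky-serverfarm STICKY-GROUP1
    policy-map type loadbalance first-match VIP-SSL
      class class-default
        sticky-serverfarm STICKY-GROUP1
    policy-map multi-match SLB-VIP-HTTP
      class VIP-HTTPS
        loadbalance vip inservice
        loadbalance policy VIP-SSL
        loadbalance vip icmp-reply
        ssl-proxy server SSL-PROXY-SE
    ```

    After applying this, "show conn" should show the out leg of an HTTPS session to 219.222.4.185:80. If the servers must receive TLS end to end instead, keep port 443 on the rserver and add an ssl-proxy client service to the VIP-SSL policy so the ACE re-encrypts towards the server; either way, the decrypted leg now runs over the inside VLAN in the clear, so that VLAN should carry nothing but ACE-to-server traffic.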

  • How to debug ACE FT Sync Problems ?

    Hello,
    in one of our contexts we have a sync problem on the standby unit.
    "sh ft group detail" gives
    "Running cfg sync status : Error on Standby device when applying configuration file replicated from active", while "Startup cfg sync status" is OK.
    "sh crypto files" and "dir disk0:" produce the same output on both ACE units.
    How can we analyze the problem ?

    Hi Gilles,
    unfortunately I can not see a meaningful message. Can you please have a look at the attachments (taken from the standby machine) ?
    Thank you very much in advance.

  • ACE RHI problem

    Hello,
    I have two 6509 switches with ACE modules installed and configured as active/standby. There is no FWSM installed, so the MSFC shares a common subnet with the external interface of the ACE. On both MSFCs, I can see the static route injected (RHI) by the ACE. However, those routes are different. On the MSFC hosting the active ACE, the next hop of the static route installed is the alias IP address of the external ACE interface. On the MSFC hosting the standby ACE, the next hop is the IP address of the external interface of the standby ACE, not the alias.
    This causes a problem when traffic is routed through the second MSFC, which sends traffic destined to my VIP to the standby ACE, causing the traffic to be dropped.
    Why does this behaviour happen? I started to see this behaviour after a sudden reboot of the standby ACE. Before that, I am not sure what route was injected into the second MSFC, but I had no problem with my VIP.
    Can anyone tell me how I can make the second MSFC route traffic towards the alias instead of the interface IP?
    Thanks.

    The TAC case is resolved. Posting back to the community so the solution can be shared with a wider audience.
    Thanks to Mohammed keeping the troubleshooting outputs from the time of the problem, it was found that after the standby ACE rebooted, BOTH the active ACE and the standby ACE were injecting the host route to the VIP; this is not expected behaviour. The expected behaviour is for the active ACE to inject the host route with the ACE alias IP as the next hop, and for the standby not to inject the route.
    This problem is due to a software defect, CSCsx67908 "When you configure ACEs for redundancy and Route Health Injection (RHI) and the standby ACE reboots, duplicate RHI entries can exist on the supervisor."
    ref: http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/v3.00_A2/release/note/racea2_x.html
    A software fix is available. There is also a workaround: perform an "FT switchover" on the ACE.
    Another, routing-based workaround is to disable RHI for the VIP and instead advertise the VIP subnet via a routing protocol on the switch supervisor (e.g., advertising the connected VLAN via EIGRP, OSPF, etc.).
    RHI of the VIP is not enabled by default, and can be disabled with the following on the ACE:
    policy-map multi-match XYZ
      class ABC
        no loadbalance vip advertise active
    More info on RHI can be found here:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/configuration/getting/started/guide/rhi.html
    Regards,
    Simon
