ACE Redundancy FT Vlan down

Hi All,
Simple question.
Assume we have two ACE load balancers installed in two different Catalyst 6500s.
The two Catalysts are directly connected over an L2 connection, and all the flow-state information and the redundancy heartbeat information are transmitted over this connection.
One LB is active and the second one is standby. The two load balancers process traffic for the same virtual devices, of course.
Assume now that the link is in the shutdown state.
In this case both ACE LBs will be in the Active state.
Could you please briefly describe what the impact is of having two load balancers active at the same time?
Thank you.

Hi Tom,
It looks like the VLAN and the physical interface are up. You can anyway check the following to confirm:
sh interface gi 1/4
sh interface vlan 12
In "sh interface gi 1/4 counters", do you see the "RX packets" counter increasing?
You should be able to ping 192.168.12.2 from 192.168.12.1 and vice versa. Which IP did you assign to the other peer? It should be:
ft interface vlan 12
  peer ip address 192.168.12.2 255.255.255.0
  ip address 192.168.12.1 255.255.255.0
  no shutdown
You can check "sh ft stats" as well and see if the heartbeat counters are increasing.
Regarding the other interfaces, you mention that you can't ping devices on the ACE adjacent VLANs. Are you allowing ICMP traffic? For instance:
policy-map type management first-match management
  class management
    permit
class-map type management match-any management
  match protocol icmp any
service-policy input management
Finally, did you check whether you are able to resolve MAC addresses?
I hope it helps,
Olivier

Similar Messages

  • ACE FT Vlan Down

    I'm trying to configure Fault Tolerance on a pair of 4710s.  I followed the doc, and configured int gi1/4 as the fault tolerance interface, using vlan 12.  However the GUI is saying FT Vlan Down
    The troubleshooting wiki said check the physical connectivity, but everything there looks good.  Each ACE can ping its own IP, but not the router on that VLAN, or the peer.   They're connected to a dedicated VLAN in a switch, and I even tried a crossover cable to directly connect the two.
    Here's our config:
    ace1/Admin# show running-config ft
    Generating configuration....
    ft interface vlan 12
      ip address 192.168.12.1 255.255.255.0
      peer ip address 192.168.12.2 255.255.255.0
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 20
      ft-interface vlan 12
      query-interface vlan 1000
    ft group 1
      peer 1
      peer priority 200
      associate-context Admin
      inservice
    interface gigabitEthernet 1/4
      description FT
      ft-port vlan 12
      no shutdown
    Everything looks good, the interface is up/up, but I can't ping the peer.  Gui shows FT Vlan Down. Here's a show ft peer...
    ace1/Admin# show ft peer 1 detail
    Peer Id                      : 1
    State                        : FSM_PEER_STATE_DOWN
    Maintenance mode             : MAINT_MODE_OFF
    FT Vlan                      : 12
    FT Vlan IF State             : UP
    My IP Addr                   : 192.168.12.1
    Peer IP Addr                 : 192.168.12.2
    Query Vlan                   : 1000
    Query Vlan IF State          : UP, Manual validation - please ping peer
    Peer Query IP Addr           : 0.0.0.0
    Heartbeat Interval           : 300
    Heartbeat Count              : 20
    Tx Packets                   : 0
    Tx Bytes                     : 0
    Rx Packets                   : 0
    Rx Bytes                     : 0
    Rx Error Bytes               : 0
    Tx Keepalive Packets         : 0
    Rx Keepalive Packets         : 0
    TL_CLOSE count               : 0
    FT_VLAN_DOWN count           : 0
    PEER_DOWN count              : 2
    SRG Compatibility            : INIT
    License Compatibility        : INIT
    FT Groups                    : 1
    Any other ideas on what to check?
    Thanks
    Tom

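    The checks Olivier lists (FT VLAN interface up, peer state, heartbeat counters moving) can be automated over two readings of "show ft peer 1 detail". The script below is an added example, not code from this thread or from Cisco; the sample outputs are constructed from the fields in Tom's post, and the healthy peer state string FSM_PEER_STATE_COMPATIBLE is an assumption about ACE output rather than something shown on this page.

```python
"""Checks over Cisco ACE 'show ft peer <id> detail' output.

Added example, not code from the thread above. It takes two readings of the
command a few seconds apart and applies the checks from Olivier's reply:
the FT VLAN interface must be UP, the peer must reach a healthy state, and
the heartbeat counters must increase between the two readings.
"""
from typing import Dict, List

# Assumption: the state a healthy FT peer reports (not shown in the thread).
HEALTHY_STATE = "FSM_PEER_STATE_COMPATIBLE"

# Constructed: the failing pair from Tom's post, read twice a few seconds apart.
PEER_DOWN_T0 = """\
Peer Id                      : 1
State                        : FSM_PEER_STATE_DOWN
FT Vlan                      : 12
FT Vlan IF State             : UP
My IP Addr                   : 192.168.12.1
Peer IP Addr                 : 192.168.12.2
Tx Keepalive Packets         : 0
Rx Keepalive Packets         : 0
PEER_DOWN count              : 2
"""
PEER_DOWN_T1 = PEER_DOWN_T0.replace("PEER_DOWN count              : 2",
                                    "PEER_DOWN count              : 3")

# Constructed: what a healthy pair would look like (state string assumed).
PEER_OK_T0 = """\
Peer Id                      : 1
State                        : FSM_PEER_STATE_COMPATIBLE
FT Vlan                      : 12
FT Vlan IF State             : UP
My IP Addr                   : 192.168.12.1
Peer IP Addr                 : 192.168.12.2
Tx Keepalive Packets         : 1200
Rx Keepalive Packets         : 1198
PEER_DOWN count              : 0
"""
PEER_OK_T1 = PEER_OK_T0.replace(": 1200", ": 1210").replace(": 1198", ": 1208")


def parse_show_ft_peer(text: str) -> Dict[str, str]:
    """Turn the 'Field : value' lines into a dict; lines without ':' are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def counter(fields: Dict[str, str], name: str) -> int:
    """Integer value of a counter field, 0 if absent or non-numeric."""
    try:
        return int(fields.get(name, "0"))
    except ValueError:
        return 0


def check_ft_peer(before: str, after: str) -> List[str]:
    """Return finding codes; an empty list means the FT peer looks healthy."""
    a, b = parse_show_ft_peer(before), parse_show_ft_peer(after)
    findings: List[str] = []
    if b.get("FT Vlan IF State") != "UP":
        findings.append("ft-vlan-if-down")
    if b.get("State") != HEALTHY_STATE:
        findings.append("peer-state:" + b.get("State", "missing"))
    if b.get("My IP Addr") == b.get("Peer IP Addr"):
        findings.append("peer-ip-equals-local-ip")
    # Heartbeats in both directions must move between the two readings.
    if counter(b, "Tx Keepalive Packets") <= counter(a, "Tx Keepalive Packets"):
        findings.append("tx-keepalive-stalled")
    if counter(b, "Rx Keepalive Packets") <= counter(a, "Rx Keepalive Packets"):
        findings.append("rx-keepalive-stalled")
    # A rising PEER_DOWN count between readings means the peer is flapping.
    if counter(b, "PEER_DOWN count") > counter(a, "PEER_DOWN count"):
        findings.append("peer-down-count-rising")
    return findings


if __name__ == "__main__":
    print("failing pair:", check_ft_peer(PEER_DOWN_T0, PEER_DOWN_T1))
    print("healthy pair:", check_ft_peer(PEER_OK_T0, PEER_OK_T1))
```

    On Tom's output the transmit keepalive counter is stalled at 0 as well as the receive counter, so the local ACE is not even sending heartbeats; that points at the FT VLAN or ft-port rather than at the peer, which is why the interface and counter checks come before the ping test.
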
  • ACE Redundancy

    It seems ft groups are the ACE redundancy feature. FT groups are associated with contexts. In turn contexts are associated with slb groups. Does this mean, one must group slb groups into contexts according to failover behavior?
    In other words, how do I relate contexts, ft groups and slb groups? I need some to be Active-Active and some Active-Standby.

    Thanks Gilles,
    Does this not defeat what I understand to be the purpose of contexts, to provide virtual machines for the different business interests to log into?
    Am I to understand also then that the entire context will failover, all the slb groups in it, if the ft heartbeat test does not pass? What about the health probes for slb groups, they are purely to determine if a server is eligible for traffic or not, and cannot assist in failing over a group if necessary?
    The Active-Active is at the customer's request. They would like read requests to go to all servers, in both locations, and write requests to go to only one (Active-Standby).

  • ACE redundancy tracking and failure detection

    Hello,
    I have configured redundancy on a pair of ACEs, and I am now looking for the most appropriate method of failure detection.
    In the admin guide, 3 possible methods are explained: host tracking, interface tracking and HSRP group tracking.
    I don't have HSRP configured on the Supervisors in the ACEs' chassis; the default gateway is on another chassis, so HSRP tracking is not an option.
    The ACEs are configured in routed mode.
    I have 1 VLAN with all VIPs, and 4 server VLANs.
    There are 2 contexts active.
    I was thinking of tracking all 5 VLAN interfaces + tracking the default gateway on client side.
    Would this be a good approach?
    thanks in advance for your input.

    Hi ,
    The ACE supports a maximum of 4,093 VLANs per system and a maximum of 1,024 shared VLANs per system.
    Also note that the ACE supports a maximum of 8,192 interfaces per system that include VLANs, shared VLANs, and BVI interfaces.
    Regards,
    Sachin

  • ACE redundancy with bridge mode

    I need to configure redundancy between two ACE modules (no problem). There is a context in bridge mode. My question is, in which state is the standby context? Is it in a blocked state (meaning it does not answer any L2 requests), similar to, for example, the ASA? I need to explain the loop-free topology.
    Can anybody explain to me how it works?

    Yes, that's correct.
    If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!
    Create an ACL that permits BPDUs and configure it on the both ACEs on the client- and serverside:
    access-list NONIP ethertype permit bpdu
    int vlan 10 ! client-side
    access-group input NONIP
    int vlan 20 ! server-side
    access-group input NONIP
    more info:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/bridge.html#wp1174530
    Please rate if this was useful for you.
    Kind regards,
    Dario

  • Layer 3 Vlans Down!

    Folks,
    Could someone please tell me why my layer 3 interfaces (VLAN interfaces) are down??
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    service counters max age 10
    hostname Chicago
    enable password cisco
    no aaa new-model
    ip subnet-zero
    no ip domain-lookup
    ip vrf vlan40-10
    rd 40:10
    route-target export 40:10
    route-target import 40:10
    !
    ip vrf vlan50-20
    rd 50:20
    route-target export 50:20
    route-target import 50:20
    ip vrf vlan60-30
    rd 60:30
    route-target export 60:30
    route-target import 60:30
    mls ip multicast flow-stat-timer 9
    no mls flow ip
    no mls flow ipv6
    mls cef error action freeze
    !
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    diagnostic cns publish cisco.cns.device.diag_results
    diagnostic cns subscribe cisco.cns.device.diag_commands
    redundancy
    mode sso
    main-cpu
    auto-sync running-config
    vlan internal allocation policy ascending
    vlan access-log ratelimit 2000
    interface Loopback0
    ip address 1.1.1.1 255.255.255.0
    ip router isis
    interface GigabitEthernet6/1
    no ip address
    shutdown
    interface GigabitEthernet6/2
    no ip address
    shutdown
    interface GigabitEthernet7/1
    no ip address
    shutdown
    interface GigabitEthernet7/2
    ip address 100.100.100.1 255.255.255.0
    ip router isis
    tag-switching ip
    interface Vlan1
    no ip address
    interface Vlan40
    ip vrf forwarding vlan40-10
    ip address 40.40.40.1 255.255.255.0
    interface Vlan50
    ip vrf forwarding vlan50-20
    ip address 50.50.50.1 255.255.255.0
    interface Vlan60
    ip address 60.60.60.1 255.255.255.0
    router eigrp 100
    network 40.0.0.0
    network 50.0.0.0
    network 60.0.0.0
    no auto-summary
    router isis
    net 10.0010.0000.0002.00
    router bgp 100
    no synchronization
    bgp log-neighbor-changes
    neighbor 2.2.2.2 remote-as 100
    neighbor 2.2.2.2 update-source Loopback0
    no auto-summary
    address-family vpnv4
    neighbor 2.2.2.2 activate
    neighbor 2.2.2.2 send-community both
    exit-address-family
    address-family ipv4 vrf vlan60-30
    no auto-summary
    no synchronization
    exit-address-family
    address-family ipv4 vrf vlan50-20
    no auto-summary
    no synchronization
    exit-address-family
    address-family ipv4 vrf vlan40-10
    redistribute connected metric 100 route-map vlan40-10
    no auto-summary
    no synchronization
    exit-address-family
    ip classless
    no ip http server
    route-map vlan40-10 permit 1
    match interface Vlan40
    control-plane
    dial-peer cor custom
    !
    line con 0
    line vty 0 4
    password cisco
    login
    end

    Do you have any devices in those VLANs? If not, due to auto-state feature, the L3 VLAN interfaces will be down.
    http://www.cisco.com/warp/public/473/188.html

  • Upgrading ACE , redundant active-active context

    Hi,
    We have 2 ACE's running in our network, and we would like to upgrade the ACE software.
    To minimize any disruption to existing network traffic during a software upgrade or downgrade, deploy your ACE modules in a redundant configuration. For details about redundancy, see Chapter 7, Configuring Redundant ACE Modules. The following steps provide an overview on upgrading a redundant configuration used in conjunction with the procedures in this appendix:
    1. Upgrade the active module first.
    2. Reboot the active ACE after the software installation. When you reboot the active ACE, it fails over to the standby module and existing traffic continues without interruption.
    3. Upgrade the new active module.
    4. Reload the active ACE after the redundant module is up and the high availability (HA) state is hot. A similar failover occurs when you reboot this ACE and once again the existing traffic continues. The original active ACE is active once again.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/upgrade.html
    This section describes the methods and CLI commands that you can use to troubleshoot redundancy issues in your ACE.
    1. Ensure that the software versions and licenses installed in the two ACEs are identical. A software or license mismatch may generate the following syslog message:
    %ACE-1-727006: HA: Peer is incompatible due to error str. Cannot be Redundant.
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide,_Release_A2(x)_--_Troubleshooting_Redundancy
    Following those steps, is there any problem that would happen after step 2, having a different software version on the first and second module?
    Also on step 4, 'Reload the active ACE after the redundant module is up and the high availability (HA) state is hot', is that possible with both modules using a different software version?

    Hi,
    When you upgrade or downgrade the ACE software in a redundant configuration with different software versions, the STANDBY_WARM and WARM_COMPATIBLE states allow the configuration and state synchronization process between the peers to continue on a best-effort basis. This basis allows the active ACE to synchronize configuration and state information with the standby even though the standby may not recognize or understand the CLI commands or state information.
    In the STANDBY_WARM state, as with the STANDBY_HOT state, configuration mode is disabled on the standby ACE and configuration and state synchronization continues. A failover from the active to the standby based on priorities and preempt can still occur while the standby is in the STANDBY_WARM state. However, while stateful failover is possible for a WARM standby, it is not guaranteed. In general, modules should be allowed to remain in this state only for a short period of time.
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_Troubleshooting_Redundancy#About_WARM_COMPATIBLE_and_STANDBY_WARM
    Siva

  • ACE probe failure - service down – Can we inform to the end client?

    Hi Guys,
    Does anybody know if it is possible to inform the end client with some specific error page when a service is down? Can we configure something in our ACEs?
    Thanks in advance,
    Oscar

    Yep, I think like you Cathy, Nops is the answer. However I like the idea to redirect the traffic to a webpage on a sorry server. I will try it.
    Stephen… yes, nice too, it could be an option but I am looking for something faster when a client is trying to connect to the specific service and it is down, something like a “sorry” server page.
    Thank you very much for all your contributions and help.
    Regards.
    Oscar

  • CSM VLANs down on 6513

    Hi
    I configured a CSM for a customer on a 6513 a couple of weeks ago and it worked fine. It's configured in routed mode with a client and server VLAN. There are no clients on the client VLAN and no servers on the server VLAN as they are all multiple hops away. It's not in production yet as they want to do some testing.
    Today I got an email saying that it had stopped working and when the client looked at the 6500 both the client and server VLANs showed as down.
    To fix it he recreated the VLANs on the CSM module and it all burst into life. Unfortunately they don't have syslog on the 6500 so there is no record of any errors.
    Has anyone seen anything like this before ?
    Thanks
    Pat

    Hi Pat,
    This problem description is too vague to comment on. Would help to know:
    -version of chassis IOS and CSM code.
    -relevant configuration snippet.
    -for 'when looked at 6500 both client & server VLANs showed down':
        -what command(s) showed this?
        -provide actual output seen here?
    -for 'it stopped working':
        -what type of traffic was it? LB or pass through?
    -did this config disappear or did they do delete/recreate?
    Best regards.

  • Ace redundancy with different software licences

    Hi,
    We have 4710 with ACE-4710-1F-K9.
    1G Bundle: Includes ACE 4710 Hardware, 1 Gbps  Throughput, 5,000 SSL TPS, 500 Mbps Compression, 5 Virtual Devices, 50  Application Acceleration Connection License, Embedded Device Manager
    We have another 4710 with ACE-4710-2F-K9.
    2G Bundle: Includes ACE 4710 Hardware, 2 Gbps  Throughput, 7,500 SSL TPS, 1Gbps Compression, 5 Virtual Devices, 50  Application Acceleration Connection License, Embedded Device Manager
    Is that possible to make redundancy (FT GROUP) with 2 devices has different software bundles?

    Hello-
    When you initially set up the ACEs in an FT pair, they initially figure out who is master based on priority, then they check if the licenses that they each have installed are the same.  If there is a mismatch, FT will continue to check the configuration and will eventually go into a "standby warm" state.  It will not config-sync the startup or running configurations until you install the correct license and toggle config sync.
    This is what you would see:
    ACE-A/Admin# show ft group 1 status
    FT Group                     : 1
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    Peer State                   : FSM_FT_STATE_STANDBY_WARM
    Peer Id                      : 1
    No. of Contexts              : 1
    Running cfg sync status      : Detected license mismatch with peer, disabling running-config auto sync
    Startup cfg sync status      : Detected license mismatch with peer, disabling running-config auto sync
    If you disable config sync, it will still stay in a warm state and ignore the license mismatch:
    ACE-A/Admin# show ft group 1 status
    FT Group                     : 1
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    Peer State                   : FSM_FT_STATE_STANDBY_WARM
    Peer Id                      : 1
    No. of Contexts              : 1
    Running cfg sync status      : Sync disabled by CLI.
    Startup cfg sync status      : Sync disabled by CLI.
    It is not recommended to run with 2 different licenses because it is possible that you failover and don't have enough resources to carry the traffic that the active was running - however - if you disable configuration sync, it will allow you to do such.
    Regards,
    Chris Higgins
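    The two "show ft group 1 status" outputs Chris shows, read from both peers, are enough to classify the FT pair automatically. The script below is an added example, not code from this thread or from Cisco. It flags the license-mismatch / STANDBY_WARM condition from Chris's outputs and, going beyond them, the case from the first question on this page where both ACEs report ACTIVE after the FT VLAN goes down. Assumptions, not shown on the page: the healthy standby state string FSM_FT_STATE_STANDBY_HOT, the healthy sync wording "Running configuration sync has completed", and the FSM_FT_STATE_UNKNOWN placeholder used for a peer that cannot be reached.

```python
"""Classify Cisco ACE 'show ft group <id> status' output from both FT peers.

Added example, not code from the thread. Each peer's status block is parsed
and the pair is reduced to a list of finding codes a monitoring job can act on.
"""
from typing import Dict, List

ACTIVE = "FSM_FT_STATE_ACTIVE"
STANDBY_HOT = "FSM_FT_STATE_STANDBY_HOT"      # assumed healthy standby string
STANDBY_WARM = "FSM_FT_STATE_STANDBY_WARM"    # shown in Chris Higgins' output
UNKNOWN = "FSM_FT_STATE_UNKNOWN"              # placeholder for an unreachable peer

# Sync status strings: the first two are from Chris's outputs, the third is assumed.
MISMATCH_SYNC = "Detected license mismatch with peer, disabling running-config auto sync"
CLI_DISABLED_SYNC = "Sync disabled by CLI."
OK_SYNC = "Running configuration sync has completed"


def status_block(my_state: str, peer_state: str, sync: str) -> str:
    """Build a constructed 'show ft group 1 status' block with the given fields."""
    return (
        "FT Group                     : 1\n"
        "Configured Status            : in-service\n"
        "Maintenance mode             : MAINT_MODE_OFF\n"
        f"My State                     : {my_state}\n"
        f"Peer State                   : {peer_state}\n"
        "Peer Id                      : 1\n"
        "No. of Contexts              : 1\n"
        f"Running cfg sync status      : {sync}\n"
        f"Startup cfg sync status      : {sync}\n"
    )


def parse_status(text: str) -> Dict[str, str]:
    """Turn 'Field : value' lines into a dict (first ':' separates key and value)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify_ft_group(local: str, peer: str) -> List[str]:
    """Finding codes for an FT group seen from both peers; [] means healthy."""
    views = [parse_status(local), parse_status(peer)]
    findings: List[str] = []

    def add(code: str) -> None:
        if code not in findings:
            findings.append(code)

    # Both ACEs claiming ACTIVE is the situation the first question describes
    # when the FT VLAN is down: neither side can see the other.
    if all(v.get("My State") == ACTIVE for v in views):
        add("split-brain")
    # STANDBY_WARM: sync is best effort and stateful failover is not guaranteed.
    if any(v.get("My State") == STANDBY_WARM for v in views):
        add("standby-warm")
    for v in views:
        for field in ("Running cfg sync status", "Startup cfg sync status"):
            text = v.get(field, "").lower()
            if "license mismatch" in text:
                add("license-mismatch")
            if "disabl" in text:       # matches both "disabling" and "disabled"
                add("cfg-sync-disabled")
    return findings


# Constructed samples: local view first, then the same situation from the peer.
MISMATCH = (status_block(ACTIVE, STANDBY_WARM, MISMATCH_SYNC),
            status_block(STANDBY_WARM, ACTIVE, MISMATCH_SYNC))
CLI_DISABLED = (status_block(ACTIVE, STANDBY_WARM, CLI_DISABLED_SYNC),
                status_block(STANDBY_WARM, ACTIVE, CLI_DISABLED_SYNC))
SPLIT = (status_block(ACTIVE, UNKNOWN, OK_SYNC), status_block(ACTIVE, UNKNOWN, OK_SYNC))
HEALTHY = (status_block(ACTIVE, STANDBY_HOT, OK_SYNC), status_block(STANDBY_HOT, ACTIVE, OK_SYNC))

if __name__ == "__main__":
    for name, pair in (("mismatch", MISMATCH), ("cli-disabled", CLI_DISABLED),
                       ("split", SPLIT), ("healthy", HEALTHY)):
        print(f"{name:12s} {classify_ft_group(*pair)}")
```

    Disabling config sync by CLI, as Chris describes, removes the license-mismatch finding but leaves standby-warm and cfg-sync-disabled in place, which is the point of keeping them as separate codes: the pair is running, but a failover to the warm peer may land on fewer resources than the active one had.
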

  • ACE Mod20 interface vlan

    Hi,
    Is it possible to set up the service-policy on the server-side VLAN interface and still have it available for clients with a client subnet IP?
    What I'm currently trying to reach is the other side through the ACE, and to ping the interface VLANs in a context. But I don't get any answer.
    Trying to reach the interface VLAN address 2.1.1.1 from a host in VLAN 1, but with no success. I can ping the interface VLAN 1 though and can route through the module also.
    Setup is simple as that:
    access-list anyone line 18 extended permit ip any any
    interface vlan 1
      desc client vlan
      ip address 1.1.1.1 255.255.255.0
      alias 1.1.1.2 255.255.255.0
      access-group input anyone
      service-policy input remote-mgmt
      no shutdown
    interface vlan 2
      desc server vlan
      ip address 2.1.1.1 255.255.255.0
      alias 2.1.1.2 255.255.255.0
      access-group input anyone
      service-policy input remote-mgmt
      no shutdown
    Greetings,
    Frank

    Hi Frank,
    Service-policies need to be applied to the incoming/ingress interface, hence the 'input' keyword when applying them.  As for ping, by design, the ACE will not allow you to ping a remote interface on the ACE.  In other words, a host on VLAN 1 will be able to ping IP 1.1.1.1, but not 2.1.1.1.  A host on VLAN 2 will be able to ping 2.1.1.1, but not 1.1.1.1.
    Hope this helps,
    Sean

  • Interface VLAN down

    I added a VLAN and an interface vlan with the no shutdown command on the MSFC, but when I enter the show ip interface brief command I get down and down. What causes this problem??

    I guess I should have been more clear in my answer but didn't want to cause confusion.
    Now I have not tried this lately on a catos box so it may be different
    If a port is down/down it means there is no entry in the vlan database for it. It normally also means that there is no port assigned to that vlan, but you can accomplish this by assigning a port and then deleting the vlan database entry. Either way you will get a down/down condition.
    Once you add the vlan to the database the interface will go UP/DOWN. This means there is no active access port on the switch and the vlan is not allowed on any trunks that may be up.
    Once a vlan becomes active either on a trunk or access port it goes to up/up
    Part of the confusion with this is that Cisco adds entries to the vlan database automatically when you add access ports to an unknown vlan.
    The problems come when someone sees this down/down condition on a switch and checks that they allow all vlans on an active trunk port and it still doesn't work. In this case all you do is add the vlan database entry and it will come up.

  • ACE 4710 - Gracefully Shutting Down a Server

    Hi,
    Recently I had to stop an RServer to allow for software upgrades. I entered a no inservice command in the rserver config and all the connections on the serverfarm disappeared. I thought the no inservice should allow existing connections to finish. Is there another way of taking a server out of service?
    We are running on an ACE 4710 version A3(2.5). We offload SSL on the ACE and use sticky connections using cookie insert
    Thanks for your help

    Hi,
    To gracefully shutdown use the "no inservice" on the rserver within the serverfarm rather than on the rserver definition.
    HTH
    Cathy

  • Sharing a VLAN between FWSM and ACE (Routed Mode)

    Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
    I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
    I wanted to configure it like this.
    firewall vlan group 10 <FWSM only vlans>
    firewall vlan group 20 <shared FWSM and ACE vlan>
    or
    svclc vlan group 20 <shared FWSM and ACE vlan>
    svclc vlan group 30 <ACE only vlans>
    The design hides the client side network and the server side network for the ACE behind the FWSM module.
    Layout:
    |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
    So allocation on the 65xx would be like this.
    firewall module n vlan-group 10,20
    svclc module n vlan-group 20,30
    Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
    FWSM and ACE will be in routed mode.
    Thanks for reading...
    Roble

    Never mind...
    Just found the perfect answer for this in a another posting from Syed.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
    Roble

  • Cisco ACE default vlan

    Hello everybody,
    I am installing an ACE 4700 at a customer, but when I started to work and saw their topology, I realized that I had a problem. The problem is that I cannot create the interface vlan 1 and assign an IP address to it. I saw in some documents on the cisco.com site that the ACE hides this VLAN.
    Follows my topology:
    Servers vlan are the vlan 1
    Clients vlans are 5
    Management vlan is 8
    As I understood, the ACE has to have at least one interface in the servers VLAN, but I can't create VLAN 1. So my problem is, how do I unhide VLAN 1 in the ACE so I can configure an IP address on it?
    Leandro

    If you can't have the customer migrate the servers into a different VLAN, you need to trick a bit, as VLAN1 is not usable on the ACE.
    Pick a VLAN number that you will use inside the ACE for the outer VLAN1. Say, VLAN101.
    If you have an access port connecting to the server segment, just set it to 101:
         switchport access vlan 101
    If you connect via a trunk, set your native VLAN to 101:
         switchport trunk native vlan 101
