ACE Redundancy
It seems ft groups are the ACE redundancy feature. FT groups are associated with contexts. In turn, contexts are associated with slb groups. Does this mean one must group slb groups into contexts according to failover behavior?
In other words, how do I relate contexts, ft groups and slb groups? I need some to be Active-Active and some Active-Standby.
Thanks Gilles,
Does this not defeat what I understand to be the purpose of contexts, to provide virtual machines for the different business interests to log into?
Am I to understand also, then, that the entire context will fail over, with all the slb groups in it, if the ft heartbeat test does not pass? What about the health probes for slb groups: are they purely to determine whether a server is eligible for traffic or not, and can they not assist in failing over a group if necessary?
The Active-Active is at the customer's request. They would like read requests to go to all servers, in both locations, and write requests to go to only one (Active-Standby).
Similar Messages
-
Upgrading ACE , redundant active-active context
Hi,
We have 2 ACEs running in our network, and we would like to upgrade the ACE software.
To minimize any disruption to existing network traffic during a software upgrade or downgrade, deploy your ACE modules in a redundant configuration. For details about redundancy, see Chapter 7, Configuring Redundant ACE Modules. The following steps provide an overview on upgrading a redundant configuration used in conjunction with the procedures in this appendix:
1. Upgrade the active module first.
2. Reboot the active ACE after the software installation. When you reboot the active ACE, it fails over to the standby module and existing traffic continues without interruption.
3. Upgrade the new active module.
4. Reload the active ACE after the redundant module is up and the high availability (HA) state is hot. A similar failover occurs when you reboot this ACE and once again the existing traffic continues. The original active ACE is active once again.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/upgrade.html
This section describes the methods and CLI commands that you can use to troubleshoot redundancy issues in your ACE.
1. Ensure that the software versions and licenses installed in the two ACEs are identical. A software or license mismatch may generate the following syslog message:
%ACE-1-727006: HA: Peer is incompatible due to error str. Cannot be Redundant.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide,_Release_A2(x)_--_Troubleshooting_Redundancy
Following those steps, is there any problem that could happen after step 2, having a different software version on the first and second module?
Also on step 4, 'Reload the active ACE after the redundant module is up and the high availability (HA) state is hot', is that possible with both modules using a different software version?
Hi,
When you upgrade or downgrade the ACE software in a redundant configuration with different software versions, the STANDBY_WARM and WARM_COMPATIBLE states allow the configuration and state synchronization process between the peers to continue on a best-effort basis. This basis allows the active ACE to synchronize configuration and state information with the standby even though the standby may not recognize or understand the CLI commands or state information.
In the STANDBY_WARM state, as with the STANDBY_HOT state, configuration mode is disabled on the standby ACE and configuration and state synchronization continues. A failover from the active to the standby based on priorities and preempt can still occur while the standby is in the STANDBY_WARM state. However, while stateful failover is possible for a WARM standby, it is not guaranteed. In general, modules should be allowed to remain in this state only for a short period of time.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_Troubleshooting_Redundancy#About_WARM_COMPATIBLE_and_STANDBY_WARM
Siva -
ACE redundancy tracking and failure detection
Hello,
I have configured redundancy on a pair of ACEs, and I am now looking for the most appropriate method of failure detection.
In the admin guide, 3 possible methods are explained: host tracking, interface tracking and HSRP group tracking.
I don't have HSRP configured on the Supervisors in the ACEs chassis, the default gateway is on other chassis, so HSRP tracking is not an option.
The ACEs are configured in routed mode.
I have 1 VLAN with all VIPs, and 4 server VLANs.
There are 2 contexts active.
I was thinking of tracking all 5 VLAN interfaces + tracking the default gateway on client side.
Would this be a good approach?
thanks in advance for your input.
Hi,
The ACE supports a maximum of 4,093 VLANs per system and a maximum of 1,024 shared VLANs per system.
Also note that the ACE supports a maximum of 8,192 interfaces per system, which include VLANs, shared VLANs, and BVI interfaces.
Regards,
Sachin -
ACE redundancy with bridge mode
I need to configure redundancy between two ACE modules (no problem). There is a context in bridge mode. My question is, in which state is the standby context? Is it in a blocked state (meaning it does not answer any L2 requests), similar to, for example, the ASA? I need to explain the loop-free topology.
Can anybody explain to me how it works?
Yes, that's correct.
If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!
Create an ACL that permits BPDUs and configure it on the both ACEs on the client- and serverside:
access-list NONIP ethertype permit bpdu
int vlan 10 ! client-side
access-group input NONIP
int vlan 20 ! server-side
access-group input NONIP
more info:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/bridge.html#wp1174530
Please rate if this was useful for you.
Kind regards,
Dario -
Ace redundancy with different software licences
Hi,
We have 4710 with ACE-4710-1F-K9.
1G Bundle: Includes ACE 4710 Hardware, 1 Gbps Throughput, 5,000 SSL TPS, 500 Mbps Compression, 5 Virtual Devices, 50 Application Acceleration Connection License, Embedded Device Manager
We have another 4710 with ACE-4710-2F-K9.
2G Bundle: Includes ACE 4710 Hardware, 2 Gbps Throughput, 7,500 SSL TPS, 1Gbps Compression, 5 Virtual Devices, 50 Application Acceleration Connection License, Embedded Device Manager
Is it possible to make redundancy (FT GROUP) with 2 devices that have different software bundles?
Hello-
When you initially set up the ACEs in an FT pair, they initially figure out who is master based on priority, then they check if the licenses that they each have installed are the same. If there is a mismatch, FT will continue to check the configuration and will eventually go into a "standby warm" state. It will not config-sync the startup or running configurations until you install the correct license and toggle config sync.
This is what you would see:
ACE-A/Admin# show ft group 1 status
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
Peer State : FSM_FT_STATE_STANDBY_WARM
Peer Id : 1
No. of Contexts : 1
Running cfg sync status : Detected license mismatch with peer, disabling running-config auto sync
Startup cfg sync status : Detected license mismatch with peer, disabling running-config auto sync
If you disable config sync, it will still stay in a warm state and ignore the license mismatch:
ACE-A/Admin# show ft group 1 status
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
Peer State : FSM_FT_STATE_STANDBY_WARM
Peer Id : 1
No. of Contexts : 1
Running cfg sync status : Sync disabled by CLI.
Startup cfg sync status : Sync disabled by CLI.
It is not recommended to run with 2 different licenses because it is possible that you failover and don't have enough resources to carry the traffic that the active was running - however - if you disable configuration sync, it will allow you to do such.
Regards,
Chris Higgins -
Hi All,
Simple question.
Assume we have two ACE load balancers installed in two different Catalyst 6500s.
The two Catalysts are directly connected over a L2 connection, and all the flow-state information and the redundancy heartbeat information are transmitted over this connection.
One LB is active and the second one is in standby. The two load balancers process traffic for the same virtual devices, of course.
Assume now that the link is in shutdown state.
In this case both ACE LBs will be in the Active state.
Could you please briefly describe the impact of having two load balancers active at the same time?
Thank you.
Hi Tom,
It looks like the VLAN and the physical interface are up. You can anyway check the following to confirm:
sh interface gi 1/4
sh interface vlan 12
In "sh interface gi 1/4 counters", do you see the "RX packets" counter increasing?
You should be able to ping 192.168.12.2 from 192.168.12.1 and vice versa. Which IP did you assign to the other peer? It should be:
ft interface vlan 12
peer ip address 192.168.12.2 255.255.255.0
ip address 192.168.12.1 255.255.255.0
no shutdown
You can check as well "sh ft stats" and see if the heartbeats counter are increasing.
Regarding the other interfaces, you mention that you can't ping devices on the ACE-adjacent VLANs. Are you allowing ICMP traffic? For instance:
class-map type management match-any management
  match protocol icmp any
policy-map type management first-match management
  class management
    permit
service-policy input management
Finally, did you check whether you are able to resolve mac addresses?
I hope it helps,
Olivier -
ACE virtual mac address allocation
We're running ACE SM and seeing all the VIP addresses, NAT addresses and alias addresses in the ARP table below being assigned the same virtual MAC address. How then would a packet find the correct source/destination if all these MAC addresses are the same?
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
204.107.54.1 00.24.f9.03.08.00 vlan810 GATEWAY 300 263 sec up
204.107.54.4 00.1e.13.3c.ab.80 vlan810 LEARNED 24 7631 sec up
204.107.54.5 00.1e.13.3c.a6.00 vlan810 LEARNED 331 8992 sec up
204.107.55.5 00.1f.ca.7b.70.23 vlan810 INTERFACE LOCAL _ up
204.107.55.6 00.0b.fc.fe.1b.05 vlan810 ALIAS LOCAL _ up
204.107.54.20 00.0b.fc.fe.1b.05 vlan810 VSERVER LOCAL _ up
204.107.54.21 00.0b.fc.fe.1b.05 vlan810 VSERVER LOCAL _ up
204.107.54.22 00.0b.fc.fe.1b.05 vlan810 VSERVER LOCAL _ up
204.107.54.23 00.0b.fc.fe.1b.05 vlan810 VSERVER LOCAL _ up
204.107.54.31 00.0b.fc.fe.1b.05 vlan810 VSERVER LOCAL _ up
204.107.54.32 00.0b.fc.fe.1b.05 vlan810 VSERVER LOCAL _ up
204.107.54.33 00.0b.fc.fe.1b.05 vlan810 VSERVER LOCAL _ up
Thanks.
ACE uses the concept of virtual MAC addresses, which are the addresses used for VIP addresses, NAT addresses (dynamic and static), and alias addresses. These will all always use a MAC address in the following form: 00.0b.fc.fe.1b.
If you are using a single ACE SM in a cat6k box and you are seeing duplicate MACs, it's normal. The Cat6k Supervisor is L2 adjacent with the ACE; any traffic received by the Supervisor in VLAN 810 will be sent to the ACE, and then the ACE will determine which VIP that packet is going to.
The real problem will come when you are using multiple ACE modules in the same chassis or you are doing chassis-to-chassis ACE redundancy. In such a situation your Cat6k switch will have duplicate MAC entries.
To avoid this, you need to keep your contexts in different context groups in each module, i.e. something like this:
ft group 5
peer 1
priority X
associate-context default3
inservice -
REDUNDANT ACE 20 WITH SSL CERTIFICATE
Hi
I have an ACE 20 redundant infrastructure (Active-Standby), and I need to implement a secure application with an SSL certificate.
The question I have is, for this solution, is it necessary to generate a digital certificate and key for each ACE module? And is it possible to use the same certificate and key in both ACE modules?
Thanks for your help.
Regards
Ricardo,
You can just use the same certificates for both devices.
Jorge -
Can ACE module and 4710 appliance work redundant together
Hi.
I am setting up a testlab for ACE loadbalancing and need to test functionality on both the ACE module and the 4710 appliance.
Can one of each of these two be set up redundantly together with full functionality? Or do I have to test redundancy for 2x ACE modules and 2x 4710 appliances separately?
Thanks in advance for any help!
It won't work.
The code checks if the devices are the same during the HA negotiation.
If you do a 'show ft peer detail' you should see at the end :
SRG Compatibility : WARM_COMPATIBLE
License Compatibility : INCOMPATIBLE
These 2 entries indicate if the boxes are compatible to run HA between each other.
The version is checked and the license.
Both would be different between an ACE module and ACE appliance.
Gilles -
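A readiness check a defender can run before a reload or while troubleshooting, added here as an example and not Cisco's code: it parses the 'show ft group <n> status' fields quoted in the license-mismatch post above and the 'show ft peer detail' compatibility lines from this post, and flags a STANDBY_WARM peer, disabled or mismatched config sync, both peers active, and an incompatible SRG or license. Assumptions: the sample outputs are constructed from the thread's values, and COMPATIBLE is the healthy value of the two compatibility fields.

```python
"""Added example (not Cisco's code): HA readiness check for an ACE FT pair.

Parses 'show ft group <n> status' and 'show ft peer detail' output captured
out of band and lists reasons the pair is not ready for a reload/failover.
Assumption: 'COMPATIBLE' is the healthy value of the two compatibility fields.
"""

HOT_PAIR = {"FSM_FT_STATE_ACTIVE", "FSM_FT_STATE_STANDBY_HOT"}

# Constructed sample modelled on the license-mismatch output quoted in the thread
SAMPLE_GROUP_WARM = """\
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
Peer State : FSM_FT_STATE_STANDBY_WARM
Peer Id : 1
No. of Contexts : 1
Running cfg sync status : Detected license mismatch with peer, disabling running-config auto sync
Startup cfg sync status : Detected license mismatch with peer, disabling running-config auto sync
"""
SAMPLE_PEER_WARM = "SRG Compatibility : WARM_COMPATIBLE\nLicense Compatibility : INCOMPATIBLE\n"

# Constructed healthy pair (the 'Enabled' sync wording is made up for the sample)
SAMPLE_GROUP_HOT = SAMPLE_GROUP_WARM.replace("STANDBY_WARM", "STANDBY_HOT").replace(
    "Detected license mismatch with peer, disabling running-config auto sync", "Enabled")
SAMPLE_PEER_HOT = "SRG Compatibility : COMPATIBLE\nLicense Compatibility : COMPATIBLE\n"


def parse_fields(output: str) -> dict:
    """Turn the 'Key : Value' lines of an ACE show command into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def ft_findings(group_status: str, peer_detail: str) -> list:
    """Reasons the FT pair is not ready for a reload; an empty list means ready."""
    g, p = parse_fields(group_status), parse_fields(peer_detail)
    findings = []
    if g.get("Configured Status") != "in-service":
        findings.append("FT group is not in-service")
    states = {g.get("My State", ""), g.get("Peer State", "")}
    if states == {"FSM_FT_STATE_ACTIVE"}:
        # both peers believe they are active: FT VLAN down, VIPs/aliases owned twice
        findings.append("both peers ACTIVE (split brain)")
    elif any(s.endswith("STANDBY_WARM") for s in states):
        # WARM: sync is best-effort and stateful failover is not guaranteed
        findings.append("standby is STANDBY_WARM")
    elif states != HOT_PAIR:
        findings.append("unexpected FT states: " + ", ".join(sorted(states)))
    for key in ("Running cfg sync status", "Startup cfg sync status"):
        status = g.get(key, "")
        if "mismatch" in status.lower() or "disabled" in status.lower():
            findings.append(f"{key}: {status}")
    for key in ("SRG Compatibility", "License Compatibility"):
        if p.get(key) != "COMPATIBLE":
            findings.append(f"{key}: {p.get(key, 'missing')}")
    return findings


if __name__ == "__main__":
    for line in ft_findings(SAMPLE_GROUP_WARM, SAMPLE_PEER_WARM):
        print("NOT READY:", line)
```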
ACE active active service redundancy
Hi,
I want to deploy two ACE modules in redundant configuration. I want ACE_1 to be active for Web-server-LB service and ACE_2 to be active for DNS-server-LB.
All my clients are coming to ACE on a single VLAN. But as per the above configuration, the web traffic of clients should go to ACE_1 and the DNS traffic should go to ACE_2. Can anyone suggest how to achieve this.
thanks
You can share the client-side VLAN with multiple contexts on the ACE in routed mode. So if your client VLAN is 10, then you can assign the same VLAN to both ACE contexts.
Let's say VLAN 10 is using the 10.10.10.0/24 subnet.
You can assign two different IP addresses to the two contexts. For example:
You can assign 10.10.10.100/24 to WEB-context's VLAN10 interface &
Similarly 10.10.10.200/24 to DNS-context's VLAN10 interface.
When contexts share a VLAN, the ACE assigns a different MAC address to the VLAN on each context.
Now if you define VIP-DNS with IP 10.10.10.150/24 in the DNS context and VIP-WWW with IP 10.10.10.250 in the WEB context, then for requests destined to 10.10.10.150 the ACE will respond with the MAC address associated with the DNS context. Similarly, for ARP requests asking for 10.10.10.250 the ACE will respond with the MAC assigned to the WEB context.
HTH
Syed Iftekhar Ahmed -
Configuring ACE Module for Redundancy
Hi Sir,
I'm configuring fault tolerance between two ACE modules installed on two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
Do I need to configure 4 "ft group", i.e. one context per group? E.g. config:
ft group 1
peer 1
priority 110
peer priority 105
associate-context Admin
inservice
ft group 2
peer 1
priority 110
peer priority 105
associate-context ace-context1
inservice
ft group 3
peer 1
priority 105
peer priority 110
associate-context ace-context2
inservice
ft group 4
peer 1
priority 105
peer priority 110
associate-context ace-context3
inservice
Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client-side?
Thank you.
B.Rgds,
Lim TS
Hi Gilles,
I have configured FT for all user contexts as well as for the admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
I noticed a few things:
(1) After the initial FT config, subsequent FT groups just need to be configured on the active Admin context and it will be replicated to the standby ACE, with the priority correctly reversed.
(2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
(3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
One issue I encountered in one of the user contexts is as follows:
ace1/ace-context-1# sh run int
Generating configuration....
interface vlan 950
description *** Client-Facing VLAN ***
ip address 10.1.35.5 255.255.255.0
alias 10.1.35.4 255.255.255.0
peer ip address 10.1.35.6 255.255.255.0
access-group input ACL_VL950_IN
service-policy input REMOTE_MGMT
service-policy input MY_LB
no shutdown
interface vlan 951
description *** Connection to Real Servers ***
ip address 10.1.36.2 255.255.255.0
alias 10.1.36.1 255.255.255.0
peer ip address 10.1.36.3 255.255.255.0
access-group input ACL_VL951_IN
service-policy input NAT_REAL
no shutdown
This is the active context. It can ping to 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client-side). It can ping alias 10.1.36.1 over VLAN 951 (server-side) but can't ping to peer 10.1.36.3. The ACL_VL951_IN permits ip any any. Do you know why?
Secondly, I can remotely ping to alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
Please advise.
Thank you.
B.Rgds,
Lim TS -
Cisco ACE Appliance Redundant configuration
How does the Cisco ACE appliance change its IP address and MAC address after failover?
Hi Birendra,
Could you please elaborate more on your question?
FT MACs depend on the FT group that you have configured, and they remain the same. They will not change after failover.
Here's a document at the link which explains in details about different MAC addresses in ACE:
https://supportforums.cisco.com/docs/DOC-8723
Let me know if you have any questions.
Regards,
Kanwal -
Hello,
How does VSS (C6500) work with the ACE module in redundancy mode?
The ACE module is going to be installed in each Catalyst C6500.
Best Regards
See http://www.cisco.com/en/US/products/ps9336/products_tech_note09186a0080a7c72b.shtml for outline information on how the VSS handles ACE with VSL.
HTH
Cathy -
ACE Drop (Dest nat fail):
Hi All,
I'm using ACE module A2(2.4).
I'm trying to use the parameter server-conn reuse, but clients sometimes get status code 503.
A#1/Test1# show np 1 me-stats "-socm -v"
OCM Statistics: (Current)
Errors: 0 0
Connection create received: 231121503 1142
LB dest decision received: 365473159 1473
Nat app fixup recieved: 0 0
Connection unproxy received: 52997475 393
Connection reproxy received: 51249279 375
IPCP received: 83227 2
ACK trigger received: 52733008 390
TCP connected received 218498529 1065
Unknown message received: 0 0
Drop [LB dest decision fail]: 29392 0
Drop [invalid ifid] 0 0
Drop [Out of buffers]: 0 0
Dest decision transmitted: 248735645 1174
TCP connect transmitted: 212827881 828
ACK trigger transmitted: 12 0
IPCP transmitted: 83227 2
NAT[static mapped]: 0 0
NAT[static real]: 0 0
NAT[xlate alloc fail]: 0 0
NAT[xlate real hit]: 0 0
NAT[xlate mapped hit]: 0 0
NAT[invalid xlate]: 0 0
NAT[dump xlate]: 0 0
NAT[xlate release failed]: 0 0
NAT Pool Alloc [fail]: 0 0
NAT Pool Alloc [addr]: 0 0
NAT Pool Alloc [addr/port]: 33689970 81
NAT Pool Free [addr]: 0 0
NAT Pool Free [addr/port]: 33689214 88
NAT Pool Free [orphan IP]: 0 0
Reuse retrieve link update conn invalid 0 0
Reuse retrieve link update conn not on r 0 0
Reuse retrieve success but conn invalid: 0 0
Drop [Next Hop queue full]: 0 0
Reuse retrieve miss: 845627 3
OCM Packet count (Hi & Lo): 976499360 4850
Packet forward received: 4343180 10
NAF Error [no route or unresolved adjace 0 0
NAF Error [nat resp fail]: 0 0
UDP Chaser received: 10406 0
(Context 1 Statistics)
Drop [out of connections]: 0 0
Drop [out of proxies]: 0 0
Drop [out of ssl]: 0 0
Drop [mac lookup fail]: 0 0
Drop [route lookup fail]: 0 0
Drop [nat fail] 0 0
Drop [ip sanity check fail] 0 0
Drop [acl deny]: 0 0
Drop [redundant connection]: 0 0
Connection inserted: 862670 3
Packet message transmitted: 6409302 230
Reuse conns retrieved: 6390611 238
Drop [Reproxy fail]: 171 0
Drop [dest nat fail]: 58286 2
The last counter is increasing. What does it mean? Can this be the problem?
I do not get 503 in the retcode map of the servers.
Regards
Mats
Hi Mats,
I find it very strange that the ACE is sending a 503 message back to the client, because, in case of issues, it normally just resets the connection. With that in mind, we should also investigate the server itself. This is not trivial, so, you should open a TAC case.
Let me just explain the meaning of the "Drop [dest nat fail]" counter. It will be incremented if, after a connection has been natted, one of the servers tries to open a new connection against the natted IP and port. This shouldn't happen unless you are using a protocol composed of several connections (for example, FTP).
Regards
Daniel -
Unable to get connectivity to ACE
I am trying to get IP connectivity to my ACE module from the 6509.
In the switch I enter:
svclc multiple-vlan-interfaces
svclc switch 1 module 3 vlan-group 1
svclc vlan-group 1 505
There is an IP address on VLAN 505 in the 6509. In the admin context of the ACE module there is a VLAN 505 up and running. Why can I not ping between the modules?
The sh arp in the ACE displays:
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
10.x.x.x 00.00.00.00.00.00 vlan505 GATEWAY - * 2 req dn
I assume you meant from the ACE, here it is..
sh int vlan 505
vlan505 is up
Hardware type is VLAN
MAC address is 00:1f:ca:7b:7d:e3
Mode : routed
IP address is 10.x.x.x netmask is 255.255.255.0
FT status is non-redundant
Description:not set
MTU: 1500 bytes
Last cleared: never
Alias IP address not set
Peer IP address not set
Assigned from the Supervisor, up on Supervisor
82 unicast packets input, 2916134 bytes
42798 multicast, 4 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
4 unicast packets output, 5696 bytes
0 multicast, 85 broadcast
0 output errors, 0 ignored
sh arp
Context Admin
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
10.x.x.2 00.00.00.00.00.00 vlan505 LEARNED - * 2 req dn
10.x.x.10 00.1f.ca.7b.7d.e3 vlan505 INTERFACE LOCAL _ up
================================================================================
Total arp entries 2
Yes, ACE is located in a 6500 VSS-pair.
/Andreas