ACE RHI problem
Hello,
I have two 6509 switches with ACE modules installed and configured as active/standby. There is no FWSM installed, so the MSFC shares a common subnet with the external interface of the ACE. On both MSFCs, I can see the static route injected (RHI) by the ACE. However, those routes are different. On the MSFC hosting the active ACE, the next hop of the installed static route is the alias IP address of the external ACE interface. On the MSFC hosting the standby ACE, the next hop is the IP address of the external interface of the standby ACE, not the alias.
This causes a problem when traffic is routed through the second MSFC where it will send traffic destined to my VIP to the standby ACE causing traffic to be dropped.
Why does this behaviour happen? I started to see this behaviour after a sudden reboot of the standby ACE. Before that, I am not sure what route was injected into the second MSFC, but I had no problem with my VIP.
Can anyone tell me how I can make the second MSFC route traffic towards the alias instead of the interface IP?
Thanks.
The TAC case is resolved. Posting back to the community so the solution can be shared with a wider audience.
Thanks to Mohammed keeping the troubleshooting outputs from the time of the problem, it was found that after the standby ACE rebooted, BOTH the active ACE and the standby ACE were injecting the host route to the VIP; this is not expected behaviour. The expected behaviour is for the active ACE to inject the host route with the ACE alias IP as the next hop, and for the standby not to inject the route.
This problem is due to a software defect CSCsx67908 "When you configure ACEs for redundancy and Route Health Injection (RHI) and the standby ACE reboots, duplicate RHI entries can exist on the supervisor."
ref: http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/v3.00_A2/release/note/racea2_x.html
Software with the fix integrated is available. There is also a workaround: perform an "FT switchover" on the ACE.
Another workaround, by routing, is to disable RHI for the VIP and instead advertise the VIP subnet via a routing protocol on the switch supervisor (e.g., advertising the connected VLAN via EIGRP, OSPF, etc.).
RHI of the VIP is not enabled by default, and can be disabled with the following on the ACE:
policy-map multi-match XYZ
class ABC
no loadbalance vip advertise active
More info on RHI can be found here:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/configuration/getting/started/guide/rhi.html
Regards,
Simon
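As an added illustration (not part of the thread or of any Cisco tooling), the following Python checks the condition Simon describes: it reads "show ip route" text from each supervisor, finds the static /32 for the VIP, and flags both a next hop that is not the ACE alias and a VIP injected by more than one supervisor. The VIP, alias and route lines are constructed sample values.

```python
import re
from typing import Dict, List

# One static route line as printed by IOS "show ip route", e.g.
#   S        10.10.10.100/32 [77/0] via 10.10.10.1
# The bracketed distance/metric is matched but not used.
STATIC_ROUTE_RE = re.compile(
    r"^S\s+(?P<prefix>\d+(?:\.\d+){3})/(?P<plen>\d+)\s+\[\d+/\d+\]\s+via\s+(?P<nexthop>\d+(?:\.\d+){3})"
)


def vip_host_routes(show_ip_route: str, vip: str) -> List[str]:
    """Return the next hop of every static /32 route for `vip` in one MSFC's routing table."""
    next_hops = []
    for raw in show_ip_route.splitlines():
        m = STATIC_ROUTE_RE.match(raw.strip())
        if m and m.group("prefix") == vip and m.group("plen") == "32":
            next_hops.append(m.group("nexthop"))
    return next_hops


def check_rhi(tables: Dict[str, str], vip: str, alias: str) -> List[str]:
    """Flag deviations from the expected RHI state: exactly one supervisor carries a
    host route for the VIP, and that route's next hop is the ACE alias address."""
    findings = []
    injecting = []
    for sup, table in tables.items():
        hops = vip_host_routes(table, vip)
        if hops:
            injecting.append(sup)
        for hop in hops:
            if hop != alias:
                findings.append(f"{sup}: host route for {vip} points at {hop}, not the alias {alias}")
    if len(injecting) > 1:
        findings.append(
            f"{vip} is injected on {len(injecting)} supervisors ({', '.join(injecting)}); "
            "only the active ACE should inject it"
        )
    if not injecting:
        findings.append(f"no RHI host route for {vip} on any supervisor")
    return findings


# Constructed sample data: addresses and supervisor names are made up for the example.
VIP = "10.10.10.100"
ALIAS = "10.10.10.1"        # alias on the ACE external interface (shared by the FT pair)
STANDBY_IF = "10.10.10.3"   # real interface address of the standby ACE

# Supervisor behind the active ACE: VIP reachable via the alias, as expected.
SUP_A = """\
Gateway of last resort is 10.10.10.254 to network 0.0.0.0

C    10.10.10.0/24 is directly connected, Vlan10
S    10.10.10.100/32 [77/0] via 10.10.10.1
"""
# Supervisor behind the standby ACE after the reboot described in the thread:
# the VIP is injected a second time, and via the standby's own interface address.
SUP_B_BROKEN = """\
C    10.10.10.0/24 is directly connected, Vlan10
S    10.10.10.100/32 [77/0] via 10.10.10.3
"""
# Same supervisor in the healthy state: no host route, the standby stays silent.
SUP_B_HEALTHY = """\
C    10.10.10.0/24 is directly connected, Vlan10
"""

if __name__ == "__main__":
    for finding in check_rhi({"sup-A": SUP_A, "sup-B": SUP_B_BROKEN}, VIP, ALIAS):
        print(finding)
```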
Similar Messages
-
Using ACE RHI to inject a default route
I think I posted this onto the wrong Forum. Anyone able to advise here?
SteveK.
Posted by: stevek1 - Network Administrator, Dept Natural Resources and Mines
Apr 18, 2008, 12:04am PST
Hi Folks,
I need to provide internal devices with active-active access to our clustered firewall which sits across 2 data centres.
I need to allow internal hosts to reach external/unknown networks via a default route.
We have ACE modules in our internal network aggregation 6513s at each site.
I aim to achieve this using RHI...ie...device at site 1 reaches the internet via firewall at site 1, device at site 2 reaches internet via firewall at site 2 (due to better route). If the firewall is inaccessible from site 2, ACE at site 2 removes the route from the MSFC using RHI and site 2 device traffic is re-routed to the site 1 exit point.
Has anyone out there done this before?
Regards, Steve.
Replied by: stevek1 - Network Administrator, Dept Natural Resources and Mines - Apr 20, 2008, 6:48pm PST
Hi Folks,
It's Steve here again. I haven't had a response to my query as yet, but basically I need to know the validity of using ACE RHI to inject a default route as opposed to a host route.
Can anyone please advise?
Best Wishes, Steve.
Thanks so much for your response Zahoor.
The solution you have provided is more complicated than I had in mind. For example we had not intended using FWSM (we don't have these modules). I just want to use our existing ACEs at each Data Centre to provide the injection of a default route to our internal EIGRP process based on the result of a probe to our Checkpoint FW. What do you think?
Steve. -
Hi,
I have a problem with the license install procedure on ACE. If I try to perform the Cisco procedure:
LICENSE KEY INSTALLATION INSTRUCTIONS
After you have received the software license key for a new or upgraded license in an e-mail from Cisco Systems, you must copy the license file to a network server and then use the copy command in Exec mode to copy the file to disk0 on the ACE. The syntax for this command is:
copy tftp://server_name/path_filename disk0:
The arguments are:
- server_name - Network server where you copied the license file.
- path_filename - URL location of the license file and the name of the file.
- disk0: - Flash disk in the ACE.
For example, to copy the ACE-VIRT-020.lic license file from the license directory on the track network server, enter:
host1/Admin# copy tftp://track/license/ace-virt-020.lic disk0:
To install a new software license on your ACE or to update an existing license to increase the number of virtual contexts, use the license install command in Exec mode. The syntax of this command is:
license install disk0:filename
The arguments are:
- disk0: - Flash disk in the ACE.
- filename - Filename for the license file.
For example, enter:
host1/Admin# license install disk0:ACE-VIRT-020.lic
I received this message:
Installing license... failed: License server does not support this feature
Could somebody help me?
Regards,
Dino
Hi Dino,
The first license that I received was a text file with ASCII DOS control codes, but the ACE needs Unix/Linux-style ASCII control codes.
If you have a Linux machine around you should be able to use the program dos2unix and convert it.
There are also editors around which can save the file in DOS or UNIX flavour.
Anyhow, if the license file is converted and you created an online license, this should work.
Copy the file with tftp: to disk0: and use license install disk0:name.lic.
Hope it helps.
Roble -
ACE FTP problem in active mode
Hi everyone,
I have a problem with active FTP (passive FTP works fine).
Here is my conf:
access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any
rserver host ftp1
ip address 10.0.151.131
inservice
rserver host ftp2
ip address 10.0.151.132
inservice
serverfarm host ftp
transparent
failaction reassign
rserver ftp1
inservice
rserver ftp2
inservice
class-map match-any vip
2 match virtual-address X.X.X.X tcp eq ftp
policy-map multi-match LBPOL
class vip
loadbalance vip inservice
loadbalance policy lbpol
loadbalance vip icmp-reply active
inspect ftp
interface vlan 1000
description public-side
ip address Y.Y.Y.Y M.M.M.M
no normalization
no icmp-guard
access-group input ANY
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input LBPOL
no shutdown
interface vlan 100
description private-side
ip address 10.0.99.160 255.255.0.0
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
On both hosts, I added the X.X.X.X VIP and the right rule/route with iproute2.
As I said at the beginning, passive FTP is OK; active is not.
While in active mode, I can connect to the FTP but any list/put/get fails.
Any idea?
MA
One thing I don't understand here is why you have
serverfarm host ftp
transparent
With this in place the ACE will not rewrite the destination IP and the server will receive a packet destined to the VIP. This is not very common, but it can work. The rest of your config seems to be fine, except the missing lbpol policy.
Which sw version are you running? -
ACE : Stickyness problem with http cookies
Hi,
I am facing a serious problem with stickiness in an e-commerce configuration.
Here is the setup :
An ACE load balances user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP access and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 441)
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
inservice
rserver HQCHECOM02 80
inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
inservice
rserver HQCHECOM02 443
inservice
The problem :
Let's analyse the sequence of events and the value of the http cookie for each of them :
When the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is stuck to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received) !!
The ACE sees the cookie "B" but does not find it in its database for the sticky group ECOM_STICKY_TEST_HTTP
The ACE performs another load balancing decision and selects SERVER-2 ! (instead of SERVER-1)
The page is reloaded, but the name of the user does not appear on it
The question :
As it is not possible to have only one sticky group in this configuration what would be the solution to make sure that the same server is selected for http and https ?
Thank you for any hints,
Yves
Hi Gilles,
I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
It seems that the ACE ignores the static entries !
To make my question clear, I repeat hereafter the setup and the encountered problem :
Here is the setup :
An ACE load balances user requests on two Apache servers
cookie-insert is used to stick a user on one Apache server
The home page is accessed via http on port 80
On the Home page, there is a link allowing the user to login
The login process uses SSL
During the login, backend SSL is required between the ACE and the selected Apache server
The login is a POST request to the Apache server
After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
The ACE configuration :
Two sticky groups are configured : one for HTTP access and another for HTTPS access
Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
In the ECOM_STICKY_TEST_HTTP sticky group the two following cookies are automatically generated :
R105816849 for the server HQCHECOM01
R105852786 for the server HQCHECOM02
In the ECOM_STICKY_TEST_HTTPS sticky group the two following cookies are automatically generated :
R355972695 for the server HQCHECOM01
R357158616 for the server HQCHECOM02
I statically configured in each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
56 static cookie-value "R355972695" rserver HQCHECOM01
64 static cookie-value "R357158616" rserver HQCHECOM02
sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
cookie insert browser-expire
timeout 240
replicate sticky
serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
72 static cookie-value "R105816849" rserver HQCHECOM01
80 static cookie-value "R105852786" rserver HQCHECOM02
serverfarm host ECOM_FARM_TEST_HTTP
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 80
inservice
rserver HQCHECOM02 80
inservice
serverfarm host ECOM_FARM_TEST_HTTPS
description *** e-Commerce Test Server Farm ***
probe ECOM_PROBE_TEST
rserver HQCHECOM01 443
inservice
rserver HQCHECOM02 443
inservice
The problem :
Let's analyse the sequence of events and the value of the http cookie for each of them :
When the home page is originally loaded, the ACE selects SERVER-1
The ACE inserts the cookie "A" in the server responses
The user is stuck to SERVER-1
Then, the user tries to login and an SSL session is established with the ACE
The user sends a POST request containing the cookie "A"
A backend SSL session is established with SERVER-1
The POST request is forwarded to SERVER-1
SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
But instead, the ACE performs another load balancing decision and selects SERVER-2 !
The page is reloaded, but the name of the user does not appear on it
LiveHTTP trace on Firefox :
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
Date: Mon, 18 Oct 2010 15:31:37 GMT
Server: Apache/2.2.13 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: image/jpeg
Here we switch on HTTPS :
https://ecom.test.toto.com/uk/en/j_spring_security_check
POST /uk/en/j_spring_security_check HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
Here we see cookie for the same server but for the HTTPS sticky group :
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:39 GMT
Server: Apache/2.2.13 (Red Hat)
Location: http://ecom.test.toto.com/uk/en/home
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
Here we switch back to HTTP :
http://ecom.test.toto.com/uk/en/home
GET /uk/en/home HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
Here we see that the second server has been wrongly selected !
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store
Content-Language: en-GB
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Host: ecom.test.toto.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://ecom.test.toto.com/uk/en/home
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Date: Mon, 18 Oct 2010 15:31:40 GMT
Server: Apache/2.2.13 (Red Hat)
Content-Length: 382
Connection: close
Content-Type: image/gif
Hypothesis :
It seems that the static entries are not considered by the ACE... -
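As an added illustration of the diagnosis in Yves's post above (example code, not part of the thread or of the ACE), this Python walks the request/response pairs of the LiveHTTP trace (condensed here to the relevant headers), maps each STICKED-TO value to its real server using the four cookie values the post lists, and reports every exchange where the server that answered is not the one the client's cookie pointed at. Header values come from the trace; the exchange list itself is a constructed condensation of it.

```python
from typing import Dict, List, Optional, Tuple

# Cookie value -> real server, from the two sticky groups in the post
# (each group generates its own value per rserver).
COOKIE_TO_RSERVER: Dict[str, str] = {
    "R105816849": "HQCHECOM01",  # ECOM_STICKY_TEST_HTTP
    "R105852786": "HQCHECOM02",  # ECOM_STICKY_TEST_HTTP
    "R355972695": "HQCHECOM01",  # ECOM_STICKY_TEST_HTTPS
    "R357158616": "HQCHECOM02",  # ECOM_STICKY_TEST_HTTPS
}
STICKY_COOKIE = "STICKED-TO"


def _header_values(block: str, name: str) -> List[str]:
    """All values of header `name` (case-insensitive) in one request or response block."""
    prefix = name.lower() + ":"
    return [ln.split(":", 1)[1].strip() for ln in block.splitlines()
            if ln.lower().startswith(prefix)]


def request_cookie(block: str, cookie: str) -> Optional[str]:
    """Value of `cookie` in the request's Cookie header, or None if absent."""
    for value in _header_values(block, "Cookie"):
        for pair in value.split(";"):
            k, _, v = pair.strip().partition("=")
            if k == cookie:
                return v
    return None


def response_cookie(block: str, cookie: str) -> Optional[str]:
    """Value set for `cookie` by a Set-Cookie header in the response, or None."""
    for value in _header_values(block, "Set-Cookie"):
        k, _, rest = value.partition("=")
        if k.strip() == cookie:
            return rest.split(";", 1)[0].strip()
    return None


def audit_stickiness(exchanges: List[Tuple[str, str]], cookie_map: Dict[str, str]) -> List[dict]:
    """For each (request, response) pair, compare the rserver the client was stuck to
    (from its Cookie header) with the one that actually answered (from Set-Cookie).
    A known claim answered by a different rserver means stickiness was not honoured."""
    results = []
    for req, resp in exchanges:
        expected = cookie_map.get(request_cookie(req, STICKY_COOKIE))
        actual = cookie_map.get(response_cookie(resp, STICKY_COOKIE))
        results.append({
            "request": req.splitlines()[0],
            "expected": expected,
            "actual": actual,
            # No claim yet (first hit) or an unknown cookie is not a violation.
            "ok": expected is None or actual is None or expected == actual,
        })
    return results


# Condensed from the trace in the post: request line, Host and Cookie; status line and Set-Cookie.
TRACE: List[Tuple[str, str]] = [
    ("GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1\n"
     "Host: ecom.test.toto.com\nCookie: STICKED-TO=R105816849;",
     "HTTP/1.1 200 OK\nSet-Cookie: STICKED-TO=R105816849; path=/"),
    ("POST /uk/en/j_spring_security_check HTTP/1.1\nHost: ecom.test.toto.com\n"
     "Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;",
     "HTTP/1.1 302 Moved Temporarily\nSet-Cookie: STICKED-TO=R355972695; path=/\n"
     "Set-Cookie: _hybris.tenantID_=\"\"; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly"),
    ("GET /uk/en/home HTTP/1.1\nHost: ecom.test.toto.com\n"
     "Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;",
     "HTTP/1.1 200 OK\nSet-Cookie: STICKED-TO=R105852786; path=/\n"
     "Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly"),
    ("GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1\nHost: ecom.test.toto.com\n"
     "Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;",
     "HTTP/1.1 200 OK\nSet-Cookie: STICKED-TO=R105852786; path=/"),
]

if __name__ == "__main__":
    for r in audit_stickiness(TRACE, COOKIE_TO_RSERVER):
        flag = "ok " if r["ok"] else "RE-BALANCED"
        print(f"{flag} {r['request']}: claimed {r['expected']}, answered by {r['actual']}")
```

The third exchange (the HTTP reload after the HTTPS login) is the one the post identifies: the client presents the HTTPS-group cookie for HQCHECOM01 and is answered by HQCHECOM02.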
Hi,
Hopefully someone can tell me if what I'm trying to achieve is possible. I need to append details to a URL. I've attempted a rewrite but don't want to send the 10.10.10.1 address back to the client; I want to send their original request with the appended URL. As the IP and port are staying the same, the request loops. Hardware: ACE 4710, software A3(2.0).
I need to loadbalance.
http://ourdomain.com:9080 > http://10.10.10.1-10:9080/ThisBitAdded
ourdomain.com resolves to the same address every time, 10.10.10.1-10 are the real servers.
Any help greatly appreciated.
Thanks
Chris
Chris:
As I'm preparing a response, I'm curious about how you have it set up at this point. What is the configuration that you were testing? -
Hi everyone.
We have a customer who has a server farm formed by 3 servers with the following real ip address:
10.10.24.5-6-7 and a virtual 10.10.24.3 as configured in the ace module.
We found the following behavior in the session number of the servers. We can conclude that there is a server with much more sessions than the others (10.10.24.6):
Can somebody help me by explaining why that can happen?
I am attaching the ACE config as a reference
Thanks
ACE-DIGENERAL/OCS# sh serverfarm Herramientas_Col
serverfarm : Herramientas_Col, type: HOST
total rservers : 3
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
rserver: SP1
10.10.24.5:0 8 OPERATIONAL 390 296043280
rserver: SP2
10.10.24.6:0 8 OPERATIONAL 1003 3371471400
rserver: SP3
10.10.24.7:0 8 OPERATIONAL 354 164816790
As can be seen, the server 10.10.24.6 has more than double the connections of the other 2.
5. In the following screenshot the detailed connections, and the ports it talks on, can also be seen:
ACE-DIGENERAL/OCS# sh conn serverfarm Herramientas_Col
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
70 1 in TCP 951 10.10.22.13:3837 10.10.24.3:80 ESTAB
17239 1 out TCP 324 10.10.24.7:80 10.10.22.13:3837 ESTAB
76 1 in TCP 951 10.83.21.32:1419 10.10.24.3:80 ESTAB
5531 1 out TCP 324 10.10.24.6:80 10.83.21.32:1419 ESTAB
95 1 in TCP 951 10.20.7.51:1702 10.10.24.3:80 ESTAB
16237 1 out TCP 324 10.10.24.6:80 10.20.7.51:1702 ESTAB
98 1 in TCP 951 10.80.31.55:3188 10.10.24.3:80 ESTAB
11995 1 out TCP 324 10.10.24.6:80 10.80.31.55:3188 ESTAB
32749 1 in TCP 951 10.80.21.23:1926 10.10.24.3:80 ESTAB
108 1 out TCP 324 10.10.24.7:80 10.80.21.23:1926 ESTAB
110 1 in TCP 951 10.25.14.231:1705 10.10.24.3:80 ESTAB
37994 1 out TCP 324 10.10.24.6:80 10.25.14.231:1705 ESTAB
7438 1 in TCP 951 10.31.102.32:2329 10.10.24.3:80 ESTAB
141 1 out TCP 324 10.10.24.7:80 10.31.102.32:2329 ESTAB
31247 1 in TCP 951 10.81.36.32:1650 10.10.24.3:80 ESTAB
151 1 out TCP 324 10.10.24.5:80 10.81.36.32:1650 ESTAB
176 1 in TCP 951 10.20.208.124:2598 10.10.24.3:80 ESTAB
13219 1 out TCP 324 10.10.24.7:80 10.20.208.124:2598 ESTAB
32576 1 in TCP 951 10.233.9.40:1577 10.10.24.3:80 ESTAB
233 1 out TCP 324 10.10.24.6:80 10.233.9.40:1577 ESTAB
27499 1 in TCP 951 10.218.16.28:2902 10.10.24.3:80 ESTAB
244 1 out TCP 324 10.10.24.5:80 10.218.16.28:2902 ESTAB
248 1 in TCP 951 10.85.19.55:1540 10.10.24.3:80 ESTAB
14014 1 out TCP 324 10.10.24.7:80 10.85.19.55:1540 ESTAB
27166 1 in TCP 951 10.25.22.90:1766 10.10.24.3:80 ESTAB
254 1 out TCP 324 10.10.24.6:80 10.25.22.90:1766 ESTAB
380 1 in TCP 951 10.23.22.62:1855 10.10.24.3:80 ESTAB
11563 1 out TCP 324 10.10.24.6:80 10.23.22.62:1855 ESTAB
397 1 in TCP 951 10.212.35.30:1540 10.10.24.3:80 ESTAB
15491 1 out TCP 324 10.10.24.7:80 10.212.35.30:1540 ESTAB
35588 1 in TCP 951 10.100.30.5:1773 10.10.24.3:80 ESTAB
405 1 out TCP 324 10.10.24.6:80 10.100.30.5:1773 ESTAB
31392 1 in TCP 951 10.216.27.41:1524 10.10.24.3:80 ESTAB
449 1 out TCP 324 10.10.24.6:80 10.216.27.41:1524 ESTAB
592 1 in TCP 951 10.25.21.219:1364 10.10.24.3:80 ESTAB
2988 1 out TCP 324 10.10.24.5:80 10.25.21.219:1364 ESTAB
614 1 in TCP 951 10.25.42.221:1517 10.10.24.3:80 ESTAB
18877 1 out TCP 324 10.10.24.6:80 10.25.42.221:1517 ESTAB
21553 1 in TCP 951 10.80.39.123:1634 10.10.24.3:80 ESTAB
652 1 out TCP 324 10.10.24.6:80 10.80.39.123:1634 ESTAB
13640 1 in TCP 951 10.206.2.34:1385 10.10.24.3:80 ESTAB
708 1 out TCP 324 10.10.24.6:80 10.206.2.34:1385 ESTAB
26959 1 in TCP 951 10.100.30.7:1289 10.10.24.3:80 ESTAB
719 1 out TCP 324 10.10.24.5:80 10.100.30.7:1289 ESTAB
29277 1 in TCP 951 10.100.202.50:1248 10.10.24.3:80 ESTAB
758 1 out TCP 324 10.10.24.5:80 10.100.202.50:1248 ESTAB
6185 1 in TCP 951 10.25.27.222:1497 10.10.24.3:80 ESTAB
760 1 out TCP 324 10.10.24.6:80 10.25.27.222:1497 ESTAB
767 1 in TCP 951 10.97.21.28:1821 10.10.24.3:80 ESTAB
23511 1 out TCP 324 10.10.24.7:80 10.97.21.28:1821 ESTAB
826 1 in TCP 951 10.31.105.140:3810 10.10.24.3:80 ESTAB
13460 1 out TCP 324 10.10.24.6:80 10.31.105.140:3810 ESTAB
21987 1 in TCP 951 10.25.31.213:1855 10.10.24.3:80 ESTAB
839 1 out TCP 324 10.10.24.5:80 10.25.31.213:1855 ESTAB
874 1 in TCP 951 10.88.29.27:1503 10.10.24.3:80 ESTAB
29839 1 out TCP 324 10.10.24.6:80 10.88.29.27:1503 ESTAB
945 1 in TCP 951 10.27.122.13:1286 10.10.24.3:80 ESTAB
32298 1 out TCP 324 10.10.24.6:80 10.27.122.13:1286 ESTAB
24330 1 in TCP 951 10.40.21.50:2368 10.10.24.3:80 ESTAB
954 1 out TCP 324 10.10.24.6:80 10.40.21.50:2368 ESTAB
961 1 in TCP 951 10.80.26.76:1414 10.10.24.3:80 ESTAB
11176 1 out TCP 324 10.10.24.5:80 10.80.26.76:1414 ESTAB
28989 1 in TCP 951 10.91.22.38:1408 10.10.24.3:80 ESTAB
985 1 out TCP 324 10.10.24.5:80 10.91.22.38:1408 ESTAB
1006 1 in TCP 951 10.217.4.20:1522 10.10.24.3:80 ESTAB
26946 1 out TCP 324 10.10.24.5:80 10.217.4.20:1522 ESTAB
8360 1 in TCP 951 10.11.3.28:1679 10.10.24.3:80 ESTAB
1020 1 out TCP 324 10.10.24.6:80 10.11.3.28:1679 ESTAB
9498 1 in TCP 951 10.25.42.221:1519 10.10.24.3:80 ESTAB
1031 1 out TCP 324 10.10.24.6:80 10.25.42.221:1519 ESTAB
18510 1 in TCP 951 10.165.55.51:1232 10.10.24.3:80 ESTAB
1072 1 out TCP 324 10.10.24.7:80 10.165.55.51:1232 ESTAB
5583 1 in TCP 951 10.25.14.12:2086 10.10.24.3:80 ESTAB
1142 1 out TCP 324 10.10.24.6:80 10.25.14.12:2086 ESTAB
39713 1 in TCP 951 10.25.36.58:1663 10.10.24.3:80 ESTAB
1144 1 out TCP 324 10.10.24.7:80 10.25.36.58:1663 ESTAB
8601 1 in TCP 951 10.217.26.34:1677 10.10.24.3:80 ESTAB
1167 1 out TCP 324 10.10.24.6:80 10.217.26.34:1677 ESTAB
17209 1 in TCP 951 10.165.40.45:1526 10.10.24.3:80 ESTAB
1173 1 out TCP 324 10.10.24.5:80 10.165.40.45:1526 ESTAB
18708 1 in TCP 951 10.31.105.137:3714 10.10.24.3:80 ESTAB
1175 1 out TCP 324 10.10.24.6:80 10.31.105.137:3714 ESTAB
1180 1 in TCP 951 10.201.18.40:4777 10.10.24.3:80 ESTAB
6528 1 out TCP 324 10.10.24.6:80 10.201.18.40:4777 ESTAB
1214 1 in TCP 951 10.31.104.46:1501 10.10.24.3:80 ESTAB
5924 1 out TCP 324 10.10.24.6:80 10.31.104.46:1501 ESTAB
1228 1 in TCP 951 10.231.37.32:1161 10.10.24.3:80 ESTAB
15171 1 out TCP 324 10.10.24.6:80 10.231.37.32:1161 ESTAB
28431 1 in TCP 951 10.25.5.76:2317 10.10.24.3:80 ESTAB
1293 1 out TCP 324 10.10.24.5:80 10.25.5.76:2317 ESTAB
1328 1 in TCP 951 10.201.2.26:1293 10.10.24.3:80 ESTAB
19276 1 out TCP 324 10.10.24.7:80 10.201.2.26:1293 ESTAB
1356 1 in TCP 951 10.80.23.27:1396 10.10.24.3:80 ESTAB
4141 1 out TCP 324 10.10.24.6:80 10.80.23.27:1396 ESTAB
1368 1 in TCP 951 10.80.36.124:1428 10.10.24.3:80 ESTAB
19905 1 out TCP 324 10.10.24.6:80 10.80.36.124:1428 ESTAB
30280 1 in TCP 951 10.25.8.11:4836 10.10.24.3:80 ESTAB
1438 1 out TCP 324 10.10.24.6:80 10.25.8.11:4836 ESTAB
1478 1 in TCP 951 10.216.6.46:4153 10.10.24.3:80 ESTAB
12312 1 out TCP 324 10.10.24.6:80 10.216.6.46:4153 ESTAB
23389 1 in TCP 951 10.211.30.38:1593 10.10.24.3:80 ESTAB
1527 1 out TCP 324 10.10.24.6:80 10.211.30.38:1593 ESTAB
1562 1 in TCP 951 10.90.21.58:2889 10.10.24.3:80 ESTAB
36398 1 out TCP 324 10.10.24.7:80 10.90.21.58:2889 ESTAB
1587 1 in TCP 951 10.84.22.29:2121 10.10.24.3:80 ESTAB
37031 1 out TCP 324 10.10.24.6:80 10.84.22.29:2121 ESTAB
1624 1 in TCP 951 10.25.21.218:1465 10.10.24.3:80 ESTAB
4941 1 out TCP 324 10.10.24.6:80 10.25.21.218:1465 ESTAB
Hello!
A "show connection serverfarm Herramientas_Col detail" and "show sticky database group POOL3" would be handy in this situation. You have sticky configured, which will intentionally throw off the load-balancing predictor. My guess at this point is that rserver SP2 might not close connections in the same manner that SP1 and SP3 do. If that were true, it would result in a longer connection time, which means the sticky database would not idle out as fast, hence more connections for SP2.
Regards,
Chris -
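As an added example for the distribution question above (not code from the thread or from Cisco), this Python counts the "out" legs of "show conn serverfarm" output per real server and compares each server's share against the share its configured weight implies. The rows are a constructed subset in the page's output format; the flag is a prompt to look at sticky and connection lifetimes, as Chris suggests, not proof of a fault.

```python
import re
from typing import Dict, Tuple

# One "show conn serverfarm" row. Only the "out" leg (ACE -> rserver) carries the
# real server address as its source, so that is the leg that is counted.
CONN_OUT_RE = re.compile(
    r"^\d+\s+\d+\s+out\s+TCP\s+\d+\s+(?P<rserver>\d+(?:\.\d+){3}):\d+\s+"
)


def rserver_connection_counts(show_conn: str) -> Dict[str, int]:
    """Number of server-side connections per real server address."""
    counts: Dict[str, int] = {}
    for raw in show_conn.splitlines():
        m = CONN_OUT_RE.match(raw.strip())
        if m:
            ip = m.group("rserver")
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def imbalance_report(counts: Dict[str, int], weights: Dict[str, int],
                     tolerance: float = 1.5) -> Dict[str, Tuple[int, float, float, bool]]:
    """Per rserver: (connections, observed share, share implied by weight, flagged).
    An rserver is flagged when its observed share exceeds the weighted share by
    more than `tolerance` times; rservers absent from the output count as zero."""
    total_conns = sum(counts.get(r, 0) for r in weights)
    total_weight = sum(weights.values())
    report = {}
    for rserver, weight in weights.items():
        n = counts.get(rserver, 0)
        observed = n / total_conns if total_conns else 0.0
        expected = weight / total_weight
        report[rserver] = (n, observed, expected, observed > expected * tolerance)
    return report


# Constructed subset of the rows in the post (same column layout).
SHOW_CONN = """\
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
70         1  in  TCP   951  10.10.22.13:3837      10.10.24.3:80         ESTAB
17239      1  out TCP   324  10.10.24.7:80         10.10.22.13:3837      ESTAB
76         1  in  TCP   951  10.83.21.32:1419      10.10.24.3:80         ESTAB
5531       1  out TCP   324  10.10.24.6:80         10.83.21.32:1419      ESTAB
95         1  in  TCP   951  10.20.7.51:1702       10.10.24.3:80         ESTAB
16237      1  out TCP   324  10.10.24.6:80         10.20.7.51:1702       ESTAB
98         1  in  TCP   951  10.80.31.55:3188      10.10.24.3:80         ESTAB
11995      1  out TCP   324  10.10.24.6:80         10.80.31.55:3188      ESTAB
32749      1  in  TCP   951  10.80.21.23:1926      10.10.24.3:80         ESTAB
108        1  out TCP   324  10.10.24.7:80         10.80.21.23:1926      ESTAB
110        1  in  TCP   951  10.25.14.231:1705     10.10.24.3:80         ESTAB
37994      1  out TCP   324  10.10.24.6:80         10.25.14.231:1705     ESTAB
31247      1  in  TCP   951  10.81.36.32:1650      10.10.24.3:80         ESTAB
151        1  out TCP   324  10.10.24.5:80         10.81.36.32:1650      ESTAB
27499      1  in  TCP   951  10.218.16.28:2902     10.10.24.3:80         ESTAB
244        1  out TCP   324  10.10.24.5:80         10.218.16.28:2902     ESTAB
27166      1  in  TCP   951  10.25.22.90:1766      10.10.24.3:80         ESTAB
254        1  out TCP   324  10.10.24.6:80         10.25.22.90:1766      ESTAB
"""

# Weights as shown by "show serverfarm" in the post: 8 for each of SP1, SP2, SP3.
WEIGHTS = {"10.10.24.5": 8, "10.10.24.6": 8, "10.10.24.7": 8}

if __name__ == "__main__":
    for rs, (n, obs, exp, flagged) in imbalance_report(rserver_connection_counts(SHOW_CONN), WEIGHTS).items():
        print(f"{rs}: {n} conns, {obs:.0%} observed vs {exp:.0%} by weight{'  <-- check' if flagged else ''}")
```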
Traceroute does not work when initiated from a server behind the ACE module. The output shows only the destination ip.
The ACE is in routed mode.
Traceroute is a widely available utility on most operating systems today. Much like ping, it is a valuable tool for determining connectivity in a network. Ping allows the user to find out if there is a connection between two end systems. Traceroute does this as well, but it additionally lists the intermediate routers between the two systems. Users can therefore see the routes that packets can take from the Content Engine to another system. Use the traceroute EXEC command to find the route to a remote host, when either the host name or IP address is known.
-
Hello,
I have ACE running in routed mode.
I have the server and client in different VLANs
(server VLAN 20, client VLAN 192).
1. client vlan(20) -> vip(20.1.1.102) service OK
2. client vlan(20) -> vip(20.1.1.102) ping fail?
Why does the ping fail?
Hope this helps
[Configuration]
access-list ALL line 10 extended permit ip any any
access-list ALL line 11 extended permit icmp any any
probe tcp tcp_21
port 21
interval 2
faildetect 2
passdetect interval 5
passdetect count 2
serverfarm host slb
probe tcp_21
rserver test_01
inservice
rserver test_02
inservice
class-map type management match-any REMOTE_ACCESS
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
class-map match-all slb
2 match virtual-address 20.1.1.102 any
policy-map type management first-match REMOTE_MGMT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match slb
class class-default
serverfarm slb
policy-map multi-match test
class slb
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply active
interface vlan 20
ip address 20.1.1.2 255.255.255.0
alias 20.1.1.1 255.255.255.0
peer ip address 20.1.1.3 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input REMOTE_MGMT
service-policy input test
no shutdown
interface vlan 192
ip address 192.168.1.102 255.255.255.0
alias 192.168.1.1 255.255.255.0
peer ip address 192.168.1.103 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input test
no shutdown
Is the A2 train the current version recommended by Cisco? These devices load balance critical systems, so we usually try to stay with Safe Harbor code wherever possible. In my deployment I require stability over features and in the past have stayed away from the "newest" code releases for fear of flaky or buggy behaviour.
Thanks -
Hi,
I have an issue with a sticky server that I hope might just be a command I'm missing.
I am inserting a cookie and the sticky works fine.
When my browser has a successful sticky connection, I take the server that has the sticky connection out of service. I try to make another connection; I see the connection round-robin to all remaining servers, but I don't get a successful connection. I do see the connection failure count increment on all other servers in the farm. Only when I bring the server back into service can I get a successful connection.
Any advice appreciated.
Sticky config below.
sticky http-cookie WEB-Cookie-1 WEB-Sticky-1
cookie insert
serverfarm WEB-SERVERS-80
Code
Version A3(2.0) [build 3.0(0)A3(2.0
Thanks
Chris
Hello Chris, this will be an easy fix for you. The command you are looking for is defined under the serverfarm in which you are creating sticky entries. You need to add a failaction. I'm pasting the command syntax and options for the command. Based on your brief description, failaction purge will give you the desired result:
(config-sfarm-host) failaction
To configure the action that the ACE takes if a real server in a server farm goes down, use the failaction command. Use the no form of this command to reset the ACE to its default of taking no action when a server fails.
failaction {purge | reassign [across-interface]}
no failaction
Syntax Description
purge
Specifies that the ACE remove the connections to a real server if that real server in the server farm fails after you configure this command. The appliance sends a reset (RST) both to the client and to the server that failed.
reassign
Specifies that the ACE reassigns existing server connections to the backup real server, if a backup real server is configured. If no backup real server is configured, this keyword has no effect.
across-interface
(Optional) Instructs the ACE to reassign all connections from the failed real server to a backup real server on a different VLAN that is commonly referred to as a bypass VLAN. By default, this feature is disabled. -
I am trying to configure stickiness on an ACE appliance. I can't seem to get it to work. I have tried an HTTP cookie and an IP netmask and can't get it to work. When I do a show stat sticky or a show sticky database I get nothing. Attached is the config of my ACE.
You need to assign sticky resources to your context before you can start using it.
Use the following command to see if you have allocated sticky resources
switch/Admin# show np 1 me-stats "-slb -v" | i Stick
Num Active Sticky Entry: 1 0
Num Active Reverse Sticky Entry: 0 0
Free Sticky Entry Count: 944765 0
switch/Admin#
Gilles. -
Hi ,
We can not solve the following situation.
The client has a normal TCP connection to the server via the ACE. If a network interruption occurred (link up/down), the client sends a SYN packet with the same source port number that was used in the previous session between them. The ACE sends the SYN to the server, but the server responds with an ACK packet only, not a SYN/ACK packet, because the TCP session is still live for the server. The client sends an RST packet after the SYN, but the ACE drops it.
The show conn output shows the in and out sessions which were originally between client and server.
Can ACE solve this situation ?
Regards,
Hi!
Thanks for the ideas. We tried them.
The output of the suggested command:
Lajos-ACE/Admin# sho np 1 me-stats "-stcp" | i dow
Segs outside window: 0
Connection shutdown FIN: 0
Connection shutdown RST: 0
We disabled the normalization without results.
The idle timeout does not help because the ACE
thinks that the client and server are continuing the old session!
The show conn output shows the following while the client sends the SYN and RST and the server sends the ACK only:
8 2 in TCP 73 10.46.2.2:12346 192.168.37.221:1072 ESTAB
[ idle time : 00:00:01, byte count : 2049 ]
[ elapsed time: 00:12:41, packet count: 41 ]
90 2 out TCP 75 192.168.37.217:1072 10.46.2.2:12346 ESTAB
[ conn in reuse pool : FALSE]
[ idle time : 00:00:01, byte count : 2319 ]
[ elapsed time: 00:12:41, packet count: 46 ]
In my opinion the ACE tries to make a new, second connection on the SYN. The RST packet resets the second session and the first session is unchanged (but the idle timer is not increasing). The server responds on the first session.
Unfortunately the client uses the same source and destination TCP ports in every session. :-)
Regards, -
The VIP is visible from the servers on port 8888 with telnet, and the other way around, but http://VIP(IP address):8888 is not working for the web portal servers.
Your server is probably sending a redirect or using hard links with its port referenced in the url.
Fix the server.
Gilles. -
I currently have 2 NAT policies that work fine. I'm trying to add the 3rd but it's not working.
I'm pretty sure the config is correct, but I'm not sure if I can only have 1 SNAT policy per interface.
- NAT policy SNATs anything coming in externally except SMTP and FTP.
- NAT-EMAIL policy SNATs anything coming in externally to go back out vlan 215 to our internal LAN.
- NAT-DMZ policy is supposed to allow communication between the 204 VLAN and the 215 VIPs, but it doesn't work.
So the service policy NAT-DMZ on vlan 204 should intercept traffic destined for 10.10.215.0 and SNAT
all of it to 10.10.215.88, I believe, but it's not working.
Any thoughts, or am I missing something?
access-list NAT line 10 extended deny tcp any any eq smtp
access-list NAT line 12 extended deny tcp any any eq ftp
access-list NAT line 13 extended deny tcp any any eq ftp-data
access-list NAT line 100 extended permit tcp any any eq www
access-list NAT line 110 extended permit tcp any any eq https
access-list NAT line 118 extended permit udp any any eq domain
access-list NAT line 126 extended permit tcp any any eq domain
access-list NAT line 134 extended permit tcp any any eq smtp
access-list NAT line 142 extended permit tcp any any eq 20022
access-list NAT-DMZ line 8 extended permit tcp any 10.10.215.0 255.255.255.0
access-list NAT-DMZ line 16 extended permit udp any 10.10.215.0 255.255.255.0
access-list NAT-DMZ line 24 extended permit tcp 10.10.215.0 255.255.255.0 any
access-list NAT-DMZ line 32 extended permit udp 10.10.215.0 255.255.255.0 any
access-list NAT-DMZ line 40 extended permit icmp any 10.10.215.0 255.255.255.0
access-list NAT-DMZ line 48 extended permit icmp 10.10.215.0 255.255.255.0 any
access-list NAT-EMAIL line 8 extended permit tcp any any eq www
access-list NAT-EMAIL line 16 extended permit tcp any any eq https
class-map match-any NAT
2 match access-list NAT
class-map match-any NAT-DMZ
2 match access-list NAT-DMZ
class-map match-any NAT-EMAIL
2 match access-list NAT-EMAIL
policy-map multi-match NAT
class NAT
nat dynamic 1 vlan 204
policy-map multi-match NAT-DMZ
class NAT-DMZ
nat dynamic 5 vlan 215
policy-map multi-match NAT_EMAIL
class NAT-EMAIL
nat dynamic 10 vlan 215
policy-map multi-match VIPS
class email.microchip.com_80_vs
loadbalance vip inservice
loadbalance policy email.microchip.com_80_l7slb
loadbalance vip icmp-reply
nat dynamic 10 vlan 215
class email.microchip.com_443_vs
loadbalance vip inservice
loadbalance policy email.microchip.com_443_l7slb
loadbalance vip icmp-reply
nat dynamic 10 vlan 215
appl-parameter http advanced-options HTTP-PARAM
ssl-proxy server email.microchip.com_allSSL
interface vlan 204
description WEBDMZ
ip address 10.10.204.50 255.255.255.0
alias 10.10.204.1 255.255.255.0
peer ip address 10.10.204.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat <--Works
service-policy input NAT-DMZ <--Doesn't work
no shutdown
interface vlan 215
description WebDMZ External Interface
ip address 10.10.215.11 255.255.255.0
alias 10.10.215.10 255.255.255.0
peer ip address 10.10.215.12 255.255.255.0
access-group input EXTERNAL
nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat <--Works
nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat <--Doesn't work
service-policy input Management-Policy
service-policy input VIPS
service-policy input NAT
no shutdown
Tried that, but the only difference was that I added NAT-DMZ to NAT-EMAIL instead. Just easier for me that way, but it didn't work.
access-list NAT-DMZ line 56 extended permit tcp any host 10.10.215.210
access-list NAT-DMZ line 64 extended permit tcp host 10.10.215.210 any
access-list NAT-DMZ line 72 extended permit udp any host 10.10.215.210
access-list NAT-DMZ line 80 extended permit udp host 10.10.215.210 any
access-list NAT-EMAIL line 8 extended permit tcp any any eq www
access-list NAT-EMAIL line 16 extended permit tcp any any eq https
policy-map multi-match NAT_EMAIL
class NAT-DMZ
nat dynamic 5 vlan 215
class NAT-EMAIL
nat dynamic 10 vlan 215
interface vlan 204
description WEBDMZ
ip address 10.10.204.50 255.255.255.0
alias 10.10.204.1 255.255.255.0
peer ip address 10.10.204.3 255.255.255.0
access-group input EVERYONE
nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
service-policy input NAT_EMAIL
no shutdown
interface vlan 215
description WebDMZ External Interface
ip address 10.10.215.11 255.255.255.0
alias 10.10.215.10 255.255.255.0
peer ip address 10.10.215.12 255.255.255.0
access-group input EXTERNAL
nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
service-policy input Management-Policy
service-policy input VIPS
service-policy input NAT
no shutdown
I tested from a host in 10.10.204.x to 10.10.215.210 but it didn't work. I tested to 10.10.215.210
from the outside (vlan 215) and it does work, so I know the VIP works and is taking connections. -
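Added note on the posted config above: this is the editor's reading of the configuration as posted, not a resolution from the thread, and the fragment below is an illustration, not the poster's final config. A nat dynamic action names a pool ID and the VLAN on which that pool must be defined; NAT-DMZ references pool 5 on vlan 215, but vlan 215 only carries two nat-pool 10 lines. Whether the ACE treats the second nat-pool 10 line as an extra address range in pool 10 or rejects it, no pool 5 exists, so the NAT-DMZ action has nothing to translate to. The fix is to give the .88 address its own pool ID that matches the policy (only the changed lines are shown; the no form is assumed to remove the duplicate range):

```cisco
! Added example, editor's reading of the posted config; not from the thread.
! The nat-pool ID referenced by "nat dynamic <id> vlan 215" must exist on vlan 215.
interface vlan 215
  no nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
  nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
  nat-pool 5 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat

policy-map multi-match NAT-DMZ
  class NAT-DMZ
    nat dynamic 5 vlan 215

interface vlan 204
  service-policy input NAT-DMZ
```

A second check from the same config: the VIPS policy is applied as input only on vlan 215, and a service policy on an interface matches only traffic arriving on that interface. A connection from 10.10.204.x to 10.10.215.210 enters on vlan 204, so it is never compared against the VIP classes and is simply NATed or routed; that is consistent with the VIP answering from the outside but not from the DMZ. Load-balancing from the vlan 204 side needs the VIP policy applied there too (or as a global service-policy), and if the real servers also sit on vlan 204, a source NAT pool on vlan 204 (pool 1 is already defined there) so that server replies return through the ACE. show service-policy NAT-DMZ detail on the hit counters is the quickest way to confirm whether a class is being matched at all.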
Locked my Apple ID trying to find my security question answers; how can I solve this problem?
How can I unlock my Apple ID account, and how am I going to reset my security questions, since I can't find my answers and I do not have AppleCare here in Greece to contact them?
1. See my User Tip for some help: Some Solutions for Resetting Forgotten Security Questions: Apple Support Communities.
2. Here are two different but direct methods:
a. Send Apple an email request at: Apple - Support - iTunes Store - Contact Us.
b. Call Apple Support in your country: Customer Service: Contacting Apple for support and service.
3. For other queries about Apple ID see Frequently asked questions about Apple ID.
4. Rescue email address and how to reset Apple ID security questions