ACE RHI problem

Hello,
I have two 6509 switches with ACE modules installed and configured as active/standby. There is no FWSM installed, so MSFC shares a common subnet with the external interface of ACE. On both MSFCs, I can see the static route injected (RHI) by ACE. However, those routes are different. On the MSFC hosting the active ACE, the next hop of the static route installed is the alias IP address of the external ACE interface. The MSFC hosting the standby ACE has the next hop as the IP address of the external interface of the standby ACE, not the alias.
This causes a problem when traffic is routed through the second MSFC, where it will send traffic destined to my VIP to the standby ACE, causing traffic to be dropped.
Why does this behaviour happen? I started to see this behaviour after a sudden reboot on the standby ACE. Before that, I am not sure what route was injected into the second MSFC, but I had no problem with my VIP.
Can anyone help me with how I can tell the second MSFC to route traffic towards the alias instead of the interface IP?
Thanks.

The TAC case is resolved. Posting back to the community so the solution can be shared with a wider audience.
Thanks to Mohammed for keeping outputs of troubleshooting at the time of the problem, it was found that after the standby ACE rebooted, BOTH the active ACE and standby ACE were injecting the host route to the VIP; this is not expected behaviour. The expected behaviour is for the active ACE to inject the host route with the ACE alias IP as the next hop, and the standby to not inject the route.
This problem is due to a software defect, CSCsx67908: "When you configure ACEs for redundancy and Route Health Injection (RHI) and the standby ACE reboots, duplicate RHI entries can exist on the supervisor."
ref: http://www.cisco.com/en/US/partner/docs/interfaces_modules/services_modules/ace/v3.00_A2/release/note/racea2_x.html
An integrated software fix is available. There is also a workaround: an "FT switchover" on the ACE.
Another workaround, by routing, is to disable RHI for the VIP and instead advertise the VIP subnet by a routing protocol on the switch supervisor (e.g., advertising the connected VLAN via EIGRP, OSPF, etc.).
RHI of the VIP is not enabled by default, and can be disabled with the following from ACE:
policy-map multi-match XYZ
  class ABC
    no loadbalance vip advertise active
More info on RHI can be found here:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/configuration/getting/started/guide/rhi.html
Regards,
Simon
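
Added example (not part of the original thread and not Cisco code): a small check of the expected RHI state described in the reply above, where only the active side holds the VIP host route and its next hop is the ACE alias IP. The supervisor names, all addresses and the (prefix, next hop) input format are constructed assumptions; fill them from your own route tables.

```python
import ipaddress

# Constructed sample addressing (documentation range), not taken from the thread.
VIP = "192.0.2.100"
ALIAS = "192.0.2.1"          # ACE alias IP shared by the redundant pair

# RHI-injected routes seen on each supervisor, as (prefix, next_hop) pairs.
HEALTHY = {
    "msfc-1": [("192.0.2.100/32", "192.0.2.1")],
    "msfc-2": [],
}
# State reported in the thread after the standby ACE rebooted: both sides inject,
# and the standby side points at the standby ACE interface IP.
AFTER_STANDBY_REBOOT = {
    "msfc-1": [("192.0.2.100/32", "192.0.2.1")],
    "msfc-2": [("192.0.2.100/32", "192.0.2.3")],
}


def check_rhi(vip, alias_ip, active_msfc, rhi_routes):
    """Return a list of (supervisor, finding, next_hop) tuples; empty means healthy."""
    vip_host = ipaddress.ip_network(f"{vip}/32")
    alias = ipaddress.ip_address(alias_ip)
    findings = []
    for msfc, routes in sorted(rhi_routes.items()):
        # Keep only next hops of host routes that point at this VIP.
        hops = [
            ipaddress.ip_address(next_hop)
            for prefix, next_hop in routes
            if ipaddress.ip_network(prefix, strict=False) == vip_host
        ]
        if msfc == active_msfc:
            if not hops:
                findings.append((msfc, "active-route-missing", None))
            for hop in hops:
                if hop != alias:
                    findings.append((msfc, "next-hop-not-alias", str(hop)))
        else:
            # The standby side is expected not to inject the route at all.
            for hop in hops:
                findings.append((msfc, "standby-injected", str(hop)))
    return findings


if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY), ("after reboot", AFTER_STANDBY_REBOOT)):
        print(label, check_rhi(VIP, ALIAS, "msfc-1", table))
```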

Similar Messages

  • Using ACE RHI to inject a default route

    I think I posted this onto the wrong Forum. Anyone able to advise here?
    SteveK.
    Posted by: stevek1 - Network Administrator, Dept Natural Resources and Mines
    Apr 18, 2008, 12:04am PST
    Hi Folks,
    I need to provide internal devices with active-active access to our clustered firewall which sits across 2 data centres.
    I need to allow internal hosts to reach external/unknown networks via a default route.
    We have ACE modules in our internal network aggregation 6513s at each site.
    I aim to achieve this using RHI...ie...device at site 1 reaches the internet via firewall at site 1, device at site 2 reaches internet via firewall at site 2 (due to better route). If the firewall is inaccessible from site 2, ACE at site 2 removes the route from the MSFC using RHI and site 2 device traffic is re-routed to the site 1 exit point.
    Has anyone out there done this before?
    Regards, Steve.
    Replied by: stevek1 - Network Administrator, Dept Natural Resources and Mines - Apr 20, 2008, 6:48pm PST
    Hi Folks,
    It's Steve here again. I haven't had a response to my query as yet, but basically I need to know the validity of using ACE RHI to inject a default route as opposed to a host route.
    Can anyone please advise?
    Best Wishes, Steve.

    Thanks so much for your response Zahoor.
    The solution you have provided is more complicated than I had in mind. For example we had not intended using FWSM (we don't have these modules). I just want to use our existing ACEs at each Data Centre to provide the injection of a default route to our internal EIGRP process based on the result of a probe to our Checkpoint FW. What do you think?
    Steve.

  • ACE License Problem

    Hi,
    I've a problem with license install procedure on ACE. If I try to perform cisco procedure:
    LICENSE KEY INSTALLATION INSTRUCTIONS
    After you have received the software license key for a new or upgraded license in an e-mail from Cisco Systems, you must copy the license file to a network server and then use the copy command in Exec mode to copy the file to disk0 on the ACE. The syntax for this command is:
    copy tftp://server_name/path_filename disk0:
    The arguments are:
    • server_name: Network server where you copied the license file.
    • path_filename: URL location of the license file and the name of the file.
    • disk0: Flash disk in the ACE.
    For example, to copy the ACE-VIRT-020.lic license file from the license directory on the track network server, enter:
    host1/Admin# copy tftp://track/license/ace-virt-020.lic disk0:
    To install a new software license on your ACE or to update an existing license to increase the number of virtual contexts, use the license install command in Exec mode. The syntax of this command is:
    license install disk0:filename
    The arguments are:
    • disk0: Flash disk in the ACE.
    • filename: Filename for the license file.
    For example, enter:
    host1/Admin# license install disk0:ACE-VIRT-020.lic
    I received this message:
    Installing license... failed: License server does not support this feature
    Could somebody help me?
    Regards,
    Dino

    Hi Dino,
    the first license that I received was a text file with ASCII DOS control codes but the ACE needs Unix/Linux style ASCII control codes.
    If you have a Linux machine around you should be able to use the program dos2unix and convert it.
    There are also editors around which can save the file in DOS or UNIX flavor.
    Anyhow if the license file is converted and you created an online license this should work.
    Copy the file with tftp: to disk0: and use license install disk0:name.lic.
    Hope it helps.
    Roble

  • ACE FTP problem in active mode

    Hi everyone,
    i have a problem with active ftp (passive ftp works fine).
    here is my conf :
    access-list ANY line 8 extended permit icmp any any
    access-list ANY line 16 extended permit ip any any
    rserver host ftp1
      ip address 10.0.151.131
      inservice
    rserver host ftp2
      ip address 10.0.151.132
      inservice
    serverfarm host ftp
      transparent
      failaction reassign
      rserver ftp1
        inservice
      rserver ftp2
        inservice
    class-map match-any vip
      2 match virtual-address X.X.X.X tcp eq ftp
    policy-map multi-match LBPOL
      class vip
        loadbalance vip inservice
        loadbalance policy lbpol
        loadbalance vip icmp-reply active
        inspect ftp
    interface vlan 1000
      description public-side
      ip address Y.Y.Y.Y M.M.M.M
      no normalization
      no icmp-guard
      access-group input ANY
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input LBPOL
      no shutdown
    interface vlan 100
      description private-side
      ip address 10.0.99.160 255.255.0.0
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    on both hosts, i added X.X.X.X vip and the good rule/route with iproute2.
    as i said at the beginning, passive ftp is ok. active is not.
    while in active mode, i can connect to the ftp but any list/put/get fails.
    any idea ?
    MA

    One thing I don't understand here is why do you have
    serverfarm host ftp
      transparent
    With this in place the ACE will not rewrite the destination IP and the server will receive a packet destined to the VIP. This is not very common, but it can work. The rest of your config seems to be fine, except the missing lbpol policy.
    Which sw version are you running?

  • ACE : Stickyness problem with http cookies

    Hi,
    I am facing a serious problem with stickiness in an e-commerce configuration.
    Here is the setup :
    An ACE load balances user requests on two Apache servers
    cookie-insert is used to stick a user on one Apache server
    The home page is accessed via http on port 80
    On the Home page, there is a link allowing the user to login
    The login process uses SSL
    During the login, backend SSL is required between the ACE and the selected Apache server
    The login is a POST request to the Apache server
    After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
    The ACE configuration :
    Two sticky groups are configured : one for HTTP access and another for HTTPS access
    Two server farms are defined, both using the same real servers, but with different ports (80 and 441)
    sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
      cookie insert browser-expire
      timeout 240
      replicate sticky
      serverfarm ECOM_FARM_TEST_HTTP
    sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
      cookie insert browser-expire
      timeout 240
      replicate sticky
      serverfarm ECOM_FARM_TEST_HTTPS
    serverfarm host ECOM_FARM_TEST_HTTP
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 80
       inservice
      rserver HQCHECOM02 80
       inservice
    serverfarm host ECOM_FARM_TEST_HTTPS
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 443
       inservice
      rserver HQCHECOM02 443
       inservice
    The problem :
    Let us analyse the sequence of events and the value of the http cookie for each of them :
    When the home page is originally loaded, the ACE selects SERVER-1
    The ACE inserts the cookie "A" in the server responses
    The user is sticked to SERVER-1
    Then, the user tries to login and an SSL session is established with the ACE
    The user sends a POST request containing the cookie "A"
    A backend SSL session is established with SERVER-1
    The POST request is forwarded to SERVER-1
    SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
    The client browser reloads the page on port 80 and provides the cookie "B" (the last received) !!
    The ACE sees the cookie "B" but does not find it in its database for the sticky group ECOM_STICKY_TEST_HTTP
    The ACE performs another load balancing decision and selects SERVER-2 ! (instead of SERVER-1)
    The page is reloaded, but the name of the user does not appear on it
    The question :
    As it is not possible to have only one sticky group in this configuration what would be the solution to make sure that the same server is selected for http and https ?
    Thank you for any hints,
    Yves

    Hi Gilles,
    I followed your recommendation to configure static cookie entries in each sticky group, but I still experience the problem of sessions getting re-load balanced to the second server when returning from HTTPS to HTTP :
    It seems that the ACE ignores the static entries !
    To make my question clear, I repeat hereafter the setup and the encountered problem :
    Here is the setup :
    An ACE load balances user requests on two Apache servers
    cookie-insert is used to stick a user on one Apache server
    The home page is accessed via http on port 80
    On the Home page, there is a link allowing the user to login
    The login process uses SSL
    During the login, backend SSL is required between the ACE and the selected Apache server
    The login is a POST request to the Apache server
    After a successful login, the home page is reloaded on port 80 and the name of the user should appear on the top of the page
    The ACE configuration :
    Two sticky groups are configured : one for HTTP access and another for HTTPS access
    Two server farms are defined, both using the same real servers, but with different ports (80 and 443)
    In the ECOM_STICKY_TEST_HTTP stick group the two following cookies are automatically generated :
    R105816849   for the server HQCHECOM01
    R105852786   for the server HQCHECOM02
    In the ECOM_STICKY_TEST_HTTPS stick group the two following cookies are automatically generated :
    R355972695   for the server HQCHECOM01
    R357158616   for the server HQCHECOM02
    I statically configured in each sticky group the cookies used by the other sticky group, to allow stickiness when the browser switches from HTTP to HTTPS and vice versa :
    sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTP
      cookie insert browser-expire
      timeout 240
      replicate sticky
      serverfarm ECOM_FARM_TEST_HTTP backup WEB_REDIRECT_001
      56 static cookie-value "R355972695" rserver HQCHECOM01
      64 static cookie-value "R357158616" rserver HQCHECOM02
    sticky http-cookie STICKED-TO ECOM_STICKY_TEST_HTTPS
      cookie insert browser-expire
      timeout 240
      replicate sticky
      serverfarm ECOM_FARM_TEST_HTTPS backup WEB_REDIRECT_001
      72 static cookie-value "R105816849" rserver HQCHECOM01
      80 static cookie-value "R105852786" rserver HQCHECOM02
    serverfarm host ECOM_FARM_TEST_HTTP
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 80
       inservice
      rserver HQCHECOM02 80
       inservice
    serverfarm host ECOM_FARM_TEST_HTTPS
      description *** e-Commerce Test Server Farm ***
      probe ECOM_PROBE_TEST
      rserver HQCHECOM01 443
       inservice
      rserver HQCHECOM02 443
       inservice
    The problem :
    Let us analyse the sequence of events and the value of the http cookie for each of them :
    When the home page is originally loaded, the ACE selects SERVER-1
    The ACE inserts the cookie "A" in the server responses
    The user is sticked to SERVER-1
    Then, the user tries to login and an SSL session is established with the ACE
    The user sends a POST request containing the cookie "A"
    A backend SSL session is established with SERVER-1
    The POST request is forwarded to SERVER-1
    SERVER-1 responds with a 200 OK and the ACE generates another cookie "B" as it belongs to the sticky group ECOM_STICKY_TEST_HTTPS
    The client browser reloads the page on port 80 and provides the cookie "B" (the last received)
    The ACE sees the cookie "B" and should use the static cookie entry to select the SERVER-1
    But instead, the ACE performs another load balancing decision and selects SERVER-2 !
    The page is reloaded, but the name of the user does not appear on it
    LiveHTTP Trace on Firefox :
    GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
    Host: ecom.test.toto.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://ecom.test.toto.com/uk/en/home
    Cookie: STICKED-TO=R105816849;
    HTTP/1.1 200 OK
    Set-Cookie: STICKED-TO=R105816849; path=/
    Date: Mon, 18 Oct 2010 15:31:37 GMT
    Server: Apache/2.2.13 (Red Hat)
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: image/jpeg
    Here we switch on HTTPS :
    https://ecom.test.toto.com/uk/en/j_spring_security_check
    POST /uk/en/j_spring_security_check HTTP/1.1
    Host: ecom.test.toto.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://ecom.test.toto.com/uk/en/home
    Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 75
    spring-security-redirect=&j_username=yves144%40yahoo.com&j_password=junon01
    Here we see cookie for the same server but for the HTTPS sticky group :
    HTTP/1.1 302 Moved Temporarily
    Set-Cookie: STICKED-TO=R355972695; path=/
    Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
    Date: Mon, 18 Oct 2010 15:31:39 GMT
    Server: Apache/2.2.13 (Red Hat)
    Location: http://ecom.test.toto.com/uk/en/home
    Content-Length: 0
    Connection: close
    Content-Type: text/plain; charset=UTF-8
    Here we switch back to HTTP :
    http://ecom.test.toto.com/uk/en/home
    GET /uk/en/home HTTP/1.1
    Host: ecom.test.toto.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://ecom.test.toto.com/uk/en/home
    Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
    Here we see that the second server has been wrongly selected !
    HTTP/1.1 200 OK
    Set-Cookie: STICKED-TO=R105852786; path=/
    Set-Cookie: _hybris.tenantID_=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
    Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
    Date: Mon, 18 Oct 2010 15:31:40 GMT
    Server: Apache/2.2.13 (Red Hat)
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache, no-store
    Content-Language: en-GB
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html;charset=UTF-8
    http://ecom.test.toto.com/ecom/medias/sys_master/8796174057502/uk.gif
    GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
    Host: ecom.test.toto.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8) Gecko/20100202 (CK-IBM) Firefox/3.5.8
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://ecom.test.toto.com/uk/en/home
    Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
    HTTP/1.1 200 OK
    Set-Cookie: STICKED-TO=R105852786; path=/
    Date: Mon, 18 Oct 2010 15:31:40 GMT
    Server: Apache/2.2.13 (Red Hat)
    Content-Length: 382
    Connection: close
    Content-Type: image/gif
    Hypothesis :
    It seems that the static entries are not considered by the ACE...
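
Added example (not part of the original post): a small analyzer that walks a header trace like the one above and flags every exchange where the STICKED-TO cookie returned by the ACE maps to a different sticky group or a different real server than the cookie the browser sent. The cookie-to-rserver map uses the values listed in the post and the trace is condensed from the post's LiveHTTP capture; the function names are hypothetical.

```python
import re

COOKIE_NAME = "STICKED-TO"

# cookie value -> (sticky group, rserver), as listed in the post
COOKIE_MAP = {
    "R105816849": ("ECOM_STICKY_TEST_HTTP", "HQCHECOM01"),
    "R105852786": ("ECOM_STICKY_TEST_HTTP", "HQCHECOM02"),
    "R355972695": ("ECOM_STICKY_TEST_HTTPS", "HQCHECOM01"),
    "R357158616": ("ECOM_STICKY_TEST_HTTPS", "HQCHECOM02"),
}

# Condensed from the trace in the post: request line, Cookie, status, Set-Cookie.
TRACE = """\
GET /ecom/medias/sys_master/8800775602206/Home-page-main-banners-video.jpg HTTP/1.1
Cookie: STICKED-TO=R105816849;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105816849; path=/
POST /uk/en/j_spring_security_check HTTP/1.1
Cookie: STICKED-TO=R105816849; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
HTTP/1.1 302 Moved Temporarily
Set-Cookie: STICKED-TO=R355972695; path=/
GET /uk/en/home HTTP/1.1
Cookie: STICKED-TO=R355972695; JSESSIONID=089DCF987DC03CAE0F516298EB886DAB.node1;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
Set-Cookie: JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2; Path=/; HttpOnly
GET /ecom/medias/sys_master/8796174057502/uk.gif HTTP/1.1
Cookie: STICKED-TO=R105852786; JSESSIONID=5A0F6EB8FBF63D5D0590FECEC62A302E.node2;
HTTP/1.1 200 OK
Set-Cookie: STICKED-TO=R105852786; path=/
"""

REQ_RE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/\d\.\d$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def cookie_value(header_value, name):
    """Return the value of cookie `name` from a Cookie/Set-Cookie header value."""
    for part in header_value.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def parse_exchanges(trace):
    """Split the trace into request/response exchanges with the sticky cookie values."""
    exchanges, cur = [], None
    for raw in trace.splitlines():
        line = raw.strip()
        req = REQ_RE.match(line)
        if req:
            cur = {"path": req.group(2), "sent": None, "status": None, "set": None}
            exchanges.append(cur)
            continue
        if cur is None:
            continue
        status = STATUS_RE.match(line)
        if status:
            cur["status"] = int(status.group(1))
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == "cookie" and cur["status"] is None:
            cur["sent"] = cookie_value(value, COOKIE_NAME)
        elif name == "set-cookie" and cur["status"] is not None:
            found = cookie_value(value, COOKIE_NAME)
            if found is not None:
                cur["set"] = found
    return exchanges


def analyze(exchanges, cookie_map):
    """Return (path, sent_server, new_server, verdict) for each sticky transition."""
    findings = []
    for ex in exchanges:
        sent, got = cookie_map.get(ex["sent"]), cookie_map.get(ex["set"])
        if sent is None or got is None or sent == got:
            continue  # no cookie, unmapped cookie, or unchanged stickiness
        scope = "cross-group" if sent[0] != got[0] else "same-group"
        outcome = "server-kept" if sent[1] == got[1] else "rebalanced"
        findings.append((ex["path"], sent[1], got[1], f"{scope}-{outcome}"))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_exchanges(TRACE), COOKIE_MAP):
        print(finding)
```

On this trace the HTTP to HTTPS transition keeps HQCHECOM01, while the return from HTTPS to HTTP is the one exchange that lands on HQCHECOM02.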

  • ACE redirect problem

    Hi,
    Hopefully someone can tell me if what I'm trying to achieve is possible. I need to append details to a URL. I've attempted a rewrite but don't want to send the 10.10.10.1 address back to the client and want to send their original request with the appended URL. As the IP and port are staying the same, the request loops. Hardware ACE 4710 software A3 (2.0)
    I need to loadbalance.
    http://ourdomain.com:9080 > http://10.10.10.1-10:9080/ThisBitAdded
    ourdomain.com resolves to the same address every time, 10.10.10.1-10 are the real servers.
    Any help greatly appreciated.
    Thanks
    Chris

    Chris:
    As I'm preparing a response, I'm curious about how you have it set up at this point.  What is the configuration that you were testing?

  • ACE balancing problems

    Hi everyone.
    We have a customer who has a server farm formed by 3 servers with the following real ip address:
    10.10.24.5-6-7  and a virtual 10.10.24.3 as configured in the ace module.
    We found the following behavior in the session number of the servers. We can conclude that there is a server with many more sessions than the others (10.10.24.6):
    Can somebody help me by telling me why that can happen?
    I am attaching the ACE config as a reference
    Thanks
    ACE-DIGENERAL/OCS# sh serverfarm Herramientas_Col
    serverfarm     : Herramientas_Col, type: HOST
    total rservers : 3
                                                    ----------connections-----------
           real                  weight state        current    total              
       ---+---------------------+------+------------+----------+--------------------
       rserver: SP1
           10.10.24.5:0          8      OPERATIONAL  390         296043280         
       rserver: SP2
           10.10.24.6:0          8      OPERATIONAL  1003        3371471400         
       rserver: SP3
           10.10.24.7:0          8      OPERATIONAL  354         164816790          
    As can be seen, the server 10.10.24.6 has more than double the connections of the other 2.
    5. The following screenshot also shows detailed connections and the ports it talks on:

    Hello!
    A "show connection serverfarm Herramientas_Col detail" and "show sticky database group POOL3" would be handy in this situation. You have sticky configured, which will intentionally throw off the loadbalancing predictor. My guess at this point is that rserver SP2 might not close connections in the same manner that SP1 and SP3 do. If that was true, that would result in a longer connection time, which means the sticky database would not idle out as fast, hence more connections for SP2.
    Regards,
    Chris

  • ACE traceroute problem

    Traceroute does not work when initiated from a server behind the ACE module. The output shows only the destination ip.
    The ACE is in routed mode.

    Traceroute is a widely available utility on most operating systems today. Much like ping, it is a valuable tool for determining connectivity in a network. Ping allows the user to find out if there is a connection between two end systems. Traceroute does this as well, but it additionally lists the intermediate routers between the two systems. Users can therefore see the routes that packets can take from the Content Engine to another system. Use the traceroute EXEC command to find the route to a remote host, when either the host name or IP address is known.

  • ACE ping problem

    Hello,
    I have an ACE running in router mode.
    The server and client are in different VLANs
    (server vlan 20, client vlan 192).
    1. client vlan(20) -> vip(20.1.1.102) service ok
    2. client vlan(20) -> vip(20.1.1.102) ping fail?
    Why does the ping fail?
    Hope this helps
    [Configuration]
    access-list ALL line 10 extended permit ip any any
    access-list ALL line 11 extended permit icmp any any
    probe tcp tcp_21
      port 21
      interval 2
      faildetect 2
      passdetect interval 5
      passdetect count 2
    serverfarm host slb
      probe tcp_21
      rserver test_01
        inservice
      rserver test_02
        inservice
    class-map type management match-any REMOTE_ACCESS
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    class-map match-all slb
      2 match virtual-address 20.1.1.102 any
    policy-map type management first-match REMOTE_MGMT
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match slb
      class class-default
        serverfarm slb
    policy-map multi-match test
      class slb
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply active
    interface vlan 20
      ip address 20.1.1.2 255.255.255.0
      alias 20.1.1.1 255.255.255.0
      peer ip address 20.1.1.3 255.255.255.0
      access-group input ALL
      access-group output ALL
      service-policy input REMOTE_MGMT
      service-policy input test
      no shutdown
    interface vlan 192
      ip address 192.168.1.102 255.255.255.0
      alias 192.168.1.1 255.255.255.0
      peer ip address 192.168.1.103 255.255.255.0
      access-group input ALL
      access-group output ALL
      service-policy input test
      no shutdown

    Is the A2 train the current version recommended by Cisco? These devices load balance critical systems, so we usually try to stay with Safe Harbor code wherever possible. In my deployment I require stability over features and in the past have stayed away from the "newest" code releases for fear of flaky or buggy behavior.
    Thanks

  • ACE sticky problem

    Hi,
    I have an issue with sticky server that I'm hoping might just be a command I'm missing.
    I am inserting a cookie and the sticky works fine.
    When my browser has a successful sticky connection, I take the server that has the sticky connection out of service. I try to make another connection and I see the connection round-robin to all remaining servers, but I don't get a successful connection; I do see the connection failure count increment on all other servers in the farm. Only when I bring the server back into service can I get a successful connection.
    Any advice appreciated.
    Sticky config below.
    sticky http-cookie WEB-Cookie-1 WEB-Sticky-1
      cookie insert
      serverfarm WEB-SERVERS-80
    Code
    Version A3(2.0) [build 3.0(0)A3(2.0
    Thanks
    Chris

    Hello Chris, this will be an easy fix for you. The command you are looking for is defined under the serverfarm against which you are creating sticky entries. You need to add a failaction. I'm pasting the command syntax and options for the command. Based on your brief description, failaction purge will give you the desired result:
    (config-sfarm-host) failaction
    To configure the action that the ACE takes if a real server in a server farm goes down, use the failaction command. Use the no form of this command to reset the ACE to its default of taking no action when a server fails.
    failaction {purge | reassign [across-interface]}
    no failaction
    Syntax Description
    purge
    Specifies that the ACE remove the connections to a real server if that real server in the server farm fails after you configure this command. The appliance sends a reset (RST) both to the client and to the server that failed.
    reassign
    Specifies that the ACE reassigns existing server connections to the backup real server, if a backup real server is configured. If no backup real server is configured, this keyword has no effect.
    across-interface
    (Optional) Instructs the ACE to reassign all connections from the failed real server to a backup real server on a different VLAN that is commonly referred to as a bypass VLAN. By default, this feature is disabled.

  • ACE Stickiness problem

    I am trying to configure stickiness on an ACE appliance. I can't seem to get it to work. I have tried an HTTP cookie and an IP netmask and can't get it to work. When I do a show stat sticky or a show sticky database I get nothing. Attached is the config of my ACE.

    You need to assign sticky resources to your context before you can start using it.
    Use the following command to see if you have allocated sticky resources:
    switch/Admin# show np 1 me-stats "-slb -v" | i Stick
    Num Active Sticky Entry: 1 0
    Num Active Reverse Sticky Entry: 0 0
    Free Sticky Entry Count: 944765 0
    switch/Admin#
    Gilles.

  • ACE RST problem

    Hi,
    We cannot solve the following situation.
    The client has a normal TCP connection to the server via the ACE. If a network interruption occurred (link up-down), the client sends a SYN packet with the same source port number that was used in the previous session between them. The ACE sends the SYN to the server, but the server responds with an ACK packet only and not a SYN,ACK packet, because the TCP session is live for the server. The client sends the RST packet after the SYN, but the ACE drops it.
    The show conn output shows the in and out sessions which were originally between the client and server.
    Can the ACE solve this situation?
    Regards,

    Hi!
    Thanks for the ideas. We tried them.
    The output of the supposed command:
    Lajos-ACE/Admin# sho np 1 me-stats "-stcp" | i dow
    Segs outside window: 0
    Connection shutdown FIN: 0
    Connection shutdown RST: 0
    We disabled the normalization without results.
    The idle timeout does not help because the ACE feels that the client and server continue the old session!
    The show conn output shows the following while the client sends the SYN and RST and the server sends the ACK only.
    8 2 in TCP 73 10.46.2.2:12346 192.168.37.221:1072 ESTAB
    [ idle time : 00:00:01, byte count : 2049 ]
    [ elapsed time: 00:12:41, packet count: 41 ]
    90 2 out TCP 75 192.168.37.217:1072 10.46.2.2:12346 ESTAB
    [ conn in reuse pool : FALSE]
    [ idle time : 00:00:01, byte count : 2319 ]
    [ elapsed time: 00:12:41, packet count: 46 ]
    In my opinion, the ACE tries to make a new, second connection before the SYN. The RST packet resets the second session and the first session is unchanged (but the idle timer is not increasing). The server responds in the first session.
    Unfortunately, the client uses the same source and destination TCP ports in every session. :-)
    Regards,

  • ACE VIP problem

    VIP from servers on port 8888 is visible with telnet and the other way around, but HTTP://VIP(IP address):8888 is not working for webportal servers.

    Your server is probably sending a redirect or using hard links with its port referenced in the url.
    Fix the server.
    Gilles.

  • ACE SNAT Problem

    I currently have 2 NAT policies that work fine. I'm trying to add the 3rd but it's not working.
    I'm pretty sure the config is correct, but I'm not sure if I can only have 1 SNAT policy per interface.
    -NAT policy snat's anything coming in externally except smtp & ftp
    -NAT-EMAIL policy snat's anything coming in externally to go back out vlan 215 to our internal lan.
    -NAT-DMZ policy is supposed to allow communication between 204 vlan and 215 VIPS but it doesn't work.
    So the service policy NAT-DMZ on vlan 204 should intercept traffic destined for 10.10.215.0 and snat
    all of it to 10.10.215.88, I believe, but it's not working.
    Any thoughts, or am I missing something?
    access-list NAT line 10 extended deny tcp any any eq smtp
    access-list NAT line 12 extended deny tcp any any eq ftp
    access-list NAT line 13 extended deny tcp any any eq ftp-data
    access-list NAT line 100 extended permit tcp any any eq www
    access-list NAT line 110 extended permit tcp any any eq https
    access-list NAT line 118 extended permit udp any any eq domain
    access-list NAT line 126 extended permit tcp any any eq domain
    access-list NAT line 134 extended permit tcp any any eq smtp
    access-list NAT line 142 extended permit tcp any any eq 20022
    access-list NAT-DMZ line 8 extended permit tcp any 10.10.215.0 255.255.255.0
    access-list NAT-DMZ line 16 extended permit udp any 10.10.215.0 255.255.255.0
    access-list NAT-DMZ line 24 extended permit tcp 10.10.215.0 255.255.255.0 any
    access-list NAT-DMZ line 32 extended permit udp 10.10.215.0 255.255.255.0 any
    access-list NAT-DMZ line 40 extended permit icmp any 10.10.215.0 255.255.255.0
    access-list NAT-DMZ line 48 extended permit icmp 10.10.215.0 255.255.255.0 any
    access-list NAT-EMAIL line 8 extended permit tcp any any eq www
    access-list NAT-EMAIL line 16 extended permit tcp any any eq https
    class-map match-any NAT
      2 match access-list NAT
    class-map match-any NAT-DMZ
      2 match access-list NAT-DMZ
    class-map match-any NAT-EMAIL
      2 match access-list NAT-EMAIL
    policy-map multi-match NAT
      class NAT
        nat dynamic 1 vlan 204
    policy-map multi-match NAT-DMZ
      class NAT-DMZ
        nat dynamic 5 vlan 215
    policy-map multi-match NAT_EMAIL
      class NAT-EMAIL
        nat dynamic 10 vlan 215
    policy-map multi-match VIPS
      class email.microchip.com_80_vs
        loadbalance vip inservice
        loadbalance policy email.microchip.com_80_l7slb
        loadbalance vip icmp-reply
        nat dynamic 10 vlan 215
      class email.microchip.com_443_vs
        loadbalance vip inservice
        loadbalance policy email.microchip.com_443_l7slb
        loadbalance vip icmp-reply
        nat dynamic 10 vlan 215
        appl-parameter http advanced-options HTTP-PARAM
        ssl-proxy server email.microchip.com_allSSL
    interface vlan 204
      description WEBDMZ
      ip address 10.10.204.50 255.255.255.0
      alias 10.10.204.1 255.255.255.0
      peer ip address 10.10.204.3 255.255.255.0
      access-group input EVERYONE
      nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat <--Works
      service-policy input NAT-DMZ <--Doesn't work
      no shutdown
    interface vlan 215
      description WebDMZ External Interface
      ip address 10.10.215.11 255.255.255.0
      alias 10.10.215.10 255.255.255.0
      peer ip address 10.10.215.12 255.255.255.0
      access-group input EXTERNAL
      nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat <--Works
      nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat <--Doesn't work
      service-policy input Management-Policy
      service-policy input VIPS
      service-policy input NAT
      no shutdown

    Tried that, but the only difference was that I added NAT-DMZ to NAT-EMAIL instead. Just easier for me that way, but it didn't work.
    access-list NAT-DMZ line 56 extended permit tcp any host 10.10.215.210
    access-list NAT-DMZ line 64 extended permit tcp host 10.10.215.210 any
    access-list NAT-DMZ line 72 extended permit udp any host 10.10.215.210
    access-list NAT-DMZ line 80 extended permit udp host 10.10.215.210 any
    access-list NAT-EMAIL line 8 extended permit tcp any any eq www
    access-list NAT-EMAIL line 16 extended permit tcp any any eq https
    policy-map multi-match NAT_EMAIL
      class NAT-DMZ
        nat dynamic 5 vlan 215
      class NAT-EMAIL
        nat dynamic 10 vlan 215
    interface vlan 204
      description WEBDMZ
      ip address 10.10.204.50 255.255.255.0
      alias 10.10.204.1 255.255.255.0
      peer ip address 10.10.204.3 255.255.255.0
      access-group input EVERYONE
      nat-pool 1 10.10.204.90 10.10.204.90 netmask 255.255.255.0 pat
      service-policy input NAT_EMAIL
      no shutdown
    interface vlan 215
      description WebDMZ External Interface
      ip address 10.10.215.11 255.255.255.0
      alias 10.10.215.10 255.255.255.0
      peer ip address 10.10.215.12 255.255.255.0
      access-group input EXTERNAL
      nat-pool 10 10.10.215.90 10.10.215.90 netmask 255.255.255.255 pat
      nat-pool 10 10.10.215.88 10.10.215.88 netmask 255.255.255.255 pat
      service-policy input Management-Policy
      service-policy input VIPS
      service-policy input NAT
      no shutdown
    I tested from a host in 10.10.204.x to 10.10.215.210 but it didn't work. I tested to the 10.10.215.210
    from the outside (vlan215) and it does work, so I know the VIP works and is taking connections.

  • Locked my Apple ID trying to find my security question answers, how can I solve this problem?

    How can I unlock my Apple ID account, and how am I going to reset my security questions, because I can't find my answers and I do not have Apple Care here in Greece to contact them...

    1. See my User Tip for some help: Some Solutions for Resetting Forgotten Security Questions: Apple Support Communities.
    2. Here are two different but direct methods:
        a. Send Apple an email request at: Apple - Support - iTunes Store - Contact Us.
        b. Call Apple Support in your country: Customer Service: Contacting Apple for support
            and service.
    3. For other queries about Apple ID see Frequently asked questions about Apple ID.
    4. Rescue email address and how to reset Apple ID security questions
