ACE Rserver "inservice" - probing?

Hello all
We recently upgraded an ACE module from A1 code straight through to A2(3.4).
There's a behaviour change we weren't expecting -
probe tcp t2-probe-3133
  port 3133
  interval 4
  faildetect 4
  passdetect interval 4
  passdetect count 4
  receive 1
serverfarm host ext-gxr-3133
  probe t2-probe-3133
  rserver server-testing 3133
    inservice
If I take the "rserver server-testing" out of service and then bring it back in, it goes straight to OPERATIONAL even if the service listening on port 3133 is not there - the probe eventually fails, the server drops to OUTOFSERVICE.
During this time we drop transactions on the serverfarm.
This is different from the A1 behaviour - it used to wait till the probe finished (We're pretty sure anyway :-) )
Am I dreaming - this hasn't changed? - And regardless, is there a way to make the behaviour "Wait until the probes work before bringing the server in"?
Cheers
Graeme.

Graeme-
  I just tested this on A1(6.3) and A2(3.3) - both do exactly the same in terms of their default action.  When the rserver is operational with no probe configured, and you add a probe, the rserver stays operational until the probe fails.  If the rserver was in probe failed state to begin with and you add a 2nd probe to the serverfarm, the rserver stays in probe-failed while testing the new probe.
There was a difference in A1(6.X) vs A2(3.X) - the addition of "fail-on-all" under the serverfarm which makes all probes have to fail prior to removing it from loadbalancing rotation.  I did test with that feature on, and it still has the same result.
If you are getting something different from this, go ahead and get a TAC case open to have a bug investigated/filed.
Regards,
Chris Higgins
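
The timing discussed in this thread, worked through as an added example (not code from the thread or from Cisco). It is a simplified model using the values of `t2-probe-3133`; it assumes the first probe is sent the moment the rserver is put in service and that an unanswered probe counts as failed once the `receive` timer expires. The "gated" start is a hypothetical policy shown for contrast, not an ACE option.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Probe:
    interval: int             # seconds between probes while the rserver is passing
    faildetect: int           # consecutive failed probes before it is marked failed
    passdetect_interval: int  # seconds between probes while the rserver is failed
    passdetect_count: int     # consecutive good probes before it is marked passed
    receive: int              # seconds to wait for a reply before counting a failure


# Values of probe t2-probe-3133 from the question.
T2_PROBE = Probe(interval=4, faildetect=4, passdetect_interval=4,
                 passdetect_count=4, receive=1)


def simulate(probe: Probe, service_up_at: Optional[int], optimistic: bool,
             horizon: int = 60) -> List[Tuple[int, str]]:
    """Return the (time, state) transitions of one rserver put in service at t=0.

    service_up_at: second at which the backend starts answering (None = never).
    optimistic=True  -> OPERATIONAL immediately, as observed in the thread.
    optimistic=False -> hypothetical gated start: PROBE-FAILED until
                        passdetect_count probes have succeeded.
    Assumption: the first probe is sent at t=0.
    """
    state = "OPERATIONAL" if optimistic else "PROBE-FAILED"
    transitions = [(0, state)]
    fails = passes = 0
    send = 0
    while send <= horizon:
        if service_up_at is not None and send >= service_up_at:
            known, passes, fails = send, passes + 1, 0
        else:
            # No answer: the failure is only counted once the receive timer expires.
            known, passes, fails = send + probe.receive, 0, fails + 1
        if state == "OPERATIONAL" and fails >= probe.faildetect:
            state = "PROBE-FAILED"
            transitions.append((known, state))
        elif state == "PROBE-FAILED" and passes >= probe.passdetect_count:
            state = "OPERATIONAL"
            transitions.append((known, state))
        send += probe.interval if state == "OPERATIONAL" else probe.passdetect_interval
    return transitions


def exposed_seconds(transitions: List[Tuple[int, str]],
                    service_up_at: Optional[int], horizon: int = 60) -> int:
    """Seconds during which the rserver is in rotation while the service is down."""
    down_until = horizon if service_up_at is None else min(service_up_at, horizon)
    total = 0
    ends = [t for t, _ in transitions[1:]] + [horizon]
    for (start, state), end in zip(transitions, ends):
        if state == "OPERATIONAL":
            total += max(0, min(end, down_until) - start)
    return total


if __name__ == "__main__":
    cases = [
        ("optimistic, service never starts", None, True),
        ("optimistic, service starts at t=10", 10, True),
        ("gated, service starts at t=10", 10, False),
    ]
    for label, up_at, optimistic in cases:
        timeline = simulate(T2_PROBE, up_at, optimistic)
        print(f"{label}: {timeline} exposed={exposed_seconds(timeline, up_at)}s")
```

In the second case the service comes up before four probes have failed, so the rserver never leaves rotation and the ten seconds of dropped connections leave no state change behind.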

Similar Messages

  • ACE : Rserver connection failures ?

    Hi,
    In a productive environment, I observe rserver counters and I can read several connection failures. However, the site seems to work correctly.
    What are the conditions under which the ACE increments the connection failures counter?
    Here is an extract of the show serverfarm command :
    CH01AC03/P-115-A# sh serverfarm NCL_FARM_PROD
    serverfarm     : NCL_FARM_PROD, type: HOST
    total rservers : 6
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: HQBUUN203
           10.56.7.209:443       12     OPERATIONAL  11         2363414    334
       rserver: HQBUUN205
           10.56.7.210:443       12     OPERATIONAL  11         2321347    2055
       rserver: HQBUUN221
           10.56.7.94:443        8      OPERATIONAL  10         1611561    1270
       rserver: HQBUUN222
           10.56.7.93:443        8      OPERATIONAL  20         1608550    189
       rserver: HQVEUN218
           10.56.7.96:443        8      OPERATIONAL  15         1532865    1307
       rserver: HQVEUN219
           10.56.7.95:443        8      OPERATIONAL  12         1607162    304
    Thank you for any hints
    Yves Haemmerli

    Yves,
    Normally only RST from the rserver or no response to SYN from the rserver are counted as failure.
    However, we had issues with this as identified in CSCtd22008 "ACE- Client RST in End-to-End SSL generates Rserver conn-failures."
    An old one is CSCsh14278 "sh serverfarm failure conn incremented for successful connection".
    So, if you want to be sure, the only option is to capture a sniffer trace.
    Gilles.

  • ACE Redirection

    I have ACE 4710 and I want to use this to redirect port 80 traffic to my proxy server. But I am not able to do that. My ACE is in routed mode. Below is my ACE configuration. When I am applying the policy on the interface I am not able to browse the Internet.
    I am connected to the Interface VLAN 300. Below is the configuration for ACE.
    class-map type management match-any CM_ALL
      2 match protocol snmp any
      3 match protocol http any
      4 match protocol https any
      5 match protocol icmp any
      6 match protocol telnet any
    class-map match-any CM_BYPASS_FOR_LAN
      3 match virtual-address 100.1.1.0 255.255.255.0 tcp eq www
      8 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
      9 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
      10 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
      11 match virtual-address 172.20.0.0 255.255.0.0 tcp eq www
      12 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www
      13 match virtual-address 172.23.16.0 255.255.255.0 tcp eq www
    class-map match-any CM_BYPASS_SUBNET
      9 match virtual-address 100.0.0.0 255.0.0.0 tcp eq www
      15 match virtual-address 192.168.0.0 255.255.0.0 tcp eq www
      16 match virtual-address 172.20.0.0 255.255.0.0 tcp eq www
      17 match virtual-address 172.16.0.0 255.255.0.0 tcp eq www
      18 match virtual-address 172.23.16.0 255.255.255.0 tcp eq www
      19 match virtual-address 172.23.15.0 255.255.255.0 tcp eq www
      20 match virtual-address 10.0.0.0 255.0.0.0 tcp eq www
    class-map match-any CM_IM
      2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5050
      3 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 1080
      4 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 5101
    class-map match-all CM_SF_BCPR
      255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
    policy-map type management first-match PM_ALL
      class CM_ALL
        permit
    policy-map type loadbalance http first-match PM_L7_BYPASS_FOR_LAN_HTTP
      class class-default
        forward
    policy-map type loadbalance http first-match PM_L7_BYPASS_HTTP
      class class-default
        forward
    policy-map type loadbalance http first-match PM_LB_SF_BCPROXY
      class class-default
        serverfarm SF_BCPR
    policy-map multi-match PM_BYPASS_FOR_LAN_HTTP
      class CM_BYPASS_FOR_LAN
        loadbalance vip inservice
        loadbalance policy PM_L7_BYPASS_FOR_LAN_HTTP
    policy-map multi-match PM_BYPASS_HTTP
      class CM_BYPASS_SUBNET
        loadbalance vip inservice
        loadbalance policy PM_L7_BYPASS_HTTP
    policy-map multi-match PM_MAIN_BCPROXY
      class CM_SF_BCPR
        loadbalance vip inservice
        loadbalance policy PM_LB_SF_BCPROXY
        loadbalance vip icmp-reply active
        appl-parameter http advanced-options PARAMAP_CASE
    service-policy input PM_ALL
    interface vlan 100
      description FW-INSIDE CONTEXT1
      ip address 192.168.180.5 255.255.255.240
      no icmp-guard
      access-group input acl-out
      no shutdown
    interface vlan 300
      description ACE-INSIDE CONTEXT RACK1
      ip address 192.168.10.5 255.255.255.0
      no normalization
      no icmp-guard
      access-group input acl-in
      service-policy input PM_BYPASS_FOR_LAN_HTTP
      service-policy input PM_BYPASS_HTTP
      service-policy input PM_MAIN_BCPROXY
      no shutdown
    interface vlan 301
      description BC-VLAN CONTEXT RACK1
      ip address 192.168.180.97 255.255.255.240
      access-group input acl-proxy
      no shutdown
    Please let me know where I am missing the configuration. I will be very thankful for the prompt help.

    Hi,
    You need to put your rserver inservice.
    rserver host RS_BCPR01
      ip address 192.168.180.103
      inservice
    As you can see when you're displaying your rserver/serverfarm, its current status is OUTOFSERVICE, which indicates that the rserver has been manually suspended for service.
    hth

  • Two-tier ACE config question

    Hi,
    I am an ACE newbie - I have a two-tier ACE setup and I am basically trying to get the front-end ACE to divert to a sorry page if the back end servers hanging off the Back-end ACE do not reply to their probes.
    I have the following setup...
    Internet
    |
    DMZ ACE (doing SSL termination)
    |
    Reverse Proxy Server farm
    |
    Corporate LAN ACE
    |
    Application Server farm
    DMZ ACE is probing Rev Proxy farm on TCP 2000 - and using sticky cookie insertion.
    Corporate LAN ACE is probing App Server farm on TCP 2000 - and using sticky cookie insertion.
    If the Application server farm becomes unavailable, I would like the DMZ ACE to detect this and then redirect the clients to a 'service unavailable' page hosted on the Reverse Proxy Servers.
    My thought so far is the following...
    DMZ ACE
    rserver Rev_proxy1
    rserver Rev_proxy2
    probe icmp probe_icmp
    ip address <App_Server_VIP>
    serverfarm Rev_proxy_farm
    probe probe_icmp
    probe probe_tcp_2000
    rserver Rev_proxy1, Rev_proxy2
    So the above Rev_proxy_farm availability is tied to the appearance of the App Server vip due to the directed icmp probe to the Corporate LAN ACE VIP - the VIP will disappear if the App Server farm does not respond to its TCP probe.
    I am then not sure how to redirect the HTTP request to the Reverse Proxy Server seeing as though these have already been flagged unavailable.
    Should I then follow 'Configuring a Sorry Server Farm' as per http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1049254 to divert the connections from the Reverse_proxy:2000 to Reverse_proxy:3000 (which serves Service unavailable page)?
    Any advice on whether this is the best way to go would be much appreciated.
    Cheers,
    Al

    You need to create a redirect host and serverfarm and use this serverfarm as a backup serverfarm for your main serverfarm.
    I'm not sure that the icmp ping will work,
    because the ping will be sent to dest ip address of the vip, but the dest mac-address will be the rev-proxy where you configured the probe.
    Give it a try.
    Gilles.

  • Configuring ACE Module for Redundancy

    Hi Sir,
    I'm configuring fault tolerance between two ACE modules installed on two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
    Do I need to configure 4 "ft group", i.e. one context per group? E.g. config:
    ft group 1
      peer 1
      priority 110
      peer priority 105
      associate-context Admin
      inservice
    ft group 2
      peer 1
      priority 110
      peer priority 105
      associate-context ace-context1
      inservice
    ft group 3
      peer 1
      priority 105
      peer priority 110
      associate-context ace-context2
      inservice
    ft group 4
      peer 1
      priority 105
      peer priority 110
      associate-context ace-context3
      inservice
    Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client-side?
    Thank you.
    B.Rgds,
    Lim TS

    Hi Gilles,
    I have configured FT for all user contexts as well as for the admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
    I noticed a few things:
    (1) After the initial FT config, subsequent FT groups just need to be configured on the active Admin context and it will be replicated to the standby ACE, with the priority correctly reversed.
    (2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
    (3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
    One issue I encountered in one of the user contexts is as follows:
    ace1/ace-context-1# sh run int
    Generating configuration....
    interface vlan 950
      description *** Client-Facing VLAN ***
      ip address 10.1.35.5 255.255.255.0
      alias 10.1.35.4 255.255.255.0
      peer ip address 10.1.35.6 255.255.255.0
      access-group input ACL_VL950_IN
      service-policy input REMOTE_MGMT
      service-policy input MY_LB
      no shutdown
    interface vlan 951
      description *** Connection to Real Servers ***
      ip address 10.1.36.2 255.255.255.0
      alias 10.1.36.1 255.255.255.0
      peer ip address 10.1.36.3 255.255.255.0
      access-group input ACL_VL951_IN
      service-policy input NAT_REAL
      no shutdown
    This is the active context. It can ping to 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client-side). It can ping alias 10.1.36.1 over VLAN 951 (server-side) but can't ping to peer 10.1.36.3. The ACL_VL951_IN permits ip any any. Do you know why?
    Secondly, I can remotely ping to alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

  • Ace load balancing, inservice/no inservice serverfarms

    I've started working with an ACE load balancer and came across something that just didn't add up to me. I can pull and put servers in and out of rotation without a problem; however, when working with a serverfarm or a group of servers I have to pull each one individually and can't find a way to remove, say, the entire serverfarm via one command. Does anyone know of a way to put a serverfarm 'inservice' or set it to 'no inservice' that would make it easier for large groups of servers needing to be adjusted?
    Sorry if this isn't the right forum for this kind of question. Please feel free to move it if needed.

    Hello Chris,
      There is no toggle to set every rserver under a serverfarm out of service.  You can only take a single rserver out of service at a global level, or under a serverfarm individually.
      One thing to think about  - bringing down all of the servers would be the same as removing the serverfarm from under the policy map type loadbalance since it would effectively bring the vip down.
    Regards,
    Chris Higgins

  • ACE redirect to different URI on rserver

    We use JDE and up to now part of the tools was Apache, which would redirect as follows:
    http://alias.server to http://real.server:13333/main.maf
    The latest version no longer uses Apache, so I was wondering how I can do it on the ACE.
    Of course there is no problem going from alias.server port 80 to real.server:13333, but how can I add the URI main.maf?

    Hi
    The configuration would look like the following:
    rserver host CHIJTW55
      description CHIJTW55
      ip address 172.16.98.106
      inservice
    rserver redirect JDEDV_RED
      webhost-redirection http://172.16.73.10:13333/main.maf 301
      inservice
    serverfarm host JDEDV
      description JDEDV servers
      failaction purge
      probe tcp13333
      rserver CHIJTW55 13333
        inservice
    serverfarm redirect REDIRECT_FARM
      rserver JDEDV_RED
        inservice
    class-map match-any JDEDV_vip_80
      2 match virtual-address 172.16.73.10 tcp eq www
    class-map match-any JDEDV_vip_13333
      2 match virtual-address 172.16.73.10 tcp eq 13333
    policy-map type loadbalance first-match JDEDV_80
      class class-default
        serverfarm REDIRECT_FARM
    policy-map type loadbalance first-match JDEDV_13333
      class class-default
        serverfarm JDEDV
    policy-map multi-match MULTI_POLICY
      class JDEDV_vip_80
        loadbalance vip inservice
        loadbalance policy JDEDV_80
      class JDEDV_vip_13333
        loadbalance vip inservice
        loadbalance policy JDEDV_13333
    interface vlan X
      service-policy input MULTI_POLICY
    I hope this helps
    Daniel

  • How the ACE handles rserver failures

    Hello
    I've got a question re: the ACE module.
    Lets say I have 2 web rservers and I have a probe interval for checking them from the ACE of 10 seconds.
    Lets say a probe just passed and it is 10 seconds before the next one. The ACE will think the rserver is ok. Then say the rserver httpd service is stopped at 3 seconds after the last successful probe, therefore leaving 7 seconds before the ACE is going to send another probe. The ACE will think it is still 'up' before the next probe is sent.
    Given the above, what happens to a) existing connections to the newly failed rserver and b) new connections if the failure occurs between probes?
    How does the ACE handle this situation?
    Are there any differences between how the ACE handles this between A1 and A2 versions of software?
    Thanks
    Cameron

    URL rewrite only comes into play when the real server (rserver) sends a clear text redirect, such as a 302 for http://investor.nice360.com. If the client receives this 302 it will attempt the next request using HTTP. With the URL rewrite feature we configure ACE to change these redirects from HTTP to HTTPS.
    What you are looking for is a simple redirection of client request from port 80 to port 443. This can be achieved using redirect server farm and redirect rserver.
    You will need to create two sets of configs (class-maps, rserver, sfarm,policy map) for port 80 & port 443 traffic. Port 80 policy will simply redirect the port 80 request to port 443.
    Following example will give you some idea
    rserver redirect HTTP2HTTPS
      webhost-redirection https://%h%p 301
      inservice
    serverfarm redirect HTTP2HTTPS-SF
      rserver HTTP2HTTPS
        inservice
    class-map match-all WEB-HTTP
      2 match virtual-address 172.25.250.245 tcp eq http
    class-map match-all WEB-HTTPS
      2 match virtual-address 172.25.250.245 tcp eq 443
    policy-map type loadbalance first-match HTTP2HTTPS-POLICY
      class class-default
        serverfarm HTTP2HTTPS-SF
    policy-map type loadbalance first-match L7-POLICY
      class class-default
        sticky-serverfarm STICKY_IP
    policy-map multi-match L4-POLICY
      class WEB-HTTP
        loadbalance vip inservice
        loadbalance policy HTTP2HTTPS-POLICY
        loadbalance vip icmp-reply
      class WEB-HTTPS
        loadbalance vip inservice
        loadbalance policy L7-POLICY
        loadbalance vip icmp-reply
        ssl-proxy server INVESTOR-CLIENT
    Syed

  • ACE new rserver

    Hi All
    I am trying to move two real servers from the current configuration and add them to a new VIP. Does anyone know what changes I would need to make?
    I am trying to move the 2 proxies BCPROXY1 and BCPROXY2.
    Any help much appreciated 
    Regards MJ

    Hi Jorge
    Thanks for the response, please see the configuration.
    access-list ALL line 1 extended permit ip any any
    probe icmp icmp_probe
      interval 5
      passdetect interval 60
    rserver host BCPROXY1
      description NEW HBC WEB PROXY 1
      ip address 10.100.102.22
      probe icmp_probe
      inservice
    rserver host BCPROXY2
      description NEW HBC WEB PROXY 2
      ip address 10.100.102.23
      probe icmp_probe
      inservice
    rserver host PROXY1
      description WEB PROXY 1
      ip address 10.100.102.20
      probe icmp_probe
      inservice
    rserver host PROXY2
      description WEB PROXY 2
      ip address 10.100.102.21
      probe icmp_probe
      inservice
    serverfarm host PROXY-PRODUCTION
      description PRODUCTION WEB PROXY
      predictor response app-req-to-resp
      rserver BCPROXY1
        inservice
      rserver BCPROXY2
        inservice
      rserver PROXY1
        inservice
      rserver PROXY2
        inservice
    class-map match-all CLASSIFY-INCOMING-TRAFFIC
      2 match virtual-address 10.100.101.10 tcp eq 8080
    policy-map type loadbalance first-match WEB-POLICY-L7
      class class-default
        serverfarm PROXY-PRODUCTION
    policy-map multi-match INCOMING-WEB-TRAFFIC
      class CLASSIFY-INCOMING-TRAFFIC
        loadbalance vip inservice
        loadbalance policy WEB-POLICY-L7
        loadbalance vip icmp-reply
    interface vlan 1111
      description ACE-VIPS-MAIL - Incoming Traffic
      ip address 10.100.101.253 255.255.255.0
      alias 10.100.101.254 255.255.255.0
      peer ip address 10.100.101.252 255.255.255.0
      access-group input ALL
      service-policy input remote_management_access
      service-policy input INCOMING-WEB-TRAFFIC
      no shutdown
    interface vlan 1112
      description ACE-SERVER-VLAN
      ip address 10.100.102.3 255.255.255.0
      alias 10.100.102.1 255.255.255.0
      peer ip address 10.100.102.2 255.255.255.0
      access-group input ALL
      service-policy input remote_management_access
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.100.101.1
    All I am wanting to do is remove the two test proxy servers to a new VIP (for test before putting back into production).
    Will I need a new service policy or can I use the existing one (INCOMING-WEB-TRAFFIC)?
    Regards MJ

  • ACE NAT configuration - is it possible to use a different source PAT IP per rserver in a serverfarm?

    Hi,
    I've a quick question regarding using PAT (port address translation) on an ACE module specifically for the purpose of load-balancing requests to a cluster of Exchange CAS servers.
    Each CAS server needs to see requests from the same source IP which can be achieved by using source NAT / PAT but due to the scale of this Exchange deployment a single NAT pool with one PAT'd IP will not provide enough ports (i.e. there may well be more than ~64,000 ports required at any one time).
    Is it possible to configure PAT on the ACE so that each individual rserver will see requests from a unique source PAT address, i.e., each rserver sees a different source PAT IP, i.e., in order to provide ~64,000 ports per source PAT IP <-> CAS server pair as opposed to ~64,000 ports shared between all the CAS servers?
    If so, does anyone have any configuration examples (based on a single-armed configuration)?
    TIA

    Hi Tia,
    I don't think we can do this. We can easily configure a different nat pool per serverfarm but not per rserver.
    --Olivier

  • ACE issue for rserver with multiple IP on the same NIC

    Dear all,
    I'm going to configure an ACE with bridged mode to load balance incoming traffic to 3 TMG servers following this network diagram:
    The system design requires 4 IP addresses on the same NIC, and 3 VIPs for each pool of the IPs as presented in the diagram (rserver: 172.22.14.52 & 62 & 72 - VIP: 172.22.14.82). The attached configuration of the ACE was tested successfully, but we discover that some NICs crash after a non-specific period (Server cannot ping their default gateway: Destination unreachable). I need then to restart the server to get things going well.
    After troubleshooting many things, I discover that when I remove the service policy on the ACE interface, the problem disappears and the server continues to work correctly.
    Is it possible that this problem is due to having on the ACE arp table 3 IP addresses having the same MAC? And how can I solve it?
    Thanks, Abdelaziz

    This is for help the show arp result. I see that the four IP address of each server have the same mac address but only the first IP is LEARNED. Is it normal?
    ================================================================================
    IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
    ================================================================================
    172.22.14.51    00.c0.dd.16.90.4c  vlan2014  LEARNED    15067  13964 sec    up
    172.22.14.52    00.c0.dd.16.90.4c  vlan2014  RSERVER    15051  173 sec      up
    172.22.14.53    00.c0.dd.16.90.4c  vlan2014  RSERVER    15057  177 sec      up
    172.22.14.54    00.c0.dd.16.90.4c  vlan2014  RSERVER    15059  178 sec      up
    172.22.14.61    00.c0.dd.16.ae.60  vlan2014  LEARNED    15058  13677 sec    up
    172.22.14.62    00.c0.dd.16.ae.60  vlan2014  RSERVER    15050  172 sec      up
    172.22.14.63    00.c0.dd.16.ae.60  vlan2014  RSERVER    15064  181 sec      up
    172.22.14.64    00.c0.dd.16.ae.60  vlan2014  RSERVER    15061  179 sec      up
    172.22.14.71    00.c0.dd.16.93.b8  vlan2014  LEARNED    15065  13700 sec    up
    172.22.14.72    00.c0.dd.16.93.b8  vlan2014  RSERVER    15048  171 sec      up
    172.22.14.73    00.c0.dd.16.93.b8  vlan2014  RSERVER    15062  179 sec      up
    172.22.14.74    00.c0.dd.16.93.b8  vlan2014  RSERVER    15068  291 sec      up
    172.22.14.253   88.43.e1.75.9a.80  vlan2024  LEARNED    15019  9328 sec     up
    172.22.14.254   88.43.e1.75.96.00  vlan2024  GATEWAY    14463  36 sec       up
    172.22.14.250   00.23.5e.26.1e.71  bvi3      INTERFACE  LOCAL     _         up
    ================================================================================

  • Cisco ACE can rserver use its own VIP address ?

    we've configured a serverfarm with a real server and a VIP.
    The serverfarm can be reached and is functioning well.
    Now we want the rserver to be able to reach its own VIP address.
    This is needed because the rserver has multiple websites which need each other
    and we want to have load balancing.
    Is this a supported configuration ?
    regards,
    Sebastian

    You can simply add a new policy to match the servers' ip addresses and then configure nat.
    ie:
    class-map match-all servers
      2 match source-address 192.168.30.48 255.255.255.255
    policy-map multi-match client-nat
      class servers
        nat dynamic 1 vlan 30
    interface vlan 20
      ip address 192.168.20.121 255.255.255.0
      alias 192.168.20.124 255.255.255.0
      peer ip address 192.168.20.123 255.255.255.0
      no normalization
      mac-sticky enable
      access-group input PERMIT-ANY
      service-policy input ALLOW-ALL
      service-policy input client-nat
      service-policy input SLB1
      no shutdown
    interface vlan 30
      bridge-group 30
      no normalization
      mac-sticky enable
      access-group input PERMIT-ANY
      nat-pool 1 10.10.20.1 10.10.20.100 netmask 255.255.255.0
    In this case I nat to an address in the 10.10.20.0/24 subnet and I have a static route on the servers pointing this subnet to ACE.
    You could also use a free ip from the same server subnet and no static route would be required.
    Also if ACE is already the default gateway for the servers, no specific static route is required.
    Also, in this example, I'm not really nating a server. But the idea is the same. The only difference is that in your case, the outgoing interface will be the same as the incoming interface. Me I have everything in vlan 20 and vlan 30. You will have everything in vlan X and only vlan X.
    Gilles.

  • ACE keep probing real servers using "https get 302"

    Hi all,
    I got one problem with cisco ACE in my company. Currently, two ACE appliances are working as HA redundancy. Previously I enabled some https and http probing using get 302 for some servers and services. But then I was told to remove all https or http probing, and instead use tcp port 443 and 80. After that, one of the serverfarms (server groups) is receiving https get 302 and I already checked in the monitoring to see whether there's any https probing regarding the respective real servers. But I could not find any. Even if I disable all probing to that serverfarm, all the server members are still receiving https get 302. Is this behavior a bug?
    The ACE version is A3(2.1). And the HA status is on standby cold. Can standby cold cause this kind of trouble?

    Hi Daniel,
    I just corrected the cert problem and made the state peer into standby hot. But it still keeps probing the get 302. And then I tried to restart both ACEs. The first step is to restart the second ACE (standby) and then switched over all context to the second one. The problem is that when I made the second one to be active, some services were not working, especially the ones with ssl terminated in ACE. I'm pretty sure that both ACEs were in sync.
    Any idea what is the problem?

  • ACE logging - rserver and probes

    on CSS I get an info if a server fails the keepalive and get in state "down, up or suspended". This is logged in the traplog file on the CSS.
    Is there any possibility on an ACE to have logs for rserver state changes like "PROBE-FAILED, OPERATIONAL and OUT-OF-SERVICE"
    thx in advance

    Hi Gilles,
    1. looks fine, but I miss the rserver Name in the log. it only appears the ip address of the server.
    So it looks like that the "ip address log" is implemented :-(
    b-sllb2001-09/db_bku-nK2# show rserver sthon
    rserver : sthon, type: HOST
    state : PROBE-FAILED
    ----------connections-----------
    real weight state current total
    ---+---------------------+------+------------+----------+--------------------
    serverfarm: test.db.de
    172.24.100.98:0 8 PROBE-FAILED 0 0
    b-sllb2001-09/db_bku-nK2# show logging | i ACE-3
    Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
    Jun 25 2008 09:20:23 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
    Jun 25 2008 09:20:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
    Jun 25 2008 09:21:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
    2. I can find nothing in the log when the probe gets "operational" or "out-of-service state".
    Is this correct?
    b-sllb2001-09/db_bku-nK2# show rserver sthon
    rserver : sthon, type: HOST
    state : OPERATIONAL
    ----------connections-----------
    real weight state current total
    ---+---------------------+------+------------+----------+--------------------
    serverfarm: test.db.de
    172.24.100.98:0 8 OPERATIONAL 0 0
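
The `%ACE-3-251011` lines above carry only the server address, so the rserver name has to be joined in from the configuration. An added example (not from the thread or from Cisco) that does this offline: it reads `rserver host` blocks from a saved running-config and annotates the probe-failure messages. The config fragment and the last log line are constructed; the other log lines and the name `sthon` are the ones in the post.

```python
import re
from datetime import datetime

# Constructed running-config fragment using the rserver shown in the post.
SAMPLE_CONFIG = """\
rserver host sthon
  ip address 172.24.100.98
  inservice
serverfarm host test.db.de
  rserver sthon
    inservice
"""

# First four lines are quoted from the post; the last one is constructed
# (192.0.2.10 is a documentation address) to show an address with no rserver.
SAMPLE_LOG = """\
Jun 25 2008 09:20:14 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:20:23 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:20:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:21:54 : %ACE-3-251011: ICMP health probe failed for server 172.24.100.98, server reply timeout
Jun 25 2008 09:22:10 : %ACE-3-251011: ICMP health probe failed for server 192.0.2.10, server reply timeout
"""

RSERVER_RE = re.compile(r"^rserver\s+host\s+(\S+)\s*$")
IPADDR_RE = re.compile(r"^\s+ip\s+address\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
PROBE_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) : %ACE-3-251011: "
    r"(?P<kind>\S+) health probe failed for server (?P<ip>[^,\s]+), (?P<reason>.*)$"
)


def rserver_names(config):
    """Map each rserver IP address to its name from 'rserver host' blocks."""
    names = {}
    current = None
    for line in config.splitlines():
        match = RSERVER_RE.match(line)
        if match:
            current = match.group(1)
            continue
        if not line.startswith((" ", "\t")):
            current = None  # a different top-level block (serverfarm, interface, ...)
            continue
        match = IPADDR_RE.match(line)
        if match and current:
            names[match.group(1)] = current
    return names


def probe_failures(log, names):
    """Return (timestamp, rserver name, ip, probe type, reason) per failure line."""
    events = []
    for line in log.splitlines():
        match = PROBE_FAIL_RE.match(line.strip())
        if not match:
            continue  # other syslog messages are ignored
        ts = datetime.strptime(match.group("ts"), "%b %d %Y %H:%M:%S")
        ip = match.group("ip")
        events.append((ts, names.get(ip, "unknown"), ip,
                       match.group("kind"), match.group("reason")))
    return events


def summarise(events):
    """Collapse repeated failures into (first seen, last seen, count) per server."""
    summary = {}
    for ts, name, ip, _kind, _reason in events:
        first, last, count = summary.get((name, ip), (ts, ts, 0))
        summary[(name, ip)] = (min(first, ts), max(last, ts), count + 1)
    return summary


if __name__ == "__main__":
    found = probe_failures(SAMPLE_LOG, rserver_names(SAMPLE_CONFIG))
    for (name, ip), (first, last, count) in summarise(found).items():
        print(f"{name} ({ip}): {count} probe failures, {first} .. {last}")
```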

  • ACE Module - Archiving Rserver/Serverfarm connection statistics

    Hello,
    We have CiscoWorks and Cisco Security Manager in our setup. And we would like to record/archive the rserver/serverfarm connection statistics from ACE20 Module. CiscoWorks is only able to pull CPU & Memory stats.
    Is there a way where connections stats can be collected. If so, please advise the method or tool (possibly free) which could record and give historical view of the connection statistics.
    Thanks.

    Hello Dedra-
    What you are looking for is ANM. It is a software that runs on RedHat 5.2.X linux (we also just released a VMWare image for ESXi 4.X). It uses SNMP, SSH, and system logging to manage and monitor CSS, CSM, ACE, and the SSL Service module (and to a minor extent the 6k chassis the devices are in). It stores information and has the ability not only to show you numbers, but graphs and topological outputs based on your unique configuration.
    Unfortunately, we do not offer it for free, but it is licensed based on how many contexts/physical devices you use it with. Give your Cisco Sales engineer, or Cisco Partner, a call and see about getting a demo license. As well, check out the documentation on it located here:
    http://cco.cisco.com/en/US/products/ps6904/tsd_products_support_series_home.html
    Regards,
    Chris Higgins
