ACE SM in a bridge mode
We're architecting a pair of the ACE SM's and trying to better understand the upside/downside of configuring them in the bridged vs. a routed mode. Also, undr what circumstances the bridge mode would be superior to the routing mode?
Thanks..
If running in bridged mode you are free to use any routing protocol your routers support. The ACE will not interfere with the routing.
But beware, the ACE bridges only connected networks. Only version A2 3.0 has secondary address support.
Similar Messages
-
ACE dropped conns problem (Bridged mode)
Dear all,
I configured an ACE in bridged mode (inside vlan: 2012, outside vlan: 2021) and I apply the L4 policy on the 2 VLAN interface to loadbalance HTTP incoming request (Virtual IP: 172.22.22.130).
interface vlan 2112
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface vlan 2122
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
But I need also that some other server connected to the same vlan 2112 and having to send HTTP request on the same VIP but this failed and I get dropped conns.
Can anyone helps?
Regards
AbdelazizHi Olivier,
This below the full config, and my need is to make a server in the inside VLAN 2112 (172.22.22.121) to open HTTPS connexion on the VIP (172.22.22.130 for rserver .131 & .132). Trafic from the outside is working well.
Thanx,
Abdealziz
Generating configuration....
access-list BPDU-Allow ethertype permit bpdu
probe tcp HTTPS
port 443
interval 15
passdetect interval 15
passdetect count 1
probe icmp PING
interval 5
rserver host CASHUB131
ip address 172.22.22.131
inservice
rserver host CASHUB132
ip address 172.22.22.132
inservice
serverfarm host SFARM-EXCAS130
probe HTTPS
rserver CASHUB131
inservice
rserver CASHUB132
inservice
parameter-map type connection TCP_IDLE_30min
set timeout inactivity 1800
class-map match-all CLASS-L4-VIP-EXCAS130
2 match virtual-address 172.22.22.130 any
class-map type management match-any REMOTE-ACCESS
description management ACE
10 match protocol telnet any
20 match protocol ssh any
30 match protocol icmp any
31 match protocol https any
32 match protocol snmp any
policy-map type management first-match REMOTE-MGT
class REMOTE-ACCESS
permit
policy-map type loadbalance first-match POLICY-L7-VIP-EXCAS130
class class-default
serverfarm SFARM-EXCAS130
policy-map multi-match POLICY-LB-HMC-2112
class CLASS-L4-VIP-EXCAS130
loadbalance vip inservice
loadbalance policy POLICY-L7-VIP-EXCAS130
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
interface vlan 2112
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface vlan 2122
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface bvi 1
ip address 172.22.22.250 255.255.255.0
peer ip address 172.22.22.251 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.22.22.254 -
ACE; Dynamic SNAT in bridge mode without Dnat (VIP) needed
Hi,
We are interested about the ACE NAT performance. We would like to use this module just for the SNAT feature and only in bridge mode (to facilitate the ACE integration in the current network).
the configuration could be similar to this one:
class-map PrivateSource
match source-address 10.0.0.0 255.0.0.0
policy-map multimatch SourceNat
class PrivateSource
nat dynamic 1 vlan X
interface vlan X (incoming traffic from the source)
bridge-group 1
service-policy in SourceNat
nat-pool 1 publicIP netmask A.B.C.D pat
interface vlan Y
bridge-group 1
Could anyone confirm if this feature is supported on the ACE and if the above configuration could be a good one?
Many thanks for your help.
Regards/Ludovic.Ludovic,
ACE does not NAT bridged traffic.
You could catch it with a catch-all-destination class-map
ie:
class-map all
match virtual 0.0.0.0 0.0.0.0 any
And use a transparent serverfarm sending all traffic to a unique default gateway.
That would work.
Gilles. -
ACE bridge mode , FWSM routed mode
i have the following senario:
MSFC ---vlan 777----FWSM----vlan160---ACE----VLAN180
FWSM is working in routed mode and vlan 777 is shared between the MSFC and FWSM
ACE is working in bridged mode and vlan 160 is shared between the FWSM and ACE
vlan 180 is the server side vlan
i want he FWSM ip address to be the Server gateway while ACE module in
bridge mode
i create bvi interface but i can't ping from ACE to FWSM or from FWSM to
ACE
if i change ACE to routed mode , i can ping to FWSM
any body can help me in this issue?The config looks good.
I would look at the arp table on FWSM and ACE when the ping fails and also capture a sniffer trace of ACE tengig interface and see if the ping request goes out - on which vlan - and if we get a response.
Is evertyhing else working ?
Like ping through the ACE module ?
Your config does not show a 'no shutdown' on the vlan interface, but I assume you fixed that already.
Gilles. -
Routed or bridged mode + licensing question
Hi Cisco ACE gurus,
I have the following questions and I would be grateful if anyone could answer them.
1) As we know the basic license for ACE limits its throughput to 4Gbps. What does it mean? Does it mean that only load balanced traffic is limited (policed) to 4Gbps? Or any other traffic passing through ACE is limited to 4Gbps (from what I know ACE is a cef720 linecard having 20Gbps to a switch fabric)?
My question comes from the following scenario. Let's say ACE is deployed in routed mode and it has 1 client vlan and 2 server vlans. There are VIPs, serverfarms, rservers defined etc.... Now there is a need for a rserver from vlan1 to communicate with a rserver from vlan2 (directly and not through a VIP). In this scenario def gateway of both servers points to ACE (ACE is doing inter-vlan routing).
So in this case in order to allow for that communication I would need to create ACLs and apply them to ACE interfaces.
Does it mean that the traffic would be limited to only 4Gbps?
2) let's say I have 2 DC (2 different geo locations). ACE is located only in one of them. Real servers are dispersed in both of them. ACE is deployed in routed mode. Is it possible to configure ACE in such a scenario (to server VIPs for clients when rservers are in 2 different DC)?
My assumption is that it is possible and in order to do that I would have to use NAT (and source NAT client traffic) so that traffic sent from client to a VIP could be src natted and go to the other DC (through client vlan), reach the rsevers in the other DC and come back.
Is it possible to also do that while ACE is deployed in bridged mode?
While reading about ACE and NAT I came across the sentence "ACE is not able to NAT bridged traffic". What does it mean?
regardssorry Marko but I am lost. We are talking now about one-armed mode of deployment. There
are 2 contexts and the same vlan is used in both of them (that's why it is shared). In this case I don' understand what you wrote "you have server A in the shared VLAN of context A, you can not reach a VIP from context B" ... that is the same vlan so I can't see any problems..... unless you are describing situation for bridged mode deployment of ACE. -
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
I am not able to ping servers as well as gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
ip address 172.16.11.1
inservice
rserver host srv2
ip address 172.16.11.2
inservice
serverfarm host srv
rserver srv1
inservice
rserver srv2
inservice
sticky ip-netmask 255.255.255.255 address both SG1
timeout 120
serverfarm srv
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
sticky-serverfarm SG1
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 11
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 172.16.11.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you pls. suggest where I am doing wrong?
Thanks,
Pawan" I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch ? Trunk or access vlan ?
What is the status of the interface ? up ? down ?
Do you see something in your arp table ?
Gilles. -
Ace module in bridged mode with client nat
Could someone confirm whatever a NAT is supported for ACE-20 module, please?
Let me to explain technical details.
I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure
if the configuration below is correct. ACE module should be configured in bridge mode with two
vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
NAT on ACE configurad as "nat dynamic 1025 vlan 436" into corresponding
"policy-map type loadbalance"
Could you check two parts of configs and advise me if the ACE config is
properly converted from CSM and will be working in the same way (especialy for NAT).
Thank you in advance.
CSM config
=======
vlan 36 client
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
gateway 10.36.3.1
vlan 436 server
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
sticky 30 netmask 255.255.255.255 address source timeout 60
probe SHAREPOINT tcp
interval 30
failed 120
open 3
port 80
probe WEBMAIL-443 tcp
interval 5
failed 60
open 2
port 443
serverfarm WEBMAIL-443
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 443
inservice
real 10.36.3.102 443
inservice
probe WEBMAIL-443
serverfarm WEBMAIL-80
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 80
inservice
real 10.36.3.102 80
inservice
probe SHAREPOINT
vserver WEBMAIL-443
virtual 10.36.3.100 tcp https
serverfarm WEBMAIL-443
sticky 60 group 30
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver WEBMAIL-80
virtual 10.36.3.100 tcp www
serverfarm WEBMAIL-80
replicate csrp connection
persistent rebalance
inservice
ACE config
=======
probe tcp WEBMAIL-443
interval 5
open 2
passdetect interval 60
port 443
probe tcp SHAREPOINT
interval 30
open 3
passdetect interval 120
port 80
serverfarm host WEBMAIL-443
predictor leastconns
probe WEBMAIL-443
rserver 10-36-3-101 443
inservice
rserver 10-36-3-102 443
inservice
serverfarm host WEBMAIL-80
predictor leastconns
probe SHAREPOINT
rserver 10-36-3-101 80
inservice
rserver 10-36-3-102 80
inservice
class-map match-all WEBMAIL-80
match virtual-address 10.36.3.100 tcp eq www
class-map match-all WEBMAIL-443
match virtual-address 10.36.3.100 tcp eq https
sticky ip-netmask 255.255.255.255 address source 30
serverfarm WEBMAIL-443
replicate sticky
timeout 60
policy-map type loadbalance first-match WEBMAIL-80
class class-default
serverfarm WEBMAIL-80
nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
class class-default
sticky-serverfarm 30
nat dynamic 1025 vlan 436 serverfarm primary
parameter-map type http HTTP_ADV_OPT
persistence-rebalance
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
interface vlan 36
bridge-group 36
service-policy input IFVLAN36-POLICY
mac-sticky enable
no shutdown
interface vlan 436
bridge-group 36
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
no shutdown
interface bvi 36
ip address 10.36.3.3 255.255.255.0
peer ip address 10.36.3.4 255.255.255.0
no shutdownHello F.Makarenko-
You will want to use PAT while you do nat, so change the natpool configuration to this:
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
You also need to apply the nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
If you are going to build out a lot of classes, you can instead do source nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
class class-default
nat dynamic 1025 vlan 436
Regards,
Chris Higgins -
Design question: ACE module connected to 2 different L3 engine while in bridge mode
fellow engineers,
i have been working on a design model , where the ACE mldule will provide SLB for both virtual and real servers. we have been deploying several UCS systems and the customer would like to use the ACE as our Enterprise SLB layer
configured in bridcge mode.
the msfc within the 6509 provide the L3 routing. however we may extends multiple vlans (v160-v163) via nexus switch layer (7k,5k,2k) to a FW appliance which now is the svi interface for the extended vlans. these vlans will be configured on a dedicated context.
the extension is based on the bridge mode operation as follow:
need help with the following:
1) if i have 4 bvi's configured, do i need to have default route configured?
2) my total count for vlans are: v160-v163 for server vlans, and v101 is the management vlan. the svi for this vlan is on the msfc card. the server GW are pointing to each dedicated svi's on the FW+L3 apliance.
3) if my default route on the context is pointing to the v160 svi on the FW+L3 engine, will that prevent the return traffic for other vlans ( v161-v163) from the ace toward the client?
4) is default route neccessary if you hae the ace in bridge mode.
it was brought to my attention that if you have multiple vlans configured in bridge mode pointing to another L3 engine, then each vlan would have to be configured on seperate context since you can only have one default route per context.
i appreciate any feedback on this inquiry. if you need additional information please le me know.
thanks and best regards,
raman azizianHi Raman,
You can have up to eight default routes in one context. What the ACE is doing with the entries is to create a ARP-entry with the name GATEWAY. If you need more then eight entries, just declare gateway as rservers. In that case the ARP-entry is stored as RSERVER instead of GATEWAY. The trick is to tell ACE to learn the MAC-address for the IP-address and store it int the ARP-table. The ACE never learn for itself a MAC-address. Don't forget mac-sticky enable on vlan's facing gateway.
I'm running one context in bridge mode and have 18 bvi's with FW and Router 6509 as gateways.
Exampel:
Interface to ROUTER 6509
interface vlan 300
bridge-group 300
no normalization
mac-sticky enable
access-group input BPDU
access-group input alla
access-group output alla
service-policy input lb-int-vlan300
no shutdown
rserver host 300GATEWAY
ip address 164.135.121.47
inservice
A#1/prod1# sho arp | i 164.135.121.47
164.135.121.47 00.08.e3.ff.fc.14 vlan300 RSERVER 4775 239 sec up
A#1/prod1#
Interface to FIREWALL
interface vlan 802
bridge-group 802
no normalization
mac-sticky enable
access-group input BPDU
access-group input alla
access-group output alla
service-policy input lb-int-vlan802
no shutdown
rserver host 802GATEWAY
ip address 192.168.137.1
inservice
192.168.137.1 00.23.33.6a.bf.80 vlan802 RSERVER 4785 5 sec up
Regards
Mats -
ACE MODULE IN BRIDGE MODE NOT LOADBALANCING
Hi,
I setup an ace module in bridge mode as follows:
mfsc(vla80) > (vla80)outside fwsm, fwsm inside(vla40) > (vla40)ace-clientside, aceserverside(vla41)
and the servers have the fwsm svi(vla40) as their gateway. But, the ace is not loadbalancing.
The config script is attached. Is their anything I am missing?
AttachCheck my troubleshooting guide on this forum.
There are few things to do to narrow down the issue.
Gilles. -
ACE problem - bridge mode - behind a firewall
Hello
We are having problems with one of you ACE context, this implementation was done by a supplier and I am trying to troubleshoot it.
The clients and the servers are on different subnets, there is a Nokia firewall in the middle. The firewalls are setup on a cluster.
Connecting to port 7072 is taking at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant. So it does indicate a problem on the ACE.
The client IP is .99.11.
The VIP is .100.62 and the server node is .100.12.
Running the capture command I can see the following behavior:
1. The client initiates the connection to the ACE Vip
2. At the same time it looks like a second connection is initiated from the client to the server node
Please see attachment.
Is this a normal situation where the connection is duplicated?
Does this interface setup look correct?
Is the bridge mode the correct setup in this scenario?
interface vlan 10
bridge-group 2
no normalization
mac-sticky enable
access-group input PERMITALL
service-policy input VLAN10-INTER-MMPM
no shutdown
interface vlan 15
bridge-group 2
no normalization
access-group input PERMITALL
no shutdown
interface bvi 2
ip address 192.168.100.7 255.255.255.192
alias 192.168.100.6 255.255.255.192
peer ip address 192.168.100.8 255.255.255.192
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.100.1
Many thanks,
DamianThanks for replying James,
I am sure I configured the capture only for VLAN10 which is in the VIP side.
But you are right, it looks like is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)
This is a new installation, still on the testing stage. So it would be good time to make changes.
Do you normally implement a routed setup behind a firewall? Rather than a bridgedâ¦.
It is quite a small setup:
⢠Traffic is coming from a separate local subnet
⢠Traffic is not coming from the internet so it does not required a NAT
⢠We need 1 VIP listening on two ports
⢠The backend servers are four Linux boxes
Thanks again,
Damian -
ACE 4170 port redirection in Bridged mode
Hi Friends,
Is it possible to do port redirection on ACE while it is configured on Bridged Mode. For example. a user is accessing the Loadbalancer VIP on port 80 and this is redirected to port 8080 on backend servers?
I have attached a diagram for easier understanding. Is there a need to configure NAT in such cases?
Any help will be appreciated. Thanks in advance guys.Hi,
if you want to allow ping to the VIP address, you only need to apply this command in your L3-4 policy map:
loadbalance vip icmp-reply
example:
policy-map multi-match L4-TEST-VIPS
class WWW-TEST
loadbalance vip inservice
loadbalance policy WWW_POLICY
loadbalance vip icmp-reply
more info can be found here:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1000929
If you want ICMP to pass through the ACE tp reach the real servers, you need to allow it in an ACL.
Hope this helps,
Dario -
ACE in bridged mode and multicast
We have configured an ACE SM in bridge mode and have a requirement to enable multicast on one of the networks where the back-end servers are residing. Will ACE support multicast out of the box, or will we need to do any tweaking on the ACE to enable the multicast support?
Thanks..Hi Gilles,
Is it also supported in routed mode?
The ace isn't doing multicast routing right?
Actually, the server-side vlan is being routed on the C6500 and has pim sparse-dense mode enabled.
We want to move this server-side vlan behind the ace in routed mode. What about the pim?
Any ideas?
thanks,
Dario -
Hi All,
I've a quick question about bridged mode in an ACE module.
Is it possible to have the servers on a separate subnet rather than on a directly connected VLAN?
Due to limitations brought on by physical aspects of the setup (and also security policy), I cannot put the ACE right next to the servers. ACE on a stick isn't feasible due to PBR smashing the CPU of the msfc so I'm thinking the ACE needs to be in bridged mode as we have to keep IP address transparency so the servers can perform policy functions based on client IP address.
I've attached a .jpg illustrating the basic setup.
The pertinent question i guess is: Can we use the ACE to loadbalance to servers that are NOT on the bridged VLAN subnet and will also quite possibly be on different subnets themselves?
Any suggestions are very much appreciated.
Thanks All!
BradHi Brad,
As long as there is one to one nat on the firewall it should work just fine.
Even though the servers will be one subnet away but the natted IP will act as local IP for the ACE.
For config reference look at the following link :
http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
hope that helps.
regards,
Ajay Kumar -
ACE Bridge-mode: How to do FT?
Dear All,
I've set up a test user context in Bridge mode on an ACE blade and now want to set up FT to a second blade. The manuals have confused me slightly and most of the examples I have seen relate to routed mode.
In my topology I have Router1 connected to Router2 which has the ACE blade. Router1 is also connected to Router3 which is in turn connected to Router4 which contains a second ACE blade.
Do I create an identical configuration for the context on the second blade and how to I define the FT vlan?
The current configuration and toplogy are attached. Any pointers would be much appreciated.
Thank you
CathyGilles,
The Admin Guide warns about the use of the force option (7-20) - and the command itself warns of possible network disruption.
Without the force option these are the states of the two blades:
ace1/Admin# sh ft gro 1 de
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 200
My Net Priority : 200
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Sep 18 08:10:30 2007
No. of Contexts : 1
Context Name : Test
Context Id : 2
ace2/Admin# sh ft gro 1 de
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_STANDBY_HOT
My Config Priority : 100
My Net Priority : 100
My Preempt : Enabled
Peer State : FSM_FT_STATE_ACTIVE
Peer Config Priority : 200
Peer Net Priority : 200
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Sep 18 08:10:29 2007
No. of Contexts : 1
Context Name : Test
Context Id : 1
switchover
ace1/Admin# sh ft gro 1 de
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_STANDBY_BULK
My Config Priority : 200
My Net Priority : 200
My Preempt : Disabled
Peer State : FSM_FT_STATE_ACTIVE
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Sep 18 09:31:20 2007
No. of Contexts : 1
Context Name : Test
Context Id : 2
ace2/Admin# sh ft gro 1 de
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 100
My Net Priority : 100
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority : 200
Peer Net Priority : 200
Peer Preempt : Disabled
Peer Id : 1
Last State Change time : Tue Sep 18 09:31:33 2007
No. of Contexts : 1
Context Name : Test
Context Id : 1
I can ping my PC from the standby blade, but a traceroute to the VIP for the webservers still shows it going to the router housing the primary ACE blade even though the context on the standby blade is active.
Thanks
Cathy -
I have one ACE configured in bridge mode.
for proxy users : they have the VIP as proxy so the traffice from the client with destination the VIP
but there are some users without proxy so we used the Policy Base Routing and it is working and can see the connections on the ACE
but with destination IP of the websites so the traffice is not comming back as show below
BC-LB1/BlueCoat# sho conn | include 10.1.50.10
1782765 1 in TCP 210 10.1.50.10:52052 67.195.160.76:80 SYNSEEN
1355728 1 out TCP 210 67.195.160.76:80 10.1.50.10:52052 INIT
BC-LB1/BlueCoat#
in the PBR , we used the VIP as next hop address.
please advice what is the problem?
thanks in advanceGood afternoon,
As you mentioned, it seems the return traffic is not coming back through the ACE. You should review your PBR configuration to ensure that also the return traffic is matched and sent to the ACE
Regards
Daniel
Maybe you are looking for
-
when i log on to the page i get kicked back to the log on screen every other mouse click. == URL of affected sites == http:///s4.travian.us/dorf1.php
-
ICal 3.0: Last day of the month repeating event
I am migrating back to iCal after a few years using Entourage. I am trying to set up calendar events and reminders for the last day of every month, but I can't figure out how to do it. In Entourage this was easy. Any advice? Thank you.
-
I tried to download and install the new IOS7 software to my IPhone 4 three times but nothing happened. What do I do next? I no longer have a "1" by my settings.
-
BOOTMGR missing ( no data on laptop can be found)
Hi, I've purchased an HP Pivillion G6z notebook PC a month ago and my lil nefhew accidently knock down my laptop. it's shut down right away after that i try turing it back on again and again but the white letter keep showing up " BOOTMGR missing" I'v
-
SQL Developer 1.2 for Win hangs on startup
Hi. I have a problem with starting SQL Developer (1.2, JRE included) on certain Windows XP machines - after closing the start-up extensions preferences dialogue window the interface hangs. A shadow of the dialogue window is still visible and the inte