ACE Topology

Hi,
I have two ACE 4710 appliances with four gig ports in the head office and one ACE in the DR site. In the head office I am running Active/Active contexts in routed mode. My ACE is doing the routing as well as the load balancing. The disaster recovery site ACE is a stand-alone routed-mode unit with one context.
In the current situation, if ACE box one goes down, load balancing will start happening from context two on ACE box two.
But now I want to add the third ACE, which is located in the DR site, in such a way that if both ACEs in the head office go down, load balancing will start working from the DR ACE.
The head office unit has four gigabit ports: one each for LAN, WAN, Internet and management. I don't have an extra port in the head office.
I need assistance: if this is possible, any example, or someone who has configured it in his network.

Fault tolerance configuration in ACE is limited to two physical devices, which are configured in active/standby mode and exchange state, configuration and heartbeats via a dedicated fault-tolerant VLAN. You can configure fault tolerance for virtual contexts separately, and they do not have to follow the device-level active/standby assignment, but you are still limited to two physical devices. If this is the configuration you have at the head office, then you will not be able to add a third device regardless of how ports or contexts have been configured.
For fail-over across sites (i.e. head office and DR site) you should consider a global site load-balancing solution such as Cisco Global Site Selector (GSS). Using GSS you can monitor the availability of the ACE devices at the head office and, in case of failure, trigger a DNS-based rule which will direct traffic to the DR site ACE. -George K.

Similar Messages

  • Moving from CSS to ACE

    I'm trying to find documentation on moving from a CSS to the ACE but have not been able to find much on the ACE in general (no books at all). Does anyone have any info on this? We are currently using the CSS for multiple web and server farms, and are looking to add SSL into the mix. I'm trying to decide if we should just offload the SSL to the ACE for now (eventually migrating completely to the ACE) or if we should convert everything over at the same time.
    Any links or book suggestions would be appreciated!

    Hi,
    Here is the official link to the ACE documentation (but you have probably already found this...):
    http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html
    I don't believe that there is a book, as this is a relatively new product. Also, don't hope too much to find a migration guide :)
    You may use some design guides for the CSM module and try to apply part of them to the ACE (the topology will be similar for ACE and CSM, but with ACE you additionally have the possibility of virtualization/contexts).
    But pay attention, because ACE and CSM have completely different config command syntax and configuration philosophy!
    I did not quite understand your dilemma regarding migration?
    Personally, I have not yet had a chance to implement SSL offload on ACE, but it sounds logical to move the server farm that will use SSL offload behind the ACE, and do SSL termination and load balancing for that server farm on the ACE. Then, gradually, you can move other servers behind the ACE...
    You will have to decide based on the conditions and requirements in your network, and after reading thousands of pages of documentation... ;)
    Good luck!
    Best regards,
    Jasmina

  • ACE 4710 in bridge mode not working

    I am trying to configure ACE 4710 bridge mode and I am stuck in the physical interface configuration. I have configured gig1/2 of the ACE as a trunk port, and on the layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried a trunk port also, but it got disabled due to a BPDU error.
    I am not able to ping the servers or the gateway. Below are the topology and the context configuration:
    Router   (vlan 13: IP 172.16.11.254)
         |
    ACE     (int gig1/2)
         |
    L2 Switch
         |
    Servers (vlan 11: IP 172.16.11.1 and 11.2)
    Admin Context
    ===========
    resource-class rc1
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 0.20 maximum unlimited
    boot system image:c4710ace-mz.A3_2_4.bin
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      switchport trunk allowed vlan 11,13
      no shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 172.16.16.16 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.16.254
    context test
      allocate-interface vlan 11
      allocate-interface vlan 13
      member rc1
    test Context
    =========
    access-list bpdu-fixup ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    rserver host srv1
      ip address 172.16.11.1
      inservice
    rserver host srv2
      ip address 172.16.11.2
      inservice
    serverfarm host srv
      rserver srv1
        inservice
      rserver srv2
        inservice
    sticky ip-netmask 255.255.255.255 address both SG1
      timeout 120
      serverfarm srv
    class-map type management match-any remote-mgmt
      201 match protocol snmp any
      202 match protocol ssh any
      203 match protocol icmp any
      204 match protocol http any
      205 match protocol https any
      206 match protocol xml-https any
    class-map match-all slb-vip
      2 match virtual-address 172.16.11.10 any
    policy-map type management first-match remote-mgmt
      class remote-mgmt
        permit
    policy-map type loadbalance first-match slb
      class class-default
        sticky-serverfarm SG1
    policy-map multi-match client-vips
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
    interface vlan 11
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      no shutdown
    interface vlan 13
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      service-policy input remote-mgmt
      service-policy input client-vips
      no shutdown
    interface bvi 1
      ip address 172.16.11.9 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.11.254
    Could you pls. suggest where I am doing wrong?
    Thanks,
    Pawan

    "I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
    What is the setup on the switch? Trunk or access VLAN?
    What is the status of the interface? Up? Down?
    Do you see something in your ARP table?
    Gilles.

  • ACE as cache engine for wccp redirection

    Does anybody know if the ACE 4710 appliance supports WCCP acting as a web-cache engine? I am exhausting all possible options, and then some, for deploying a new application networking environment. I just returned from ACE training last week and found myself ramping up to deploy a new ACE.
    I have pretty much exhausted my options for topology. We discussed several different designs in class and I don't like any of them. I have some serious problems with using the ACE as a default gateway for servers. That option is out due to how other "non-application" traffic is handled. Traffic such as RDP from IT support staff, patching from SMS servers, virus DAT updates, vulnerability scanning... it all routes to the ACE, which has to have static routes... then clients hitting the application VIPs have to be NATed so the ACE does not use the static routes and reply directly... it all becomes a very big problem over time.
    The second and third options are one-armed and direct server return... both not suitable for my requirements.
    Now... that leaves me with an option we currently have deployed. That is to use a distribution route-switch (Catalyst 4500 Sup-IV) in the middle. The Cat uses PBR to return HTTP traffic from the web servers back to the ACE. All other traffic follows the normal routing table.
    OK... that works perfectly... except PBR is not supported in the Sup-6 engine. Unbelievable... I know. This is a major fly in the ointment for this new deployment.
    Now... there is another protocol that is often used for redirection... WCCP. If the ACE were a WCCP web cache, the router could be configured to redirect ingress HTTP to the ACE. But... the ACE would have to act as a web-cache engine and register with the Cat as a home router.
    I am sure this option is not an option... but it would be nice. The ACE 4710 appliance has the general processor to do it, but it would have to be implemented in software. I'm running A3(1.0) and I cannot find anything related to WCCP. Nothing in the command reference.
    If there are any Cisco developers interested in adding some killer functionality... this would be it. WCCP can be done in layer 2 as well as layer 3. The Sup-6 supports layer 2 redirection. Since the ACE is generally layer 2 adjacent this would be rather easy to implement. Anyway... food for thought.

    I just would like to mention that you could have the ACE in bridge mode inserted between your servers and the gateway (4500).
    All traffic will go through the ACE, but there is no need for NATing and no static routes (just one default route pointing to the 4500).
    The only problem would be if you exceed the bandwidth of the 4710 with all your traffic.
    Regarding WCCP support for the 4710, this is not currently in our roadmap.
    Ask your Cisco account team to introduce the request.
    Thanks,
    Gilles.

  • Regarding ACE load balancing

    Hi,
    I have one server application with two physical servers clustered with one virtual IP address. I have a total of six IP addresses for one server; details are given below.
    Cluster IP’s :
    Node 1 :
    NIC 1 : 10.10.x.x : physical IP address
    NIC 2 : 172.16.x.x : heartbeat address used in between server
    Node 2 :
    NIC 1 : 10.10.x.x : physical ip address
    NIC 2 : 172.16.x.x : heartbeat address used in between server
    Cluster IP : 10.10.x.x : clustered IP address used to access server
    SQL IP : 10.10.x.x : clustered IP address used to access SQL application .
    Now I want to achieve server load balancing using the ACE module. Please suggest how to fulfil this requirement. How do I do this?
    Do I need to remove the virtual IP and directly bind the two physical IPs to the ACE virtual IP address?
    How do I check the ACE server load-balancing configuration with a live server? Do we have any tool to check the packet behaviour to confirm that load balancing is happening properly between the two physical servers?
    Please guide me and share the knowledge.

    Hi Vinod,
    You are correct. In order to achieve load balancing with an ACE blade, you need to configure the addresses of the two servers separately. If you look at the documentation page on cisco.com for ACE (http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html) you will find sample configurations for the most common topologies.
    As for how to verify that the load balancing is working correctly, you can use the command "show serverfarm", which will list all the servers in a serverfarm, along with the current and total connection numbers for each of them.

  • ACE Load Balancing Design L2 Vs L3 Serverfarm

    Hi all,
    I have to understand in depth the good and bad points of an L2 topology (server farm directly connected to the ACE) versus an L3 server farm (of course latency may be just a bit higher, and keepalives need to be tuned well).
    Do you have any experience of a remote server farm (maximum 1 hop away)?
    PS: I'll use the ACE module with a SUP720-10G and FWSM.
    tnx anyway
    Das

    Hi Das,
    Well, I've configured all my serverfarms as L3 farms, some of them multiple hops away. So far, latency has not been an issue, nor have I felt the need to fine-tune my probes or spend much time digging into server response time.
    I guess it all comes down to your infrastructure and your design scenario, but I would think that directly attached rservers mostly come in handy when deploying your ACE in bridge mode or when, for some reason, you cannot use client NAT to avoid any possible routing issue.
    hth
    /Ulrich

  • ACE 4710 transparent LB with two Caches and two routers.

    Hello,
    I have an ACE 4710 that load balances two CacheFlows (Blue Coat). I am doing PBR on the routers to send the traffic destined to port 80 to the ACE and then to the cache farm. After that the CacheFlow will get the page from the Internet via two routers. The return traffic will match another PBR on the routers with source port 80 that will send it to the ACE and then to the CacheFlow again... then to the users.
    I am not using IP spoofing on the CacheFlow for now. In the attached figure I created a VIP 0.0.0.0 0.0.0.0 port 80 on the ACE interface facing the routers, but the question is: do I have to create another VIP 0.0.0.0 0.0.0.0 port 80 on the ACE interface facing the CacheFlow, or just forward the traffic on the default route? What might be the default route, since I have to use two routers and I cannot use HSRP?
    Kindly I need some assistance
    Thank you and regards,
    George
    access-list PERMIT_ALL line 8 extended permit ip any any
    access-list CFLOW line 8 extended permit ip any any
    ip name-server 8.8.8.8
    ip name-server 4.2.2.2
    ##################################Config for Cache Cache Servers###################
    probe http CISCO_WWW_PROBE
      ip address 72.163.4.161
      interval 2
      faildetect 2
      passdetect interval 2
      passdetect count 5
      request method head url /index.html
      expect status 200 200
      exit
    probe http YAHOO_WWW_PROBE
      ip address 87.248.112.181
      interval 2
      faildetect 2
      passdetect interval 2
      passdetect count 5
      request method head url /index.html
      expect status 200 200
      exit
    serverfarm host TRANSPARENT_PROXY_SF
      description Transparent Proxy Farm
      transparent
      predictor hash url
      probe CISCO_WWW_PROBE
      probe YAHOO_WWW_PROBE
      rserver CFLOW01
        inservice
      rserver CFLOW02
        inservice
      exit
      exit
    ############################################# Router Cache Farm ############################
    probe icmp ICMP_PROBE
      description *** Probe for icmp health monitoring ***
      interval 5
      faildetect 2
      passdetect interval 60
      passdetect count 2
      exit
    rserver host Router01
      description Connection to Sodetel Router
      ip address 192.168.14.4
      probe ICMP_PROBE
      inservice
    rserver host Router02
      description Connection to IDM Router
      ip address 192.168.14.5
      probe ICMP_PROBE
      inservice
    serverfarm host Routers
      description Transparent Proxy Farm
      transparent
      predictor hash url
      probe ICMP_PROBE
      rserver Router01
        inservice
      rserver Router02
        inservice
      exit
      exit
    ################################# Management################################
    class-map type management match-any REMOTE_MGMT
      description Allow Remote management for below protocols
      8 match protocol icmp any
      9 match protocol ssh source-address 172.31.13.31 255.255.255.255
      10 match protocol ssh source-address 172.31.31.21 255.255.255.255
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_MGMT
        permit
    class-map match-all CFLO2Internet
      2 match virtual-address 0.0.0.0 0.0.0.0 any
    class-map match-all TRANSPARENT_VIP_CM
      2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
    policy-map type loadbalance first-match TRANSPARENT_LB_PM
      class class-default
        serverfarm TRANSPARENT_PROXY_SF backup Routers
    policy-map type loadbalance first-match CFLO2Internet_LB
      class class-default
        serverfarm Routers
    policy-map multi-match CFLO2Internet_PM
      class CFLO2Internet
        loadbalance vip inservice
        loadbalance policy CFLO2Internet_LB
        loadbalance vip icmp-reply active
        connection advanced-options TCP
    policy-map multi-match L3L4_PM
      class TRANSPARENT_VIP_CM
        loadbalance vip inservice
        loadbalance policy TRANSPARENT_LB_PM
        loadbalance vip icmp-reply active
        connection advanced-options TCP
    ====Interfaces======
    interface vlan 11
      description Interface between Routers and ACE
      ip address 192.168.14.2 255.255.255.224
      alias 192.168.14.1 255.255.255.224
      peer ip address 192.168.14.3 255.255.255.224
      no icmp-guard
      access-group input PERMIT_ALL
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input L3L4_PM
      no shutdown
    interface vlan 21
      description Connection to CFlow ServerFarm
      ip address 192.168.12.2 255.255.255.224
      alias 192.168.12.1 255.255.255.224
      peer ip address 192.168.12.3 255.255.255.224
      no icmp-guard
      access-group input CFLOW
      service-policy input CFLO2Internet_PM ------>>>> Is this necessary???
      no shutdown

    Hi George,
    In the topology you described, only the service-policy on the interface towards the routers is necessary. For the traffic from the caches, the ACE will just forward it to the default gateway.
    The only problem is, as you mentioned, that you cannot use HSRP. In that case, you can still configure two default gateways, but there is no way to predict which one the ACE will use at a given time (the way it selects the one it will use is by sending an ARP request to both gateways and using the one that replies first, until the ARP entry expires).
    If you need to load-balance the traffic between both routers, then yes, you would need to configure a new VIP on the cache side and load-balance to a transparent serverfarm composed of both routers.
    Regards
    Daniel

  • Why do I see "FAILED" for probes on standby ACE?

    Hi there,
    I am running a pair of ACEs in redundancy mode for HA and have created multiple contexts.
    here is my basic config for the serverfarm.
    serverfarm host VPN_Farm
      transparent
      failaction purge
      predictor leastconns
      probe ICMP_Probe
      rserver SVR_A
        probe ICMP_Probe
        inservice
      rserver SVR_B
        probe ICMP_Probe
        inservice
    So, on the active unit, I can see that the probes are running fine. However, if I do "show probe" on the standby unit, it appears that all my probes fail.
    Result of  "show probe" captured from Standby Unit.
    probe       : ICMP_Probe
    type        : ICMP
    state       : ACTIVE
       port      : 0       address     : 0.0.0.0         addr type  : -          
       interval  : 15      pass intvl  : 60              pass count : 3   
       fail count: 3       recv timeout: 10  
                    ------------------ probe results ------------------
       associations ip-address      port  porttype probes   failed   passed   health
       ------------ ---------------+-----+--------+--------+--------+--------+------
       rserver        : SVR_A
                          1.1.1.1   0     --                       109      109      0        FAILED
    Is it normal to see failed probes on the standby unit?
    Thank you
    Best Regards

    Hi Hyeon,
    Some questions here.
    Is this an ACE module or an ACE 4710? What version?
    Are both ACE peers connected to the same switch, or how do you have them set up? Can you describe your topology a little?
    From the standby, Did you try to ping/telnet the servers?
    Did you try to remove the probe and re-add it back? (get a #show tech-support before and after)
    Is there any firewall or L3 device between the ACEs and the servers?
    Do you use these servers for several contexts? Is the probe failing in all the contexts?
    Jorge

  • ACE 4700 one-arm design with SSL termination

    Hi,
    We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
    1. Are there any limitations in the one-arm design and the SSL offloading?
    2. Can the ACE be configured with an IN and an OUT VLAN to the router
    CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server VLAN
    so that the SSL and the clear-text traffic are in separate VLANs?
    3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. I assume this is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
    I would appreciate it if you could share some sample configs.
    Regards,
    George Georgiou

    There are two ways to implement a one-arm topology:
    1. One arm with PBR, and 2. One arm with source NAT.
    PBR/source NAT is needed to ensure that the return traffic from the real servers does not bypass the ACE.
    1. Are there any limitations in the one-arm design and the SSL offloading?
    The limitations/config issues I can think of are the following.
    One arm with PBR:
    Direct access to servers requires enabling asymmetric routing (by turning off normalization). If direct server access is not required then you don't need to enable asymmetric routing. For these asymmetric connections (direct server access return traffic) it is required to purge idle connections more frequently (the default being one hour).
    One arm with source NAT:
    You will lose the client information. Server logs will show the connections initiated from the NAT IP pool configured on the ACE.
    2. Can the ACE be configured with an IN and an OUT vlan to the router
    CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
    so that the SSL and the clear text traffic is in a separate Vlan?
    Yes, you can do that, but wouldn't it make it a routed-mode topology?
    3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. I assume this is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
    As I said earlier, you lose the source IP address with source NAT. But with the ACE you have the option to use header-insert and insert this source IP as an HTTP header.
    Details at
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
    HTH
    Syed Iftekhar Ahmed
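    Once the ACE source-NATs client connections and carries the original client address in an inserted HTTP header, the servers must treat that header as trustworthy only when the connection actually arrived from the ACE; a client that reaches a server directly (or a client that sends the same header name itself) can otherwise spoof any address into the logs. The following is an added example of that check on the server side, not code from the post or from Cisco. It assumes the inserted header is named X-Forwarded-For (the header name is configurable on the ACE) and uses a constructed NAT pool of 10.1.1.0/28 for the addresses the ACE presents to the servers.

```python
"""Trust a load-balancer-inserted client IP header only when the request
really came through the load balancer.

Added example, not from the original post. Assumes the ACE does source NAT
plus HTTP header insertion of the original client address, that the inserted
header is named X-Forwarded-For (an assumption; the name is configurable),
and that the ACE NAT pool toward the servers is 10.1.1.0/28 (constructed).
"""
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed: the address range the ACE NATs client connections to. Only
# connections arriving from these addresses have passed through the ACE.
ACE_NAT_POOL = ["10.1.1.0/28"]
INSERTED_HEADER = "X-Forwarded-For"   # assumed header name


def _valid_ip(value: str) -> Optional[str]:
    """Return the address in canonical form, or None if it does not parse."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def client_ip(remote_addr: str,
              headers: Dict[str, List[str]],
              nat_pool: Iterable[str] = ACE_NAT_POOL,
              header: str = INSERTED_HEADER) -> str:
    """Return the address the application should log as the client.

    headers maps a header name to its values in arrival order (a client may
    send its own copy of the header; the ACE adds another after it). The
    inserted value is honoured only when the TCP peer is an ACE NAT address;
    otherwise the header is attacker-controlled and ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    via_ace = any(peer in ipaddress.ip_network(net) for net in nat_pool)
    if not via_ace:
        return remote_addr
    values = [v for name, vs in headers.items()
              if name.lower() == header.lower() for v in vs]
    if not values:
        return remote_addr
    # The trusted hop's header is the last one; if values were merged into a
    # comma-separated list, the last element is the one it appended. Anything
    # that is not an IP address is treated as absent, never logged verbatim.
    last = values[-1].split(",")[-1]
    return _valid_ip(last) or remote_addr


if __name__ == "__main__":
    # Relayed by the ACE: the inserted header identifies the client.
    print(client_ip("10.1.1.5", {"X-Forwarded-For": ["203.0.113.9"]}))
    # Same header on a direct connection that bypassed the ACE: ignored.
    print(client_ip("198.51.100.7", {"X-Forwarded-For": ["203.0.113.9"]}))
```

The same rule applies to whatever the application does with the address afterwards (access control, rate limiting, audit logs): a header value is only as trustworthy as the hop that wrote it, so the NAT pool check is what turns the ACE's header insertion into usable client identity.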

  • Help in design ace "waas"

    I am designing a WAAS solution with ACE interception and I found some issues. I attached a simple topology for the network: it has 150 branches, and we will implement WAAS in 6 branches as a start. The topology has two 6500s, each with one ACE module.
    1. As a start, I know that I should make 3 VLANs: one for servers, one for the WAEs and one for clients. I don't have a problem with the servers or the WAEs; my issue is that the branches are connected to the 6500 directly via serial, so I can't make a VLAN for the clients to apply the load-balance service policy on. I need to apply it to the serial interfaces directly.
    Can I do that with ACE? For example, in the case of a client VLAN I would assign the VLAN to the ACE; do I need to do the same thing for serial interfaces?
    2. Should I configure the default gateway for the core WAE on interface vlan500 of the 6500 (which contains the WAEs)?
    3. I didn't configure failover between the 2 ACEs; that means a separate VLAN for the right WAEs and one for the left. Will that cause any problem? Note that some branches are connected to each other; I'm talking about asymmetric routing.

    Usama,
    Are you configuring ACE in bridged or routed mode? I have attached 2 sample configurations, depending on which mode you are using.
    Answers to your questions:
    1. The service-policy is applied on the VLAN interfaces created on the ACE module, not on the VLAN interfaces created on the MSFC.
    2. In the examples I attached, the default gateway for the WAEs is the VLAN interface on the ACE where the WAEs reside.
    3. You need to ensure that ACE (and WAAS) see the traffic symmetrically. I would recommend configuring the ACE modules as a redundant pair.
    Zach

  • How to install a root certificate of private CA for SSL initiation in ACE 4710 ?

    Hello ACE Gurus,
    We have to deploy end-to-end SSL for one of our applications, but of course we won't be buying Entrust or other big-name certificates for each web server: we want to use self-issued certs signed by our private CA. The topology looks like this:
    Internet Client   ----HTTPs_Entrust_Cert----> ACE ------HTTPs_Private_Cert------> WebServers
    Maybe my search skills are soft, but I haven't found how to import a private CA certificate into the ACE, so that when the ACE initiates an SSL session with the web server (as a client), it will recognize the web server's SSL cert as valid, because it already has the CA in its root store.
    The only thing I've found is how to configure the ACE to ignore the SSL authentication/validation errors, like this:
    host1/Admin(config)# parameter-map type ssl SSL_PARAMMAP_SSL
    host1/Admin(config-parammap-ssl)# authentication-failure ignore
    Thanks for the help!
    Alex.

    Hi Alex,
    From the ACE perspective, it doesn't make a difference whether you are using certificates issued by your local CA or by a "well known" CA. Moreover, if I'm not mistaken, you have to configure an authentication group whether you are doing client or server authentication.
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp1043643
    Thanks,
    Olivier

  • Cisco ACE default vlan

    Hello everybody,
    I am installing an ACE 4700 at a customer, but when I started to work and saw their topology, I realized that I had a problem. The problem is that I cannot create the interface vlan 1 and assign an IP address to it. I saw in some documents on the cisco.com site that the ACE hides this VLAN.
    My topology follows:
    The servers' VLAN is VLAN 1
    The clients' VLAN is 5
    The management VLAN is 8
    As I understood, the ACE has to have at least one interface in the servers' VLAN, but I can't create VLAN 1. So my problem is, how do I unhide VLAN 1 in the ACE so I can configure an IP address on it?
    Leandro

    If you can't have the customer migrate the servers into a different VLAN, you need to trick a bit, as VLAN1 is not usable on the ACE.
    Pick a VLAN number that you will use inside the ACE for the outer VLAN1. Say, VLAN101.
    If you have an access port connecting to the server segment, just set it to 101:
         switchport access vlan 101
    If you connect via a trunk, set your native VLAN to 101:
         switchport trunk native vlan 101

  • ACE Rst Packets

    Hello Everyone,
    I have an ACE10 module in my core switch, a 6509. My context "Proxy" was created to balance connections to Forefront TMG servers; this balancing needs the original client IP address end to end in the solution.
    My problem is: the clients are complaining of slow connections to the Internet. I captured the traffic with the ACE capture feature and I see some RST packets and several checksum-error packets in the pcap file.
    The topology is:
    Client -> ACE VIP VLAN 81 -> RSERVERS VLAN 80
    VLAN 80 is in L2 mode (no interface VLAN on the core switch 6509; routing occurs through the ACE).
    The IP address 10.96.200.6 is the gateway for the rservers.
    system:    Version A2(3.4) [build 3.0(0)A2(3.4)]
    system image file: [LCP] disk0:c6ace-t1k9-mz.A2_3_4.bin
    rserver host PANFPRXP301A
      ip address 10.96.200.11
      inservice
    rserver host PANFPRXP301B
      ip address 10.96.200.12
      inservice
    sticky ip-netmask 255.255.255.255 address source STICKY-SF-PANPROXY
      replicate sticky
      serverfarm SF-PAN-PROXY
    interface vlan 80
      ip address 10.96.200.4 255.255.255.0
      alias 10.96.200.6 255.255.255.0
      peer ip address 10.96.200.5 255.255.255.0
      no normalization
      no icmp-guard
      access-group input all-access
      access-group output all-access
      service-policy input ACCESS
      no shutdown
    interface vlan 81
      ip address 10.96.201.4 255.255.255.0
      alias 10.96.201.6 255.255.255.0
      peer ip address 10.96.201.5 255.255.255.0
      no normalization
      no icmp-guard
      access-group input all-access
      access-group output all-access
      service-policy input ACCESS
      service-policy input INTVLAN80
      no shutdown
    policy-map multi-match INTVLAN80
      class VIP-SF-PANPROXY
        loadbalance vip inservice
        loadbalance policy SLB-SF-PANPROXY
        loadbalance vip icmp-reply active primary-inservice
        appl-parameter http advanced-options PARAMETER-HTTP
    Logs
    ====================================================================
    Aug 15 2012 10:24:09 : %ACE-6-302023: Teardown TCP connection 0xb9fec for vlan81:10.93.15.69/1439 (10.93.15.69/1439) to vlan80:10.96.201.10/8080 (10.96.200.12/8080) duration 0:01:28 bytes 13741 TCP FINs
    Aug 15 2012 10:24:09 : %ACE-6-302022: Built TCP connection 0x1121b8 for vlan81:10.93.15.69/1443 (10.93.15.69/1443) to vlan80:10.96.201.10/8080 (10.96.200.12/8080)
    Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0xc400b for vlan81:10.93.7.69/4863 (10.93.7.69/4863) to vlan80:10.96.201.10/8080 (10.96.200.11/8080)
    Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0xc676f for vlan81:10.93.15.29/2173 (10.93.15.29/2173) to vlan80:10.96.201.10/8080 (10.96.200.12/8080)
    Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0xc3621 for vlan81:10.93.7.84/54169 (10.93.7.84/54169) to vlan80:10.96.201.10/8080 (10.96.200.11/8080)
    Aug 15 2012 10:24:10 : %ACE-6-302025: Teardown UDP connection 0x110764 for vlan80:10.96.200.11/32230 (10.96.200.11/32230) to vlan81:172.17.2.35/53 (172.17.2.35/53) duration 0:00:11 bytes 126 Idle Timeout
    Aug 15 2012 10:24:10 : %ACE-6-302023: Teardown TCP connection 0x111c70 for vlan81:10.93.15.69/1441 (10.93.15.69/1441) to vlan80:10.96.201.10/8080 (10.96.200.12/8080) duration 0:00:02 bytes 1759 TCP FINs
    Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0x5fc51 for vlan81:10.93.7.69/4864 (10.93.7.69/4864) to vlan80:10.96.201.10/8080 (10.96.200.11/8080)
    Aug 15 2012 10:24:11 : %ACE-6-302022: Built TCP connection 0xc5282 for vlan81:10.93.5.157/1522 (10.93.5.157/1522) to vlan80:10.96.201.10/8080 (10.96.200.11/8080)
    Aug 15 2012 10:24:11 : %ACE-6-302022: Built TCP connection 0x10e7a2 for vlan81:10.93.15.29/2174 (10.93.15.29/2174) to vlan80:10.96.201.10/8080 (10.96.200.12/8080)
    Aug 15 2012 10:24:11 : %ACE-6-302023: Teardown TCP connection 0x102c48 for vlan81:10.84.34.23/1130 (10.84.34.23/1130) to vlan80:10.96.201.10/8080 (10.96.200.12/
    ====================================================================
    If needed, i can send the pcap file for analyse.
    Tks a Lot.
    Rafael

    Hi Rafael,
    Are RSTs coming from the ACE? What if you access the server directly? If you could raise a TAC case, we would do an in-depth analysis of the problem.
    Regards,
    Siva
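    A way to work through a capture like the one above before opening the TAC case, added here as an example and not code from the thread: the ACE connection syslog is wrapped at 80 columns by the console, so the script first re-joins the records, then parses the %ACE-6-302022/302023/302025 build and teardown messages and groups teardown reasons per real server, which separates resets from normal FIN closes and idle timeouts. The sample records are constructed in the same layout as the capture (addresses reused from it; the connection ids, the "TCP Reset-O" reason string and the field names are my assumptions).

```python
import re
from collections import Counter, defaultdict

# Constructed sample laid out like the console capture above (wrapped at 80
# columns).  Connection ids and the "TCP Reset-O" reason string are
# assumptions; the last record is deliberately truncated, as pasted captures
# often are.
SAMPLE_LOG = """\
Aug 15 2012 10:24:09 : %ACE-6-302022: Built TCP connection 0x1121b8 for vlan81:1
0.93.15.69/1443 (10.93.15.69/1443) to vlan80:10.96.201.10/8080 (10.96.200.12/808
0)
Aug 15 2012 10:24:10 : %ACE-6-302022: Built TCP connection 0xc676f for vlan81:10
.93.15.29/2173 (10.93.15.29/2173) to vlan80:10.96.201.10/8080 (10.96.200.12/8080)
Aug 15 2012 10:24:10 : %ACE-6-302025: Teardown UDP connection 0x110764 for vlan8
0:10.96.200.11/32230 (10.96.200.11/32230) to vlan81:172.17.2.35/53 (172.17.2.35/
53) duration 0:00:11 bytes 126 Idle Timeout
Aug 15 2012 10:24:10 : %ACE-6-302023: Teardown TCP connection 0x111c70 for vlan8
1:10.93.15.69/1441 (10.93.15.69/1441) to vlan80:10.96.201.10/8080 (10.96.200.12/
8080) duration 0:00:02 bytes 1759 TCP FINs
Aug 15 2012 10:24:11 : %ACE-6-302023: Teardown TCP connection 0x1121b8 for vlan8
1:10.93.15.69/1443 (10.93.15.69/1443) to vlan80:10.96.201.10/8080 (10.96.200.12/
8080) duration 0:00:02 bytes 0 TCP Reset-O
Aug 15 2012 10:24:12 : %ACE-6-302023: Teardown TCP connection 0xc400b for vlan81
:10.93.7.69/4863 (10.93.7.69/4863) to vlan80:10.96.201.10/8080 (10.96.200.11/808
0) duration 0:00:05 bytes 2210 TCP FINs
Aug 15 2012 10:24:12 : %ACE-6-302023: Teardown TCP connection 0x102c48 for vlan8
1:10.84.34.23/1130 (10.84.34.23/1130) to vlan80:10.96.201.10/8080 (10.96.200.12/
"""

# A physical line that starts with a timestamp begins a new record.
TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2} : %ACE-")

# One joined build/teardown record; the duration/bytes/reason tail only
# exists on teardown messages.
REC_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) : %ACE-6-(?P<msgid>\d{6}): "
    r"(?P<action>Built|Teardown) (?P<proto>TCP|UDP) connection (?P<conn>0x[0-9a-f]+) "
    r"for (?P<in_if>vlan\d+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<out_if>vlan\d+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\((?P<dst_nat>[\d.]+)/(?P<dport_nat>\d+)\)"
    r"(?: duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+?))?\s*$"
)


def join_wrapped(text):
    """Re-join records that the console wrapped at 80 columns."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += line  # continuation: the wrap split mid-token
    return records


def parse_duration(text):
    """'H:MM:SS' -> seconds."""
    h, m, s = (int(p) for p in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_records(text):
    """Joined records that match the connection-message format, as dicts."""
    out = []
    for rec in join_wrapped(text):
        m = REC_RE.match(rec)
        if not m:
            continue  # truncated or unrelated message
        d = m.groupdict()
        if d["duration"] is not None:
            d["seconds"] = parse_duration(d["duration"])
            d["bytes"] = int(d["bytes"])
        out.append(d)
    return out


def unparsed_records(text):
    """Joined records the parser rejected; worth eyeballing, not discarding."""
    return [rec for rec in join_wrapped(text) if not REC_RE.match(rec)]


def teardown_reasons(records):
    """Real-server address -> Counter of teardown reasons."""
    summary = defaultdict(Counter)
    for r in records:
        if r["action"] == "Teardown":
            summary[r["dst_nat"]][r["reason"]] += 1
    return summary


def reset_teardowns(records):
    """(conn id, real server, reason) for every reset-related teardown."""
    return [(r["conn"], r["dst_nat"], r["reason"]) for r in records
            if r["action"] == "Teardown" and "Reset" in r["reason"]]


def unmatched_builds(records):
    """Connection ids built but not torn down within the sample."""
    built = {r["conn"] for r in records if r["action"] == "Built"}
    torn = {r["conn"] for r in records if r["action"] == "Teardown"}
    return built - torn


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for server, reasons in sorted(teardown_reasons(recs).items()):
        print(server, dict(reasons))
    print("resets:", reset_teardowns(recs))
    print("open at end of sample:", sorted(unmatched_builds(recs)))
    print("unparsed:", len(unparsed_records(SAMPLE_LOG)))
```

    The per-server reason table is the quick check for Siva's question: a reset reason attributed to a specific real server, with a zero-byte duration, points at the server side, while resets spread evenly across both reals with no matching teardown on the server VLAN point back at the load balancer, and the connection ids give the filter to apply to the pcap.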

  • ACE design and RHI

    Hi guys!
    I'm doing a redundant ACE module installation (using 7600) and I came up with some design questions.
    From the configuration guides, you configure a VLAN X for clients (where the traffic to be balanced arrives) and a VLAN Y for servers (where the real servers are). In all the examples I've seen, the VIP address is from the client VLAN subnet. From that I wonder:
    1.- Is this the only way to do this? The 7600 supervisor knows where the VIP is because it has a BVI in that same VLAN X, so it's directly connected. For the 7600 to reach the real server subnet, it would need a static route pointing to the ACE IP address, right?
    2.- In that scenario (VIP living in the client VLAN X), RHI is not necessary, right? But what about when the VIP is not available? What would happen then? You still need RHI so there is a "dynamic" host route for the VIP?
    3.- Then in what situations would RHI be needed? I've read that you need RHI when you don't have the supervisor and the ACE directly connected, but I don't quite get this. Can someone clarify?
    4.- Can the VIP be a member of a different subnet? For example, can it be a member of the server VLAN Y, or a completely different VLAN Z? What would be the necessary changes?
    Thanks a lot for your time guys, any help is greatly appreciated.
    Omar M.

    RHI is mainly used for inter-site redundancy: instead of relying on DNS for your VIP HA, you rely on routing by announcing a /32 route into your OSPF backbone.
    1 - yes
    2 - it depends on the way you want to ensure inter-site HA.
    3 - the purpose is only to send a /32 route from multiple ACE clusters or sites. When your whole cluster or datacenter is down, the routing topology is built again pointing the same IP address to the new site (by playing on the OSPF cost), without any problem of a dead DNS A record in the client cache.
    4 - No problem. You can even do it manually with a conditional host route defined on the upstream router (conditioned on an IP SLA sensor) redistributed into your OSPF process.
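    To make point 3 concrete, here is an added model (my own code, not the thread's and not an ACE or IOS feature) of the two failover mechanisms side by side. Two sites inject the same VIP as a /32 host route with different costs into a toy routing table that does longest-prefix match and then lowest metric; when the head-office probe fails its /32 is withdrawn and the lookup flips to the DR site at once, and flips back when the probe recovers. The DNS half shows why the answer prefers this: a client resolver keeps the old A record until its cached TTL expires. Site names, next hops, costs, the hostname and the DR address are all constructed.

```python
import ipaddress


class Rib:
    """Toy routing table: the longest prefix wins, then the lowest metric."""

    def __init__(self):
        self.routes = []  # (network, metric, next_hop, origin)

    def install(self, prefix, metric, next_hop, origin):
        self.routes.append((ipaddress.ip_network(prefix), metric, next_hop, origin))

    def withdraw(self, origin):
        self.routes = [r for r in self.routes if r[3] != origin]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r[0]]
        if not hits:
            return None
        _, _, next_hop, _ = max(hits, key=lambda r: (r[0].prefixlen, -r[1]))
        return next_hop


class RhiSite:
    """A site whose load balancer injects the VIP as a /32 only while its probe is up."""

    def __init__(self, name, rib, vip, cost, next_hop):
        self.name, self.rib, self.vip = name, rib, vip
        self.cost, self.next_hop = cost, next_hop
        self.set_probe(True)

    def set_probe(self, up):
        self.rib.withdraw(self.name)          # probe down: host route disappears
        if up:
            self.rib.install(f"{self.vip}/32", self.cost, self.next_hop, self.name)


def rhi_failover(vip="10.96.201.10"):
    """Next hop chosen for the VIP: both sites healthy, HQ down, HQ back."""
    rib = Rib()
    rib.install("10.96.0.0/16", 100, "core-hq", "summary")   # covering aggregate
    hq = RhiSite("hq", rib, vip, cost=10, next_hop="ace-hq")  # preferred site
    RhiSite("dr", rib, vip, cost=20, next_hop="ace-dr")       # same VIP, worse cost
    steps = [rib.lookup(vip)]
    hq.set_probe(False)
    steps.append(rib.lookup(vip))
    hq.set_probe(True)
    steps.append(rib.lookup(vip))
    return steps


class DnsCache:
    """Client-side resolver cache: a cached A record is reused until its TTL expires."""

    def __init__(self):
        self.cache = {}  # name -> (address, expires_at)

    def resolve(self, name, now, zone, ttl):
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0]                      # stale answer, still "valid"
        address = zone[name]
        self.cache[name] = (address, now + ttl)
        return address


def dns_failover(ttl=300):
    """Address a client uses at t=0, t=60 (after the zone changed) and t=TTL."""
    zone = {"app.example": "10.96.201.10"}       # constructed name, HQ VIP
    client = DnsCache()
    seen = [client.resolve("app.example", 0, zone, ttl)]
    zone["app.example"] = "10.97.201.10"          # constructed DR address
    seen.append(client.resolve("app.example", 60, zone, ttl))
    seen.append(client.resolve("app.example", ttl, zone, ttl))
    return seen


if __name__ == "__main__":
    print("routing:", rhi_failover())   # flips as soon as the /32 is withdrawn
    print("dns:", dns_failover())       # stale until the cached TTL runs out
```

    In production the probe in `set_probe` corresponds to the ACE's own VIP health, or, as in point 4, to an IP SLA track on the upstream router, and the redistributed host route is what the `install`/`withdraw` pair stands for.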

  • FWLB with one ACE

    Hello.
    I am planning the deployment of FWLB with only one ACE in routed mode. I have more than 20 DMZs, and all traffic between them must be balanced by the ACE to be filtered by one of the FWSMs.
    On the ACE, I am planning to create one interface VLAN per DMZ (default gateway for each DMZ) with a catch-all VIP (0.0.0.0 0.0.0.0). My problem is that all VLANs/networks will be directly connected to the ACE, and I don't know what the ACE does first: whether it "catches" the traffic to load-balance it, or routes the traffic first (if routing is done first, then FWLB will fail).
    All the documents that I saw have more than one ACE in their topology for load-balancing.
    Also, using several contexts doesn't seem to be an option because I don't have an in/out topology (return traffic may fail; the hash predictor source/destination would fail).
    Anyone with experience with this type of topology?
    Thanks in advance for all the help you can give me.
    Best regards,
    Joao Carvalho

    ACE will first catch the traffic and perform the configured action.
    If nothing catches the traffic, ACE will route.
    Multiple ACEs are usually used because very often the response needs to come back to the same firewall.
    So some reverse-sticky operation is required.
    Or some other mechanism.
    Not sure how you planned to guarantee this.
    Gilles.
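    Gilles's point about the response having to return through the same firewall is the whole difficulty with a single-ACE FWLB, so here is an added illustration of it (my own generic model, not ACE's predictor or reverse-sticky implementation). A bank of stateful firewalls only passes replies for sessions they saw open; a predictor that hashes source and destination in packet order can send the reply, whose addresses are swapped, to a different firewall, while a hash over the unordered address pair always agrees with itself. The firewall names and the DMZ flows are constructed.

```python
import hashlib

FIREWALLS = ["fwsm-1", "fwsm-2", "fwsm-3"]   # constructed firewall farm

# Constructed flows between two DMZs: host 10.10.i.j talks to 10.20.j.i.
SAMPLE_FLOWS = [(f"10.10.{i}.{j}", f"10.20.{j}.{i}")
                for i in range(1, 11) for j in range(1, 11)]


def _bucket(key, n):
    """Stable hash of a string onto n buckets."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n


def pick_ordered(src, dst):
    """Hash of (src, dst) in packet order: request and reply may disagree."""
    return FIREWALLS[_bucket(f"{src}>{dst}", len(FIREWALLS))]


def pick_symmetric(src, dst):
    """Hash of the unordered pair: request and reply always land together."""
    lo, hi = sorted((src, dst))
    return FIREWALLS[_bucket(f"{lo}<>{hi}", len(FIREWALLS))]


def dropped_replies(predictor, flows=SAMPLE_FLOWS):
    """Replay each flow through a bank of stateful firewalls.

    The request creates session state on the firewall the predictor chose;
    the reply (addresses swapped) is dropped if it is steered to a firewall
    that never saw the request.
    """
    sessions = {fw: set() for fw in FIREWALLS}
    dropped = 0
    for src, dst in flows:
        sessions[predictor(src, dst)].add((src, dst))
        if (src, dst) not in sessions[predictor(dst, src)]:
            dropped += 1
    return dropped


if __name__ == "__main__":
    print("ordered hash, replies dropped:", dropped_replies(pick_ordered))
    print("symmetric hash, replies dropped:", dropped_replies(pick_symmetric))
```

    The symmetric hash is only one way to get the guarantee; reverse-sticky (remembering which firewall a session went through and steering the reverse flow by lookup rather than by hash) is the other, and it is the one that still works when the reply arrives on a different ACE interface or context than the request, which is exactly the in/out topology Joao says he does not have.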
