C6513 Ace Module Pair not syncing

Hi,
I have a failover pair of Ace Modules that have stopped syncing - Active not syncing with Standby. I have checked the config and it seems that recent additions of contexts in the Admin Context to resource groups and fault tolerant additions of ft groups have not synced across to the standby unit. All other config checks out as okay.
Can anyone point me in a good direction to restart the sync?
Thanks
Adrian

Adrian-
  To see the error - login to the context that isn't syncing and issue "show ft config-error"
  Scripts and SSL keys/certs are not synced over, they will cause an FT sync error.  If that was what happened, then upload the files to the context, then toggle "ft auto-sync running-config" on the active context and it will re-try the sync.
  If the issue was not key/cert or script related, get a TAC case open, it is extremely likely there is a bug involved.
Regards,
Chris

Similar Messages

  • ACE modules not syncing up

    Hi,
    I was adding logging and snmp to my ACE modules this weekend. I first made the changes to the primary ACE module and did a wr mem; I then went to my secondary module and noticed that the modules did not sync.
    After some troubleshooting; I decided to reboot the secondary module, when the module came back, it was in sync.
    Has anyone run into this issue before? What is the command that will show me who is my primary module and the state of the modules?
    I am running ACE code: A2.1.2
    Regards,
    John...

    Thank you for your reply; I think that this was my problem:
    14:1007 => Feb 01 07:57:27: ha_process_message:1818 Running sync info: mode 0, status 0, reason Detected license mismatch with peer, disabling running-config auto sync
    14:1008 => Feb 01 07:57:27: ha_process_message:1822 Startup sync info: mode 0, status 0, reason Detected license mismatch with peer, disabling running-config auto sync
    I first upgraded the license on my primary and made my changes, then tried to sync. The only problem I see here is that when I did the wr mem the module started to sync and said that the sync process was complete.
    John...

  • ACE MODULE IN BRIDGE MODE NOT LOADBALANCING

    Hi,
    I setup an ace module in bridge mode as follows:
    mfsc(vla80) > (vla80)outside fwsm, fwsm inside(vla40) > (vla40)ace-clientside, aceserverside(vla41)
    and the servers have the fwsm svi(vla40) as their gateway. But, the ace is not loadbalancing.
    The config script is attached. Is there anything I am missing?

    Check my troubleshooting guide on this forum.
    There are few things to do to narrow down the issue.
    Gilles.

  • ACE Module not supporting

    Hi,
    We have migrated CSM to ACE Module recently, all the applications are working fine. But on one of our real servers, the hosting team did NIC teaming (Active-Active), which was working fine but not with the ACE Module (Bridging Mode).
    My assumption is that because the ACE is in bridge mode, all the non-load-balancing traffic has to go through the ACE Module, so we couldn't access the server directly. If the ACE is in one-armed mode, I think it should be fine.
    But with bridge mode, do we have any option to make it work?

    there is a restriction regarding NIC teaming in active/active mode.
    The ACE uses a hardcoded MAC-to-IP mapping with ARP. As with active/active NIC teaming you'll have 2 different MAC addresses, the one which is not present in the ARP cache of the ACE is considered a security violation.

  • I upgraded to iOS 5 and lost all my apps on my iPad. They are in iTunes, but iTunes will not sync because "the pairing record is missing." HELP!

    I upgraded to iOS 5 and lost all my apps on my iPad. They are in iTunes, but will not sync "because the pairing record is missing." Please help!

    On your iPad and iPod touch tap Settings > Store
    Make sure Music is switched On under Automatic Downloads.
    Now restart your iPad and your iPod touch.
    Hold the On/Off Sleep/Wake button down until the red slider appears. Slide your finger across the slider to turn off iPhone. To turn iPhone back on, press and hold the On/Off Sleep/Wake button until the Apple logo appears.
    You can re download iTunes purchases for free if necessary >  Downloading past purchases from the App Store, iBookstore, and iTunes Store

  • Can not import ACE module to ANM

    Hello,
    Good day.
    I have recently been facing an interesting problem.
    We are running ANM 5.1.0 to manage our LB contexts; those contexts are configured on an ACE20-MOD-K9 module which is installed in a Catalyst6500 switch. Our installation is like this: two ACE20-MOD-K9 modules installed in different slots of the same Catalyst6513. Those two ACE modules serve different Data Halls, and the contexts configured on those modules are completely separated: different VLAN, different subnet, no relation at all.
    I'm able to import the Catalyst chassis into ANM, and under Config>Guided Setup>Import Device>Modules I'm able to see both ACE modules, but only one module can be imported; the other one I cannot even select. There is a slight difference in how those two modules show themselves on that page. The one I'm able to import shows exactly its module type and version number, but the other one is showing something strange.
    Slot#      Model                     Type            Serial #      State                 Version                Description                                      #VC
    3            ACE20-MOD-K9      ACE v2.3      XXXXXX      up                     A2(3.5)                Application Control Engine Module      28
    9            ACE20-MOD-K9      Module         XXXXXX      Not Imported      ace2t_main_d      Application Control Engine Module      N/A  <---problem module
    Has anyone faced a similar problem?
    Thanks

    I think I found something related to my issue.
    In the ANM operating guidance, the section "Importing ACE Modules after the Host Chassis has been Imported" mentions some restrictions. The module in slot 9 actually has a similar situation: the show module command shows that the Catalyst chassis doesn't really recognize the software version, which might have caused ANM not to be able to figure out whether that module is supported or not, so it makes the simple decision to deny the import. I will try to reboot that module to see if we can fix this issue.
    "Guidelines and Restrictions
    ANM 3.0 and greater releases do not support the importing of an ACE module that contains an A1(6.x) software release or an ACE appliance that contains an A1(7.x) or A1(8.x) software release. If you attempt to import an ACE that supports one of these releases, ANM displays a message to instruct you that it failed to import the unrecognized ACE configuration and that device discovery failed.
    However, if you perform an ANM upgrade (for example, from ANM 2.2 to ANM 3.0), and the earlier ANM release contained an inventory with an ACE module that supported the A1(6x) software release or an ACE appliance that supported the A1(7.x) or A1(8.x) software release, ANM 3.0 (and greater) allows the A1(x) software release to reside in the ANM database and will support operations for the release. ANM prevents a new import of an ACE module or ACE appliance that contains the unsupported software version.
    We strongly recommend that you upgrade your ACE module or ACE appliance to a supported ACE software release, and that you instruct ANM to recognize the updated release. See the "Instructing ANM to Recognize an ACE Module Software Upgrade" section.
    See the Supported Device Tables for the Cisco Application Networking Manager for a complete list of supported ACE module and ACE appliance software releases."
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/5.2/user/guide/UG_manage_devices.html

  • ACE module not load balancing across two servers

    We are seeing an issue in a context on one of our load balancers where an application doesn't appear to be load balancing correctly across the two real servers.  At various times the application team is seeing active connections on only one real server.  They see no connection attempts on the other server.  The ACE sees both servers as up and active within the serverfarm.  However, a show serverfarm confirms that the load balancer sees current connections only going to one of the servers.  The issue is fixed by restarting the application on the server that is not receiving any connections.  However, it reappears again.  And which server experiences the issue moves back and forth between the two real servers, so it is not limited to just one of the servers.
    The application vendor wants to know why the load balancer is periodically not sending traffic to one of the servers.  I'm kind of curious myself.  Does anyone have some tips on where we can look next to isolate the cause?
    We're running A2(3.3).  The ACE module was upgraded to that version of code on a Friday, and this issue started the following Monday.  The ACE has 28 contexts configured, and this one context is the only one reporting any issues since the upgrade.
    Here are the show serverfarm statistics as of today:
    ACE# show serverfarm farma-8000
    serverfarm     : farma-8000, type: HOST
    total rservers : 2
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: server#1
           x.x.x.20:8000      8      OPERATIONAL  0          186617     3839
       rserver: server#2
           x.x.x.21:8000      8      OPERATIONAL  67         83513      1754

    Are you enabling sticky feature? What kind of predictor are you using?
    If the sticky feature is enabled and one rserver goes down, traffic will lean to one side.
    Even after the rserver returns to up, traffic may continue to lean due to the sticky feature.
    The behavior seems to depend on the configuration.
    So, please let me know a part of configuration?
    Regards,
    Yuji

  • ACE30 not syncing with primary

    We did a faulty ACE30 module swap in a HA pair. Both the ACEs have stopped syncing since then. Below is the error message I see:
    FT Group ID: 1  My State:FSM_FT_STATE_ACTIVE    Peer State:FSM_FT_STATE_STANDBY_CONFIG
                    Context Name: Admin     Context Id: 0
                    Running Cfg Sync Status:Failed to convert/transform configuration to peer version
    Both ACE modules are running 5.2 with the same license.
    sh ft peer status from both active and standby show the same results.
    Peer Id                      : 1
    State                        : FSM_PEER_STATE_COMPATIBLE
    Maintenance mode             : MAINT_MODE_OFF
    SRG Compatibility            : COMPATIBLE
    License Compatibility        : COMPATIBLE
    FT Groups                    : 15
    Am I missing something here?

    Hey Mini,
    It sounds good it works now.
    For future reference you may see the #show crypto files to compare the SSL files which you got in the boxes.
    Additionally, please be aware that sometimes if there's any crash in one device and it generates a core dump file, they might detect that as a difference.
    Then in general you may follow these instructions:
    1) Check with #show crypto files
    2) Compare both configurations.
    3) Check #show version to see if there was a crash which you did not notice.
    Hope this helps!
    Jorge
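The comparison in Jorge's steps 1 and 2, which also covers the note in the first reply on this page that keys and certs are not synced over, can be scripted. This is an added example, not code from any poster or from Cisco; the `show crypto files` column layout, the sample listings and the `ssl-proxy service` excerpt are constructed assumptions.

```python
import re

# Constructed "show crypto files" listings; the column layout (name, size,
# type, exportable, KEY/CERT) is an assumption about the output format.
ACTIVE_FILES = """\
Filename         Size  Type  Exportable  Key/Cert
-------------------------------------------------
www.key          1675  PEM   No          KEY
www.crt          1923  PEM   Yes         CERT
api.key          1679  PEM   No          KEY
api.crt          1850  PEM   Yes         CERT
"""
STANDBY_FILES = """\
Filename         Size  Type  Exportable  Key/Cert
-------------------------------------------------
www.key          1675  PEM   No          KEY
www.crt          1899  PEM   Yes         CERT
api.crt          1850  PEM   Yes         CERT
old.crt          1704  PEM   Yes         CERT
"""
# Constructed excerpt of the active context's running-config (indentation kept).
ACTIVE_CONFIG = """\
ssl-proxy service SSL_WWW
  key www.key
  cert www.crt
ssl-proxy service SSL_API
  key api.key
  cert api.crt
"""

ROW = re.compile(r"(\S+)\s+(\d+)\s+(\S+)\s+(Yes|No)\s+(KEY|CERT)")

def parse_crypto_files(output):
    """Map filename -> size and kind; header and separator lines are skipped."""
    files = {}
    for line in output.splitlines():
        m = ROW.fullmatch(line.strip())
        if m:
            files[m.group(1)] = {"size": int(m.group(2)), "kind": m.group(5)}
    return files

def referenced_files(config):
    """Filenames named by key/cert lines inside ssl-proxy service stanzas."""
    refs, in_service = set(), False
    for raw in config.splitlines():
        if not raw.startswith((" ", "\t")):
            # A non-indented line starts a new top-level command.
            in_service = raw.startswith("ssl-proxy service ")
            continue
        m = re.fullmatch(r"(key|cert) (\S+)", raw.strip())
        if in_service and m:
            refs.add(m.group(2))
    return refs

def compare_crypto(active, standby, needed):
    """Return (filename, problem) pairs that would explain a sync difference."""
    findings = []
    for name in sorted(set(active) | set(standby) | needed):
        tag = "referenced" if name in needed else "unreferenced"
        a, s = active.get(name), standby.get(name)
        if a is None or s is None:
            where = "active" if a is None else "standby"
            findings.append((name, f"{tag}, missing on {where}"))
        elif a != s:
            findings.append((name, f"{tag}, differs between units"))
    return findings

def check():
    return compare_crypto(parse_crypto_files(ACTIVE_FILES),
                          parse_crypto_files(STANDBY_FILES),
                          referenced_files(ACTIVE_CONFIG))

for name, problem in check():
    print(f"{name}: {problem}")
```

A file that is referenced by the configuration but missing on the standby is the case to fix first: upload it to the standby context before toggling auto-sync again.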

  • Ace module dropping asymmetric layer 2 connections

    Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server.  The server in question was using Transmit Load Balancing with Fault Tolerance.
    The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
    I am guessing if the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address (no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1.  The ace module is in transparent mode.  When contacting a server on the other side of the ace, the ace drops packets that came from the second nic - and I am wondering how it "knows" that the return path is out of a different downstream port.  Does it share some kind of layer 2 RPF check with the 6500?
    Please note there is no routing involved here.  The destination server is just on another vlan on the same subnet, on the other side of the ace.

    Bryan,
    As long as the server replies back to the ACE the client should only be communicating with the VIP address in either of your two examples.
    In your first example the flow will look like this.
    client > VIP after the ACE  client > rserver
    the reply would be
    rserver > client after the ACE VIP > rserver
    In your second example using client nat it will look like this
    Client > VIP   After ACE  Natpool > rserver.
    the reply would be
    rserver > Nat-pool  after ACE VIP > client.
    The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
    Regards
    Jim

  • ACE Module Radius with ACS 4.2

    Hi,
    I am able to authenticate to my ACE modules via Radius, but when I login it does not give my Admin rights. Does anyone have a fix for this? My ACS admin has been working with TAC since last week to no avail.
    John...

    You have to use a custom AV pair on the TACACS server under user setup to make it work. ACE uses RBAC (Role Based Access Control), and for that you have to pass the context and user role from the TACACS server to the ACE to make it work. If no RBAC info is pushed from the TACACS server and the user just gets authenticated, then the default role assigned by ACE is Network-Monitor.
    Following steps (On tacacs server) will make it work
    1. Select your user
    2. Go to TACACS+ settings
    3. Select " shell (exec)" checkbox
    4. Select "custom attributes" checkbox
    5. Type your context and role information in custom attrib box, using following format
    shell:*
    for e.g (if context name is Admin, domain is default-domain and you want to assign role "Admin" to this user )
    shell:Admin*Admin default-domain
    Hope it helps
    Syed

  • Configuring ACE Module for Redundancy

    Hi Sir,
    I'm configuring fault tolerance between two ACE modules installed on two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
    Do I need to configure 4 "ft group", i.e. one context per group? E.g. config:
    ft group 1
    peer 1
    priority 110
    peer priority 105
    associate-context Admin
    inservice
    ft group 2
    peer 1
    priority 110
    peer priority 105
    associate-context ace-context1
    inservice
    ft group 3
    peer 1
    priority 105
    peer priority 110
    associate-context ace-context2
    inservice
    ft group 4
    peer 1
    priority 105
    peer priority 110
    associate-context ace-context3
    inservice
    Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client-side?
    Thank you.
    B.Rgds,
    Lim TS

    Hi Gilles,
    I have configured FT for all user contexts as well as for the admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
    I noticed a few things:
    (1) After the initial FT config, subsequent FT groups just need to be configured on the active Admin context and it will be replicated to the standby ACE, with the priority correctly reversed.
    (2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
    (3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
    One issue I encountered in one of the user contexts is as follows:
    ace1/ace-context-1# sh run int
    Generating configuration....
    interface vlan 950
    description *** Client-Facing VLAN ***
    ip address 10.1.35.5 255.255.255.0
    alias 10.1.35.4 255.255.255.0
    peer ip address 10.1.35.6 255.255.255.0
    access-group input ACL_VL950_IN
    service-policy input REMOTE_MGMT
    service-policy input MY_LB
    no shutdown
    interface vlan 951
    description *** Connection to Real Servers ***
    ip address 10.1.36.2 255.255.255.0
    alias 10.1.36.1 255.255.255.0
    peer ip address 10.1.36.3 255.255.255.0
    access-group input ACL_VL951_IN
    service-policy input NAT_REAL
    no shutdown
    This is the active context. It can ping to 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client-side). It can ping alias 10.1.36.1 over VLAN 951 (server-side) but can't ping to peer 10.1.36.3. The ACL_VL951_IN permits ip any any. Do you know why?
    Secondly, I can remotely ping to alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

  • ACE Switchover and Config Sync

    Hi
    I'm new to the ACE module and trying to set up some scenarios, and I have already run into some trouble.
    Question 1)
    I configured redundancy to another module - virtualised mode. Config sync between the contexts worked fine. If I changed something in the active context, it was copied to the standby context. But if I changed something in the active Admin context, it was not copied to the standby Admin context.
    Question 2)
    FT Switchover in the Admin context is not possible returns the following fault:
    ACE_Switch08/Admin# ft switchover
    This command will cause card to switchover (yes/no)? [no] yes
    Invalid FT group. FT switchover command will be ignored.
    ACE_Switch08/Admin#
    If I switch a single FT group it works. But how is it possible to switch all FT groups at the same time? Do I have to switch each context by itself?
    Question 3)
    After i have switched the active context to the standby context, the ft group x command shows both peers as active. After i take the standby ft group no inservice and back inservice it shows correctly Active and standby_HOT.
    The configuration:
    hostname ACE_Switch08
    boot system image:c6ace-t1k9-mz.3.0.0_A1_4a.bin
    resource-class RC1
    limit-resource all minimum 10.00 maximum equal-to-min
    class-map type management match-any REMOTE_ACCESS
    description -- Remote Access traffic match --
    2 match protocol telnet any
    3 match protocol ssh any
    4 match protocol icmp any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_ACCESS
    permit
    interface vlan 2100
    ip address 172.29.190.16 255.255.255.0
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    no shutdown
    ft interface vlan 2020
    ip address 192.168.100.1 255.255.255.0
    peer ip address 192.168.100.2 255.255.255.0
    no shutdown
    ft peer 1
    heartbeat interval 200
    heartbeat count 20
    ft-interface vlan 2020
    ip route 0.0.0.0 0.0.0.0 172.29.190.1
    context sf0-2200
    allocate-interface vlan 2201
    allocate-interface vlan 2207
    member RC1
    context sf0-2220
    allocate-interface vlan 2221
    allocate-interface vlan 2227
    member RC1
    ft group 1
    peer 1
    no preempt
    priority 200
    peer priority 150
    associate-context sf0-2200
    inservice
    ft group 2
    peer 1
    no preempt
    priority 200
    peer priority 150
    associate-context sf0-2220
    inservice
    username admin password xxx role Admin domain default-domain
    username www password xxx role Admin domain default-domain
    Any help is appreciated
    pat

    Hi Pat,
    1)
    For my config I just put the "user" or "backend" contexts into ft groups. I don't sync the admin contexts on both ACEs. I am not even sure if that makes sense or is "best practice".
    So if you don't put the admin context into an extra ft group it won't be synced. you have to configure the admin contexts on each physical ace separately.
    Putting the contexts sf0-2200 & sf0-2220 into an ft group and not having an ft group for admin is the way to go IMHO.
    2)
    If you do a switchover you always have to specify which context you want to switchover. I don't think that you can actually switchover a whole bunch of contexts with this command. If you want to do that a reload is the only way AFAIK.
    Try:
    ft switchover 1
    ft switchover 2
    3)
    This could be because you have not configured the other ACE's admin context to participate in the ft properly.
    My configs look like this.
    ACE01:
    ft interface vlan 777
    ip address 172.16.99.1 255.255.255.252
    peer ip address 172.16.99.2 255.255.255.252
    no shutdown
    ft peer 1
    heartbeat interval 200
    heartbeat count 20
    ft-interface vlan 777
    query-interface vlan 444
    ft group 3
    peer 1
    priority 150
    peer priority 110
    associate-context FOO
    inservice
    ft group 4
    peer 1
    priority 150
    peer priority 110
    associate-context BAR
    inservice
    ft group 2
    peer 1
    priority 150
    peer priority 110
    associate-context FOO-BAR
    inservice
    ACE02:
    ft interface vlan 777
    ip address 172.16.99.2 255.255.255.252
    peer ip address 172.16.99.1 255.255.255.252
    no shutdown
    ft peer 1
    heartbeat interval 200
    heartbeat count 20
    ft-interface vlan 777
    query-interface vlan 444
    ft group 2
    peer 1
    no preempt
    priority 110
    peer priority 150
    associate-context FOO
    inservice
    ft group 3
    peer 1
    no preempt
    priority 110
    peer priority 150
    associate-context BAR
    inservice
    ft group 4
    peer 1
    no preempt
    priority 110
    peer priority 150
    associate-context FOO-BAR
    inservice
    Hope that helps
    Roble
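When each unit's ft groups are configured by hand, as in the reply above, the two sides must agree on which context each group ID carries, and the priorities must be reversed between the peers. The check below is an added example, not code from any poster or from Cisco; the two listings are constructed samples modelled on the configs in this thread, and the names ACE01 and ACE02 are only labels.

```python
import re

# Constructed sample: "ft group" stanzas from each unit's Admin context.
ACE01 = """\
ft group 1
  peer 1
  priority 150
  peer priority 110
  associate-context FOO
  inservice
ft group 2
  peer 1
  priority 150
  peer priority 110
  associate-context BAR
  inservice
ft group 3
  peer 1
  priority 150
  peer priority 110
  associate-context FOO-BAR
  inservice
"""
ACE02 = """\
ft group 1
  peer 1
  no preempt
  priority 110
  peer priority 105
  associate-context FOO
  inservice
ft group 2
  peer 1
  priority 110
  peer priority 150
  associate-context FOO-BAR
  inservice
"""

GROUP = re.compile(r"ft group (\d+)")
SKIPPED = re.compile(r"peer \d+|(no )?preempt")
FIELDS = [("priority", re.compile(r"priority (\d+)")),
          ("peer_priority", re.compile(r"peer priority (\d+)")),
          ("context", re.compile(r"associate-context (\S+)"))]

def parse_ft_groups(config):
    """Return {group id: settings}; settings that are not configured are absent."""
    groups, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP.fullmatch(line)
        if m:
            cur = groups.setdefault(int(m.group(1)), {"inservice": False})
        elif cur is None or SKIPPED.fullmatch(line):
            continue
        elif line == "inservice":
            cur["inservice"] = True
        else:
            hits = [(k, rx.fullmatch(line)) for k, rx in FIELDS]
            hits = [(k, m.group(1)) for k, m in hits if m]
            if hits:
                key, val = hits[0]
                cur[key] = val if key == "context" else int(val)
            else:
                cur = None  # any other command ends the stanza
    return groups

def compare_peers(a, b, names=("ACE01", "ACE02")):
    """List the ways the two units' ft group definitions disagree."""
    out = []
    for gid in sorted(set(a) | set(b)):
        ga, gb = a.get(gid), b.get(gid)
        if ga is None or gb is None:
            out.append(f"group {gid}: not configured on {names[0] if ga is None else names[1]}")
            continue
        if ga.get("context") != gb.get("context"):
            out.append(f"group {gid}: context {ga.get('context')} on {names[0]} "
                       f"but {gb.get('context')} on {names[1]}")
        if (ga.get("priority"), ga.get("peer_priority")) != (gb.get("peer_priority"), gb.get("priority")):
            out.append(f"group {gid}: priorities are not mirrored")
        out += [f"group {gid}: not inservice on {n}" for n, g in zip(names, (ga, gb)) if not g["inservice"]]
    return out

print("\n".join(compare_peers(parse_ft_groups(ACE01), parse_ft_groups(ACE02))))
```

Priorities left unset on one unit compare as missing rather than as the platform default, so set them explicitly on both sides before relying on the result.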

  • ACE module - end-to-end SSL

    Hello,
    I'm in the process of setting up an end-to-end SSL configuration, but it doesn't work and I'm getting a bit confused at this stage. I imported a cert using the terminal (copy/paste), then I imported a key using the same method and the tftp. The TFTP failed and the terminal was displaying a message telling me there were too many lines.
    I checked with the crypto verify command and it failed telling me "Error: invalid or unsupported key".
    Is there any clear documentation on how to configure an end to end SSL ?
    I used the ACE ssl guide, but it is not really accurate and looks more like a reminder to me rather than a guide.
    I attached the existing config to this post although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.
    Did anybody come across the same issues the first time configuring end-to-end SSL with ACE?

    just don't know where to start.
    I feel like you do not have the right key/cert.
    This would be the very first thing to verify.
    Where did you get your key and cert ?
    What certificate authority signed your certificate ?
    The creation of the session key requires the use of an RSA key pair (private/public).
    Every server must have a public and a private key associated with a certificate signed by a certificate authority.
    If you're not familiar with those concepts, configuring an SSL offloader like ACE won't be easy.
    Maybe you should start by reading on the subject from various articles available on the web.
    openssl is a great tool to generate keys and certificates.
    I would suggest maybe to get this free tool and start by creating your own RSA key pair and a self signed certificate.
    Then import everything into ACE.
    Once you have valid key/cert we can continue with the configuration.
    Gilles

  • ANM, ACE module device type

    I have a pair of ACE modules installed and maintained through ANM.  We
    started with ANM 2.X and recently upgraded to 3.0.
    The ACE modules were running code A1(6.3) and are now on A2(2.3).
    ANM is identifying the devices as Device Type ACE v1.0, and device types
    seem to limit the features that ANM exposes for configuration.
    The GUI does not expose the HTTP/SSL rewrite features in Expert mode, but I
    can configure the devices in the CLI.
    I have been unable to find any info on how devices are identified, or if the type
    can be changed.
    The exact module installed is a ACE20-MOD-K9.  Can anyone shed some light
    on if this is an 'ACE V1.0' and if not, how to convince ANM of the correct type?

    Just a thought - when you upgraded did you change the default www user password on the ACEs? I remember the upgrade instructions instructing that this step was necessary to allow manipulation of the configuration via xml (which I believe the ANM tool requires to exercise its full functionality).

  • ANM 2.0: one of three ACE contexts couldn't "sync to CLI"

    Hello,
    We are using ANM 2.0 Update A to manage an ACE module running A2(1.2). About a week ago, one of our 3 contexts started showing "Out of sync" in the "CLI sync status" column. I tried to sync the context numerous times; no errors were reported but this particular context was always "out of sync".
    Then this morning I tried a "sync to CLI" operation once more and this time it finally worked! The status is now "in sync".
    I was wondering why this happened, and if anything can be done to prevent it in the future.
    Regards,
    Marc.

    Synchronizing configuration files for the standby ACE requires:
    1. Auditing the standby ACE to confirm that its configuration does not agree with the ANM-maintained configuration data for the ACE. See Synchronizing Virtual Context Configurations, page 3-64.
    2. Uploading the configuration from the standby ACE to the ANM server. See Synchronizing Virtual Context Configurations in the below URL:
    http://www.cisco.com/en/US/docs/net_mgmt/application_networking_manager/1.2/user/guide/UG_virtual_contexts.html#wpxref74705
    3. For an Admin context, uploading configurations on any newly imported user contexts. If new user contexts are not updated, they cannot be managed using ANM.
