Do i have a dead ACE module?
I rebooted one of my HA ACE modules and it hasn't come back up. The logs on the 6500 show the following..
Mar 23 08:54:25: %DIAG-SP-6-RUN_COMPLETE: Module 4: Running Complete Diagnostics...
Mar 23 08:54:28: %SVCLC-5-SVCLCVTPMODE: VTP mode is set to non-transparent
Mar 23 08:54:28: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
Mar 23 08:54:27: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
Mar 23 08:54:28: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
Mar 23 08:54:43: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 08:55:18: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
Mar 23 08:57:30: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:07:23: %SNMP-5-MODULETRAP: Module 4 [Down] Trap
Mar 23 09:07:23: SP: The PC in slot 4 is shutting down. Please wait ...
Mar 23 09:07:56: SP: PC shutdown completed for module 4
Mar 23 09:08:06: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Fabric channel errors)
Mar 23 09:15:48: %DIAG-SP-6-RUN_COMPLETE: Module 4: Running Complete Diagnostics...
Mar 23 09:15:50: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
Mar 23 09:15:51: %SVCLC-5-SVCLCVTPMODE: VTP mode is set to non-transparent
Mar 23 09:15:51: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
Mar 23 09:15:51: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
Mar 23 09:16:06: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:16:41: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
Mar 23 09:17:45: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:28:00: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:28:46: %SNMP-5-MODULETRAP: Module 4 [Down] Trap
Mar 23 09:28:46: SP: The PC in slot 4 is shutting down. Please wait ...
Mar 23 09:29:19: SP: PC shutdown completed for module 4
Mar 23 09:29:29: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Fabric channel errors)
Mar 23 09:37:11: %DIAG-SP-6-RUN_COMPLETE: Module 4: Running Complete Diagnostics...
Mar 23 09:37:13: %SVCLC-5-SVCLCVTPMODE: VTP mode is set to non-transparent
Mar 23 09:37:13: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
Mar 23 09:37:12: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
Mar 23 09:37:13: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
Mar 23 09:37:28: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:38:03: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
Mar 23 09:38:15: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
The output of the ACE console is the following....
System Bootstrap, Version 12.2[123],
Copyright (c) 1994-2009 by cisco Systems, Inc.
Slot 4 : Running DEFAULT rommon image ...
.ACE platform with 1048576 Kbytes of main memory
.Loading disk0:c6ace-t1k9-mz.A2_3_4.bin. Please wait ....
Uncompressing Linux...
Starting the kernel...
INIT: version 2.78 booting
Mounting Second Ramdisk ....
Second Ramdisk successfully mounted
Configuring network interfaces.
CF dump: Register callback functions
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
/dev/cf: 11 files, 26575/63414 clusters
FAT FS is ok
Compact Flash size 1014624(in 1k blocks) ...
Core file size 204800
Available free size in cf is 589424 (in 1k blocks) ...
set_coredump 2.11, 12 Mar 2005, FAT32, LFN
first_cluster = 0x5102 num_cluster = 0x40 (64)
inserting procfs
inserting isan_kthread
inserting wiremod
inserting klib
inserting resdrv
inserting tlv
inserting sse
inserting kpss
inserting sdwrap
creating sdwrap device
inserting klm_tl
creating tl device
inserting klm_scp
inserting klm_mts
creating mts0 device
creating mtscfg0 device
inserting utaker
creating utaker0 device
creating utaker1 device
inserting sysmgr-hb
creating sysmgr-hb device
inserting modlock
creating modlock device
inserting bufmgr
inserting pkt_fifo
inserting encdec
creating encdec device
inserting pseudo
inserting drammap mod
creating drammap device
inserting ixp_dnld
creating ixp_dnld device
inserting sysdrv
creating sysdrv device
New registry installed.
INIT: Entering runlevel: 3
inserting i2c module
inserting ssa driver
inserting cde driver
inserting bf_dnld driver
inserting pfm_drv driver
inserting regaccess driver
inserting bf_nvram driver
Firmware compiled 21-Jan-11 13:14 by integ Build [25600]
ACE Daughter boards DB1 not present DB2 not present.
downloading fpga to cde 1
Read 3262454 bytes from ./cde1_core.bit
FPGA Date: 2007/12/18 Time: 14:22: 0
CDE 1 download successful
downloading fpga to cde 2
Read 2377744 bytes from ./cde2_core.bit
FPGA Date: 2007/ 8/15 Time: 20:59:47
CDE 2 download successful
FPGA Programming Done
CDE 1 revision ID 0403
CDE 2 revision ID 0402
enabling cde 0 interrupts
finished CDE setup
Configuring NP 1 Memory
Configuring NP 2 Memory
Waiting for NP 1 SRAM memory to clear...success
Downloading NP 1 Image
Waiting for NP 2 SRAM memory to clear...success
Downloading NP 2 Image
..... 0x4eef60 (5173088) bytes downloaded
..... 0x4eef60 (5173088) bytes downloaded
Loading Nitrox driver.
PCI device 177d:0002
Writing register at address 3838 with e00
size = 8108
Ctx memory range(0x0000000-0x10000000)
Cleared 262144 1024-byte blocks in 5 requests.
N2SetupMicrocode: failed; error code 3
Writing register at address 3898 with 1
N2LoadMicrocode: failed; error code 3
N2LoadMicrocode: failed; error code 3
Hello Akhtar,
Can you upload the command: #show version?
Can you upload the dir core: , hopefully the ACE might have generated some core dumps which might help us to determine the failure?
Here you have a link about getting the core dumps:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting#Copying_Core_Dumps
Have you experienced this issue before? Did you experience this issue during a high peak of traffic?
Did you apply any change in the configuration?
#show tech-support and core dumps would help to determine if this was a hardware failure or a software defect
Jorge
Similar Messages
-
Hi All,
We have a two ACE module running in a redentant setup in CAT-6500.
The software version is Version A2(1.6a) [build 3.0(0)A2(1.6a)
It has started giving many issues lately, promtping us to think of a
software upgrade.
Please advice, which version is most stable in your experaince ?
Thanks in advance.
KrisHi Daniel,
I will give A2.3.3 a try in coming days and shall update the results.
Many thanks for the advice.
Regards,
Kris -
Want to know about ACE module in 6509 : load-balancing concept
Hi,
I am quite new in this field , where i need to configure and understand the concept of load-balancing through ACE.
In my existing network set-up , i have some application servers as well as some other servers where i am looking for load-balancing.
I have gone through some of the site and cisco site as well and i came across ACE module which can be installed in 6509 switch.
I have 6509 switch as well but before going for installing the ACE module I am keen to understand below things:
1) what is difference between CSM or any other product load-balancer and ACE module :
Gone through site as well , but not getting proper answer or comparison.
1) I have some of the server configured with clustering and getting one virtual IP, In this case , will ACE work ?
2) If suppose i go for configuring different IP address with all server IP :
How do i achieve it ?
3) what is Virtual IP concept in ACE because i do not have and other ACE module then why do i need virtual IP ?
4) will the load-balancing happens based on destination based or session based ?
Please share the knowledge. It would be great help for me to go ahead with ACE and configure it and understand all the application ?Hello,
1) what is difference between CSM or any other product load-balancer and ACE module :
There are several differences but to say simply, you get higher performance and more features with ACE module/appliance comparing others.
One big difference is that with ACE seriese, you can configure multiple contexts on one box (virtual load-balancers on one box) that makes us possible to provide a virtual load-balancer to a customer. In that way, the customer can access and makes changes on only the virtual box. You can split management domain for each customers. Also using contexts, you can assign certain resources available on the hardware for each contexts according to their service contract.
ACE serise has specific hardware chip for supporting SSL termination but some others do not.
For instance, you need a CSM-S, or a CSM and a SSL module to terminate SSL.
The other thing I should mention is that our most recent product is ACE serise that means it has longer product roadmap.
Let me try clarifying your other questions.
3) what is Virtual IP concept in ACE because i do not have and other ACE module then why do i need virtual IP ?
4) will the load-balancing happens based on destination based or session based ?
I think I'd better to put 3) and 4) first.
Virtual ip address (VIP) is the address to which client accesses.
VIP is tied with a serverfarm or serverfarms, in a serverfarm one or multiple rservers can be configured.
"serverfarm" is a group of "rservers".
"rserver" means real-server that has an ip address and processes transactions.
When a client accesses to the VIP, ACE picks up a rserver according to algorithm.
If you configure a VIP that is tied with a serverfarm where only one rsever is configured, client accesses to the virtual ip address are
all forwarded to the rserver.
If you configure a VIP that is tied with a serverfarm where multiple rsevers are configured, client accesses to the virtual ip address are
balanced among those rservers.
If you configure multiple VIPs, client accesses to those VIPs are forwareded to corresponding rservers according to configuration.
1) I have some of the server configured with clustering and getting one virtual IP, In this case , will ACE work ?
ACE load-balances connections to configured rservers.
If the clustered servers are sharing one virtual ip address and you configure the virtual ip address as a rserver, all connections are
sent to the virtual ip address. That is not "load-balancing" on ACE... You need multiple rservers to which ACE load-balances connections.
2) If suppose i go for configuring different IP address with all server IP :
How do i achieve it ?
You can configure those ip addresses as rserver ip address.
Multiple rservers are tied into a group, "serverfarm".
I'm not certain about your culstered servers but I guess you can configure each ip addresses in the culster as rservers.
Then put those rservers in a serverfarm.Client accesses to a virtual ip address configured on ACE for the serverfarm.
This way connections are load-balanced among those rservers depending on load-balancing algorithm you choose.
Above is just an overveiw. ACE gives you granular control not mentioned above.
I can provide more specific information if you tell me details of what you are trying to archive with ACE.
Regards,
Kimihito. -
Have any one configure transparent caching on ACE module
How to configure transparent caching on ACE module? Please kindly give me a example configure. Thank you very much.
here is a basic config.
The module will intercept traffic coming in on vlan 20 and loadbalance it doing a url hashing to caches in vlan 30.
The mode is transparent so the destination ip address is preserved.
serverfarm host CACHES
transparent
predictor hash url
rserver linux1
inservice
rserver linux1-24
inservice
class-map match-all VIP-TCP80
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
policy-map type loadbalance first-match SF-CACHES
class class-default
serverfarm CACHES
policy-map multi-match SLB-CACHES
class VIP-TCP80
loadbalance vip inservice
loadbalance policy SF-CACHES
interface vlan 20
ip address 192.168.20.123 255.255.255.0
peer ip address 192.168.20.121 255.255.255.0
access-group input PERMIT-ANY
service-policy input ALLOW-ALL
service-policy input SLB-CACHES
no shutdown -
Hello,
I try to free some memory on a ACe module because I get the resource in use message.
I spotted 2 contexts with the default RC, however when I try to assign a resource class with a lower percentage to these contexts I get the "Error: resouce in use" message even though these RC have a lower resource allocation.
Did anybody come accress this situation and fixed it?
Regards.Thanks All for your reply,
The only configuration is the :
resource-class ContextID
limit-resource all minimum 5.00 maximum equal-to-min
i know i'm "short" of memory there but how could I resize the memory allocation if the command to allocate less memory does not go through.
I guess in order to assigne that Rc to the context i should have at least the same percentage of free memory as the percentage I want to allocate to the context.
Looks like the only way to change this is to configure a more detailed memory allocation wihtin the RC (syslog, bandwidth, acl, ...) so I would assign less memory to various resources within the context.
But then again, I guess the fact that I ran out of memory will prevent me from changing the existing resource allocation. sounds to me like a dead end at this stage.
Any idea?
Regards. -
hi,
Is it possible to load balance VIP hits on two ACE Modules in an active/active configuration. Or is it that only per FT group only single context could be active.
Regards.You can have 1 context active on one ACE and the other context active on the other ACE.
If you have 2 Vip, you can have 1 vip belonging to one context and the other vip belonging to the other context.
Like this, you split the traffic between the 2 devices which allows you to handle more traffic than what 1 device could normally do.
If one device can handle all your traffic, I prefer to only have 1 active unit and 1 standby.
Easier to implement and troubleshoot.
Gilles. -
Reuse of context in ACE module
Hi all, just have a question about som reuse of resources in a ACE module context. I don't want to make a new context, and can reuse most of the existing configuration in one of my context. The config is not complex and difficult, but I'm not sure if I can do this.
The primary goal is to loadbalance 2 webservers with a new vip, new serverfarm, stickygroup, policy-map and different nat-pool.
Since I haven't decided the ip addresses to be used, they are just xx in the config below.
The changes I want to implement are in bold. Will this work for me?
probe http WEBGUI_D2
description Probe for http mot webgui
interval 10
passdetect interval 10
passdetect count 1
request method get url /D2/auth/login.aspx
expect status 200 302
header User-Agent header-value "IDENTITY"
rserver host cwi003
description content server logon
ip address 10.163.22.27
inservice
rserver host cwi004
description content server logon
ip address 10.163.22.28
inservice
rserver host cwi503
description content server logon 2
ip address 10.163.22.23
inservice
rserver host cwi504
description content server logon 2
ip address 10.163.22.24
inservice
serverfarm host SF_LOGON_D2
probe WEBGUI_D2
rserver cwi003 80
inservice
rserver cwi004 80
inservice
serverfarm host SF_LOGON2_D2
probe WEBGUI_D2
rserver cwi503 80
inservice
rserver cwi504 80
inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
timeout 20
replicate sticky
serverfarm SF_LOGON_D2
serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON_D2
3 match virtual-address 10.163.22.13 any
class-map match-all VS_LOGON2_D2
3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB
class class-default
sticky-serverfarm STICKYGROUP1
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
class VS_LOGON_D2
loadbalance vip inservice
loadbalance policy PM_ONE_ARM_LB
nat dynamic 5 vlan 1240
class VS_LOGON2_D2
loadbalance vip inservice
loadbalance policy PM_ONE_ARM_LB
nat dynamic 6 vlan 1240
interface vlan 1240
description Client_server
ip address 10.163.22.11 255.255.255.0
peer ip address 10.163.22.12 255.255.255.0
access-group input INBOUND
nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
service-policy input PM_ONE_ARM_MULTI_MATCH
no shutdown
ip route 0.0.0.0 0.0.0.0 10.163.22.1
BR
GeirThanks for your reply.
Hope I understand you correct. This sould be the config I need to paste into the existing context.
rserver host cwi503
description content server logon 2
ip address 10.163.22.23
inservice
rserver host cwi504
description content server logon 2
ip address 10.163.22.24
inservice
serverfarm host SF_LOGON2_D2
probe WEBGUI_D2
rserver cwi503 80
inservice
rserver cwi504 80
inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
timeout 20
replicate sticky
serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON2_D2
3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB2
class class-default
sticky-serverfarm STICKYGROUP2
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
class VS_LOGON2_D2
loadbalance vip inservice
loadbalance policy PM_ONE_ARM_LB2
nat dynamic 6 vlan 1240
interface vlan 1240
nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
Br
Geir -
ACE module - Qos - set ip tos #
All,
Trying to mark traffic to/from L4 rules in the ACE.
Documentation (like always) says it's really easy. Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration. Ok, so I do this, set ip tos 24.
Enable qos globally on the 6500 host, but don't see the traffic being marked.
sh mls qos says that packets are being modified by module 5 (ACE)
But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
sh mls qos:
QoS is enabled globally
Policy marking depends on port_trust
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
QoS Trust state is CoS on the following interface:
Te3/1
QoS Trust state is DSCP on the following interface:
Gi2/3
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
----- Module [5] -----
QoS global counters:
Total packets: 207147888661
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 2663386
IP packets with COS changed by policing: 4889352
Non-IP packets with COS changed by policing: 0
MPLS packets with EXP changed by policing: 0
Can someone explain to me what I've got wrong here? Is the ACE simply marking traffic destined for the servers behind it and not the return traffic? Am I missunderstanding something?Well... hopefully someone knows how to classify traffic coming from the ACE.
I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it. At least not the way I want.
However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially sucessful solution. Problem is, "partially" successful.
You'll have a bunch of little conversations like this with no tos value full of push-acks:
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
But then you'll see another conversation pop up with the correct markings
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
I think what's happening, is that the conversations full of the P-acks is the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on it's way back to the client.
I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either. And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
So.... PLEASE... Anyone??? Ideas??? -
[UDP fast age support for ACE Module]
Hello,
I'm testing 2 ACE modules running A3.0.0 for DNS load balancing (UDP). We're testing this by using a DNS query generator that (always) seems to use the same UDP source port when originating these queries. At the moment, the ACE module is hardly doing any load-balancing.
It looks to me like, that because of this, the ACE believes it's the same session (connection) and doesn't really load-balance, so I started looking for a solution and found the fast-age udp feature. But, it seems this is not supported on my ACE modules. Can any one offer another solution and/or look at my config and see if there is another way to achieve load balancing in a testing environment when using a tool like the one I described?
(I put it that way because i believe in real life since queries come from different IP addresses and randomized udp ports, the ACE module will be just fine).
Thanks in advance!
c.Hi Carlos,
Correct. The 3.0(0) is really misleading. You need to start with the "A" - so you really have 1.6.3a installed.
The "show version" for V2 is slightly better -
system: Version A2(1.2) [build 3.0(0)A2(1.2)
Cathy -
Ace module dropping assymetric layer 2 connections
Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server. The server in question was using Transmit Load Balancing with Fault Tolerance.
The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1. The ace module is in transparent mode. When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port. Does it share some kind of layer 2 RPF check with the 6500 ?
Please note there is no routing involved here. The destination server is just on another vlan on the same subnet, on the other side of the ace.Bryan,
As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.
In your first example the flow will look like this.
client > VIP after the ACE client > rserver
the reply would be
rserver > client after the ACE VIP > rserver
In your second example using client nat it will look like this
Client > VIP After ACE Natpool > rserver.
the reply would be
rserver > Nat-pool after ACE VIP > client.
The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
Regards
Jim -
Hi,
I am trying to configure FT on ACE modules, with the following commands
ft interface vlan 20
ip address 172.16.20.1 255.255.255.252
peer ip address 172.16.20.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 20
ft group 1
peer 1
priority 150
associate-context Admin
inservice
The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft', how do I resolve this ? Do I need to enable something ?Hi have the following config which seems to be working fine for me... check your vlan20 interface is up
ft interface vlan 212
ip address 172.31.1.221 255.255.255.252
peer ip address 172.31.1.222 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 212
ft group 2
peer 1
priority 50
peer priority 150
associate-context Admin
inservice
HQ-ACE1/Admin# sh int
vlan212 is up, administratively up
Hardware type is VLAN
MAC address is 00:23:5e:25:72:f1
Mode : routed
IP address is 172.31.1.221 netmask is 255.255.255.252
FT status is standby
Description:not set
MTU: 1500 bytes
Last cleared: never
Last Changed: Tue Sep 6 12:46:06 2011
No of transitions: 1
Alias IP address not set
Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
Assigned from the Supervisor, up on Supervisor
8654909 unicast packets input, 735611030 bytes
1151150 multicast, 161 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
13020418 unicast packets output, 1672055521 bytes
0 multicast, 163 broadcast
0 output errors, 0 ignored -
Simple SLB with the ACE Module
Hello,
i have some problems with a ACE module i am currently tesing.
I have a simple Serverfarm with two Servers.
But there seems to be some Problems with the Loadbalancing i not understand:
1) I use Round Robin, but the ACE seems to put me serval times to the same server. I notice this, because i have different content on both servers, also different URLs.
2) withz the show serverfarm statement the total connects do not increment.
switch/slb-c1# show serverfarm webfarm
serverfarm : webfarm, type: HOST
total rservers : 2
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
rserver: web1
10.0.33.201:0 8 OPERATIONAL 0 0
rserver: web2
10.0.33.200:0 8 OPERATIONAL 0 0
switch/slb-c1# show service-policy L4_LB_VIP
Status : ACTIVE
Interface: vlan 300
service-policy: L4_LB_VIP
class: L4_VIP_CLASS
loadbalance:
L7 loadbalance policy: L7_SLB_POLICY
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 15
dropped conns : 0
client pkt count : 10198 , client byte count: 420991
server pkt count : 23367 , server byte count: 34915173
I have attatched the Config.
Any Idea what is going on?what version do you have ?
I would recommend to run the very recent A1.4.
This is something that really should work.
Gilles. -
ACE Module Radius with ACS 4.2
Hi,
I am able to authenticate to my ACE modules via Radius, but when I login it does not give my Admin rights. Does anyone have a fix for this? My ACS admin has been working with TAC since last week to no avail.
John...You have to use a custom AV pair on TACACS server under user setup to make it work. ACE uses RBAC (role based Access Control) and for that you have to pass the context and User Role from Tacacs server to ACE to make it work.If there is no RBAC info is pushed from Tacacs server and user just get authenticated then the default role assigned by ACE is Network-Monitor.
Following steps (On tacacs server) will make it work
1. Select your user
2. goto tacas+ settings
3. Select " shell (exec)" checkbox
4. Select "custom attributes" checkbox
5. Type your context and role information in custom attrib box, using following format
shell:*
for e.g (if context name is Admin, domain is default-domain and you want to assign role "Admin" to this user )
shell:Admin*Admin default-domain
Hope it helps
Syed -
Inventory collection fails for ACE module (RME 4.3.1)
I am trying to collect the inventory and ultimately the configurations for my ace modules. When i try to do an inventory collection I get the error
Device sensed, but collection failed
Anybody have any ideas?
ChrisPost your IC_Server.log.
Please support CSC Helps Haiti
https://supportforums.cisco.com/docs/DOC-8895
https://supportforums.cisco.com -
ACE MODULE IN BRIDGE MODE NOT LOADBALANCING
Hi,
I setup an ace module in bridge mode as follows:
mfsc(vla80) > (vla80)outside fwsm, fwsm inside(vla40) > (vla40)ace-clientside, aceserverside(vla41)
and the servers have the fwsm svi(vla40) as their gateway. But, the ace is not loadbalancing.
The config script is attached. Is their anything I am missing?
AttachCheck my troubleshooting guide on this forum.
There are few things to do to narrow down the issue.
Gilles.
Maybe you are looking for
-
How can I deauthorize an itunes account on a dead computer?
My old laptop died. Before it did, I backed up all of my music to a zip drive and then transferred the music to my new Dell Windows 8 computer. However, half of my songs can't be played because they were purchased on my stepdaughter's old itunes ac
-
Error in Process in PO for Classic Scenario
Hi, I am working with classic scenario. I have created one catalog for services where I used service as a catagory(from backend R/3). I have maintained contracts for this services in the Backend R/3 as well as vendor lists with respective contract in
-
How do i upgrade to iOS 4.3?
how do i upgrade to ios 4.3? Mine has 4.2? I can't install the boggle game, it says i must have ios system 4.3? When I link my ipod to my mac and go into itunes it says i have the latest ios version installed 4.2? Any help would be greatlyl appreciat
-
OraOLEDB error '80040e4b' : Accessor is not a parameter accessor
Hi! I'm seeing the following error, inconsistently, in my ASP application: OraOLEDB error '80040e4b' Accessor is not a parameter accessor The database is an Oracle 9i database - the web server has an Oracle 9i client installation on it. Not sure as t
-
Deleting scenario from Integration Repository.
Dear All, I was having one scenario in the Dev server which was having all the objects in it like namespace, DT, MT, MI, MM & IM. After testing now I want to delete the complete scenario from Repository. I have deleted all the objects like DT, MT, M