Do I have a dead ACE module?

I rebooted one of my HA ACE modules and it hasn't come back up. The logs on the 6500 show the following:
Mar 23 08:54:25: %DIAG-SP-6-RUN_COMPLETE: Module 4: Running Complete Diagnostics...
Mar 23 08:54:28: %SVCLC-5-SVCLCVTPMODE: VTP mode is set to non-transparent
Mar 23 08:54:28: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
Mar 23 08:54:27: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
Mar 23 08:54:28: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
Mar 23 08:54:43: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 08:55:18: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
Mar 23 08:57:30: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:07:23: %SNMP-5-MODULETRAP: Module 4 [Down] Trap
Mar 23 09:07:23: SP: The PC in slot 4 is shutting down. Please wait ...
Mar 23 09:07:56: SP: PC shutdown completed for module 4
Mar 23 09:08:06: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Fabric channel errors)
Mar 23 09:15:48: %DIAG-SP-6-RUN_COMPLETE: Module 4: Running Complete Diagnostics...
Mar 23 09:15:50: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
Mar 23 09:15:51: %SVCLC-5-SVCLCVTPMODE: VTP mode is set to non-transparent
Mar 23 09:15:51: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
Mar 23 09:15:51: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
Mar 23 09:16:06: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:16:41: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
Mar 23 09:17:45: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:28:00: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:28:46: %SNMP-5-MODULETRAP: Module 4 [Down] Trap
Mar 23 09:28:46: SP: The PC in slot 4 is shutting down. Please wait ...
Mar 23 09:29:19: SP: PC shutdown completed for module 4
Mar 23 09:29:29: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Fabric channel errors)
Mar 23 09:37:11: %DIAG-SP-6-RUN_COMPLETE: Module 4: Running Complete Diagnostics...
Mar 23 09:37:13: %SVCLC-5-SVCLCVTPMODE: VTP mode is set to non-transparent
Mar 23 09:37:13: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
Mar 23 09:37:12: %DIAG-SP-6-DIAG_OK: Module 4: Passed Online Diagnostics
Mar 23 09:37:13: %OIR-SP-6-INSCARD: Card inserted in slot 4, interfaces are now online
Mar 23 09:37:28: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:38:03: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
Mar 23 09:38:15: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
The output of the ACE console is the following....
System Bootstrap, Version 12.2[123],
Copyright (c) 1994-2009 by cisco Systems, Inc.
Slot 4 : Running DEFAULT rommon image ...
.ACE platform with 1048576 Kbytes of main memory
.Loading disk0:c6ace-t1k9-mz.A2_3_4.bin.  Please wait ....
Uncompressing Linux...
Starting the kernel...
INIT: version 2.78 booting
Mounting Second Ramdisk ....
Second Ramdisk successfully mounted
Configuring network interfaces.
CF dump: Register callback functions
dosfsck 2.11, 12 Mar 2005, FAT32, LFN
/dev/cf: 11 files, 26575/63414 clusters
FAT FS is ok
Compact Flash size 1014624(in 1k blocks) ...
Core file size 204800
Available free size in cf is 589424 (in 1k blocks) ...
set_coredump 2.11, 12 Mar 2005, FAT32, LFN
first_cluster = 0x5102 num_cluster = 0x40 (64)
inserting procfs
inserting isan_kthread
inserting wiremod
inserting klib
inserting resdrv
inserting tlv
inserting sse
inserting kpss
inserting sdwrap
creating sdwrap device
inserting klm_tl
creating tl device
inserting klm_scp
inserting klm_mts
creating mts0 device
creating mtscfg0 device
inserting utaker
creating utaker0 device
creating utaker1 device
inserting sysmgr-hb
creating sysmgr-hb device
inserting modlock
creating modlock device
inserting bufmgr
inserting pkt_fifo
inserting encdec
creating encdec device
inserting pseudo
inserting drammap mod
creating drammap device
inserting ixp_dnld
creating ixp_dnld device
inserting sysdrv
creating sysdrv device
New registry installed.
INIT: Entering runlevel: 3
inserting i2c module
inserting ssa driver
inserting cde driver
inserting bf_dnld driver
inserting pfm_drv driver
inserting regaccess driver
inserting bf_nvram driver
Firmware compiled 21-Jan-11 13:14 by integ Build [25600]
ACE Daughter boards DB1 not present DB2 not present.
downloading fpga to cde 1
Read 3262454 bytes from ./cde1_core.bit
FPGA Date: 2007/12/18 Time: 14:22: 0
CDE 1 download successful
downloading fpga to cde 2
Read 2377744 bytes from ./cde2_core.bit
FPGA Date: 2007/ 8/15 Time: 20:59:47
CDE 2 download successful
FPGA Programming Done
CDE 1 revision ID 0403
CDE 2 revision ID 0402
enabling cde 0 interrupts
finished CDE setup
Configuring NP 1 Memory
Configuring NP 2 Memory
Waiting for NP 1 SRAM memory to clear...success
Downloading NP 1 Image
Waiting for NP 2 SRAM memory to clear...success
Downloading NP 2 Image
..... 0x4eef60 (5173088) bytes downloaded
..... 0x4eef60 (5173088) bytes downloaded
Loading Nitrox driver.
PCI device 177d:0002
Writing register at address 3838 with e00
size = 8108
Ctx memory range(0x0000000-0x10000000)
Cleared 262144 1024-byte blocks in 5 requests.
N2SetupMicrocode: failed; error code 3
Writing register at address 3898 with 1
N2LoadMicrocode: failed; error code 3
N2LoadMicrocode: failed; error code 3

Hello Akhtar,
Can you upload the command: #show version?
Can you upload the output of dir core:? Hopefully the ACE generated some core dumps, which might help us to determine the failure.
Here you have a link about getting the core dumps:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Overview_of_ACE_Troubleshooting#Copying_Core_Dumps
Have you experienced this issue before? Did you experience this issue during a high peak of traffic?
Did you apply any change in the configuration?
#show tech-support and core dumps would help to determine if this was a hardware failure or a software defect
Jorge
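
An added example (not part of the original thread): a small parser for the supervisor messages quoted in the question. It pairs each Module [Up] trap with the following [Down] trap and power-off reason, so you can see whether the module stays up for the same length of time on every attempt. The log lines are copied from the post; the year and all function names are assumptions made for the example.

```python
import re
from datetime import datetime

# Subset of the 6500 log from the post above. The log carries no year,
# so a placeholder year (2000) is assumed purely to make parsing possible.
SAMPLE_LOG = """\
Mar 23 08:54:28: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
Mar 23 08:54:43: %SVCLC-5-SVCLCNTP: Could not update clock on the module 4, rc is -1
Mar 23 09:07:23: %SNMP-5-MODULETRAP: Module 4 [Down] Trap
Mar 23 09:07:23: SP: The PC in slot 4 is shutting down. Please wait ...
Mar 23 09:08:06: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Fabric channel errors)
Mar 23 09:15:51: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
Mar 23 09:28:46: %SNMP-5-MODULETRAP: Module 4 [Down] Trap
Mar 23 09:29:29: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (Fabric channel errors)
Mar 23 09:37:13: %SNMP-5-MODULETRAP: Module 4 [Up] Trap
"""

LINE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d): (.*)$")
TRAP = re.compile(r"%SNMP-5-MODULETRAP: Module (\d+) \[(Up|Down)\] Trap")
PWR = re.compile(r"%C6KPWR-SP-4-DISABLED: power to module in slot (\d+) set off \((.+)\)")


def module_cycles(log_text):
    """Return {slot: [cycle, ...]} for every completed Up -> Down cycle.

    Each cycle records the Up and Down times, the seconds in between, and
    the reason from the C6KPWR power-off message that follows (or None).
    """
    cycles = {}
    open_up = {}  # slot -> time of the last [Up] trap not yet closed by [Down]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        msg = m.group(2)

        trap = TRAP.search(msg)
        if trap:
            slot, state = int(trap.group(1)), trap.group(2)
            if state == "Up":
                open_up[slot] = when
            elif slot in open_up:
                up = open_up.pop(slot)
                cycles.setdefault(slot, []).append({
                    "up": up,
                    "down": when,
                    "uptime_s": int((when - up).total_seconds()),
                    "reason": None,
                })
            continue

        pwr = PWR.search(msg)
        if pwr:
            slot = int(pwr.group(1))
            # Attach the reason to the cycle that just ended, if any.
            if cycles.get(slot) and cycles[slot][-1]["reason"] is None:
                cycles[slot][-1]["reason"] = pwr.group(2)
    return cycles


def looks_like_boot_loop(slot_cycles, min_cycles=2, tolerance_s=30):
    """True if the slot was powered off repeatedly, for one and the same
    reason, after (nearly) the same uptime each time."""
    done = [c for c in slot_cycles if c["reason"]]
    if len(done) < min_cycles:
        return False
    uptimes = [c["uptime_s"] for c in done]
    same_reason = len({c["reason"] for c in done}) == 1
    return same_reason and max(uptimes) - min(uptimes) <= tolerance_s


if __name__ == "__main__":
    for slot, found in module_cycles(SAMPLE_LOG).items():
        for c in found:
            print(f"slot {slot}: up {c['up']:%H:%M:%S}, down {c['down']:%H:%M:%S}, "
                  f"{c['uptime_s']} s, reason: {c['reason']}")
        print(f"slot {slot}: boot loop = {looks_like_boot_loop(found)}")
```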

Similar Messages

  • ACE Module Software Upgrade

    Hi All,
    We have two ACE modules running in a redundant setup in a CAT-6500.
    The software version is Version A2(1.6a) [build 3.0(0)A2(1.6a)
    It has started giving many issues lately, prompting us to think of a software upgrade.
    Please advise: which version is most stable in your experience?
    Thanks in advance.
    Kris

    Hi Daniel,
    I will give A2.3.3 a try in coming days and shall update the results.
    Many thanks for the advice.
    Regards,
    Kris

  • Want to know about ACE module in 6509: load-balancing concept

    Hi,
    I am quite new in this field, where I need to configure and understand the concept of load-balancing through ACE.
    In my existing network set-up, I have some application servers as well as some other servers where I am looking for load-balancing.
    I have gone through some sites, and the Cisco site as well, and I came across the ACE module, which can be installed in a 6509 switch.
    I have a 6509 switch as well, but before installing the ACE module I am keen to understand the things below:
    1) What is the difference between CSM or any other product load-balancer and the ACE module?
    I have gone through the site as well, but am not getting a proper answer or comparison.
    1) I have some of the servers configured with clustering and getting one virtual IP. In this case, will ACE work?
    2) Suppose I go for configuring a different IP address for every server IP:
    How do I achieve it?
    3) What is the Virtual IP concept in ACE? Because I do not have another ACE module, why do I need a virtual IP?
    4) Will the load-balancing happen destination based or session based?
    Please share the knowledge. It would be a great help for me to go ahead with ACE, configure it and understand all the applications.

    Hello,
    1) what is difference between CSM or any other product load-balancer and ACE module :
    There are several differences, but to say it simply, you get higher performance and more features with the ACE module/appliance compared to the others.
    One big difference is that with the ACE series, you can configure multiple contexts on one box (virtual load-balancers on one box), which makes it possible for us to provide a virtual load-balancer to a customer. In that way, the customer can access and make changes on only the virtual box. You can split the management domain for each customer. Also, using contexts, you can assign certain resources available on the hardware to each context according to its service contract.
    The ACE series has a specific hardware chip for supporting SSL termination, but some others do not.
    For instance, you need a CSM-S, or a CSM and an SSL module, to terminate SSL.
    The other thing I should mention is that our most recent product is the ACE series, which means it has a longer product roadmap.
    Let me try clarifying your other questions.
    3) what is Virtual IP concept in ACE because i do not have and other ACE module then why do i need virtual IP ?
    4) will the load-balancing happens based on destination based or session based ?
    I think I'd better put 3) and 4) first.
    The virtual IP address (VIP) is the address that the client accesses.
    A VIP is tied to a serverfarm or serverfarms; in a serverfarm, one or multiple rservers can be configured.
    "serverfarm" is a group of "rservers".
    "rserver" means real-server, which has an IP address and processes transactions.
    When a client accesses the VIP, ACE picks an rserver according to the algorithm.
    If you configure a VIP that is tied to a serverfarm where only one rserver is configured, client accesses to the virtual IP address are all forwarded to that rserver.
    If you configure a VIP that is tied to a serverfarm where multiple rservers are configured, client accesses to the virtual IP address are balanced among those rservers.
    If you configure multiple VIPs, client accesses to those VIPs are forwarded to the corresponding rservers according to the configuration.
    1) I have some of the server configured with clustering and getting one virtual IP, In this case , will ACE work ?
    ACE load-balances connections to configured rservers.
    If the clustered servers are sharing one virtual IP address and you configure the virtual IP address as an rserver, all connections are sent to the virtual IP address. That is not "load-balancing" on ACE... You need multiple rservers to which ACE load-balances connections.
    2) If suppose i go for configuring different IP address with all server IP :
    How do i achieve it ?
    You can configure those IP addresses as rserver IP addresses.
    Multiple rservers are tied into a group, a "serverfarm".
    I'm not certain about your clustered servers, but I guess you can configure each IP address in the cluster as an rserver.
    Then put those rservers in a serverfarm. The client accesses a virtual IP address configured on ACE for the serverfarm.
    This way connections are load-balanced among those rservers depending on the load-balancing algorithm you choose.
    The above is just an overview. ACE gives you granular control not mentioned above.
    I can provide more specific information if you tell me details of what you are trying to achieve with ACE.
    Regards,
    Kimihito.

  • Has anyone configured transparent caching on an ACE module

    How to configure transparent caching on an ACE module? Please kindly give me an example config. Thank you very much.

    Here is a basic config.
    The module will intercept traffic coming in on vlan 20 and loadbalance it, doing a URL hashing to caches in vlan 30.
    The mode is transparent, so the destination IP address is preserved.
    serverfarm host CACHES
      transparent
      predictor hash url
      rserver linux1
        inservice
      rserver linux1-24
        inservice
    class-map match-all VIP-TCP80
      2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
    policy-map type loadbalance first-match SF-CACHES
      class class-default
        serverfarm CACHES
    policy-map multi-match SLB-CACHES
      class VIP-TCP80
        loadbalance vip inservice
        loadbalance policy SF-CACHES
    interface vlan 20
      ip address 192.168.20.123 255.255.255.0
      peer ip address 192.168.20.121 255.255.255.0
      access-group input PERMIT-ANY
      service-policy input ALLOW-ALL
      service-policy input SLB-CACHES
      no shutdown

  • ACE module - Resource in use

    Hello,
    I am trying to free some memory on an ACE module because I get the resource in use message.
    I spotted 2 contexts with the default RC; however, when I try to assign a resource class with a lower percentage to these contexts I get the "Error: resouce in use" message, even though these RCs have a lower resource allocation.
    Did anybody come across this situation and fix it?
    Regards.

    Thanks All for your reply,
    The only configuration is:
    resource-class ContextID
      limit-resource all minimum 5.00 maximum equal-to-min
    I know I'm "short" of memory there, but how could I resize the memory allocation if the command to allocate less memory does not go through?
    I guess in order to assign that RC to the context I should have at least the same percentage of free memory as the percentage I want to allocate to the context.
    Looks like the only way to change this is to configure a more detailed memory allocation within the RC (syslog, bandwidth, acl, ...) so I would assign less memory to various resources within the context.
    But then again, I guess the fact that I ran out of memory will prevent me from changing the existing resource allocation. Sounds to me like a dead end at this stage.
    Any idea?
    Regards.

  • Load Balancing on ACE Modules

    hi,
    Is it possible to load balance VIP hits on two ACE Modules in an active/active configuration? Or is it that per FT group only a single context could be active?
    Regards.

    You can have 1 context active on one ACE and the other context active on the other ACE.
    If you have 2 VIPs, you can have 1 VIP belonging to one context and the other VIP belonging to the other context.
    Like this, you split the traffic between the 2 devices which allows you to handle more traffic than what 1 device could normally do.
    If one device can handle all your traffic, I prefer to only have 1 active unit and 1 standby.
    Easier to implement and troubleshoot.
    Gilles.

  • Reuse of context in ACE module

    Hi all, just have a question about some reuse of resources in an ACE module context. I don't want to make a new context, and can reuse most of the existing configuration in one of my contexts. The config is not complex and difficult, but I'm not sure if I can do this.
    The primary goal is to loadbalance 2 webservers with a new VIP, new serverfarm, stickygroup, policy-map and different nat-pool.
    Since I haven't decided the IP addresses to be used, they are just xx in the config below.
    The changes I want to implement are in bold. Will this work for me?
    probe http WEBGUI_D2
      description Probe for http mot webgui
      interval 10
      passdetect interval 10
      passdetect count 1
      request method get url /D2/auth/login.aspx
      expect status 200 302
      header User-Agent header-value "IDENTITY"
    rserver host cwi003
      description content server logon
      ip address 10.163.22.27
      inservice
    rserver host cwi004
      description content server logon
      ip address 10.163.22.28
      inservice
    rserver host cwi503
      description content server logon 2
      ip address 10.163.22.23
      inservice
    rserver host cwi504
      description content server logon 2
      ip address 10.163.22.24
      inservice
    serverfarm host SF_LOGON_D2
      probe WEBGUI_D2
      rserver cwi003 80
        inservice
      rserver cwi004 80
        inservice
    serverfarm host SF_LOGON2_D2
      probe WEBGUI_D2
      rserver cwi503 80
        inservice
      rserver cwi504 80
        inservice
    sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
      timeout 20
      replicate sticky
      serverfarm SF_LOGON_D2
      serverfarm SF_LOGON2_D2
    class-map match-all VS_LOGON_D2
      3 match virtual-address 10.163.22.13 any
    class-map match-all VS_LOGON2_D2
      3 match virtual-address 10.163.22.xx any
    policy-map type loadbalance first-match PM_ONE_ARM_LB
      class class-default
        sticky-serverfarm STICKYGROUP1
    policy-map multi-match PM_ONE_ARM_MULTI_MATCH
      class VS_LOGON_D2
        loadbalance vip inservice
        loadbalance policy PM_ONE_ARM_LB
        nat dynamic 5 vlan 1240
      class VS_LOGON2_D2
        loadbalance vip inservice
        loadbalance policy PM_ONE_ARM_LB
        nat dynamic 6 vlan 1240
    interface vlan 1240
      description Client_server
      ip address 10.163.22.11 255.255.255.0
      peer ip address 10.163.22.12 255.255.255.0
      access-group input INBOUND
      nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
      nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
      service-policy input PM_ONE_ARM_MULTI_MATCH
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.163.22.1
    BR
    Geir

    Thanks for your reply.
    Hope I understand you correctly. This should be the config I need to paste into the existing context.
    rserver host cwi503
      description content server logon 2
      ip address 10.163.22.23
      inservice
    rserver host cwi504
      description content server logon 2
      ip address 10.163.22.24
      inservice
    serverfarm host SF_LOGON2_D2
      probe WEBGUI_D2
      rserver cwi503 80
        inservice
      rserver cwi504 80
        inservice
    sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
      timeout 20
      replicate sticky
      serverfarm SF_LOGON2_D2
    class-map match-all VS_LOGON2_D2
      3 match virtual-address 10.163.22.xx any
    policy-map type loadbalance first-match PM_ONE_ARM_LB2
      class class-default
        sticky-serverfarm STICKYGROUP2
    policy-map multi-match PM_ONE_ARM_MULTI_MATCH
      class VS_LOGON2_D2
        loadbalance vip inservice
        loadbalance policy PM_ONE_ARM_LB2
        nat dynamic 6 vlan 1240
    interface vlan 1240
      nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
    Br
    Geir

  • ACE module - Qos - set ip tos #

    All,
    Trying to mark traffic to/from L4 rules in the ACE.
    Documentation (like always) says it's really easy.  Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration.  Ok, so I do this, set ip tos 24.
    Enable qos globally on the 6500 host, but don't see the traffic being marked.
    sh mls qos says that packets are being modified by module 5 (ACE)
    But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
    sh mls qos:
    QoS is enabled globally
      Policy marking depends on port_trust
      QoS ip packet dscp rewrite enabled globally
      Input mode for GRE Tunnel is Pipe mode
      Input mode for MPLS is Pipe mode
    QoS Trust state is CoS on the following interface:
    Te3/1
    QoS Trust state is DSCP on the following interface:
    Gi2/3
      Vlan or Portchannel(Multi-Earl) policies supported: Yes
      Egress policies supported: Yes
    ----- Module [5] -----
      QoS global counters:
        Total packets: 207147888661
        IP shortcut packets: 0
        Packets dropped by policing: 0
        IP packets with TOS changed by policing: 2663386
        IP packets with COS changed by policing: 4889352
        Non-IP packets with COS changed by policing: 0
        MPLS packets with EXP changed by policing: 0
    Can someone explain to me what I've got wrong here? Is the ACE simply marking traffic destined for the servers behind it and not the return traffic? Am I misunderstanding something?

    Well... hopefully someone knows how to classify traffic coming from the ACE.
    I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it.  At least not the way I want.
    However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially successful solution. Problem is, "partially" successful.
    You'll have a bunch of little conversations like this with no tos value full of push-acks:
    10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
    10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
    10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
    10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
    10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
    10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
    10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
    10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
    10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
    10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
    10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
    But then you'll see another conversation pop up with the correct markings
    10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
    I think what's happening is that the conversations full of the P-acks are the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only", which the load balancer isn't mangling (like it might/probably is doing with the P-acks) on its way back to the client.
    I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either.  And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
    So.... PLEASE... Anyone???  Ideas???

  • [UDP fast age support for ACE Module]

    Hello,
    I'm testing 2 ACE modules running A3.0.0 for DNS load balancing (UDP). We're testing this by using a DNS query generator that (always) seems to use the same UDP source port when originating these queries. At the moment, the ACE module is hardly doing any load-balancing.
    It looks to me like, because of this, the ACE believes it's the same session (connection) and doesn't really load-balance, so I started looking for a solution and found the fast-age udp feature. But it seems this is not supported on my ACE modules. Can anyone offer another solution and/or look at my config and see if there is another way to achieve load balancing in a testing environment when using a tool like the one I described?
    (I put it that way because I believe in real life, since queries come from different IP addresses and randomized UDP ports, the ACE module will be just fine).
    Thanks in advance!
    c.

    Hi Carlos,
    Correct. The 3.0(0) is really misleading. You need to start with the "A" - so you really have 1.6.3a installed.
    The "show version" for V2 is slightly better -
    system: Version A2(1.2) [build 3.0(0)A2(1.2)
    Cathy

  • ACE module dropping asymmetric layer 2 connections

    Hi, we had a situation where the ACE would randomly drop certain TCP connections, and all ICMP packets, from a certain Windows server. The server in question was using Transmit Load Balancing with Fault Tolerance.
    The server has one NIC connected to access switch 1, and the other NIC connected to access switch 2. Each access switch connects up to a pair of 6509s, which is active on Core1 on both switches.
    I am guessing if the server sends on NIC 2, Core1 knows it came in on the downstream trunk port to Switch2; it must reply to these packets based on the teamed MAC of the layer 3 address (no idea who is ARPing for the destination - the ACE?), and send them back out the downstream trunk port to Switch1. The ACE module is in transparent mode. When contacting a server on the other side of the ACE, the ACE drops packets that came from the second NIC, and I am wondering how it "knows" that the return path is out of a different downstream port. Does it share some kind of layer 2 RPF check with the 6500?
    Please note there is no routing involved here. The destination server is just on another VLAN on the same subnet, on the other side of the ACE.

    Bryan,
    As long as the server replies back to the ACE, the client should only be communicating with the VIP address in either of your two examples.
    In your first example the flow will look like this.
    client > VIP after the ACE  client > rserver
    the reply would be
    rserver > client after the ACE VIP > rserver
    In your second example using client nat it will look like this
    Client > VIP   After ACE  Natpool > rserver.
    the reply would be
    rserver > Nat-pool  after ACE VIP > client.
    The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
    Regards
    Jim

  • Configuring FT on ACE Modules

    Hi,
    I am trying to configure FT on ACE modules, with the following commands
    ft interface vlan 20
      ip address 172.16.20.1 255.255.255.252
      peer ip address 172.16.20.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 20
    ft group 1
      peer 1
      priority 150
      associate-context Admin
      inservice
    The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft'. How do I resolve this? Do I need to enable something?

    I have the following config, which seems to be working fine for me... Check that your vlan20 interface is up.
    ft interface vlan 212
      ip address 172.31.1.221 255.255.255.252
      peer ip address 172.31.1.222 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 20
      ft-interface vlan 212
    ft group 2
      peer 1
      priority 50
      peer priority 150
      associate-context Admin
      inservice
    HQ-ACE1/Admin# sh int
    vlan212 is up, administratively up
      Hardware type is VLAN
      MAC address is 00:23:5e:25:72:f1
      Mode : routed
      IP address is 172.31.1.221 netmask is 255.255.255.252
      FT status is standby
      Description:not set
      MTU: 1500 bytes
      Last cleared: never
      Last Changed: Tue Sep  6 12:46:06 2011
      No of transitions: 1
      Alias IP address not set
      Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
      Assigned from the Supervisor, up on Supervisor
         8654909 unicast packets input, 735611030 bytes
         1151150 multicast, 161 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         13020418 unicast packets output, 1672055521 bytes
         0 multicast, 163 broadcast
         0 output errors, 0 ignored

  • Simple SLB with the ACE Module

    Hello,
    I have some problems with an ACE module I am currently testing.
    I have a simple serverfarm with two servers.
    But there seem to be some problems with the load balancing that I do not understand:
    1) I use Round Robin, but the ACE seems to put me several times on the same server. I notice this because I have different content on both servers, and also different URLs.
    2) With the show serverfarm statement, the total connects do not increment.
    switch/slb-c1# show serverfarm webfarm
    serverfarm : webfarm, type: HOST
    total rservers : 2
    ----------connections-----------
    real weight state current total
    ---+---------------------+------+------------+----------+--------------------
    rserver: web1
    10.0.33.201:0 8 OPERATIONAL 0 0
    rserver: web2
    10.0.33.200:0 8 OPERATIONAL 0 0
    switch/slb-c1# show service-policy L4_LB_VIP
    Status : ACTIVE
    Interface: vlan 300
    service-policy: L4_LB_VIP
    class: L4_VIP_CLASS
    loadbalance:
    L7 loadbalance policy: L7_SLB_POLICY
    VIP Route Metric : 77
    VIP Route Advertise : DISABLED
    VIP ICMP Reply : ENABLED
    VIP State: INSERVICE
    curr conns : 0 , hit count : 15
    dropped conns : 0
    client pkt count : 10198 , client byte count: 420991
    server pkt count : 23367 , server byte count: 34915173
    I have attached the config.
    Any Idea what is going on?

    What version do you have?
    I would recommend to run the very recent A1.4.
    This is something that really should work.
    Gilles.

  • ACE Module Radius with ACS 4.2

    Hi,
    I am able to authenticate to my ACE modules via Radius, but when I log in it does not give me Admin rights. Does anyone have a fix for this? My ACS admin has been working with TAC since last week to no avail.
    John...

    You have to use a custom AV pair on the TACACS server under user setup to make it work. ACE uses RBAC (Role Based Access Control), and for that you have to pass the context and user role from the TACACS server to ACE to make it work. If no RBAC info is pushed from the TACACS server and the user just gets authenticated, then the default role assigned by ACE is Network-Monitor.
    The following steps (on the TACACS server) will make it work:
    1. Select your user
    2. Go to TACACS+ settings
    3. Select the "shell (exec)" checkbox
    4. Select the "custom attributes" checkbox
    5. Type your context and role information in the custom attrib box, using the following format
    shell:*
    For example (if the context name is Admin, the domain is default-domain and you want to assign role "Admin" to this user):
    shell:Admin*Admin default-domain
    Hope it helps
    Syed
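
An added example (not part of the original answer): a small audit of the custom attribute strings described above, reporting which users would silently end up with the Network-Monitor default and which get a different role than intended. The layout is inferred from the one example in the answer; accepting "=" as well as "*" as the separator, exact-match context names, the user records and all function names are assumptions made for the example.

```python
import re

# Role the answer above says ACE assigns when no RBAC info is pushed.
DEFAULT_ROLE = "Network-Monitor"

# Layout inferred from the answer's example "shell:Admin*Admin default-domain":
#   shell:<context>*<role> <domain> [<domain> ...]
# Assumption: "=" is accepted as the separator in addition to "*".
AVPAIR = re.compile(
    r"^shell:(?P<context>[^\s*=]+)[*=](?P<role>\S+)(?P<domains>(?:[ \t]+\S+)*)[ \t]*$"
)


def parse_avpair(value):
    """Return (context, role, domains), or None if the string does not fit."""
    m = AVPAIR.match(value.strip())
    if not m:
        return None
    return m.group("context"), m.group("role"), tuple(m.group("domains").split())


def effective_role(avpairs, context):
    """Role a user ends up with in `context` (exact-match context name assumed).

    The first attribute naming the context wins; with none, the user is
    authenticated but lands on DEFAULT_ROLE, the symptom in the question.
    """
    for value in avpairs:
        parsed = parse_avpair(value)
        if parsed and parsed[0] == context:
            return parsed[1]
    return DEFAULT_ROLE


def audit(users):
    """Compare what each user is meant to get with what the attributes grant.

    `users` maps a user name to {"avpairs": [...], "expected": {context: role}}.
    Returns a list of (user, kind, detail) findings.
    """
    findings = []
    for name, info in sorted(users.items()):
        for value in info["avpairs"]:
            if parse_avpair(value) is None:
                findings.append((name, "malformed", value))
        for context, wanted in sorted(info["expected"].items()):
            got = effective_role(info["avpairs"], context)
            if got != wanted:
                kind = "fallback-to-default" if got == DEFAULT_ROLE else "role-mismatch"
                findings.append((name, kind, f"{context}: expected {wanted}, gets {got}"))
    return findings


# Constructed sample records (not taken from any real AAA server).
SAMPLE_USERS = {
    # Authenticates, but no attribute is configured at all.
    "alice": {"avpairs": [], "expected": {"Admin": "Admin"}},
    # The example string from the answer.
    "bob": {"avpairs": ["shell:Admin*Admin default-domain"],
            "expected": {"Admin": "Admin"}},
    # Meant to be read-only, but carries an Admin attribute.
    "carol": {"avpairs": ["shell:Admin*Admin default-domain"],
              "expected": {"Admin": "Network-Monitor"}},
    # Format line pasted without context and role filled in.
    "dave": {"avpairs": ["shell:*"], "expected": {"Admin": "Admin"}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS):
        print(*finding, sep=" | ")
```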

  • Inventory collection fails for ACE module (RME 4.3.1)

    I am trying to collect the inventory and ultimately the configurations for my ACE modules. When I try to do an inventory collection I get the error
    Device sensed, but collection failed
    Anybody have any ideas?
    Chris

    Post your IC_Server.log.

  • ACE MODULE IN BRIDGE MODE NOT LOADBALANCING

    Hi,
    I setup an ace module in bridge mode as follows:
    mfsc(vla80) > (vla80)outside fwsm, fwsm inside(vla40) > (vla40)ace-clientside, aceserverside(vla41)
    and the servers have the fwsm svi(vla40) as their gateway. But, the ace is not loadbalancing.
    The config script is attached. Is there anything I am missing?

    Check my troubleshooting guide on this forum.
    There are few things to do to narrow down the issue.
    Gilles.


    Dear All, I was having one scenario in the Dev server which was having all the objects in it like namespace, DT, MT, MI, MM & IM. After  testing now I want to delete the complete scenario from Repository. I have deleted all the objects like DT, MT, M