HOWTO: Poll Server farm stats on ACE module

Hi All,
We are currently working on providing network monitoring information of our server farms programmed on our ACE modules. What are the best OIDs to use?

Hi Rob,
Unless there's something already out with the release of code 4.X and ACE 30, then I'd say the MIB that can help you here would be the CISCO-ENHANCED-SLB-MIB.
Here is the info from the SNMP object navigator
http://xrl.us/bk2vmo
Here is the list of supported MIBs by the ACE module just for reference and download
ftp://ftp.cisco.com/pub/mibs/supportlists/ace/ace-supportlist.html
HTH
Pablo

Similar Messages

  • Client accessing a specific server under a vip ACE Module

    Hi All,
    I have a need to allow QA/developers to check updated applications on a particular server.
    Is there any way on an ACE blade to allow a client to access a particular server under a vip?
    The ACE is configured in Routed mode and the version is A2.3.4.
    Any help or PDFs would be much appreciated.
    Thanks.
    Jack.

    Hi,
    Thanks for the response.
    I have one more query, that I would appreciate some assistance with.
    If I have an existing serverfarm with 6 rservers in it, is there any way to direct a specific client to a specific server?
    I understand in one respect that if they are all inservice this may not be possible, but I thought I would ask the question anyway.
    Thanks again for the assistance.
    Jack

  • VIP still reachable even if primary server farm is down

    Hi,
    I want to make sure that a VIP is not PING-able anymore when the primary server farm is down (all servers are down).
    For that I have the following configuration :
    serverfarm host NCL_FARM_TEST
    probe NCL_PROBE_HTTP
    rserver CHPAUN028 443
    inservice
    policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
    description *** Load balancing rule for test in http mode ***
    class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
    policy-map multi-match VIP_PROD_AND_TEST
    class L4_CLASS_NCL_TEST_HTTP
    loadbalance vip inservice
    loadbalance policy L7_POLICY_NCL_TEST_HTTP
    loadbalance vip icmp-reply active primary-inservice
    nat dynamic 2 vlan 115
    appl-parameter http advanced-options NCL_HTTP_PARAM
    While testing this feature, I realize that the VIP is still reachable (PING), even if the server in the farm is in PROBE_FAILED status (for the test, I have only one rserver in the farm).
    Here is the server farm status, while PING is still possible :
    CH01AC03/P-115-A# sh serverfarm NCL_FARM_TEST detail
    serverfarm : NCL_FARM_TEST, type: HOST
    total rservers : 1
    active rservers: 0
    description : *** Test Server Farm ***
    state : INACTIVE
    predictor : ROUNDROBIN
    failaction : -
    back-inservice : 0
    partial-threshold : 0
    num times failover : 27
    num times back inservice : 28
    total conn-dropcount : 0
    Probe(s) :
    NCL_PROBE_HTTP, type = HTTP
    ----------connections-----------
    real weight state current total failures
    ---+---------------------+------+------------+----------+----------+---------
    rserver: CHPAUN028
    10.240.3.128:443 8 PROBE-FAILED 0 609 8
    description : -
    max-conns : - , out-of-rotation count : -
    min-conns : -
    conn-rate-limit : - , out-of-rotation count : -
    bandwidth-rate-limit : - , out-of-rotation count : -
    retcode out-of-rotation count : -
    In the documentation, regarding the command "vip loadbalance icmp-reply active primary-inservice", it is stated that the ACE should discard ping packets if all servers in the primary server farm are down.
    I probably missed something, but what?
    Here is the service-policy status :
    Policy-map : VIP_PROD_AND_TEST
    Status : ACTIVE
    Interface: vlan 1 115
    class: L4_CLASS_NCL_TEST_HTTP
    nat:
    nat dynamic 2 vlan 115
    curr conns : 0 , hit count : 56
    dropped conns : 0
    client pkt count : 809 , client byte count: 231750
    server pkt count : 1262 , server byte count: 1375334
    conn-rate-limit : 0 , drop-count : 0
    bandwidth-rate-limit : 0 , drop-count : 0
    loadbalance:
    L7 loadbalance policy: L7_POLICY_NCL_TEST_HTTP
    VIP ICMP Reply : ENABLED-WHEN-PRIMARY-SF-UP
    VIP State: INSERVICE
    Persistence Rebalance: ENABLED
    curr conns : 0 , hit count : 56
    dropped conns : 0
    client pkt count : 809 , client byte count: 231750
    server pkt count : 1262 , server byte count: 1375334
    conn-rate-limit : 0 , drop-count : 0
    bandwidth-rate-limit : 0 , drop-count : 0
    compression:
    bytes_in : 1052393
    bytes_out : 309229
    Compression ratio : 70.61%
    Parameter-map(s):
    NCL_HTTP_PARAM
    Thank you for any hints,
    Yves Haemmerli

    Gilles,
    I have effectively four different policy maps:
    - one for PROD when the client arrives with HTTP
    - one for PROD when the client arrives with HTTPS
    - one for TEST when the client arrives with HTTP
    - one for TEST when the client arrives with HTTPS
    However, the PROD and the TEST environments use different server farms. I am testing the icmp-reply feature on the TEST environment. In the TEST environment, both Layer-7 policy maps use the same server farm.
    Here are the four policy maps:
    policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTP
    description *** Load balancing rule for production in http mode ***
    class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
    class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTP
    policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTPS
    description *** Load balancing rule for production in https mode ***
    class L7_CLASS_PROD
    serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
    class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_PROD_HTTPS
    policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
    description *** Load balancing rule for test in http mode ***
    class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    compress default-method gzip
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
    class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTP
    policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTPS
    description *** Load balancing rule for test in https mode ***
    class L7_CLASS_TEST
    serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
    insert-http Source-IP header-value "%is"
    insert-http Remote-Port header-value "%pd"
    ssl-proxy client NCL_SSL_CLIENT
    class L7_CLASS_REDIRECT
    serverfarm NCL_REDIRECT_FARM_TEST_HTTPS
    Yves

  • Maximum number of Real Servers and Server Farms in ACE30 Module

    Hi All,
    Need help for below queries.
    What are the maximum number of real servers, server farms and virtual servers I can configure on ACE30 module?
    Is there any documentation available on the Cisco site where I can check this?
    Does it depend on the hardware or does it depend on the software version?
    Quick response would be really appreciated.
    Regards,
    Rachit.

    Hello Rachit,
    On the ACE module 30 you can have a maximum of: 16,383 rservers and 16,384 serverfarms
    This is not the same exact version which you have, but here you have some additional details:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/rsfarms.html#wp1014522
    The ACE supports a system-wide maximum of 8192 class maps, here you have the reference about it:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/classmap.html
    Jorge

  • ANM Server & ACE Module

    We have a Custom built tool to manage our existing CSS boxes wherein we shutdown multiple Services at one single instance without affecting the entire VIP. The reason to do that is because of the following scenario. 10 Servers. Each server has multiple interfaces configured to support multiple websites thru IIS. Out of the 10 Web servers if we plan to remove one server for code upgrade/deployment, we take that server and shutdown all its configured services from the CSS using our tool.
    I understand in ACE, the control is not at the Rserver level, but at the Server farm wherein you have all your servers configured for multiple ports. If I want to take a server (which is configured for multiple websites and multiple ports), I have to navigate to each server farm in the GUI (ANM) and then select the rserver one at a time. You know, it is time consuming.
    Since ANM uses mysql to store the data collected from ACE module, is there a way we can create custom tools to achieve our requirement? If possible, could you please provide us more information on the ACE/ANM interaction and the options to customize ANM features?
    I checked and found from the Cisco site that ANM 1.2 is the latest and only available software package to manage ACE in a GUI environment. Do you have any other recommendations or products?

    You can do it from the CLI.
    Each rserver is defined with just an ip address and you define the port when using the rserver in a serverfarm.
    By de-activating the rserver in global, you de-activate it in all serverfarms it is being used.
    This does not seem possible with ANM so.
    If you don't like CLI, you could use XML commands.
    Gilles.

  • ACE Module: Recover a real server probe-failed status

    How does the ACE module recover a real server that has entered a probe-failed state? We are doing some testing, purposely dropping a server's interface. ACE recognizes the server as being down and shows it in a probe-failed state. When we bring the system's interface back up, will ACE see this and automatically bring the state back into Operational status, or does someone have to do something on the ACE module?

    ACE continues to probe servers that are down or probe_failed. As soon as a server starts responding again its state will switch to alive again.
    Nothing to be done.
    Gilles.

  • ACE with sticky http-cookies across two server farms issue

    Hi,
    We need the same sticky http cookie to be applied to two server farms (which are actually the same servers but listening on different ports in each farm) to persist sessions to the same real backend server.
    e.g.
    Farm1 (front end HTTP service) - StickyGroup1
    rserver1 - 192.168.0.1:80
    rserver2 - 192.168.0.2:80
    rserver3 - 192.168.0.3:80
    Farm2 (SSL front end authentication service) - StickyGroup2
    rserver1 - 192.168.0.1:443
    rserver2 - 192.168.0.2:443
    rserver3 - 192.168.0.3:443
    We have setup two Sticky Groups (one for each of the farms above) both using the same cookie name e.g. cookieXYZ
    Our service is behind a single virtual server configured as follows (example URL and addresses):
    Virtual Server Configuration
    Virtual server name: www.somedomain.com
    Virtual IP: 2.2.2.2
    TCP/443 (https)
    SSL Termination - Proxy service name: www.somedomain.com (all keys and certs loaded and correct)
    L7 Load Balancing - **inline** rule match HTTP URL:(/AuthenticateMe/).*  Action : Sticky, Group: StickyGroup2, SSL Initiation enabled (www.somedomain.com)
    Default L7 Load Balancing action : Sticky, Group: StickyGroup1
    So normally we would expect users to first hit www.somedomain.com first and therefore Farm1, get cookieXYZ from the ACE (cookie insert is only enabled on StickyGroup1) and then be redirected to www.somedomain.com/AuthenticateMe which matches the inline URL L7 rule which directs the request at Farm2 - at this point we expected the ACE to use cookieXYZ to persist the user to the same real server hit in Farm1 but instead the stickiness doesn't seem to work.
    We suspect that the ACE uses IP:port as the unique value in the Cookie ID and therefore the ACE fails to match the same real host in a different farm because we are using a mix of port numbers across farms. Is this correct? Is there another way of accomplishing what we are after with a different configuration but still the same setup with single VIP and multiple services on the backend servers?
    Any suggestions or solutions appreciated.
    Thanks
    Paul

    The issue is related to the fact that it's not about persistence because there are only "new" services in the backend in SSL, you want to keep the IP address.
    With a little bit of dev, the only way to achieve this is to redirect the user when he has been sent to http and adding a "tag" (cookie / token in the URL), then on the SSL virtual server, when performing SSL offload, matching this tag to send the user to the right server. But it will be a 1-to-1 mapping.

  • ACE module not load balancing across two servers

    We are seeing an issue in a context on one of our load balancers where an application doesn't appear to be load balancing correctly across the two real servers.  At various times the application team is seeing active connections on only one real server.  They see no connection attempts on the other server.  The ACE sees both servers as up and active within the serverfarm.  However, a show serverfarm confirms that the load balancer sees current connections only going to one of the servers.  The issue is fixed by restarting the application on the server that is not receiving any connections.  However, it reappears again.  And which server experiences the issue moves back and forth between the two real servers, so it is not limited to just one of the servers.
    The application vendor wants to know why the load balancer is periodically not sending traffic to one of the servers.  I'm kind of curious myself.  Does anyone have some tips on where we can look next to isolate the cause?
    We're running A2(3.3).  The ACE module was upgraded to that version of code on a Friday, and this issue started the following Monday.  The ACE has 28 contexts configured, and this one context is the only one reporting any issues since the upgrade.
    Here are the show serverfarm statistics as of today:
    ACE# show serverfarm farma-8000
    serverfarm     : farma-8000, type: HOST
    total rservers : 2
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: server#1
           x.x.x.20:8000      8      OPERATIONAL  0          186617     3839
       rserver: server#2
           x.x.x.21:8000      8      OPERATIONAL  67         83513      1754

    Are you enabling the sticky feature? What kind of predictor are you using?
    If the sticky feature is enabled and one rserver goes down, traffic will lean to one side.
    Even after the rserver returns to up, traffic may continue to lean due to the sticky feature.
    The behavior seems to depend on the configuration.
    So, could you please let me know part of the configuration?
    Regards,
    Yuji
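
An added example, not part of the original thread or of any Cisco tooling: a small Python parser for the `show serverfarm` text quoted on this page, usable when the output is collected over a CLI session for monitoring. The two inputs are constructed samples modelled on the outputs quoted above; the function names and the `min_conns` threshold are assumptions.

```python
import re

# Constructed samples modelled on the "show serverfarm" output quoted on this page.
SKEWED = """\
serverfarm     : farma-8000, type: HOST
total rservers : 2
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: server#1
       x.x.x.20:8000      8      OPERATIONAL  0          186617     3839
   rserver: server#2
       x.x.x.21:8000      8      OPERATIONAL  67         83513      1754
"""

PROBE_FAILED = """\
serverfarm : NCL_FARM_TEST, type: HOST
total rservers : 1
active rservers: 0
state : INACTIVE
real weight state current total failures
rserver: CHPAUN028
10.240.3.128:443 8 PROBE-FAILED 0 609 8
max-conns : - , out-of-rotation count : -
"""

FARM_RE = re.compile(r"^\s*serverfarm\s*:\s*([^,\s]+)")
RSERVER_RE = re.compile(r"^\s*rserver:\s*(\S+)\s*$")
# addr:port  weight  state  current  total  [failures]
# The failures column is optional because some outputs on this page omit it.
STATS_RE = re.compile(
    r"^\s*(\S+):(\d+)\s+(\d+)\s+([A-Z][A-Z_-]+)\s+(\d+)\s+(\d+)(?:\s+(\d+))?\s*$"
)


def parse_serverfarm(text):
    """Return (farm_name, [rserver dicts]) from 'show serverfarm' text."""
    name, rservers, current_name = None, [], None
    for line in text.splitlines():
        m = FARM_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = RSERVER_RE.match(line)
        if m:
            current_name = m.group(1)
            continue
        m = STATS_RE.match(line)
        if m and current_name:
            addr, port, weight, state, cur, total, fail = m.groups()
            rservers.append({
                "name": current_name, "addr": addr, "port": int(port),
                "weight": int(weight), "state": state,
                "current": int(cur), "total": int(total),
                "failures": int(fail) if fail is not None else None,
            })
            current_name = None  # detail lines that follow are not stats rows
    return name, rservers


def health_findings(name, rservers, min_conns=20):
    """Return (subject, reason) tuples worth an operator's attention."""
    found = []
    up = [r for r in rservers if r["state"] == "OPERATIONAL"]
    for r in rservers:
        if r["state"] != "OPERATIONAL":
            found.append((r["name"], "state " + r["state"]))
    if rservers and not up:
        found.append((name, "no operational rservers"))
    farm_current = sum(r["current"] for r in up)
    # An idle but OPERATIONAL rserver in a busy farm is the symptom in this thread.
    if len(up) > 1 and farm_current >= min_conns:
        for r in up:
            if r["current"] == 0:
                found.append((r["name"],
                              "operational but idle while farm holds %d connections"
                              % farm_current))
    return found


if __name__ == "__main__":
    for sample in (SKEWED, PROBE_FAILED):
        farm, servers = parse_serverfarm(sample)
        print(farm, health_findings(farm, servers))
```
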

  • What is the maximum recommended number of probes, rservers, server-farms

    Team,
    What is the maximum recommended number of probes, rservers, server-farms, class-maps, policy-maps per context on an ACE module?
    Regards,
    John...

    John,
    A practical limit on ACE module is 4k each for probes, serverfarms, class-maps & policy-maps. Rserver instances can be up to 16K. These limits represent total per system. They may exist all in a single context if desired. These numbers will vary based on specific configuration requirements.
    For more specific guidance please reach out to your account team or technical marketing engineer.
    Other resource info can be found under Cisco Application Control Engine (ACE) Troubleshooting Guide -> ACE Module Resource Limits:
    http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide%2C_Release_A2%28x%29_--_ACE_Module_Resource_Limits
    DocWiki for ACE:
    http://docwiki.cisco.com/wiki/ACE
    HTH.

  • ACE module - Qos - set ip tos #

    All,
    Trying to mark traffic to/from L4 rules in the ACE.
    Documentation (like always) says it's really easy.  Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration.  Ok, so I do this, set ip tos 24.
    Enable qos globally on the 6500 host, but don't see the traffic being marked.
    sh mls qos says that packets are being modified by module 5 (ACE)
    But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
    sh mls qos:
    QoS is enabled globally
      Policy marking depends on port_trust
      QoS ip packet dscp rewrite enabled globally
      Input mode for GRE Tunnel is Pipe mode
      Input mode for MPLS is Pipe mode
    QoS Trust state is CoS on the following interface:
    Te3/1
    QoS Trust state is DSCP on the following interface:
    Gi2/3
      Vlan or Portchannel(Multi-Earl) policies supported: Yes
      Egress policies supported: Yes
    ----- Module [5] -----
      QoS global counters:
        Total packets: 207147888661
        IP shortcut packets: 0
        Packets dropped by policing: 0
        IP packets with TOS changed by policing: 2663386
        IP packets with COS changed by policing: 4889352
        Non-IP packets with COS changed by policing: 0
        MPLS packets with EXP changed by policing: 0
    Can someone explain to me what I've got wrong here?  Is the ACE simply marking traffic destined for the servers behind it and not the return traffic?  Am I misunderstanding something?

    Well... hopefully someone knows how to classify traffic coming from the ACE.
    I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it.  At least not the way I want.
    However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially successful solution.  Problem is, "partially" successful.
    You'll have a bunch of little conversations like this with no tos value full of push-acks:
    10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
    10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
    10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
    10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
    10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
    10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
    10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
    10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
    10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
    10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
    10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
    But then you'll see another conversation pop up with the correct markings
    10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
    I think what's happening is that the conversations full of the P-acks are the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on its way back to the client.
    I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either.  And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
    So.... PLEASE... Anyone???  Ideas???
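
An added example, not part of the original post: a Python summary of tcpdump text in the format quoted above, counting marked and unmarked packets per flow direction and decoding the TOS byte into precedence, DSCP and ECN. The sample lines are copied from the capture in the post; the function names are assumptions, and a line without a `[tos ...]` annotation is counted as unmarked.

```python
import re
from collections import defaultdict

# Sample lines copied from the capture quoted in the post above.
CAPTURE = """\
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
"""

# timestamp, source, destination, then the TCP flags token ("P", ".", "S", ...)
LINE_RE = re.compile(r"^\S+ (\S+) > (\S+): (\S+)")
TOS_RE = re.compile(r"\[tos 0x([0-9a-fA-F]+)")


def decode_tos(tos):
    """Split the 8-bit IPv4 TOS byte into its overlapping interpretations."""
    return {
        "tos": tos,
        "precedence": tos >> 5,  # top 3 bits (IP precedence)
        "dscp": tos >> 2,        # top 6 bits (DiffServ code point)
        "ecn": tos & 0x3,        # bottom 2 bits
    }


def summarize(text):
    """Per (src, dst): marked/unmarked counts, TOS values, and flag breakdown."""
    flows = defaultdict(lambda: {"marked": 0, "unmarked": 0,
                                 "tos": set(), "flags": defaultdict(int)})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a packet line
        src, dst, flags = m.groups()
        t = TOS_RE.search(line)
        flow = flows[(src, dst)]
        if t:
            flow["marked"] += 1
            flow["tos"].add(int(t.group(1), 16))
        else:
            flow["unmarked"] += 1
        # Keyed by (flags, marked?) so push and non-push segments can be compared.
        flow["flags"][(flags, bool(t))] += 1
    return dict(flows)


def mixed_marking(flows):
    """Flow directions that carry both marked and unmarked packets."""
    return sorted(k for k, v in flows.items() if v["marked"] and v["unmarked"])


if __name__ == "__main__":
    result = summarize(CAPTURE)
    for key in mixed_marking(result):
        values = [decode_tos(v) for v in sorted(result[key]["tos"])]
        print(key, result[key]["marked"], result[key]["unmarked"], values)
```
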

  • Simple SLB with the ACE Module

    Hello,
    I have some problems with an ACE module I am currently testing.
    I have a simple serverfarm with two servers.
    But there seem to be some problems with the load balancing that I do not understand:
    1) I use Round Robin, but the ACE seems to put me several times on the same server. I notice this because I have different content on both servers, also different URLs.
    2) With the show serverfarm statement, the total connections do not increment.
    switch/slb-c1# show serverfarm webfarm
    serverfarm : webfarm, type: HOST
    total rservers : 2
    ----------connections-----------
    real weight state current total
    ---+---------------------+------+------------+----------+--------------------
    rserver: web1
    10.0.33.201:0 8 OPERATIONAL 0 0
    rserver: web2
    10.0.33.200:0 8 OPERATIONAL 0 0
    switch/slb-c1# show service-policy L4_LB_VIP
    Status : ACTIVE
    Interface: vlan 300
    service-policy: L4_LB_VIP
    class: L4_VIP_CLASS
    loadbalance:
    L7 loadbalance policy: L7_SLB_POLICY
    VIP Route Metric : 77
    VIP Route Advertise : DISABLED
    VIP ICMP Reply : ENABLED
    VIP State: INSERVICE
    curr conns : 0 , hit count : 15
    dropped conns : 0
    client pkt count : 10198 , client byte count: 420991
    server pkt count : 23367 , server byte count: 34915173
    I have attached the config.
    Any idea what is going on?

    What version do you have?
    I would recommend to run the very recent A1.4.
    This is something that really should work.
    Gilles.

  • Bizarre ACE module behavior

    Hi,
    I configured a new serverfarm with leastconns predictor for two servers on our ACE module Version A2(2.3). Probes (show probes XX detail) to the servers are successful and both servers are operational (show serverfarm APPLI detail) but connections are directed only to one server.
    When I deactivated the server which is receiving the connections (no inservice), the ACE starts to direct connections to the second server.
    There are several serverfarms, configured the same way, that are load balancing traffic correctly.
    Here is a sample of my config
    serverfarm host TEST_443
    predictor leastconns
      probe TEST_443_PROBE01
      rserver TEST_RS01 443
        inservice
      rserver TEST_RS02 443
        inservice
    sticky http-cookie TEST_HTTPS TEST_443_STKY
      cookie insert
      timeout 720
      replicate sticky
      serverfarm TEST_443
    probe http TEST_443_PROBE01
      port 443
      interval 20
      passdetect interval 60
      passdetect count 5
      request method get url /test
      expect status 302 302
      connection term forced
    policy-map type loadbalance first-match TEST_L7PLB_HTTPS
      class class-default
        sticky-serverfarm TEST_443_STKY_SF
        insert-http X-Forwarded-Proto header-value "https"
        insert-http X-Forwarded-For header-value "%is"
    policy-map multi-match SLB-HTTP-POLICY
    class TEST_L4VIP_HTTPS
        loadbalance vip inservice
        loadbalance policy TEST_L7PLB_HTTPS
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        nat dynamic 1 vlan 202
        appl-parameter http advanced-options PERSIST
        ssl-proxy server TEST_SSL_PROXY_SERVER
    PS: ACE uptime is 291 days; could that impact ACE behavior?
    Thanks for any troubleshooting hints

    Looking at this on my phone, but it looks like your L7 policy is referencing a sticky server farm that does not exist,
    i.e. TEST_443_STKY_SF is the incorrect name for the sticky.
    If that's not it, then check that the first server actually has a number of conns on it when a new connection is established. Sometimes when both servers have 0 conns, new incoming conns will always go to the first server.
    Regards
    Stephen

  • Failover between server farms

    Hi,
    I'm requesting advice on the problem below:
    - I have 2 datacenters with one server farm in each DC and 5 servers behind each server farm
    - each server has a 5k max connection limit in each server farm
    - I want to be able to fail over from one SF to another when max connections for the server farm reach 25k (that means each of the 5 servers has reached its max conn)
    Can I do that with partial-threshold?
    In the Cisco documentation it's stated: "Each time that a server is taken out of service (for example, using the CLI, a probe failure, or the retcode threshold is exceeded), the ACE is updated"
    Would max-conn exceeded be equivalent to "out of service"?
    Thanks for any contribution.
    Cheers

    Hi,
    I believe the Cisco ACE platform, because of its H/W design, will not do failover for partial-threshold when the primary server farm's servers have reached the "MAXCONN" state and partial-threshold triggers. You will observe connection drops in that condition.
    For your setup I would suggest using a simple backup server farm with no partial threshold. This works, and when all the servers in the serverfarm are no longer usable (out of service or maxconn), the backup server farm will be activated.

  • Per-ServerFarm SNAT on ACE Module.

    Dear all,
    I have an ACE Module configured in Multiple Routed Contexts.
    My cust wants to configure some NAT feature that prevents the real server IP address from appearing outside the ACE. They want the only IP address outside the ACE to be the Virtual IP Address (VIP) that represents the serverfarm.
    Also, the cust wants different serverfarms to communicate with each other within the same VLAN.
    I was reading and the option that accomplishes both tasks is Dynamic (PAT) Per-ServerFarm SNAT using the VIP address.
    Is this correct?
    The software version is A2(3,5).
    Thanks a lot!
    David

    Hi David
    Could you please clarify and maybe separate the tasks you have?
    As I understand, you have these tasks for now:
    1) Don't show rserver IPs anywhere outside ACE
    2) Servers in the same VLAN should be able to communicate with the serverfarm which is located in the same VLAN via VIP
    The first task is a little bit unclear. I mean, actually you have the VIP outside of ACE and all outside clients communicate with the serverfarm via VIP and don't need to know rserver IPs (e.g. they can even be private and the VIP public, if we're talking about Internet).
    Or do you mean that rservers need to communicate with outside world through ACE but you want to NAT these flows too ?
    2) Yes, it's possible. For such configuration you need to create a service policy, with the same VIP and configuration as you have for outside interface and put it on inside interface. The only one key difference is that you need to add NAT statement , because return traffic should go to ACE and as rservers and clients in this case are in the same VLAN, you need to use NAT.
    E.g.
    policy-map multi-match VIP_IN
    class MY-CLASS
    loadb vip ins
    loadb policy MY-L7Policy
    nat dynamic 1 vlan X << - inside interface
    and then on inside interface
    inter vlan X
    nat-pool 1 Y.Y.Y.Y netmask 255.255.255.255 pat
    In this case it will work in this way: say you have servers in vlan 10. Servers #1 and #2 are rservers in your serverfarms and server #3 wants to connect to the serverfarm through the VIP. Let's say that vlan 10 has subnet 10.0.0.0/24 and the VIP for this serverfarm is 8.8.8.8. When you configure it like I wrote above, this will happen:
    Server #3 connects to 8.8.8.8, traffic goes to ACE as a gateway, and as you have a policy map on the inside interface which catches traffic to 8.8.8.8, ACE will catch it and process it. You have a SNAT statement there, so ACE will perform standard load balancing and replace the source IP with the NAT IP (say 10.0.0.100), thus when server #1, which gets this load-balanced traffic, receives it, it will send return traffic to 10.0.0.100, thus to ACE.

  • ACE modules reloaded

    Hi Experts,
    We had an issue with our datacentre ACE modules. Both the primary and DR ACE modules restarted 16 hours apart.
    Unfortunately syslog was not configured on the ACE and local logging got cleared after the restart.
    The current IOS version is A2(3.2). The modules' uptime was around 300 days.
    Here is the log from the 6509 switch during the restart:
    Primary DC 6509-1 .
    Jul 10 18:52:05.383 WAT: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
    .Jul 10 18:56:47.291 WAT: %SNMP-5-MODULETRAP: Module 9 [Down] Trap
    Jul 10 18:56:47.127 WAT: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Reset - Module Reloaded During Download)
    Jul 10 18:56:47.271 WAT: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Reset - Module Reloaded During Download)
    Jul 10 18:57:00.951 WAT: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Module not responding to Keep Alive polling)
    Jul 10 18:57:00.951 WAT: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Module not responding to Keep Alive polling)
    Jul 10 19:01:57.172 WAT: %DIAG-SP-6-RUN_MINIMUM: Module 9: Running Minimal Diagnostics...
    .Jul 10 19:01:59.256 WAT: %SNMP-5-MODULETRAP: Module 9 [Up] Trap
    Jul 10 19:01:58.700 WAT: %DIAG-SP-6-DIAG_OK: Module 9: Passed Online Diagnostics
    Jul 10 19:01:59.256 WAT: %OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now online
    .Jul 10 19:02:04.548 WAT: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
    DR DC 6509-1 .
    Jul 11 09:42:05.759: %LINK-5-CHANGED: Interface TenGigabitEthernet9/1, changed state to administratively down .
    Jul 11 09:42:05.763: %SNMP-5-MODULETRAP: Module 9 [Down] Trap
    .Jul 11 09:42:05.763: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet9/1, changed state to down
    Jul 11 09:42:05.599: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Reset - Module Reloaded During Download)
    Jul 11 09:42:05.747: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Reset - Module Reloaded During Download)
    Jul 11 09:42:05.767: %LINK-SP-5-CHANGED: Interface TenGigabitEthernet9/1, changed state to administratively down
    Jul 11 09:42:05.771: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet9/1, changed state to down .
    Jul 11 09:42:14.535: %SVCLC-5-SVCLCNTP: Could not update clock on the module 9, rc is -1
    Jul 11 09:42:19.395: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Module not responding to Keep Alive polling)
    Jul 11 09:42:19.395: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Module not responding to Keep Alive polling)
    Jul 11 09:47:15.819: %DIAG-SP-6-RUN_MINIMUM: Module 9: Running Minimal Diagnostics... .
    Jul 11 09:47:19.871: %MLS_RATE-4-DISABLING: The global switching mode is now 'truncated'. Disabling the Layer2 Rate Limiters. .
    Jul 11 09:47:19.903: %SNMP-5-MODULETRAP: Module 9 [Up] Trap
    Jul 11 09:47:19.633: %DIAG-SP-6-DIAG_OK: Module 9: Passed Online Diagnostics
    Jul 11 09:47:19.905: %OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now online .
    Jul 11 09:47:21.079: %LINK-5-CHANGED: Interface TenGigabitEthernet9/1, changed state to administratively down
    Jul 11 09:47:20.912: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet9/1, changed state to down
    Jul 11 09:47:21.080: %LINK-SP-5-CHANGED: Interface TenGigabitEthernet9/1, changed state to administratively down
    .Jul 11 09:47:25.039: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
    .Jul 11 09:47:25.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet9/1, changed state to up
    Jul 11 09:47:24.520: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet9/1, changed state to down
    Jul 11 09:47:25.056: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet9/1, changed state to up
    Jul 11 09:47:25.060: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet9/1, changed state to up
    Please let me know: did anyone face this issue before, or is it a known bug?

    Hi All, Thanks for the help. Got the reason from the show version output.
    last boot reason:  NP 1 Failed : SRAM Parity Error Chan 3
    Also got the TAC comment on the SRAM parity error:
    The SRAM parity error presented in the core file is not due to a software issue.
    The issue is the result of a "bit-flip" within the SRAM itself which can occur as a
    result of environmental conditions. This "bit-flip" is rectified by a simple reboot of
    the system, which would occur with the generation of the core file. Cisco internal
    testing and customer experience has shown that these types of issues can occur
    with very low frequency, but do not require an RMA of the device.
    If there are multiple instances of this issue on the same module, a proactive RMA/EFA
    of the device would be in order.
    ACE is susceptible to this because of the way it uses SRAM to store control information
    and packet data as opposed to scratch-pad storage. Almost any 1-bit flip will be detected as a
    parity error. Cisco has recognized the issue and is taking action to ensure this will not be
    an issue on the next generation of the ACE module. The next generation module design
    and timeline is currently under review.
    Thanks again for the help
    Aslam
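
Added example, not part of the original posts: because the ACE's own log was lost on reload, the switch-side syslog is the only record of the outage, so this sketch pairs each module's first %OIR-SP-3-PWRCYCLE message with the following %OIR-SP-6-INSCARD message to recover the outage window and the reset reasons. The function name, the `year` parameter and the sample strings (lines copied from the logs above) are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed samples: lines copied from the two switch logs quoted in the thread.
PRIMARY_LOG = """\
Jul 10 18:56:47.127 WAT: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Reset - Module Reloaded During Download)
Jul 10 18:57:00.951 WAT: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Module not responding to Keep Alive polling)
.Jul 10 19:01:59.256 WAT: %SNMP-5-MODULETRAP: Module 9 [Up] Trap
Jul 10 19:01:59.256 WAT: %OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now online
"""
DR_LOG = """\
Jul 11 09:42:05.599: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Reset - Module Reloaded During Download)
Jul 11 09:42:19.395: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Module not responding to Keep Alive polling)
Jul 11 09:47:19.903: %SNMP-5-MODULETRAP: Module 9 [Up] Trap Jul 11 09:47:19.633: %DIAG-SP-6-DIAG_OK: Module 9: Passed Online Diagnostics Jul 11 09:47:19.905: %OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now online .
"""

STAMP = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+"
MSG = re.compile(rf"({STAMP})(?: [A-Z]+)?: %([\w-]+): (.*)")

def module_outages(log_text, year=2000):
    """Pair each module's first PWRCYCLE message with its next INSCARD message."""
    open_, done = {}, []
    # Split before every timestamp so messages fused onto one line still parse.
    for chunk in re.split(rf"(?={STAMP})", log_text):
        m = MSG.match(chunk)
        if not m:
            continue
        stamp, mnemonic, text = m.groups()
        # Syslog omits the year; `year` is an assumption supplied by the caller.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S.%f")
        if mnemonic.endswith("-PWRCYCLE"):
            d = re.search(r"module (\d+),.*\((.*)\)", text)
            if not d:
                continue
            ev = open_.setdefault(int(d.group(1)), {"down": when, "reasons": []})
            ev["down"] = min(ev["down"], when)  # SP/RP messages can arrive out of order
            if d.group(2) not in ev["reasons"]:
                ev["reasons"].append(d.group(2))
        elif mnemonic.endswith("-INSCARD"):
            s = re.search(r"slot (\d+)", text)
            if s and int(s.group(1)) in open_:
                ev = open_.pop(int(s.group(1)))
                done.append({"module": int(s.group(1)), "down": ev["down"], "up": when,
                             "seconds": (when - ev["down"]).total_seconds(), "reasons": ev["reasons"]})
    return done

if __name__ == "__main__":
    for o in module_outages(PRIMARY_LOG) + module_outages(DR_LOG):
        print(o["module"], o["down"], f'{o["seconds"]:.3f}s', o["reasons"])
```

A module that has a PWRCYCLE message but no later INSCARD message is left out of the result, which is the case worth alerting on separately.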
