HOWTO: Poll Server farm stats on ACE module
Hi All,
We are currently working on providing network monitoring information of our server farms programmed on our ACE modules, what is the best OID's to use?
Hi Rob,
Unless there's something already out with the release of code 4.X and ACE 30 then I'd say the MIB that can help you here would be the .CISCO-ENHANCED-SLB-MIB
Here is the info from the SNMP object navigator
http://xrl.us/bk2vmo
Here is the list of supported MIBs by the ACE module just for reference and download
ftp://ftp.cisco.com/pub/mibs/supportlists/ace/ace-supportlist.html
HTH
Pablo
Similar Messages
-
Client accessing a specific server under a vip ACE Module
Hi All,
I have a need to allow QA/developers to check updated appliactions on a particluar server.
Is there any way on an ACE blade to allow a client to access a particular server under a vip?
The ACE is configured in Routed mode and the version is A2.3.4.
Any help or pdf's would be much appreciated.
Thanks.
Jack.Hi,
Thanks for the response.
I have one more query, that I would appreciate some assistance with.
If I have an exisitng serverfarm with 6 rservers in it, is there any way to direct a specific client to a specific server.
I understand in one respect that if they are all inservice this may not be possible, but I thought I would ask the question anyway.
Thanks again for the assistance.
Jack -
VIP still reachable even if primary server farm is down
Hi,
I want to make sure that the a VIP is not PING-able anymore when the primary server farm is down (all servers are down).
For that I have the following configuration :
serverfarm host NCL_FARM_TEST
probe NCL_PROBE_HTTP
rserver CHPAUN028 443
inservice
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
description *** Load balancing rule for test in http mode ***
class L7_CLASS_TEST
serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
compress default-method gzip
insert-http Source-IP header-value "%is"
insert-http Remote-Port header-value "%pd"
ssl-proxy client NCL_SSL_CLIENT
policy-map multi-match VIP_PROD_AND_TEST
class L4_CLASS_NCL_TEST_HTTP
loadbalance vip inservice
loadbalance policy L7_POLICY_NCL_TEST_HTTP
loadbalance vip icmp-reply active primary-inservice
nat dynamic 2 vlan 115
appl-parameter http advanced-options NCL_HTTP_PARAM
While testing this feature, I realize that the VIP is still reachable (PING), even if the server in the farm is in PROBE_FAILED status (For test, I have only one srserver in the farm).
Here is the server farm status, while PING is still possible :
CH01AC03/P-115-A# sh serverfarm NCL_FARM_TEST detail
serverfarm : NCL_FARM_TEST, type: HOST
total rservers : 1
active rservers: 0
description : *** Test Server Farm ***
state : INACTIVE
predictor : ROUNDROBIN
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 27
num times back inservice : 28
total conn-dropcount : 0
Probe(s) :
NCL_PROBE_HTTP, type = HTTP
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: CHPAUN028
10.240.3.128:443 8 PROBE-FAILED 0 609 8
description : -
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
In the documentation, the following is written regarding the command "vip loadbalance icmp-reply active primary-inservice" it is stated that the ACE shold discard ping packets if all servers in the primary server farm are down.
I probably missed something, but what ?
Here is the service-policy status :
Policy-map : VIP_PROD_AND_TEST
Status : ACTIVE
Interface: vlan 1 115
class: L4_CLASS_NCL_TEST_HTTP
nat:
nat dynamic 2 vlan 115
curr conns : 0 , hit count : 56
dropped conns : 0
client pkt count : 809 , client byte count: 231750
server pkt count : 1262 , server byte count: 1375334
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: L7_POLICY_NCL_TEST_HTTP
VIP ICMP Reply : ENABLED-WHEN-PRIMARY-SF-UP
VIP State: INSERVICE
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 56
dropped conns : 0
client pkt count : 809 , client byte count: 231750
server pkt count : 1262 , server byte count: 1375334
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 1052393
bytes_out : 309229
Compression ratio : 70.61%
Parameter-map(s):
NCL_HTTP_PARAM
Thank you for any hints,
Yves HaemmerliGilles,
I have effectively four diferent policy maps :
- one for PROD when the client arrives withh HTTP
- one for PROD when the client arrives with HTTPS
- one for TEST when the client arrives with HTTP
one for TEST when the client arrives with HTTPS
However, the PROD and the TEST environemnts use different server farms. I am testing the icmp-reply feature on the TEST environment. In the TEST environment, both Layer-7 policy maps use the same server farm.
Here are the four polici maps :
policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTP
description *** Load balancing rule for production in http mode ***
class L7_CLASS_PROD
serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
insert-http Source-IP header-value "%is"
insert-http Remote-Port header-value "%pd"
ssl-proxy client NCL_SSL_CLIENT
class L7_CLASS_REDIRECT
serverfarm NCL_REDIRECT_FARM_PROD_HTTP
policy-map type loadbalance http first-match L7_POLICY_NCL_PROD_HTTPS
description *** Load balancing rule for production in https mode ***
class L7_CLASS_PROD
serverfarm NCL_FARM_PROD backup NCL_REDIRECT_FARM_SORRY
insert-http Source-IP header-value "%is"
insert-http Remote-Port header-value "%pd"
ssl-proxy client NCL_SSL_CLIENT
class L7_CLASS_REDIRECT
serverfarm NCL_REDIRECT_FARM_PROD_HTTPS
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTP
description *** Load balancing rule for test in http mode ***
class L7_CLASS_TEST
serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
compress default-method gzip
insert-http Source-IP header-value "%is"
insert-http Remote-Port header-value "%pd"
ssl-proxy client NCL_SSL_CLIENT
class L7_CLASS_REDIRECT
serverfarm NCL_REDIRECT_FARM_TEST_HTTP
policy-map type loadbalance http first-match L7_POLICY_NCL_TEST_HTTPS
description *** Load balancing rule for test in https mode ***
class L7_CLASS_TEST
serverfarm NCL_FARM_TEST backup NCL_REDIRECT_FARM_SORRY
insert-http Source-IP header-value "%is"
insert-http Remote-Port header-value "%pd"
ssl-proxy client NCL_SSL_CLIENT
class L7_CLASS_REDIRECT
serverfarm NCL_REDIRECT_FARM_TEST_HTTPS
Yves -
Maximum number of Real Servers and Server Farms in ACE30 Module
Hi All,
Need help for below queries.
What are the maximum number of real servers, server farms and virtual servers i can configure on ACE30 module?
Is there any documentation available on cisco site where i can check this?
Does it depend on the hardware or does it depend on the software version?
Quick response would be really appreciated.
Regards,
Rachit.Hello Rachit,
On the ACE module 30 you can have a maximum of: 16,383 rservers and 16,384 serverfarms
This is not the same exact version which you have but here you have some addtional details:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/rsfarms.html#wp1014522
The ACE supports a system-wide maximum of 8192 class maps, here you have the reference about it:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/classmap.html
Jorge -
We have a Custom built tool to manage our existing CSS boxes wherein we shutdown multiple Services at one single instance without affecting the entire VIP. The reason to do that is because of the following scenario. 10 Servers. Each server has multiple interfaces configured to support multiple websites thru IIS. Out of the 10 Web servers if we plan to remove one server for code upgrade/deployment, we take that server and shutdown all its configured services from the CSS using our tool.
I understand in ACE, the control is not at the Rserver level, but at the Server farm wherein you have all you servers configured for multiple ports. If I want to take a server (which is configured for multiple websites and multiple ports), I have to navigate to each server farm in the GUI (ANM) and then select the rserver one at a time..U know, it is time consuming..
Since ANM uses mysql to store the data collected from ACE module, is there a way we can create custom tools to achieve our requirement. If possible, Could you please provide us more information on the ACE/ANM Interaction and the options to customize ANM features?
I checked and found from CISCO Site that ANM 1.2 is the latest and only available Software package to Manage ACE in GUI environment. Do you have any other recommendations are products?you can do it from the CLI.
Each rserver is defined with just an ip address and you define the port when using the rserver in a serverfarm.
By de-activating the rserver in global, you de-activate it in all serverfarms it is being used.
This does not seem possible with ANM so.
If you don't like CLI, you could use XML commands.
Gilles. -
ACE Module: Recover a real server probe-failed status
How does the ACE module recover a real server that has entered a probe-failed status state? We are doing some testing, purposely dropping a servers interface. ACE recognizes the server as being down and show it in a probe-failed state. When we bring the system's interface back up, will ACE see this and automatically bring the state back into Operational status, or does someone have to do something on the ACE module?
ACE continues to probe servers that are down or probe_failed. As soon as a server starts responding again its state will switch to alive again.
Nothing to be done.
Gilles. -
ACE with sticky http-cookies across two server farms issue
Hi,
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
We need the same sticky http cookie to applied to two server farms (which are actually the same servers but listening on different ports in each farm) to persist sessions to the same real backend server.
e.g.
Farm1 (front end HTTP service) - StickyGroup1
rserver1 - 192.168.0.1:80
rserver2 - 192.168.0.2:80
rserver3 - 192.168.0.3:80
Farm2 (SSL front end authentication service) - StickyGroup2
rserver1 - 192.168.0.1:443
rserver2 - 192.168.0.2:443
rserver3 - 192.168.0.3:443
We have setup two Sticky Groups (one for each of the farms above) both using the same cookie name e.g. cookieXYZ
Our service is behind a single virtual server configured as follows (example URL and addresses):
Virtual Server Configuration
Virtual server name: www.somedomain.com
Virtual IP: 2.2.2.2
TCP/443 (https)
SSL Termination - Proxy service name: www.somedomain.com (all keys and certs loaded and correct)
L7 Load Balancing - **inline** rule match HTTP URL:(/AuthenticateMe/).* Action : Sticky, Group: StickyGroup2, SSL Initiation enabled (www.somedomain.com)
Default L7 Load Balancing action : Sticky, Group: StickyGroup1
So normally we would expect users to first hit www.somedomain.com first and therefore Farm1, get cookieXYZ from the ACE (cookie insert is only enabled on StickyGroup1) and then be redirected to www.somedomain.com/AuthenticateMe which matches the inline URL L7 rule which directs the request at Farm2 - at this point we expected the ACE to use cookieXYZ to persist the user to the same real server hit in Farm1 but instead the stickiness doesn't seem to work.
We suspect that the ACE uses IP:port as the unique value in the Cookie ID and therefore the ACE fails to match the same real host in a different farm because we are using a mix of port numbers across farms. Is this correct? Is there another way of accomplishing what we are after with a different configuration but still the same setup with single VIP and multiple services on the backend servers?
Any suggestions or solutions appreciated.
Thanks
PaulThe issue is related to the fact that it's not about persistence because there are only "new" services in the backend in SSL, you want to keep the IP address.
With a little bit of dev, the only way to acheive this is to redirect the user when he has been sent to http and adding a "tag" (cookie / token in the URL), then on the SSL virtual server, when performing SSL offload matching this tag to send to user to the right server. But it will be a 1-to-1 mapping. -
ACE module not load balancing across two servers
We are seeing an issue in a context on one of our load balancers where an application doesn't appear to be load balancing correctly across the two real servers. At various times the application team is seeing active connections on only one real server. They see no connection attempts on the other server. The ACE sees both servers as up and active within the serverfarm. However, a show serverfarm confirms that the load balancer sees current connections only going to one of the servers. The issue is fixed by restarting the application on the server that is not receiving any connections. However, it reappears again. And which server experiences the issue moves back and forth between the two real servers, so it is not limited to just one of the servers.
The application vendor wants to know why the load balancer is periodically not sending traffic to one of the servers. I'm kind of curious myself. Does anyone have some tips on where we can look next to isolate the cause?
We're running A2(3.3). The ACE module was upgraded to that version of code on a Friday, and this issue started the following Monday. The ACE has 28 contexts configured, and this one context is the only one reporting any issues since the upgrade.
Here are the show serverfarm statistics as of today:
ACE# show serverfarm farma-8000
serverfarm : farma-8000, type: HOST
total rservers : 2
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: server#1
x.x.x.20:8000 8 OPERATIONAL 0 186617 3839
rserver: server#2
x.x.x.21:8000 8 OPERATIONAL 67 83513 1754Are you enabling sticky feature? What kind of predictor are you using?
If sticky feature is enabled and one rserver goes down, traffic will leans to one side.
Even after the rserver retuns to up, traffic may continue to lean due to sticky feature.
The behavior seems to depend on the configuration.
So, please let me know a part of configuration?
Regards,
Yuji -
What is the maximun recommended number of probes, rservers, server-farms
Team,
What is the maximun recommended number of probes, rservers, server-farms, class-maps, policy-maps per context on an ACE module?
Regards,
John...John,
A practical limit on ACE module is 4k each for probes, serverfarms, class-maps & policy-maps. Rserver instances can be up to 16K. These limits represent total per system. They may exist all in a single context if desired. These numbers will vary based on specific configuration requirements.
For more specific guidance please reach out to your account team or technical marketing engineer.
Other resource info can be found under Cisco Application Control Engine (ACE) Troubleshooting Guide -> ACE Module Resource Limits:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide%2C_Release_A2%28x%29_--_ACE_Module_Resource_Limits
DocWiki for ACE:
http://docwiki.cisco.com/wiki/ACE
HTH. -
ACE module - Qos - set ip tos #
All,
Trying to mark traffic to/from L4 rules in the ACE.
Documentation (like always) says it's really easy. Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration. Ok, so I do this, set ip tos 24.
Enable qos globally on the 6500 host, but don't see the traffic being marked.
sh mls qos says that packets are being modified by module 5 (ACE)
But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
sh mls qos:
QoS is enabled globally
Policy marking depends on port_trust
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
QoS Trust state is CoS on the following interface:
Te3/1
QoS Trust state is DSCP on the following interface:
Gi2/3
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
----- Module [5] -----
QoS global counters:
Total packets: 207147888661
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 2663386
IP packets with COS changed by policing: 4889352
Non-IP packets with COS changed by policing: 0
MPLS packets with EXP changed by policing: 0
Can someone explain to me what I've got wrong here? Is the ACE simply marking traffic destined for the servers behind it and not the return traffic? Am I missunderstanding something?Well... hopefully someone knows how to classify traffic coming from the ACE.
I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it. At least not the way I want.
However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially sucessful solution. Problem is, "partially" successful.
You'll have a bunch of little conversations like this with no tos value full of push-acks:
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
But then you'll see another conversation pop up with the correct markings
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
I think what's happening, is that the conversations full of the P-acks is the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on it's way back to the client.
I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either. And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
So.... PLEASE... Anyone??? Ideas??? -
Simple SLB with the ACE Module
Hello,
i have some problems with a ACE module i am currently tesing.
I have a simple Serverfarm with two Servers.
But there seems to be some Problems with the Loadbalancing i not understand:
1) I use Round Robin, but the ACE seems to put me serval times to the same server. I notice this, because i have different content on both servers, also different URLs.
2) withz the show serverfarm statement the total connects do not increment.
switch/slb-c1# show serverfarm webfarm
serverfarm : webfarm, type: HOST
total rservers : 2
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
rserver: web1
10.0.33.201:0 8 OPERATIONAL 0 0
rserver: web2
10.0.33.200:0 8 OPERATIONAL 0 0
switch/slb-c1# show service-policy L4_LB_VIP
Status : ACTIVE
Interface: vlan 300
service-policy: L4_LB_VIP
class: L4_VIP_CLASS
loadbalance:
L7 loadbalance policy: L7_SLB_POLICY
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 15
dropped conns : 0
client pkt count : 10198 , client byte count: 420991
server pkt count : 23367 , server byte count: 34915173
I have attatched the Config.
Any Idea what is going on?what version do you have ?
I would recommend to run the very recent A1.4.
This is something that really should work.
Gilles. -
Hi,
I configured a new serverfarm with leastconns predictor for two servers on our ACE module Version A2(2.3). Probes (show probes XX detail) to the servers are successful and both servers are operational (show serverfarm APPLI detail) but connections are directed only to one server.
When I deactived the server which is receiving the connections (no inservice), the ACE start to direct connection to the second server.
There are several serverfarm, configured the same way, that are Loadbalancing traffic as correctly.
Here is a sample of my config
serverfarm host TEST_443
predictor leastconns
probe TEST_443_PROBE01
rserver TEST_RS01 443
inservice
rserver TEST_RS02 443
inservice
sticky http-cookie TEST_HTTPS TEST_443_STKY
cookie insert
timeout 720
replicate sticky
serverfarm TEST_443
probe http TEST_443_PROBE01
port 443
interval 20
passdetect interval 60
passdetect count 5
request method get url /test
expect status 302 302
connection term forced
policy-map type loadbalance first-match TEST_L7PLB_HTTPS
class class-default
sticky-serverfarm TEST_443_STKY_SF
insert-http X-Forwarded-Proto header-value "https"
insert-http X-Forwarded-For header-value "%is"
policy-map multi-match SLB-HTTP-POLICY
class TEST_L4VIP_HTTPS
loadbalance vip inservice
loadbalance policy TEST_L7PLB_HTTPS
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 1 vlan 202
appl-parameter http advanced-options PERSIST
ssl-proxy server TEST_SSL_PROXY_SERVER
PS : ACE uptime is 291days, could that impact ACE behavior ?
Thanks for any troubleshooting hintsLooking at this on my phone but it looks like you L7 policy is referencing a sticky server farm that does not exist.
ie TEST_443_STKY_SF is incorrect name for sticky
If that's not it. Then check that the first server actually has a number of conns on it when a new connection is established. Sometimes when both servers have 0 conns - new incoming conns will always go to the first server
Regards
Stephen
===============================
Free network configuration management software at www.rconfig.com
Sent from Cisco Technical Support iPhone App -
Hi,
I'm requesting advise on problem below :
- I have 2 datacenter with one server farm on each DC and 5 servers behind each server farm
- each server has 5k max connection limit on each server farm
- I want to be able to be able to failover to one SF to another when max connection for the server farm reach 25k (that mean each of 5 servers has reached its max conn)
Can I do that with partial-threshold ?
in Cisco documentation it's stated : "
Each time that a server is taken out of service (for example, using the CLI, a probe failure, or the retcode threshold is exceeded), the ACE is updated"
Would max-conn exceed be equivalent to "out of service" ?
thanks for any contribution
cheersHi,
I beleive Cisco ACE platform because of H/w design will not do failover for partial-threshold when primary server farms servers reached "MAXCONN" state and partial-threshold trigger. you will observe connection drop in that condition.
for your setup i will suggest to use simple backup server farm with no partial threshold. this work and when all the server in serverfarm are no longer usable (out of service or maxconn) back server farm will be activated. -
Per-ServerFarm SNAT on ACE Module.
Dear all,
I hace an ACE Module configured in Multiple Routed Contexts.
My cust wants to configure some NAT Feature that prevents the real server IP Address appear outside the ACE. They want that the only IP address outside the ACE will be the Virtual IP Adress (VIP) that represents the serverfarm.
Also, the cust wants that different serverfarms comunicate each other within the same VLAN.
I was reading and the option that acomplish both tasks is Dynamic (PAT) Per-ServerFarm SNAT using the VIP address.
Is this correct?
The software version is A2(3,5).
Thanks a lot!
DavidHi David
Could you please calrify and maybe separate tasks you have ?
As I understand you have such tasks for now :
1) Don't show rserver IPs anywere outside ACE
2) Servers in the same VLAN should be able to communicate with serverfarm which is located in the same VLAN via VIP
First task is a little bit unclear. I mean - actually you have VIP outiside of ACE and all outiside clients communicate to serverfarm via VIP and don't need to know rserers IPs (e.g. they can even be private and VIP is public, if we're talking about Internet)
Or do you mean that rservers need to communicate with outside world through ACE but you want to NAT these flows too ?
2) Yes, it's possible. For such configuration you need to create a service policy, with the same VIP and configuration as you have for outside interface and put it on inside interface. The only one key difference is that you need to add NAT statement , because return traffic should go to ACE and as rservers and clients in this case are in the same VLAN, you need to use NAT.
E.g.
policy-map multi-match VIP_IN
class MY-CLASS
loadb vip ins
loadb policy MY-L7Policy
nat 1 dynamic vlan X << - inside interface
and then on inside interface
inter vlan X
nat-pool 1Y.Y.Y.Y netmask 255.255.255.255 pat
In this case it will work in this way : say you have servers in vlan 10. Servers #1 and #2 are rservers in your serverfarms and server #3 wants to connect to serverfarm through VIP. Let's say that vlan 10 has subnet 10.0.0.0/24 and VIP for this serverfarm is 8.8.8.8. When you confiure like I wrote above this will happen :
Server #3 connects to 8.8.8.8, traffic goes to ACE as a gateway, as you have a policy map on inside interface which catches traffic to 8.8.8.8 , ACE will catch it an proceed it. You have a SNAT statement there, so ACE will perform standard loadblanacing and replace source IP with NAT IP (say 10.0.0.100) , thus when server #1 which gets this loadbalanced traffic receives it , it will send return traffic to 10.0.0.100 , thus to ACE. -
HI Experts,
We had some issue with Datacentre ACE modules. Both primary and DR ACE modules got restarted in 16 hours difference.
Unfortunately Syslog was not configured on the ACE and local logging got cleared after restart.
The current IOS version is A2(3.2). The modules uptime was around 300 Days.
Here is the log from 6509 switch during the restart
Primary DC 6509-1 .
Jul 10 18:52:05.383 WAT: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
.Jul 10 18:56:47.291 WAT: %SNMP-5-MODULETRAP: Module 9 [Down] Trap
Jul 10 18:56:47.127 WAT: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Reset - Module Reloaded During Download)
Jul 10 18:56:47.271 WAT: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Reset - Module Reloaded During Download)
Jul 10 18:57:00.951 WAT: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Module not responding to Keep Alive polling)
Jul 10 18:57:00.951 WAT: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Module not responding to Keep Alive polling)
Jul 10 19:01:57.172 WAT: %DIAG-SP-6-RUN_MINIMUM: Module 9: Running Minimal Diagnostics...
.Jul 10 19:01:59.256 WAT: %SNMP-5-MODULETRAP: Module 9 [Up] Trap
Jul 10 19:01:58.700 WAT: %DIAG-SP-6-DIAG_OK: Module 9: Passed Online Diagnostics
Jul 10 19:01:59.256 WAT: %OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now online
.Jul 10 19:02:04.548 WAT: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
DR DC 6509-1 .
Jul 11 09:42:05.759: %LINK-5-CHANGED: Interface TenGigabitEthernet9/1, changed state to administratively down .
Jul 11 09:42:05.763: %SNMP-5-MODULETRAP: Module 9 [Down] Trap
.Jul 11 09:42:05.763: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet9/1, changed state to down
Jul 11 09:42:05.599: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Reset - Module Reloaded During Download)
Jul 11 09:42:05.747: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Reset - Module Reloaded During Download)
Jul 11 09:42:05.767: %LINK-SP-5-CHANGED: Interface TenGigabitEthernet9/1, changed state to administratively down
Jul 11 09:42:05.771: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet9/1, changed state to down .
Jul 11 09:42:14.535: %SVCLC-5-SVCLCNTP: Could not update clock on the module 9, rc is -1
Jul 11 09:42:19.395: %OIR-SP-3-PWRCYCLE: Card in module 9, is being power-cycled off (Module not responding to Keep Alive polling)
Jul 11 09:42:19.395: %C6KPWR-SP-4-DISABLED: power to module in slot 9 set off (Module not responding to Keep Alive polling)
Jul 11 09:47:15.819: %DIAG-SP-6-RUN_MINIMUM: Module 9: Running Minimal Diagnostics... .
Jul 11 09:47:19.871: %MLS_RATE-4-DISABLING: The global switching mode is now 'truncated'. Disabling the Layer2 Rate Limiters. .
Jul 11 09:47:19.903: %SNMP-5-MODULETRAP: Module 9 [Up] Trap Jul 11 09:47:19.633: %DIAG-SP-6-DIAG_OK: Module 9: Passed Online Diagnostics Jul 11 09:47:19.905: %OIR-SP-6-INSCARD: Card inserted in slot 9, interfaces are now online .
Jul 11 09:47:21.079: %LINK-5-CHANGED: Interface TenGigabitEthernet9/1, changed state to administratively down
Jul 11 09:47:20.912: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet9/1, changed state to down
Jul 11 09:47:21.080: %LINK-SP-5-CHANGED: Interface TenGigabitEthernet9/1, changed state to administratively down
.Jul 11 09:47:25.039: %SVCLC-5-FWTRUNK: Firewalled VLANs configured on trunks
.Jul 11 09:47:25.047: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet9/1, changed state to up
Jul 11 09:47:24.520: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet9/1, changed state to down
Jul 11 09:47:25.056: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet9/1, changed state to up
Jul 11 09:47:25.060: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet9/1, changed state to up
Please let me did anyone face this issue before or is it any known BUG?HI All, Thanx for the help. Got the resaon from show version output.
last boot reason: NP 1 Failed : SRAM Parity Error Chan 3
Also got the TAC comment on SRAM party error
The SRAM parity error presented in the core file is not due to a software issue.
The issue is the result of a "bit-flip" within the SRAM itself which can occur as a
result of environmental conditions. This "bit-flip" is rectified by a simple reboot of
the system, which would occur with the generation of the core file. Cisco internal
testing and customer experience has shown that these types of issues can occur
with very low frequency, but do not required an RMA of the device.
If there are multiple instances of this issue on the same module, a proactive RMA/EFA
of the device would be in order.
ACE is susceptible to this because of the way it uses SRAM to store control information
and packet data as opposed to scratch-pad storage. Almost any 1-bit flip will be detected as a
parity error. Cisco has recognized the issue and is taking action to ensure this will not be
an issue on the next generation of the ACE module. The next generation module design
and timeline is currently under review.
Thnx again for the help
Aslam
Maybe you are looking for
-
How can I move my albums, including the title of the album , with the pictures to a flash drive. Every thing I try I only get the pictures but they are not in the album.
-
Outllok 2010 does not default to iCloud contacts or iCloud Calendar
When using Outlook 2010, when I co to contacts, it always defaults to the Outlook Data file. How do I get it to default to my iCloud contacts? Same for Calendar. I have already triued moving "up" the iCloud contacts and calendar to the top of the lis
-
Hi there I own a mac book pro with the specs described below.I would like to upgrade my hard drive and i am not sure if i my laptop support Sata 3 drives or only Sata 2 I have never upgraded the OS. http://support.apple.com/kb/SP541 Thank you very mu
-
Extending an Airport Extreme with an Express. Have Windows XP on both a MacBook Pro and and iMac 24. Airport sees both the Extreme and Express on my MacBook Pro, both on the mac side and windows side. My wife's iMac/Airport sees both Extreme and Expr
-
Can I Install PC-BSD with Boot Camp?
Vorrei sapere come installare Pc-BSD tramite Boot Camp e scegliere quale OS far partire al Boot del mio Mac... Grazie...