Localdir 416 real servers not failing..

We have a localdirector sitting in front of two real servers(IIS).
Load balancing works fine with both backend servers connected, and show real produces:
# show real
Real Machines:
                                           No Answer   TCP Reset   DataIn
Machine           Connect   State   Thresh  Reassigns   Reassigns   Conns
server2:0:0:tcp         2   IS           8          0           0       0
server1:0:0:tcp         0   IS           8          0           0       0
But if one backend server is disconnected, show real does not change (no OOS or TESTING under State), and nothing is displayed in syslog:
ping server1
real_server_ip_1 NO response received -- 1000ms
real_server_ip_1 NO response received -- 1000ms
real_server_ip_1 NO response received -- 1000ms
show real
Real Machines:
                                           No Answer   TCP Reset   DataIn
Machine           Connect   State   Thresh  Reassigns   Reassigns   Conns
server2:0:0:tcp         2   IS           8          0           0       0
server1:0:0:tcp         1   IS           8          0           0       0
Is this normal?
Minimal config, just for testing:
virtual virt_ip:0:0:tcp is
real real_server_ip_1:0:0:tcp is
real real_server_ip_2:0:0:tcp is
name real_server_ip_1 server1
name real_server_ip_2 server2
name virt_ip domain
bind virt_ip:0:0:tcp real_server_ip_1:0:0:tcp
bind virt_ip:0:0:tcp real_server_ip_2:0:0:tcp
Regards,
MB

Depending on your version, here is a good document on how servers are failed and brought back on the LD.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ld33rns/ld334con/ld3_ch01.htm#xtocid275378
"The reassign command controls how many times a connection synchronization (TCP SYN) packet from a requesting client is sent to a nonresponsive server before it is reassigned to another server. The default is three TCP SYN packets. After the third packet receives no response or a TCP RST from the server, the fourth packet is sent to another server.
Each reassign process increments the reassign tally by one. When the tally reaches the threshold value, the server is considered failed. With a default threshold value of 8, the reassign process will happen eight times before the server is considered failed."
In other words, the LD doesn't ping and check the server to see if it's up or down; it takes the client (end-user). Depending on your site, if you have a very slow active site... it could take that much more time for the LD to fail the down server.
-jan
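The detection logic jan quotes, as an added example that is not part of the thread or of Cisco's documentation: a small Python model of the reassign and threshold counters, using the defaults quoted above (reassign 3, threshold 8) and the server names from MB's show real output. The FAILED state name and the choice of which other real a connection moves to are the model's own assumptions.

```python
"""Model of how a LocalDirector fails a real server passively.

Added example (not Cisco code). It follows the two counters from the quoted
document: `reassign` client SYNs may go unanswered before the connection is
moved to another real, each move adds one to that real's reassign tally, and a
tally of `threshold` marks the real as failed. Everything else (the FAILED
state name, picking the first other in-service real) is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RealServer:
    name: str
    state: str = "IS"             # "IS" as shown by `show real`; "FAILED" is this model's name
    no_answer_reassigns: int = 0  # the "No Answer Reassigns" column of `show real`
    unanswered_syns: int = 0      # consecutive unanswered SYNs on the connection being set up


@dataclass
class LocalDirector:
    reals: List[RealServer]
    reassign: int = 3   # SYNs sent to a silent real before the connection is moved (default 3)
    threshold: int = 8  # reassign events before the real is considered failed (default 8)

    def alternate(self, current: RealServer) -> Optional[RealServer]:
        """First other in-service real, or None if there is nowhere to move to."""
        for real in self.reals:
            if real is not current and real.state == "IS":
                return real
        return None

    def client_syn(self, target: RealServer, answered: bool) -> RealServer:
        """Account for one client SYN forwarded to `target`.

        Returns the real the client's next SYN will be sent to: `target`
        while the LD keeps retrying it, another real once it is reassigned.
        """
        if answered:
            target.unanswered_syns = 0
            return target
        target.unanswered_syns += 1
        if target.unanswered_syns < self.reassign:
            return target  # still retrying the same real
        # Reassign: the next SYN goes elsewhere and the tally goes up by one.
        target.unanswered_syns = 0
        target.no_answer_reassigns += 1
        if target.no_answer_reassigns >= self.threshold:
            target.state = "FAILED"
        return self.alternate(target) or target

    def show_real(self) -> List[tuple]:
        """Rows in the order of `show real`: machine, state, thresh, no-answer reassigns."""
        return [(r.name, r.state, self.threshold, r.no_answer_reassigns) for r in self.reals]


def syns_until_failed(reassign: int = 3, threshold: int = 8) -> int:
    """Count the client SYNs a silent real absorbs before the LD fails it.

    New clients keep being balanced to the silent real until it is failed, so
    every call below targets it. With the defaults this is 3 * 8 = 24 SYNs,
    which is why `show real` can still say IS long after ping stopped answering.
    """
    silent = RealServer("server1")
    ld = LocalDirector([RealServer("server2"), silent], reassign, threshold)
    syns = 0
    while silent.state == "IS":
        ld.client_syn(silent, answered=False)
        syns += 1
    return syns


if __name__ == "__main__":
    print("default settings fail a silent real after", syns_until_failed(), "unanswered SYNs")
    ld = LocalDirector([RealServer("server2"), RealServer("server1")])
    for _ in range(23):
        ld.client_syn(ld.reals[1], answered=False)
    print(ld.show_real())  # server1 still IS with 7 reassigns
```

The point the model makes concrete is that nothing happens until real clients fail to connect: with a reassign of 3 and a threshold of 8, a dead real can swallow 24 client SYNs before it leaves the rotation, and a pull of its network cable is invisible to the LD until then.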

Similar Messages

  • ACE30-MOD-K9 in bridge mode. Individual server in the same VLAN as the real servers not reachable.

    I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with its real servers. The traffic passes and is balanced correctly between all RSERVERs. But I cannot contact a server that is on the same VLAN as the serverfarm but doesn't belong to this serverfarm.
    I thought that the traffic directed to this "spare" server shouldn't be balanced but the bridge should permit traffic to pass (transparent mode). Is it correct?
    What does ACE in bridge mode do with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
    In respect to the following configuration, 10.10.10.168 isn't reachable:
    access-list INBOUND line 8 extended permit ip any any
    access-list INBOUND line 16 extended permit icmp any any
    probe http HTTP_PROBE1
      expect status 200 200
    rserver host RS_WEB1
      ip address 10.10.10.163
      inservice
    rserver host RS_WEB2
      ip address 10.10.10.164
      inservice
    rserver host RS_WEB3
      ip address 10.10.10.165
      inservice
    rserver host RS_WEB4
      ip address 10.10.10.167
      inservice
    serverfarm host SF_FIREGROUP
      rserver RS_WEB1
        inservice
      rserver RS_WEB2
        inservice
      rserver RS_WEB3
        inservice
      rserver RS_WEB4
        inservice
    sticky ip-netmask 255.255.255.255 address source sticky-ip
      replicate sticky
      serverfarm SF_FIREGROUP
    sticky http-cookie myCookie sticky-cookie
      cookie insert browser-expire
      serverfarm SF_FIREGROUP
    class-map match-any VS_FIREGROUP
      2 match virtual-address 10.10.10.169 tcp eq www
      4 match virtual-address 10.10.10.169 tcp eq 8081
      5 match virtual-address 10.10.10.169 tcp eq 8082
      6 match virtual-address 10.10.10.169 tcp eq 8083
      7 match virtual-address 10.10.10.169 tcp eq 8084
      8 match virtual-address 10.10.10.169 tcp eq 8085
      9 match virtual-address 10.10.10.169 tcp eq 8097
    class-map match-any VS_FIREGROUP_HTTPS
      2 match virtual-address 10.10.10.169 tcp eq https
    policy-map type loadbalance first-match HTTP
      class class-default
        sticky-serverfarm sticky-cookie
    policy-map type loadbalance first-match HTTPS
      class class-default
        sticky-serverfarm sticky-ip
    policy-map multi-match HTTP_HTTPS_MULTI_MATCH
      class VS_FIREGROUP
        loadbalance vip inservice
        loadbalance policy HTTP
        loadbalance vip advertise active
      class VS_FIREGROUP_HTTPS
        loadbalance vip inservice
        loadbalance policy HTTPS
        loadbalance vip advertise active
    interface vlan 4
      bridge-group 1
      access-group input INBOUND
      service-policy input HTTP_HTTPS_MULTI_MATCH
      no shutdown
    interface vlan 700
      bridge-group 1
      access-group input INBOUND
      no shutdown
    interface bvi 1
      ip address 10.10.10.150 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.10.10.1
    Thanks a lot
    Francesco

    Hi Francesco,
    Just to add a bit more: a bridge group is very similar to routed mode except ACE cannot NAT pass-through traffic, VLANs cannot be shared, and a couple of other things, but clients should be able to access the server as before.
    But also, whether in bridge or routed mode, ACE does create flows and applies other security parameters, if configured, to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put a route for testing purposes and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
    Regards,
    Kanwal

  • Real Servers not connected to ACE VLAN and Real Servers are clients accessing the VIP

    Hi,
    I have a very strange set up and need some help to get my config working
    I have a ASA firewall with three VLANs
    VLAN 1 = Internet
    VLAN 2 = DMZ
    VLAN 3 = Goes to ACE
    On the ACE I have four VLANs
    VLAN 3 = Goes to ASA
    VLAN 4 = Web Server Tier
    VLAN 5 = DB Tier
    VLAN 6 = VIPs
    Our Application team have asked us to create a New VIP on the ACE with real servers in DMZ (Server A and Server B)
    And they have told us that the clients accessing the VIP will be Server A and Server B
    I have always created VIPs with real servers directly connected to the ACE but not connected elsewhere.
    I believe I have a big challenge of opening ports on the firewall etc. to get this set up working. Also, should I use some sort of NAT / SNAT?
    Could anyone guide me on this setup please?
    Raj

    Hi Raj,
    First of all, it is possible to add servers in ACE which are a hop away from ACE interfaces. Here servers are a hop away but their VIP is part of an ACE interface subnet. The only need is that the servers' return traffic towards the client should pass through ACE (so that ACE can maintain states and change the source IP of the reply packet from the server IP to the VIP on which the client has requested the connection).
    When servers are a hop away and ACE does not come in the path between server and client, then we have to do SNAT for the initial client request. This configuration will force the return traffic from server to ACE (as the server will see the NAT IP as the client IP).
    In your case the DMZ-VIP which is created for two real servers A and B will be accessed by these servers only. So it is a situation of servers accessing their own VIP. For this scenario to work we have to have SNAT (no matter whether servers are directly connected or a hop away). So the best solution here is VIP in VLAN 3, rservers for this VIP in DMZ, and SNAT the client request using a free IP in VLAN 3.
    Also you have to open ports on the firewall for both "real server probes" and actual application ports; moreover, policy modification on the firewall for allowing traffic from DMZ to ACE VIP, DMZ to NAT IP, and their vice versa traffic.

  • How to 'fail-over' CSS11503-AC when ALL 5 Reals Servers (Services) die

    Hi all,
    Could anyone out there possibly provide an idea/config of how it is possible to 'fail-over' a CSS11503 set-up in Active/Standby mode with "ASR" enabled when:-
    - ALL your real servers (Services) for a particular VIP 'die' OR the nic is faulty.
    - So NOT just 1 of the real servers, but when ALL 5 are not reachable, I need to 'failover'
    My initial thoughts are to use the "critical reporter" or "critical service" to report back to the 'active' CSS.
    Anyone who has done this scenario before, please advise..
    thanks

    Thanks very much Syed for this. I was thinking that no-one could answer this query.
    After a little testing, I set the following config in the lab and it works but is different to yours. I cannot seem to configure the service as "type local". When I input 'type ?' I get options such as nci-direct-return, nci-info-only, proxy-cache, redirect etc... etc... NO 'local'...!!
    Please advise. Thanks in advance
    ************************* INTERFACE *************************
    interface 1/1
    bridge vlan 800
    phy 1Gbits-FD-no-pause
    interface 1/2
    phy 1Gbits-FD-no-pause
    bridge vlan 20
    interface Ethernet-Mgmt
    description "Management Interface"
    interface 2/1
    description "1st ASR Link"
    isc-port-one
    interface 2/3
    description "2nd ASR Link"
    isc-port-two
    ************************** CIRCUIT **************************
    circuit VLAN800
    description "FE_CORE"
    ip address 192.168.83.249 255.255.255.0
    ip virtual-router 1 priority 110
    ip redundant-vip 1 192.168.83.148
    ip redundant-vip 1 192.168.83.158
    ip critical-service 1 DTSFE01
    ip critical-service 1 DTSFE02
    ip critical-service 1 DTSFE03
    ip critical-service 1 DTSFE04
    ip critical-service 1 DTSFE05
    ip critical-reporter 1 Physical_if_DWN
    ip critical-reporter 1 r1
    circuit VLAN20
    description "LBAL"
    ip address 192.168.20.1 255.255.255.0
    ip virtual-router 2 priority 110
    ip redundant-interface 2 192.168.20.3
    ip critical-service 2 DTSFE01
    ip critical-service 2 DTSFE02
    ip critical-service 2 DTSFE03
    ip critical-service 2 DTSFE04
    ip critical-service 2 DTSFE05
    ip critical-reporter 2 Physical_if_DWN
    ip critical-reporter 2 r1
    ************************** REPORTER **************************
    reporter Physical_if_DWN
    type critical-phy-all-up
    phy 1/1
    phy 1/2
    active
    reporter r1
    type vrid-peering
    vrid 192.168.83.249 1
    vrid 192.168.20.1 2
    active
    ************************** SERVICE **************************
    service FE01
    ip address 192.168.20.183
    keepalive frequency 2
    keepalive retryperiod 2
    keepalive maxfailure 2
    redundant-index 4
    service FE02
    ip address 192.168.20.184
    keepalive frequency 2
    keepalive retryperiod 2
    keepalive maxfailure 2
    redundant-index 5
    service FE03
    ip address 192.168.20.185
    keepalive frequency 2
    keepalive retryperiod 2
    keepalive maxfailure 2
    redundant-index 6
    service FE04
    ip address 192.168.20.186
    keepalive frequency 2
    keepalive retryperiod 2
    keepalive maxfailure 2
    redundant-index 7
    service NWFE02
    ip address 192.168.20.204
    keepalive frequency 2
    keepalive retryperiod 2
    keepalive maxfailure 2
    redundant-index 10
    active
    !*************************** OWNER ***************************
    owner SERVICES
    content DTS_192.168.83.148_443
    add service DTSFE01
    add service DTSFE02
    add service DTSFE03
    add service DTSFE04
    add service DTSFE05
    vip address 192.168.83.148
    port 443
    protocol tcp
    advanced-balance sticky-srcip
    redundant-index 1
    sticky-inact-timeout 5
    owner NW_SERVICES
    content NWCS_192.168.83.158_443
    add service NWCSFE01
    add service NWCSFE02
    vip address 192.168.83.158
    protocol tcp
    port 443
    sticky-inact-timeout 5
    redundant-index 2
    advanced-balance sticky-srcip
    active

  • CSS 11501 7.40 Monitoring the services on real servers?

    Hi,
    Just want to ask some basic questions. How can I monitor the services (i.e. 80 and 443) of the real servers, so that when the CSS11501 detects that one of the services of one of the real servers is down, it will not forward traffic to that server? Or is the CSS configured to monitor the services by default?
    Because we are planning to upgrade one of the webservers (web01) while web02 is running: if we shut down services 80 and 443, does it affect the end-user? Will the CSS automatically redirect to web02?
    Regards,
    Marlon

    Here is my sample configuration
    !************************** SERVICE **************************
    service WEB01-79-HTTP
    ip address 172.20.13.4
    keepalive type tcp
    keepalive port 80
    active
    service WEB01-79-HTTPS
    ip address 172.20.13.4
    keepalive type tcp
    keepalive port 443
    active
    service WEB01-80-HTTP
    ip address 172.20.13.5
    keepalive type tcp
    keepalive port 80
    active
    service WEB01-80-HTTPS
    ip address 172.20.13.5
    keepalive type tcp
    keepalive port 443
    active
    service WEB01-82-HTTP
    ip address 172.20.13.6
    keepalive type tcp
    keepalive port 80
    active
    service WEB01-82-HTTPS
    ip address 172.20.13.6
    keepalive type tcp
    keepalive port 443
    active
    service WEB01-83-HTTP
    ip address 172.20.13.7
    keepalive type tcp
    keepalive port 80
    active
    service WEB01-83-HTTPS
    ip address 172.20.13.7
    keepalive type tcp
    keepalive port 443
    active
    service WEB01-79
    ip address 172.20.13.4
    active
    service WEB01-80
    ip address 172.20.13.5
    active
    service WEB02-82
    ip address 172.20.13.6
    active
    service WEB02-83
    ip address 172.20.13.7
    active
    !*************************** OWNER ***************************
    owner VRL
    content VIP
    redundancy-l4-stateless
    content WEB-HTTP1
    vip address 172.20.10.85
    protocol tcp
    port 80
    advanced-balance sticky-srcip
    add service WEB01-79-HTTP
    add service WEB01-82-HTTP
    redundancy-l4-stateless
    active
    content WEB-HTTP2
    vip address 172.20.10.86
    port 80
    protocol tcp
    advanced-balance sticky-srcip
    add service WEB01-80-HTTP
    add service WEB01-83-HTTP
    redundancy-l4-stateless
    active
    content WEB-HTTPS1
    advanced-balance sticky-srcip
    vip address 172.20.10.85
    protocol tcp
    port 443
    add service WEB01-79-HTTPS
    add service WEB01-82-HTTPS
    redundancy-l4-stateless
    application ssl
    sticky-inact-timeout 20
    active
    content WEB-HTTPS2
    advanced-balance sticky-srcip
    vip address 172.20.10.86
    protocol tcp
    port 443
    add service WEB01-80-HTTPS
    add service WEB01-83-HTTPS
    redundancy-l4-stateless
    application ssl
    sticky-inact-timeout 20
    active
    content WEB01-79
    add service WEB01-79
    vip address 172.20.10.79
    redundancy-l4-stateless
    active
    content WEB01-80
    add service WEB01-80
    vip address 172.20.10.80
    redundancy-l4-stateless
    active
    content WEB02-82
    add service WEB02-82
    vip address 172.20.10.82
    redundancy-l4-stateless
    active
    content WEB02-83
    add service WEB02-83
    vip address 172.20.10.83
    redundancy-l4-stateless
    active
    !*************************** GROUP ***************************
    group WEB01-79
    add service WEB01-79
    vip address 172.20.10.79
    redundancy-l4-stateless
    active
    group WEB01-80
    add service WEB01-80
    vip address 172.20.10.80
    redundancy-l4-stateless
    active
    group WEB02-82
    add service WEB02-82
    vip address 172.20.10.82
    redundancy-l4-stateless
    active
    group WEB02-83
    add service WEB02-83
    vip address 172.20.10.83
    redundancy-l4-stateless
    active
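How a TCP keepalive like the ones in the configuration above decides that a service is down, as an added example that is not part of the thread or of CSS firmware: Python that runs a real TCP handshake against the service address and port and applies the CSS keepalive knobs to the result. It assumes the CSS defaults frequency 5, retryperiod 5 and maxfailure 3 (the configuration above does not set them), the state names Alive/Dying/Down, and that a content rule keeps using a service until it is Down; the local listener in the demo is constructed for the run.

```python
"""TCP keepalive with CSS-style frequency / retryperiod / maxfailure.

Added example, not CSS code. `keepalive type tcp` + `keepalive port N` is a
TCP handshake to the service address: the service is Alive while handshakes
complete, Dying after a failure (probed every `retryperiod` seconds instead
of every `frequency`), and Down after `maxfailure` consecutive failures, at
which point a content rule stops sending new flows to it. The defaults
(5 / 5 / 3) and the state names are assumptions in this model.
"""
import socket
from dataclasses import dataclass
from typing import Callable, List


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """One keepalive: complete a TCP handshake to host:port and close it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all count as a failure
        return False


@dataclass
class Service:
    name: str
    probe: Callable[[], bool]
    frequency: int = 5    # seconds between keepalives while Alive
    retryperiod: int = 5  # seconds between keepalives while Dying or Down
    maxfailure: int = 3   # consecutive failures before the service is Down
    state: str = "Alive"
    failures: int = 0

    def keepalive(self) -> str:
        """Run one keepalive, update the state machine, return the new state."""
        if self.probe():
            self.failures = 0
            self.state = "Alive"
        else:
            self.failures += 1
            self.state = "Down" if self.failures >= self.maxfailure else "Dying"
        return self.state

    def next_interval(self) -> int:
        """Seconds until the next keepalive for the current state."""
        return self.frequency if self.state == "Alive" else self.retryperiod


def eligible(services: List[Service]) -> List[str]:
    """Services a content rule may still balance new connections to (assumed: anything not Down)."""
    return [s.name for s in services if s.state != "Down"]


if __name__ == "__main__":
    # Constructed demo: a throwaway local listener stands in for WEB01 port 80.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    host, port = listener.getsockname()
    web01 = Service("WEB01-79-HTTP", probe=lambda: tcp_probe(host, port),
                    frequency=2, retryperiod=2, maxfailure=2)
    print(web01.keepalive(), "next keepalive in", web01.next_interval(), "s")
    listener.close()  # the equivalent of shutting down service 80 on web01
    for _ in range(web01.maxfailure):
        print(web01.keepalive(), "next keepalive in", web01.next_interval(), "s")
    print("still eligible for new flows:", eligible([web01]))
```

With the numbers from Marlon's question, a stopped service on web01 is noticed only after `maxfailure` failed handshakes spaced `retryperiod` apart (about 15 s with the assumed defaults), and only new connections move to web02; flows already open to web01 are not migrated.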

  • NIC not failing Over in Cluster

    Hi there... I have configured a 2-node cluster with the SoFS role... for VM cluster and HA using Windows Server 2012 Datacenter. The current set-up is: the host server has 3 NICs (2 with default gateway set up (192.x.x.x), the 3rd NIC is for heartbeat 10.x.x.x). Configured CSV
    (can also see the shortcut in C:\). Planning to set up a few VMs pointing to the disk in the 2 separate storage servers (1 NIC in 192.x.x.x) and also have 2 NICs in the 10.x.x.x network. I am able to install a VM and point the disk to the share in the cluster volume.
    1. I have created 2 VM switches for the 2 separate host servers (using Hyper-V Manager). When I test the functionality by taking Node 2, I can see the disk owner node is changing to Node 1, but VM NIC 2 is not failing over automatically to VM NIC 1 (but I can
    see VM NIC 1 is showing up unselected in the VM settings). When I go to the VM Settings > Network Adapter, I get the error:
    An error occurred for resource VM "VM Name". Select the "information details" action to view events for this resource. The network adapter is configured to a switch which no longer exists or a resource
    pool that has been deleted or renamed (with a configuration error in the "Virtual Switch" drop-down menu).
    Can you please let me know any resolution to fix this issue... Hoping to hear from you.
    VT

    Hi,
    From your description “My another thing I would like to test is... I also would like to bring a disk down (right now, I have 2 disks - CSV and one Quorum disk) for that 2 node cluster. I was testing by bringing a CSV disk down, the VM didn't failover”, are you trying to test the failover cluster now? If so, please refer to the following related KB:
    Test the Failover of a Clustered Service or Application
    http://technet.microsoft.com/en-us/library/cc754577.aspx
    Hope this helps.

  • Maximum number of Real Servers and Server Farms in ACE30 Module

    Hi All,
    Need help with the below queries.
    What is the maximum number of real servers, server farms and virtual servers I can configure on an ACE30 module?
    Is there any documentation available on the Cisco site where I can check this?
    Does it depend on the hardware or does it depend on the software version?
    Quick response would be really appreciated.
    Regards,
    Rachit.

    Hello Rachit,
    On the ACE30 module you can have a maximum of 16,383 rservers and 16,384 serverfarms.
    This is not the exact same version which you have, but here you have some additional details:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/rsfarms.html#wp1014522
    The ACE supports a system-wide maximum of 8192 class maps, here you have the reference about it:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/classmap.html
    Jorge

  • VIP is not failed over to surviving nodes in oracle 11.2.0.2 grid infra

    Hi ,
    It is an 8-node 11.2.0.2 grid infra.
    While pulling both cables from the public NIC, the VIP is not failed over to surviving nodes on 2 nodes, but the remaining nodes' VIP is failed over to a surviving node in the same cluster. Please help me on this.
    If we remove the power from these servers the VIP is failed over to surviving nodes.
    Public NICs are in bonding.
    grdoradr105:/apps/grid/grdhome/sh:+ASM5> ./crsstat.sh |grep -i vip |grep -i 101
    ora.grdoradr101.vip ONLINE OFFLINE
    grdoradr101:/apps/grid/grdhome:+ASM1> cat /proc/net/bonding/bond0
    Ethernet Channel Bonding Driver: v3.4.0-1 (October 7, 2008)
    Bonding Mode: fault-tolerance (active-backup)
    Primary Slave: None
    Currently Active Slave: eth0
    MII Status: up
    MII Polling Interval (ms): 100
    Up Delay (ms): 0
    Down Delay (ms): 0
    Slave Interface: eth0
    MII Status: up
    Speed: 100 Mbps
    Duplex: full
    Link Failure Count: 0
    Permanent HW addr: 84:2b:2b:51:3f:1e
    Slave Interface: eth1
    MII Status: up
    Speed: 100 Mbps
    Duplex: full
    Link Failure Count: 0
    Permanent HW addr: 84:2b:2b:51:3f:20
    Thanks
    Bala

    Please check below MOS note for this issue.
    1276737.1
    HTH
    Edited by: krishan on Jul 28, 2011 2:49 AM

  • [ACE] Real servers and VIP in the same VLAN

    Hello.
    I'm facing an issue because the real servers and the VIP address are in the same VLAN: when a request comes from an external client to the VIP (crossing an ASA firewall), the ACK gets back using the IP of one of the real servers instead of the VIP, so this traffic is blocked by our WAN firewall, probably due to the inspection rules.
    My question is if there is some way to make the VIP the address that ACKs those requests? Creating a new VLAN would be complicated because there are other services already running on those real servers.
    Thanks a lot,
    Miquel

    Hi Miquel,
    Please do source NAT on ACE so that return traffic gets sent to ACE and not to the FW. Pasting an example for you.
         ==========================================================================
         One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
         ==========================================================================
    login timeout 0
    access-list ANYONE line 10 extended permit ip any any
    rserver host SERVER_01
      ip address 192.168.1.11
      inservice
    rserver host SERVER_02
      ip address 192.168.1.12
      inservice
    rserver host SERVER_03
      ip address 192.168.1.13
      inservice
    serverfarm host REAL_SERVERS
      rserver SERVER_01
        inservice
      rserver SERVER_02
        inservice
      rserver SERVER_03
        inservice
    class-map match-all VIP-30
      2 match virtual-address 192.168.1.30 tcp eq www
    class-map type management match-any REMOTE_ACCESS
      description remote-access-traffic-match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    policy-map type management first-match REMOTE_MGT
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match SLB_LOGIC
      class class-default
        serverfarm REAL_SERVERS
    policy-map multi-match CLIENT_VIPS
      class VIP-30
        loadbalance vip inservice
        loadbalance policy SLB_LOGIC
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 451
    interface vlan 451
      description Servers vlan
      ip address 192.168.1.2 255.255.255.0
      access-group input ANYONE
      service-policy input CLIENT_VIPS
      nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    Let me know if you have any question.
    Regards,
    Kanwal
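Why the source NAT in Kanwal's one-armed example (and in the SNAT advice given to Raj earlier on this page) fixes the return path, as an added example that is not part of the thread or of ACE code: a Python model of one request and its reply crossing a stateful firewall, the ACE and a real server. The addresses are the ones in the configuration above (VIP 192.168.1.30, reals .11 to .13, nat-pool 192.168.1.10, default gateway 192.168.1.1); the client address and the firewall's flow table are constructed for the model.

```python
"""Why one-armed ACE needs source NAT when VIP and reals share a subnet.

Added example, not ACE code and not part of the thread. Addresses come from
Kanwal's configuration; the client address and the firewall's flow-table
check are constructed. A real server routes a reply directly when the
destination is on its own subnet and via the default gateway (the firewall)
otherwise, and that routing decision is what makes the two cases differ.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

SERVER_NET = ipaddress.ip_network("192.168.1.0/24")
FW_INSIDE = "192.168.1.1"     # ip route 0.0.0.0 0.0.0.0 192.168.1.1
VIP = "192.168.1.30"          # match virtual-address 192.168.1.30 tcp eq www
NAT_POOL_IP = "192.168.1.10"  # nat-pool 1 192.168.1.10 192.168.1.10 ... pat
RSERVERS = ["192.168.1.11", "192.168.1.12", "192.168.1.13"]
CLIENT = "10.20.30.40"        # constructed client on the far side of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

    def reply(self) -> "Packet":
        return Packet(self.dst, self.src)


class StatefulFirewall:
    """Lets a server-side packet out only if it reverses a flow it saw go in."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, str]] = set()

    def inbound_from_client(self, pkt: Packet) -> Packet:
        self.flows.add((pkt.src, pkt.dst))  # remember client -> VIP
        return pkt

    def outbound_to_client(self, pkt: Packet) -> Optional[Packet]:
        return pkt if (pkt.dst, pkt.src) in self.flows else None


class Ace:
    """Rewrites the destination to a real; with `snat` also the source to the nat-pool IP."""

    def __init__(self, snat: bool) -> None:
        self.snat = snat
        self.rr = 0
        self.xlate: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def client_to_server(self, pkt: Packet) -> Packet:
        real = RSERVERS[self.rr % len(RSERVERS)]
        self.rr += 1
        src = NAT_POOL_IP if self.snat else pkt.src
        self.xlate[(real, src)] = (pkt.src, pkt.dst)  # how to undo the rewrite on the reply
        return Packet(src, real)

    def server_to_client(self, pkt: Packet) -> Packet:
        client, vip = self.xlate[(pkt.src, pkt.dst)]
        return Packet(vip, client)  # the client sees the reply come from the VIP


def server_next_hop(pkt: Packet) -> str:
    """The real's routing decision: on-subnet destinations directly, everything else via the gateway."""
    return pkt.dst if ipaddress.ip_address(pkt.dst) in SERVER_NET else FW_INSIDE


def simulate(snat: bool) -> Tuple[str, Packet]:
    """Walk one request and its reply through firewall, ACE and real.

    Returns the firewall's verdict on the reply and the reply packet as the
    firewall saw it.
    """
    fw, ace = StatefulFirewall(), Ace(snat)
    request = fw.inbound_from_client(Packet(CLIENT, VIP))
    reply = ace.client_to_server(request).reply()
    if server_next_hop(reply) == NAT_POOL_IP:
        # The ACE owns the nat-pool address, so the reply comes back to it first.
        reply = ace.server_to_client(reply)
    verdict = "delivered" if fw.outbound_to_client(reply) else "dropped by firewall"
    return verdict, reply


if __name__ == "__main__":
    for snat in (False, True):
        verdict, seen = simulate(snat)
        print(f"snat={snat}: firewall saw {seen.src} -> {seen.dst}: {verdict}")
```

Without SNAT the real answers the off-subnet client through its default gateway with its own address as source, which is exactly the packet Miquel's WAN firewall sees and drops; with SNAT the reply is addressed to 192.168.1.10, stays on the server VLAN, and the ACE restores the VIP as source before the firewall sees it. Raj's case is the same principle with the client on the server subnet: the reply would be handed straight to the client from the real's address unless SNAT pulls it back through the ACE.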

  • ACE 4710 same real servers, different ports.

    Hi! I have the following question based on a new site requirement. The following sites use the same back end servers. Names changed to protect the innocent and my finger fumbling with pretty names for my actual config.
    I have two real servers being load balanced: 10.0.0.1 and 10.0.0.2
    They have:
    Site A URL= www.testsite.com:80
    Site B URL= www.newstuff.com:81
    I want Site B answering on port 81 for anything referencing the URL match for either port :80, and :81, then redirect to :81 anything that is on :80.
    I want Site A answering on port 80 for anything not referencing the Site B URL.
    How do I split the traffic coming in while also redirecting if only needed for the one site?
    Also, one further question, how do I handle monitoring the ports up for each as validation for the VIP? If either port goes down is that going to take both of them offline?

    Hi,
    Since they are two different URLs, they would be resolving to two different VIPs. You can create two serverfarms with the same servers but listening on ports 81 and 80, and create a class-map for different IPs or even the same IP, listening on ports 81 and 80. Any client coming with port 80 as destination would be loadbalanced to serverfarm_80 and any client coming on port 81 as destination would be loadbalanced to serverfarm_81.
    class-map match-all Test_80
      2 match virtual-address 10.1.1.1 tcp eq www
    class-map match-all Test_81
      3 match virtual-address 10.1.1.2 tcp eq 81
    rserver host r1
      ip address 10.0.0.1
      inservice
    rserver host r2
      ip address 10.0.0.2
      inservice
    serverfarm host serverfarm_80
      rserver r1 80
        inservice
      rserver r2 80
        inservice
    serverfarm host serverfarm_81
      rserver r1 81
        inservice
      rserver r2 81
        inservice
    policy-map type loadbalance http first-match http
      class class-default
        serverfarm serverfarm_80
    policy-map type loadbalance http first-match http_81
      class class-default
        serverfarm serverfarm_81
    policy-map multi-match Test
      class Test_80
        loadbalance vip inservice
        loadbalance policy http
        loadbalance vip icmp-reply active
      class Test_81
        loadbalance vip inservice
        loadbalance policy http_81
        loadbalance vip icmp-reply active
    Let me know if you have any questions.
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • How to reach real servers direcly behind CSS?

    Hi,
    I have a webserver in the DMZ behind an application firewall and CSS. Now I need to reach the real server behind the CSS directly. Basically this is required for developers and also for the real server to communicate with APP and DB servers within our network.
    Kindly suggest.
    Regards
    KP

    KP,
    This all depends on how you have this setup. As long as the real servers have routable addresses you should be able to directly access the reals. The most common reason for this failing is simply due to routing (i.e. using private IP addresses).
    If the reals are using private addresses then you could also create content rules with public virtual IP addresses and perform a one-to-one load balancing setup to be able to directly access the servers.
    -Chip
    If this answers your question please mark this as Answered.

  • ACE keep probing real servers using "https get 302"

    Hi all,
    I have one problem with Cisco ACE in my company. Currently two ACE appliances are working as HA redundancy. Previously I enabled some HTTPS and HTTP probing using GET 302 for some servers and services. But then I was told to remove all HTTPS or HTTP probing and instead use TCP ports 443 and 80. After that, one of the serverfarms (server groups) is still receiving HTTPS GET 302, and I already checked in the monitoring to see whether there's any HTTPS probing regarding the respective real servers, but I could not find any. Even when I disable all probing to that serverfarm, all the server members still receive HTTPS GET 302. Is this behaviour a bug?
    The ACE version is A3(2.1), and the HA status is standby cold. Can standby cold cause this kind of trouble?

    Hi Daniel,
    I just corrected the cert problem and made the peer state standby hot. But it still keeps probing the GET 302. And then I tried to restart both ACEs. The first step was to restart the second ACE (standby) and then switch over all contexts to the second one. The problem is that when I made the second one active, some services were not working, especially the ones with SSL terminated on the ACE. I'm pretty sure that both ACEs were in sync.
    Any idea what is the problem?

  • ACE module client and real servers on same subnet

    I am working on an ACE load balancing implementation which has the following requirement. Can someone let me know if this can be implemented and how?
    Configuration
    test context
    real server vlan 233
    real server subnet - 167.6.233.x
    VIP vlan - 539
    VIP subnet - 167.6.238.128/25
    production context
    real server vlan 232
    real server subnet - 167.6.232.x
    VIP vlan - 538
    VIP subnet - 167.6.238.0/25
    Load balancing is configured in routed mode with ACE as gateway for the test and prod real server subnets (233 and 232 subnets).
    Test and production servers are mixed in these subnets. So we need to configure source NAT to access the test servers in the production subnet (232) and vice versa.
    Here are the scenarios and questions
    1. clients need to access the real servers in prod subnet (232) through the VIP configured in test context (vlan 539) - this is done by SNAT at vlan 539 and working.
    2. real servers in test subnet (233) need to access real servers in the same subnet (233) through the VIP configured in test context (vlan 539) - this is done by SNAT at vlan 233 and working
    3. real servers in prod subnet (232) need to access the real servers in test subnet (233) through the VIP configured in test context (vlan 539) - this appears to be working fine without any additional configuration
    4. real servers in test subnet (233) need to access other real servers in prod subnet (232) through the VIP configured in test context (539) - this is not working
    5. real servers in test subnet (233) need to access another real server which is not on one of the subnets (167.6.56.x) behind ACE - this is not working.
    Can we implement the scenarios 4 and 5?

    Hi Suresh,
    I see it's a bit complex and we do not have the config at hand.
    However, for scenario 4, if you apply the policy already applied on vlan 539 to interface vlan 233, then the ACE should catch the packets and apply the policy (i.e. forward the packets to the serverfarm you want).
    Alessandro
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Testing an ISA Server Rule, the recursive query to other DNS Servers test fails

    Hello,
    I am trying to configure the following infrastructure with ISA Server 2006 and two W2003 servers (called "Server1" and "Server2"). "Server1" is a domain controller, and on "Server2" the ISA Server is installed, which also has two Ethernet network cards attached, one called "Internal Ethernet Card", and the other one called "External Ethernet Card".
    The infrastructure would be: "Internal Ethernet Card" ---- ISA Server ---- "External Ethernet Card" --- "Router" ---- "Internet"
    "Internal Ethernet Card" manages the internal packet traffic of the infrastructure; the network segment it belongs to is isolated from what we could call the outbound traffic, which is linked to a router. "Internal Ethernet Card" is a virtual network.
    "Internal Ethernet Card" feature configuration is the following:
    - IP address: 192.168.3.3
    - Subnet Mask: 255.255.255.0
    - DHCP Enabled: No
    - DNS Server: 192.168.3.1 (must point to the DC "Server1" which has the DNS service installed)
    - Default Gateway: None (because it doesn't point outside)
    - Primary WINS Server: 192.168.3.1
    The "External Ethernet Card" provides the outbound connection, and this card is connected to the physical router.
    Its feature configuration is the following:
    - IP address: 192.168.1.50
    - Subnet Mask: 255.255.255.0
    - DHCP Enabled: No
    - Default Gateway: 192.168.1.1
    - DNS Servers: 192.168.3.1 (must point to the DC "Server1" which has the DNS service installed)
    After configuring the network cards, I create the following rule in the ISA Server to allow traffic towards the outside from the server and the clients which have joined the domain:
    Action: Allow. Protocol: DNS. From: "Server2". To: External. Condition: All Users
    After applying the changes to update the configuration, I go into the DNS Server of "Server1" and in the "Monitoring" tab I run a "recursive query to other DNS Servers", but it fails.
    Only the "simple query against this DNS Server" works.
    I don't know why it fails, but I'm stuck on this issue, because in the "Server1" DNS Server, in the "domain forward IP address list", I have added two DNS addresses which work OK.
    I would appreciate some help to solve this issue.
    Thanks
    Regards

    Hello Ms. Long, 
    Yes, you are right. On Server1 the DNS server is configured to use forwarders, which are set in the field "Selected domain's forwarder IP address list": two DNS addresses obtained from "Open DNS", which work well.
    There is no DNS Server linked to the External NIC.
    The Server1 belongs to a private network configured as "VMnet3", which is set as follows:
    IP address: 192.168.3.1
    Subnet Mask: 255.255.255.0
    Default Gateway: 192.168.3.3
    DNS Server: 192.168.3.1
    I have tried to test your suggested idea:
    > set d2
    > google.com
    Server:  srv-dcfs-01.dominio.local
    Address:  192.168.3.1
    SendRequest(), len 42
        HEADER:
            opcode = QUERY, id = 2, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0
        QUESTIONS:
            google.com.dominio.local, type = A, class = IN
    Got answer (113 bytes):
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
        QUESTIONS:
            google.com.dominio.local, type = A, class = IN
        AUTHORITY RECORDS:
        ->  dominio.local
            type = SOA, class = IN, dlen = 46
            ttl = 3600 (1 hour)
            primary name server = srv-dcfs-01.dominio.local
            responsible mail addr = hostmaster
            serial  = 41
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    SendRequest(), len 28
        HEADER:
            opcode = QUERY, id = 3, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0
        QUESTIONS:
            google.com, type = A, class = IN
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    *** Request to srv-dcfs-01.dominio.local timed-out
    As you can see highlighted in bold, the problem remains in the "recursive query to other DNS Servers" check.
    Maybe it is better to put the issue on the "Windows Server General Forum", because the issue has nothing to do with the ISA Server, don't you think?
    Thanks
    Best regards
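The `set d2` trace above shows two different outcomes for one lookup: query id 2 (the search suffix appended, google.com.dominio.local) gets an authoritative NXDOMAIN straight from the DC's own zone, while query id 3 (google.com, which the DC has to forward) gets no answer at all. The script below is an added example, not part of the original thread: it decodes DNS headers the way that trace prints them and turns the flag pattern into a diagnosis. The response bytes are constructed here from the values shown in the post (zone dominio.local, primary srv-dcfs-01, serial 41), not captured on the wire; `probe()` is an optional live check against a server you name and is not used in the offline demo. The two query lengths it produces (42 and 28 bytes) match the `SendRequest(), len` lines above.

```python
"""DNS header decoder for reading `nslookup -d2`-style exchanges.

Added example, not part of the original thread. Names below (dominio.local,
srv-dcfs-01, hostmaster) are taken from the post; the response bytes are
constructed from the values it shows, not captured on the wire.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080   # header flag bits (RFC 1035)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, name, want_recursion=True):
    """A/IN query; RD set is what nslookup prints as 'want recursion'."""
    flags = RD if want_recursion else 0
    return (struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", 1, 1))


def parse_header(msg):
    """Decode the 12-byte header into the fields nslookup -d2 shows."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "response": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "questions": qd, "answers": an, "authority": ns, "additional": ar}


def classify(hdr):
    """Turn a parsed header (or None for a timeout) into a diagnosis."""
    if hdr is None:
        return ("timeout: no reply at all; if local-zone queries to the same server succeed, "
                "the server is up but its own recursion to the forwarders is being blocked")
    if hdr["rcode"] == "NXDOMAIN" and hdr["aa"]:
        return "authoritative NXDOMAIN: server owns the zone and the name is absent (search suffix appended?)"
    if hdr["rcode"] == "NOERROR" and hdr["answers"] and hdr["aa"]:
        return "authoritative answer from a local zone (the 'simple query' case)"
    if hdr["rcode"] == "NOERROR" and hdr["answers"]:
        return "recursive answer: the forwarding/recursion path works"
    if hdr["rcode"] == "REFUSED" or not hdr["ra"]:
        return "recursion refused or not available on this server"
    if hdr["rcode"] == "SERVFAIL":
        return "SERVFAIL: server tried to recurse and could not reach its forwarders"
    return "unclassified: rcode=%s" % hdr["rcode"]


def build_soa_nxdomain(qid, qname, zone, mname, rname, serial):
    """Constructed reply like query id 2 in the post: AA NXDOMAIN with one SOA in authority."""
    flags = QR | AA | RD | RA | 3
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 1, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    # SOA rdata: mname, rname, serial, refresh 900, retry 600, expire 86400, minimum 3600
    rdata = encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, 900, 600, 86400, 3600)
    authority = encode_name(zone) + struct.pack("!HHIH", 6, 1, 3600, len(rdata)) + rdata
    return header + question + authority


def probe(server, name, timeout=2.0, qid=3):
    """Live UDP probe of one server; returns a parsed header or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qid, name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_header(data)


if __name__ == "__main__":
    # Offline replay of the two exchanges in the post.
    nx = build_soa_nxdomain(2, "google.com.dominio.local", "dominio.local",
                            "srv-dcfs-01.dominio.local", "hostmaster", 41)
    print(len(build_query(2, "google.com.dominio.local")), classify(parse_header(nx)))
    print(len(build_query(3, "google.com")), classify(None))
```

Run `probe("192.168.3.1", "google.com")` once from a domain client and once from the DNS server itself: an authoritative answer for the local zone next to a timeout for an external name means the server is reachable but cannot complete recursion, so the path to inspect is the one the DNS server's own outbound port 53 traffic takes through the firewall, not the rule that covers the clients.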

  • Do Apache servers not like DocumentBuilderFactory ?

    An exciting problem for all java geeks!
    Here is a very simple "Hello World" applet initializing a dummy instance of the DocumentBuilderFactory class (XML DOM parser):
    // DBFBugApt.java
    import java.applet.Applet;
    import java.awt.*;
    import javax.xml.parsers.*;
    public class DBFBugApt extends Applet {
       public void init() {
          DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); // May fail on some servers !
       }
       public void paint(Graphics g) {
          g.drawString("Hello world !", 25, 75);
       }
    }
    Here is the listing of the DBFBugApt.html file displaying this applet:
    <html>
    <head>
    <title>DocumentBuilderFactory bug ?</title>
    </head>
    <body>
    <p>DBFBugApt says: (may fail when hosted on some servers !)</p>
    <p>
    <applet code="DBFBugApt.class" width="250" height="100">
    </applet>
    </p>
    </body>
    </html>
    This applet has been compiled with JDK 1.5.0_01 and deployed here: http://www.culand.ch/dev/DBFBugApt.html
    As you can see, it works fine displaying "Hello World !" as expected...
    The same DBFBugApt.class and DBFBugApt.html files have then been installed here: http://www.freewebs.com/softquipeut/DBFBugApt.html
    And surprise: this alternate deployment fails to initialise! The applet throws a NoClassDefFoundError during its initialisation on the following statement: DocumentBuilderFactory.newInstance();
    Find hereafter the java console log:
    java.lang.NoClassDefFoundError: IllegalName: <HTML><title>FreeWebs - Page Not Found</title>
         at java.lang.ClassLoader.preDefineClass(Unknown Source)
         at java.lang.ClassLoader.defineClass(Unknown Source)
         at java.security.SecureClassLoader.defineClass(Unknown Source)
         at sun.applet.AppletClassLoader.findClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at sun.applet.AppletClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at javax.xml.parsers.FactoryFinder.newInstance(Unknown Source)
         at javax.xml.parsers.FactoryFinder.findJarServiceProvider(Unknown Source)
         at javax.xml.parsers.FactoryFinder.find(Unknown Source)
         at javax.xml.parsers.DocumentBuilderFactory.newInstance(Unknown Source)
         at DBFBugApt.init(DBFBugApt.java:13)
         at sun.applet.AppletPanel.run(Unknown Source)
         at java.lang.Thread.run(Unknown Source)
    The question I'm trying to answer for one week without getting any logical explanation is WHY???
    The most remarkable difference between these two hosting web servers is the following:
    My personal web site http://www.culand.ch is hosted on a Cobalt web server while www.freewebs.com sites are hosted on Apache servers.
    For different reasons, I suspect that Apache web servers in general do not support hosting applets performing such a DocumentBuilderFactory.newInstance() statement.
    Or said differently: the JRE 1.5.0_01 implementation of the DocumentBuilderFactory class does not support being invoked by an applet hosted on an Apache server!!!
    Is that a bug of the JRE 1.5.0_01 or a misconfiguration of the www.freewebs.com Apache web servers?
    If you have an available Apache web server, you can help me decide this by installing this applet on your server and letting me know if it works or not.
    DBFBugApt.class, DBFBugApt.html (and the source file DBFBugApt.java too) can all be downloaded from each of the two given web servers.
    If this is confirmed to be related to the Apache web servers only, and no misconfiguration of the web server can be found, I will report this as a JRE bug to Sun!
    Thank you for helping me solve this!
    And I'm offering a 10 Dollar Duke reward for a solution because I'm tired of this *@!$%! problem...
    Thanks again to all of you who will answer this thread.
    P.F. Culand

    The issue is not with the type of server, but with the specific configuration of the freewebs server.
    The DBF tries to load a file "META-INF/services/javax.xml.parsers.DocumentBuilderFactory" from the classpath, which, in this case, is the directory on your server. The freewebs server does not return a HTTP 404 error for a non-existing resource like a proper little webserver, but instead returns a HTTP 200 and a (human-readable) error page, which the DBF tries to parse, resulting in the error.
    Note that this is NOT Apache default behaviour; any server can be configured thus, although it violates the HTTP protocol.
    2 possible solutions:
    - configure the freewebs server properly
    - pack your app into a jar file

    Since the first solution is not in my hands I opted for the 2nd one:
    It seems not to work, but I may have done something wrong in packing my applet into a jar file... (not very experienced in that).
    So here is what I did:
    I made the jar file by executing the following batch file:
    set JavaDir=C:\Program Files\Java\Jdk1.5.0_01\
    set ClassPath=.;%JavaDir%lib\classes.zip;%JavaDir%lib\
    "%JavaDir%bin\jar" cvf DBFBugApt.jar DBFBugApt.class
    I modified the DBFBugApt.html file by adding an archive attribute to the applet tag that way:
    <html>
    <head>
    <title>DocumentBuilderFactory bug ?</title>
    </head>
    <body>
    <p>DBFBugApt says: (may fail when hosted on some servers !)</p>
    <p>
    <applet archive="DBFBugApt.jar" code="DBFBugApt.class" width="250" height="100">
    </applet>
    </p>
    </body>
    </html>
    I deleted the old DBFBugApt.class
    I first tried to display the new html file from my local directory with the MSIE browser... It worked.
    I uploaded the new jar and html files on the working Cobalt server on my personal web site: http://www.culand.ch/dev/DBFBugApt.html and deleted the old class file. Then I tested it... It worked.
    Finally I uploaded them the same way on the freewebs server (http://www.freewebs.com/softquipeut/DBFBugApt.html) and deleted the old class file too. Then I tested it... DOES NOT WORK !
    The loading of the applet is much slower than before and it hangs "not inited" like before... The console log is the following (exactly the same as before):
    java.lang.NoClassDefFoundError: IllegalName: <HTML><title>FreeWebs - Page Not Found</title>
         at java.lang.ClassLoader.preDefineClass(Unknown Source)
         at java.lang.ClassLoader.defineClass(Unknown Source)
         at java.security.SecureClassLoader.defineClass(Unknown Source)
         at sun.applet.AppletClassLoader.findClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at sun.applet.AppletClassLoader.loadClass(Unknown Source)
         at java.lang.ClassLoader.loadClass(Unknown Source)
         at javax.xml.parsers.FactoryFinder.newInstance(Unknown Source)
         at javax.xml.parsers.FactoryFinder.findJarServiceProvider(Unknown Source)
         at javax.xml.parsers.FactoryFinder.find(Unknown Source)
         at javax.xml.parsers.DocumentBuilderFactory.newInstance(Unknown Source)
         at DBFBugApt.init(DBFBugApt.java:13)
         at sun.applet.AppletPanel.run(Unknown Source)
         at java.lang.Thread.run(Unknown Source)
    Did I do something wrong?
    Why do you think that packing the applet into a jar file would solve the problem?
    Any suggestion?
    It is driving me to despair...!
    Thanks for your help, the thread stays open.
    P.F. Culand
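The answer in this thread pins the failure on a host that answers 200 with an HTML page for a resource it does not have, so the applet class loader reads that page as the provider-configuration file and then as a class name (the `IllegalName: <HTML><title>...` in the trace). The check below is an added example, not part of the original thread or of any of the hosts it names: it stands up two throwaway local HTTP servers, one that returns a proper 404 and one that "soft-404s", and probes each for the exact path FactoryFinder fetches, reporting what a soft-404 host would hand to the class loader. The class bytes and the error page are constructed stand-ins; no real host is contacted.

```python
"""Soft-404 check for a web root that serves Java class files.

Added example, not part of the original thread. Two throwaway in-process HTTP
servers stand in for the 'proper' host and the misconfigured host described in
the answer; the class bytes and the error page are constructed stand-ins, and
no real host is contacted.
"""
import http.server
import threading
import urllib.error
import urllib.request

# What FactoryFinder fetches from the codebase before falling back to the JDK's own parser.
PROVIDER_PATH = "/META-INF/services/javax.xml.parsers.DocumentBuilderFactory"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"

HOSTED = {"/DBFBugApt.class": CLASS_MAGIC + b"\x00" * 12}          # constructed stand-in
NOT_FOUND_PAGE = b"<HTML><title>Page Not Found</title></HTML>\n"   # constructed stand-in


class ProperHandler(http.server.BaseHTTPRequestHandler):
    """Answers 404 for anything it does not host, which is what the class loader relies on."""

    def _send(self, status, ctype, body):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path in HOSTED:
            self._send(200, "application/octet-stream", HOSTED[self.path])
        else:
            self._send(404, "text/html", NOT_FOUND_PAGE)

    def log_message(self, *args):  # keep the demo quiet
        pass


class Soft404Handler(ProperHandler):
    """Misconfigured host: the same error page, but with status 200."""

    def do_GET(self):
        if self.path in HOSTED:
            self._send(200, "application/octet-stream", HOSTED[self.path])
        else:
            self._send(200, "text/html", NOT_FOUND_PAGE)


def fetch(url, timeout=3.0):
    """GET url and return (status, content-type, body); 4xx/5xx are data here, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type", ""), err.read()


def audit_codebase(base_url):
    """Probe a codebase URL the way the applet class loader would and report findings."""
    status, ctype, body = fetch(base_url + PROVIDER_PATH)
    soft_404 = status == 200 and (ctype.startswith("text/html") or body.lstrip().startswith(b"<"))
    # The provider file's first line is taken as a class name; on a soft-404 host that
    # "class name" is the first line of the HTML error page.
    first_line = body.splitlines()[0].decode("utf-8", "replace") if body else ""
    cstatus, _, cbody = fetch(base_url + "/DBFBugApt.class")
    return {
        "provider_status": status,
        "soft_404": soft_404,
        "would_load_class": first_line if soft_404 else None,
        "class_ok": cstatus == 200 and cbody[:4] == CLASS_MAGIC,
    }


def start_server(handler):
    """Bind an ephemeral localhost port and serve in a daemon thread; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def stop_server(srv):
    srv.shutdown()
    srv.server_close()


if __name__ == "__main__":
    for name, handler in (("proper", ProperHandler), ("soft-404", Soft404Handler)):
        srv, url = start_server(handler)
        try:
            print(name, audit_codebase(url))
        finally:
            stop_server(srv)
```

Against a real deployment, `audit_codebase("http://host/path")` is the check to run before blaming the JRE: a 200 on the provider path is the misconfiguration the answer describes. The same probe also makes the trust boundary visible: whatever that path returns is what the applet will load as its parser class, so a codebase served over plain HTTP hands that choice to anyone on the network path, not just to the hosting provider.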
