MAC-Miss Rate on ACE module

What exactly does the MAC-Miss rate mean on the ACE? And if we are running out of resources for it, should I worry?
We have only implemented 1 production policy on the ACE module so far and we are already running out of resources for the mac-miss rate. All other resources look good.
Is this OK? Or is something wrong here?
Attached are the resource usage counters.
Thanks,
Ben

When the ACE receives traffic for which it does not have an arp entry for either the source or destination, this is called a mac-miss and the fastpath agent needs to ask the slowpath agent to perform an arp request.
This communication is rate-limited.
With no mac entry for a src or dst, we drop the packet.
So, you should increase the resource.
Or review your design.
It's best to have the clients coming through a gateway (i.e. the MSFC) instead of directly accessing the ACE.
This way only 1 mac entry is needed - the gateway.
You'll see a counter like this
switch/Admin# sho np 1 me-stats "-socm -v" | i mac
Drop [mac lookup fail]: 4 0
Gilles.
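A small check for the two counters Gilles points at, the Denied column of `show resource usage` and the `Drop [mac lookup fail]` line from `show np 1 me-stats "-socm -v"`, as an added example in Python. It is not code from the thread or from Cisco; the sample outputs embedded in it are constructed in the layout shown on this page (the context name PROD and its numbers are made up), and the parsing regexes assume that layout.

```python
"""Added example: flag ACE resource denials and mac-lookup-fail drops.

Not from the thread or from Cisco; the sample outputs below are constructed
in the layout of `show resource usage` and `show np 1 me-stats "-socm -v"`
as they appear in this discussion (context PROD and its values are made up).
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_RESOURCE_USAGE = """\
                                                     Allocation
        Resource         Current       Peak        Min        Max       Denied
Context: Admin
  conc-connections              9          9          0          0          0
  bandwidth                     0         76          0  125000000  296849008
    throughput                  0         76          0          0  296849008
    mgmt-traffic rate           0          0          0  125000000          0
  connection rate               0          2          0          0         15
  mac-miss rate                 0          0          0          0          0
Context: PROD
  conc-connections           1200       4100    2000000          0          0
  mac-miss rate               480        500        500          0       1375
  sticky                       12         12     419430          0          0
"""

SAMPLE_ME_STATS = "Drop [mac lookup fail]: 4 0"

Counters = Dict[str, int]                   # current/peak/min/max/denied
Usage = Dict[str, Dict[str, Counters]]      # context -> resource -> counters

_COLS = ("current", "peak", "min", "max", "denied")
# A data row: indented resource name (one or two words) followed by five integers.
_ROW_RE = re.compile(
    r"^\s+([a-z][a-z-]*(?: rate| buffer)?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)
_CTX_RE = re.compile(r"^\s*Context:\s+(\S+)")


def parse_resource_usage(text: str) -> Usage:
    """Turn `show resource usage` output into dicts keyed by context, then resource."""
    usage: Usage = {}
    ctx: Optional[str] = None
    for line in text.splitlines():
        m = _CTX_RE.match(line)
        if m:
            ctx = m.group(1)
            usage[ctx] = {}
            continue
        m = _ROW_RE.match(line)
        if m and ctx is not None:
            usage[ctx][m.group(1)] = dict(zip(_COLS, map(int, m.groups()[1:])))
    return usage


def denied_resources(usage: Usage, threshold: int = 1) -> List[Tuple[str, str, int]]:
    """(context, resource, denied) for every row whose Denied counter reached the
    threshold, largest first. For mac-miss rate a non-zero Denied means more
    packets needed ARP resolution than the rate limit allowed, so they were dropped."""
    hits = [(ctx, name, c["denied"])
            for ctx, rows in usage.items()
            for name, c in rows.items()
            if c["denied"] >= threshold]
    return sorted(hits, key=lambda h: -h[2])


def mac_miss_headroom(usage: Usage) -> Dict[str, Optional[float]]:
    """Peak mac-miss rate divided by the context's guaranteed minimum (None when the
    context shows no minimum to compare against). Values near 1.0 mean the limit was
    reached and the design review suggested above is due."""
    out: Dict[str, Optional[float]] = {}
    for ctx, rows in usage.items():
        row = rows.get("mac-miss rate")
        out[ctx] = None if row is None or row["min"] == 0 else row["peak"] / row["min"]
    return out


def mac_lookup_fail_drops(me_stats_line: str) -> Tuple[int, int]:
    """Read the two counters printed after 'Drop [mac lookup fail]:'; (0, 0) if absent."""
    m = re.search(r"Drop \[mac lookup fail\]:\s+(\d+)\s+(\d+)", me_stats_line)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def report(resource_text: str, me_stats_line: str) -> List[str]:
    """Human-readable findings; an empty list means nothing was denied or dropped."""
    usage = parse_resource_usage(resource_text)
    lines = [f"{ctx}: {name} denied {n} times" for ctx, name, n in denied_resources(usage)]
    for ctx, ratio in mac_miss_headroom(usage).items():
        if ratio is not None and ratio >= 0.9:
            lines.append(f"{ctx}: mac-miss peak at {ratio:.0%} of its minimum")
    drops = mac_lookup_fail_drops(me_stats_line)
    if drops != (0, 0):
        lines.append(f"fastpath dropped packets on MAC lookup failure: {drops}")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_RESOURCE_USAGE, SAMPLE_ME_STATS):
        print(finding)
```

Paste the real `show resource usage` output of all contexts into `report()` and anything with a non-zero Denied counter is listed first; a mac-miss Denied count together with a peak at the context's minimum is the pattern Gilles describes, and the fix is either a larger allocation for that resource or fewer directly attached hosts so that only the gateway's MAC is needed.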

Similar Messages

  • Missing content on ACE module.

    Hello
    I'm working on a configuration and after a few tests I realized it does not bring up the whole content of the site. Most of the time a picture or two is missing. The site is eBay-like with many pictures, banners and Flash.
    If I right-click “Show Picture” the image comes up right away.
    For testing purposes and to be able to work along with the previous solution, NAT is set.
    So far, I have tried:
    I disabled sticky on every serverfarm. It was ON at the beginning.
    I changed the predictor. From response app-req-to-resp samples 4 to leastconns slowstart 30.
    I tried IE7 and Firefox clearing caches and so.
    I set OUTOFSERVICE different servers and made combinations in an attempt to identify a rogue server.
    The show serverfarm detail showed failures a couple of times but I later realized it was not related because further testing showed missing content and a steady counter.
    No resources were ever denied.
    The solution to be replaced by the ACE works fine.
    The installed version is c6ace-t1k9-mz.A2_1_1a.bin.
    Any advice?
    Thanks a lot.
    Guido

    You did a lot of things without knowing what exactly is going on in the network.
    The first step in troubleshooting an issue with ACE is to capture a sniffer trace of the tengig interface.
    See if the server is sending redirect, or if packets are dropped, ...
    Once you have the trace, if you can't see the problem send it to us with the config.
    Gilles.

  • Cisco ACE module missing licence file - no connectivity

    Hi,
    We have 2 ACE modules that were delivered without any licenses.
    There is no IP connectivity whatsoever to these modules and I'm guessing this is due to the fact there are no licenses installed.
    Have tried asking Cisco to no avail - and am not sure if there is an actual problem with them or not.
    The VLANs are assigned correctly and I can see inbound ICMP echo from the 6509 that it's hosted in, but no outbound packets ever leave the ACE. I've applied a mgmt policy to enable ping/telnet/ssh etc.
    switch/Admin# sh vlans
    Vlans configured on SUP for this module
    vlan4  vlan30-31  vlan160  vlan180-195  vlan360  vlan380-395  vlan560  vlan580-
    595  vlan760  vlan780-795
    switch/Admin# sh ip int bri
    Interface       IP-Address      Status                  Protocol
    vlan4           10.119.127.196  up                      up
    vlan30          10.119.127.241  up                      up
    vlan31          10.119.127.245  up                      up
    interface vlan 4
      description ACE Mgmt interface for Admin Context
      ip address 10.119.127.196 255.255.255.224
      service-policy input REMOTE_MGMT
      no shutdown
    vlan4 is up
      Hardware type is VLAN
      MAC address is 00:1f:ca:7b:6f:33
      Mode : routed
      IP address is 10.119.127.196 netmask is 255.255.255.224
      FT status is non-redundant
      Description:ACE Mgmt interface for Admin Context
      MTU: 1500 bytes
      Last cleared: never
      Alias IP address not set
      Peer IP address not set
      Assigned from the Supervisor, up on Supervisor
      Config download failures : 1
         2980 unicast packets input, 16363862 bytes
         240857 multicast, 3026 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         0 unicast packets output, 187712 bytes
         0 multicast, 2933 broadcast
         0 output errors, 0 ignored
    switch/Admin# sh arp
    Context Admin
    ================================================================================
    IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
    ================================================================================
    10.119.127.193  00.00.00.00.00.00  vlan4     GATEWAY    -       * 3 req     dn
    10.119.127.196  00.1f.ca.7b.6f.33  vlan4     INTERFACE  LOCAL     _         up
    10.119.127.245  00.1f.ca.7b.6f.33  vlan31    INTERFACE  LOCAL     _         up
    10.119.127.241  00.1f.ca.7b.6f.33  vlan30    INTERFACE  LOCAL     _         up
    ================================================================================
    Total arp entries 4
    The ARP table for the adjacent switch SVI has a valid MAC upon reboot, but soon after resets to 00.00.00.00.00.00
    Problem is that once Cisco eventually send me the license file I have no way of TFTP'ing it to the ACE module.
    Any suggestions/advice?

    Thanks for the info - so I should at least be able to connect to a license-less ACE at least, but these modules seem to have a problem.
    If the modules are reloaded (from the ACE) or reset (from the Supervisor) they initially have the ARP entry (however still cannot communicate to the attached Supervisor via SVI) which eventually resets.
    Info as requested:
    switch/Admin# sh resource usage
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    Context: Admin
      conc-connections              9          9          0          0          0
      mgmt-connections              0          0          0          0          0
      proxy-connections             0          0          0          0          0
      xlates                        0          0          0          0          0
      bandwidth                     0         76          0  125000000  296849008
        throughput                  0         76          0          0  296849008
        mgmt-traffic rate           0          0          0  125000000          0
      connection rate               0          2          0          0         15
      ssl-connections rate          0          0          0          0          0
      mac-miss rate                 0          0          0          0          0
      inspect-conn rate             0          0          0          0          0
      acl-memory                    0       6336          0          0         11
      sticky                        0          0          0          0          0
      regexp                        0          0          0          0          0
      syslog buffer                 0          0          0          0          0
      syslog rate                   0          0          0          0         24
    Context: APPLICATION
      conc-connections              0          0    2000000          0          0
      mgmt-connections              0          0      25000          0          0
      proxy-connections             0          0     262144          0          0
      xlates                        0          0     262144          0          0
      bandwidth                     0          0  125000000  125000000          0
        throughput                  0          0  125000000          0          0
        mgmt-traffic rate           0          0          0  125000000          0
      connection rate               0          0     250000          0          0
      ssl-connections rate          0          0        250          0          0
      mac-miss rate                 0          0        500          0          0
      inspect-conn rate             0          0       1500          0          0
      acl-memory                    0          0   19650480          0          0
      sticky                        0          0     419430          0          0
      regexp                        0          0     262144          0          0
      syslog buffer                 0          0    1048576          0          0
      syslog rate                   0          0      25000          0          0
    Context: BACK_END
      conc-connections              0          0    2000000          0          0
      mgmt-connections              0          0      25000          0          0
      proxy-connections             0          0     262144          0          0
      xlates                        0          0     262144          0          0
      bandwidth                     0          0  125000000  125000000          0
        throughput                  0          0  125000000          0          0
        mgmt-traffic rate           0          0          0  125000000          0
      connection rate               0          0     250000          0          0
      ssl-connections rate          0          0        250          0          0
      mac-miss rate                 0          0        500          0          0
      inspect-conn rate             0          0       1500          0          0
      acl-memory                    0          0   19650480          0          0
      sticky                        0          0     419430          0          0
      regexp                        0          0     262144          0          0
      syslog buffer                 0          0    1048576          0          0
      syslog rate                   0          0      25000          0          0
    Context: FRONT_END
      conc-connections              0          0    2000000          0          0
      mgmt-connections              0          0      25000          0          0
      proxy-connections             0          0     262144          0          0
      xlates                        0          0     262144          0          0
      bandwidth                     0          0  125000000  125000000          0
        throughput                  0          0  125000000          0          0
        mgmt-traffic rate           0          0          0  125000000          0
      connection rate               0          0     250000          0          0
      ssl-connections rate          0          0        250          0          0
      mac-miss rate                 0          0        500          0          0
      inspect-conn rate             0          0       1500          0          0
      acl-memory                    0          0   19650480          0          0
      sticky                        0          0     419430          0          0
      regexp                        0          0     262144          0          0
      syslog buffer                 0          0    1048576          0          0
      syslog rate                   0          0      25000          0          0
    Context: TEST_DEV
      conc-connections              0          0    2000000          0          0
      mgmt-connections              0          0      25000          0          0
      proxy-connections             0          0     262144          0          0
      xlates                        0          0     262144          0          0
      bandwidth                     0          0  125000000  125000000          0
        throughput                  0          0  125000000          0          0
        mgmt-traffic rate           0          0          0  125000000          0
      connection rate               0          0     250000          0          0
      ssl-connections rate          0          0        250          0          0
      mac-miss rate                 0          0        500          0          0
      inspect-conn rate             0          0       1500          0          0
      acl-memory                    0          0   19650480          0          0
      sticky                        0          0     419430          0          0
      regexp                        0          0     262144          0          0
      syslog buffer                 0          0    1048576          0          0
      syslog rate                   0          0      25000          0          0
    switch/Admin# sh cde health
    CDE BRCM INTERFACE
    ======================
    Packets received                                             3357
    Packets transmitted                                            12
    Broadcom interface CRC error count                              0
    BRCM VOQ status                           [empty]      [not full]
    BRCM pull status                                        [pulling]
    CDE HYPERION INTERFACE
    ======================
    Packets received                                          7668407
    Packets transmitted                                        967915
    Short packets drop count                                        0
    Fifo Full drop count                                            0
    Protocol error drop count                                       0
    FCS error drop count                                            0
    CRC error drop count                                            0
    Num times flow control triggered on hyp interface                0
    Num self generated multicast packets filtered              967915
    HYP IXP0 VOQ status                       [empty]      [not full]
    HYP IXP1 VOQ status                       [empty]      [not full]
    HYP SLOW VOQ status                       [empty]      [not full]
    HYP tx pull status                                      [pulling]
    CDE IXP0 INTERFACE
    ======================
    Packets received                                           964680
    Packets transmitted                                       6581196
    Num bad pkts recvd on fast spi channel0                         0
    Num bad pkts recvd on slow spi channel8                         0
    Num bad pkts recvd on fast spi channel2                         0
    Num bad pkts recvd on slow spi channel4                         0
    IXP0 Fast VOQ status                      [empty]      [not full]
    IXP0 BRCM VOQ status                      [empty]      [not full]
    IXP0 pull status                                        [pulling]
    IXP0 spi src status                                     [healthy]
    IXP0 spi snk status                                     [healthy]
    CDE1 SWITCH1 INTERFACE
    ======================
    Packets received (hyp, ixp0)                                 3241
    Packets received (bcm)                                          6
    Packets received (daughter card 0)                              0
    Packets received (daughter card 1)                              0
    Packets Errors received (hyp, ixp0)                             0
    Packets Errors received (bcm)                                   0
    Packets Errors received (daughter card 0)                       0
    Packets Errors received (daughter card 1)                       0
    Packets transmitted (ixp1)                                 122653
    Packets transmitted (nitrox)                                    0
    Packets Errors transmitted (ixp1)                               0
    Packets Errors transmitted (nitrox)                             0
    CDE2 SWITCH2 INTERFACE
    ======================
    Packets received (ixp1)                                    122653
    Packets received (nitrox)                                       0
    Packets Errors received (ixp1)                                  0
    Packets Errors received (nitrox)                                0
    Packets transmitted (hyp, ixp0)                              3241
    Packets transmitted (broadcom)                                  6
    Packets transmitted (daughter card 0)                           0
    Packets transmitted (daughter card 1)                           0
    Packets Errors transmitted (ixp1)                               0
    Packets Errors transmitted (nitrox)                             0
    Packets Errors transmitted (daughter card 0)                    0
    Packets Errors transmitted (daughter card 1)                    0
    CDE IXP1 INTERFACE
    ======================
    Packets received                                             3247
    Packets transmitted                                        122653
    Num bad pkts recvd on fast spi channel0                         0
    Num bad pkts recvd on slow spi channel8                         0
    Num bad pkts recvd on fast spi channel2                         0
    Num bad pkts recvd on slow spi channel4                         0
    IXP1 Fast VOQ status                      [empty]      [not full]
    IXP1 BRCM VOQ status                      [empty]      [not full]
    IXP1 pull status                                        [pulling]
    IXP1 spi src status                                     [healthy]
    IXP1 spi snk status                                     [healthy]
    CDE NITROX INTERFACE
    ======================
    Packets received                                                0
    Packets transmitted                                             0
    Num bad pkts recvd on fast spi channel0                         0
    Num bad pkts recvd on slow spi channel8                         0
    Num bad pkts recvd on fast spi channel2                         0
    Num bad pkts recvd on slow spi channel4                         0
    NTX Fast VOQ status                       [empty]      [not full]
    NTX BRCM VOQ status                       [empty]      [not full]
    NTX pull status                                         [pulling]
    NTX spi src status                                      [healthy]
    NTX spi snk status                                      [healthy]
    == Backplane ==
    ITASCA_SYS_CNTL1 0x300  data 0x61f0000
    ITASCA_SYS_CNTL2 0x304  data 0x80630000

  • Slow TCP performance for traffic routed by ACE module

    Hi,
    the customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in the different ACE contexts. When the customer uses FTP from one server in one context to the other server in other context the throughput through ACE is about 23 Mbps. It is routed traffic in ACE:-(  See:
    server1: / #ftp server2
    Connected to server2.cent.priv.
    220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
    Name (server2:root):
    331 Password required for root.
    Password:
    230 User root logged in.
    ftp> bin
    200 Type set to I.
    ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
    200 PORT command successful.
    150 Opening data connection for /dev/null.
    5000+0 records in.
    5000+0 records out.
    226 Transfer complete.
    163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
    local: |dd if=/dev/zero bs=32k count=5000  remote: /dev/null
    ftp>
    The output from show resource usage doesn't show any drops:
    conc-connections              0          0     800000    1600000          0
      mgmt-connections             10         54      10000      20000          0
      proxy-connections             0          0     104858     209716          0
      xlates                        0          0     104858     209716          0
      bandwidth                     0      46228   50000000  225000000          0
        throughput                  0       1155   50000000  100000000          0
        mgmt-traffic rate           0      45073          0  125000000          0
      connections rate              0          9     100000     200000          0
      ssl-connections rate          0          0        500       1000          0
      mac-miss rate                 0          0        200        400          0
      inspect-conn rate             0          0        600       1200          0
      acl-memory                 7064       7064    7082352   14168883          0
      sticky                        6          6     419430          0          0
      regexp                       47         47     104858     209715          0
      syslog buffer            794624     794624     418816     431104          0
      syslog rate                   0         31      10000      20000          0
    There is a parameter map configured with rebalance persistent for cookie insertion in the context.
    Do you know how can I increase performance for TCP traffic which is not load-balanced, but routed by ACE? Thank you very much.
    Roman

    Default inactivity timeouts used by ACE are
    icmp 2sec
    tcp 3600sec
    udp 120sec
    With your config you will change inactivity for every protocol to 7500 sec. If you want to change the TCP timeout to 7500 sec and keep the
    other inactivity timeouts as they are now, use the following:
    parameter-map type connection GLOBAL-TCP
    set timeout inactivity 600
    parameter-map type connection GLOBAL-UDP
    set timeout inactivity 120
    parameter-map type connection GLOBAL-ICMP
    set timeout inactivity 2
    class-map match-all ALL-TCP
    match port tcp any
    class-map match-all ALL-UDP
    match port udp any
    class-map match-all ALL-ICMP
    match port tcp any
    policy-map multi-match TIMEOUTS
    class ALL-TCP
    connection advanced GLOBAL-TCP
    class ALL-UDP
    connection advanced GLOBAL-UDP
    class ALL-ICMP
    connection advanced GLOBAL-ICMP
    and apply service-policy TIMEOUTS globally
    Syed Iftekhar Ahmed

  • Sticky resource not available - ACE Module

    hi,
    I am getting the below error on defining stickiness. Please assist.
    switch/Admin(config)# sticky ip-netmask 255.255.255.255 address both ACE-CKH-STICKY
    Error: sticky resource not available
    Thanks.

    Note: The syslog message statistics do not include the syslogs generated from the dataplane when you enable the logging of connection setup and teardown syslog messages through the logging fastpath command.
    • regexp - Limits the amount of regular expression memory.
    • sticky - Limits the number of entries in the sticky table. You must configure a minimum value for sticky to allocate resources for sticky entries, because the sticky software receives no resources under the unlimited setting.
    • xlates - Limits the number of network and port address translation entries.
    • minimum number - Specifies the lowest acceptable value. Enter an integer from 0.00 to 100.00 percent (two-decimal places of granularity). The number argument specifies a percentage value for all contexts that are members of the class. When used with the rate keyword, the number argument specifies a value per second.
    • maximum {equal-to-min | unlimited} - Specifies the maximum resource value: either the same as the minimum value or no limit.
    Note: The limit that you set for individual resources when you use the limit-resource command overrides the limit that you set for all resources when you use the limit-resource all command.
    If you lower the limits for one context (context A) in order to increase the limits of another context (context B), you may experience a delay in the configuration change because the ACE will not lower the limits of context A until the resources are no longer being used by the context.
    For example, to allocate 20 percent of all resources (minimum and maximum) to all member contexts of the resource class, enter:
    (config-resource)# limit-resource all minimum 20% maximum equal-to-min
    System Resource Maximum Values
    Resource                                Maximum Value
    Application Acceleration Connections    10000 connections
    ACL Memory                              34123184 bytes
    Buffer Memory (Syslog)                  1048576 bytes
    Concurrent Connections                  1,000,000 connections (Layer 4), 100,000 connections (SSL)
    HTTP Compression                        100 megabits per second (Mbps). You can upgrade the ACE maximum HTTP compression rate to 1 Gbps by purchasing a separate license from Cisco Systems. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
    Management Connections                  5000 connections
    Proxy Connections (Layer 7)             256,000 connections
    Rate:
      Bandwidth                             1 gigabit per second (Gbps). You can upgrade the ACE maximum bandwidth to 2 Gbps by purchasing a separate license from Cisco Systems. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
      Connections (any kind)                120,000 connections per second (Layer 4), 40,000 connections per second (Layer 7)
      MAC miss                              2000 packets per second
      Management traffic                    125,000,000 bits per second
      SSL connections                       1000 transactions per second (TPS). You can upgrade the SSL bandwidth to a maximum of 7500 TPS with a separate license. For more information, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
      syslog                                For traffic going to the ACE (control plane), 3000 messages per second; for traffic going through the ACE (data plane), 120,000 messages per second
    Regular Expression Memory               1,048,576 bytes
    Sticky Entries                          800,000 table entries
    Xlates (network and port address translation entries)    64,000 Xlates (network entries), 1,000,000 Xlates (port address translation entries)
    Kind Regards,
    Sachin Garg
    Senior Specialist Security
    HCL Comnet Ltd.
    http://www.hclcomnet.co.in
    A-10, Sector 3, Noida- 201301
    INDIA
    Mob: +91-9911757733
    Email: [email protected]
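    The rules quoted in the reply above (a percentage minimum, maximum equal-to-min or unlimited, an individual limit-resource line overriding limit-resource all, and sticky getting nothing under the unlimited default) resolved into absolute per-context numbers, as an added example in Python. It is not code from the thread or from Cisco; the system maxima it uses are the appliance figures in the table above, the resource-class model is a simplification, and the ACE module outputs elsewhere on this page show different totals, so treat the absolute values as illustrative.

```python
"""Added example: resolve ACE resource-class limits into per-context values.

Not from the thread or from Cisco. Models the documented rules: percentage
minimum, maximum equal-to-min or unlimited, an individual limit-resource
overriding limit-resource all, and sticky needing a non-zero minimum.
SYSTEM_MAX holds the appliance figures quoted in the table above; the module
outputs on this page show different totals, so the numbers are illustrative.
"""
from typing import Dict, Optional, Tuple

# System-wide maxima from the quoted table (ACE 4700 appliance figures).
SYSTEM_MAX: Dict[str, int] = {
    "conc-connections": 1_000_000,   # Layer 4 connections
    "sticky": 800_000,               # sticky table entries
    "regexp": 1_048_576,             # bytes of regular-expression memory
    "xlates": 1_000_000,             # port address translation entries
    "mac-miss rate": 2000,           # packets per second
    "ssl-connections rate": 1000,    # transactions per second
}

Limit = Tuple[float, str]  # (minimum percent, "equal-to-min" | "unlimited")


class ResourceClass:
    """One resource-class block: limit-resource lines keyed by resource name or 'all'."""

    def __init__(self) -> None:
        self._limits: Dict[str, Limit] = {}

    def limit_resource(self, resource: str, minimum_pct: float,
                       maximum: str = "unlimited") -> "ResourceClass":
        """Mirror `limit-resource {all|<name>} minimum N% maximum {equal-to-min|unlimited}`."""
        if resource != "all" and resource not in SYSTEM_MAX:
            raise ValueError(f"unknown resource {resource!r}")
        if not 0.0 <= minimum_pct <= 100.0:
            raise ValueError("minimum must be 0.00 to 100.00 percent")
        if maximum not in ("equal-to-min", "unlimited"):
            raise ValueError("maximum must be equal-to-min or unlimited")
        self._limits[resource] = (round(minimum_pct, 2), maximum)
        return self

    def effective_limit(self, resource: str) -> Limit:
        """An individual limit wins over 'all'; with neither, the default is 0% / unlimited."""
        return self._limits.get(resource, self._limits.get("all", (0.0, "unlimited")))

    def allocation(self, resource: str) -> Dict[str, Optional[int]]:
        """Guaranteed minimum and cap for each member context, in the resource's own unit.
        A cap of None means unlimited."""
        pct, mode = self.effective_limit(resource)
        minimum = int(SYSTEM_MAX[resource] * pct / 100)
        return {"min": minimum, "max": minimum if mode == "equal-to-min" else None}

    def sticky_usable(self) -> bool:
        """Sticky receives no resources with a zero minimum, which is what the
        'sticky resource not available' error in the question reports."""
        return self.allocation("sticky")["min"] > 0


if __name__ == "__main__":
    rc = ResourceClass()
    print("default class, sticky usable:", rc.sticky_usable())
    rc.limit_resource("all", 20, "equal-to-min").limit_resource("sticky", 50)
    for name in SYSTEM_MAX:
        print(f"{name:22} {rc.allocation(name)}")
```

    The default class leaves every minimum at 0%, so `sticky_usable()` is False until a `limit-resource sticky minimum` (or a non-zero `limit-resource all minimum`) is applied to the class the context belongs to.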

  • Ace module dropping asymmetric layer 2 connections

    Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server.  The server in question was using Transmit Load Balancing with Fault Tolerance.
    The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
    I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1.  The ace module is in transparent mode.  When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port.  Does it share some kind of layer 2 RPF check with the 6500 ?
    Please note there is no routing involved here.  The destination server is just on another vlan on the same subnet, on the other side of the ace.

    Bryan,
    As long as the server replies back to the ACE the client should only be communicating with the VIP address in either of your two examples.
    In your first example the flow will look like this.
    client > VIP after the ACE  client > rserver
    the reply would be
    rserver > client after the ACE VIP > rserver
    In your second example using client nat it will look like this
    Client > VIP   After ACE  Natpool > rserver.
    the reply would be
    rserver > Nat-pool  after ACE VIP > client.
    The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
    Regards
    Jim

  • Ace module in bridged mode with client nat

    Could someone confirm whether NAT is supported on the ACE-20 module, please?
    Let me explain the technical details.
    I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure if the configuration below is correct. The ACE module should be configured in bridge mode with two VLANs - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding "policy-map type loadbalance".
    Could you check the two parts of the configs and advise me whether the ACE config is properly converted from CSM and will work in the same way (especially for NAT)?
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
      You will want to use PAT while you do nat, so change the natpool configuration to this:
       nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
      You also need to apply the nat like this:
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source nat like this:
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins

  • Configuring FT on ACE Modules

    Hi,
    I am trying to configure FT on ACE modules, with the following commands
    ft interface vlan 20
      ip address 172.16.20.1 255.255.255.252
      peer ip address 172.16.20.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 20
    ft group 1
      peer 1
      priority 150
      associate-context Admin
      inservice
    The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft'. How do I resolve this? Do I need to enable something?

    Hi, I have the following config which seems to be working fine for me... check that your vlan20 interface is up.
    ft interface vlan 212
      ip address 172.31.1.221 255.255.255.252
      peer ip address 172.31.1.222 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 20
      ft-interface vlan 212
    ft group 2
      peer 1
      priority 50
      peer priority 150
      associate-context Admin
      inservice
    HQ-ACE1/Admin# sh int
    vlan212 is up, administratively up
      Hardware type is VLAN
      MAC address is 00:23:5e:25:72:f1
      Mode : routed
      IP address is 172.31.1.221 netmask is 255.255.255.252
      FT status is standby
      Description:not set
      MTU: 1500 bytes
      Last cleared: never
      Last Changed: Tue Sep  6 12:46:06 2011
      No of transitions: 1
      Alias IP address not set
      Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
      Assigned from the Supervisor, up on Supervisor
         8654909 unicast packets input, 735611030 bytes
         1151150 multicast, 161 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         13020418 unicast packets output, 1672055521 bytes
         0 multicast, 163 broadcast
         0 output errors, 0 ignored

  • ACE MODULE IN BRIDGE MODE NOT LOADBALANCING

    Hi,
    I setup an ace module in bridge mode as follows:
    mfsc(vla80) > (vla80)outside fwsm, fwsm inside(vla40) > (vla40)ace-clientside, aceserverside(vla41)
    and the servers have the fwsm svi(vla40) as their gateway. But, the ace is not loadbalancing.
    The config script is attached. Is there anything I am missing?

    Check my troubleshooting guide on this forum.
    There are few things to do to narrow down the issue.
    Gilles.

  • Certificates vanished - ACE Module. Strange!

    ACE modules are configured in Active/Standby context mode on two distinct Cat6500's. The feature license is 10,000 SSL tps, 8Gbps throughput.
    We ran the application performance tests with 1000 users with https transactions and I noticed that all the root certificates under the chaingroup disappeared. Only the website certificate remained. When I accessed the website, it gave 'error with the security certificate', i.e. the root was not identifiable due to the missing certificates. Eventually, the CPU went to 100% on the Cat6500 and the ACE module was shut down by the chassis. It got re-enabled automatically in 5 minutes.
    I re-added the root certs, removed/added the service policy and after some time I noticed the root certs disappeared again. STRANGE!
    show version output is
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
    loader: Version 12.2[121]
    system: Version 3.0(0)A1(6.3a) [build 3.0(0)A1(6.3a) adbuild_02:16:25-2008/02/02_/auto/adbu-rel3/ws/rel_3_0_0_a1_6.3-throttle/REL_3_0_0_A]
    system image file: [LCP] disk0:c6ace-t1k9-mz.3.0.0_A1_6_3a.bin
    installed license: ACE-08G-LIC ACE-VIRT-020 ACE-SSL-10K-K9
    Hardware
    Cisco ACE (slot: 2)
    cpu info:
    number of cpu(s): 2
    cpu type: SiByte
    cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
    cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
    memory info:
    total: 957640 kB, free: 347924 kB
    shared: 0 kB, buffers: 1588 kB, cached 0 kB
    cf info:
    filesystem: /dev/cf
    total: 1014624 kB, used: 360960 kB, available: 653664 kB
    last boot reason: NP 0 Failed : NP ME Hung
    configuration register: 0x1
    Could you please advise whether there is any bug in the above software version i.e. it removes the root certs due to heavy transaction load.
    Thanks.

    I wanted to look for more details regarding this bug id. But I got the below message in Bug Toolkit. Please advise...
    CSCsl96203 Bug Details
    Information contained within bug ID CSCsl96203 is only available to Cisco employees. It is our policy to make all externally-facing bugs available in Bug Toolkit so the system administrators have been automatically alerted to the problem. By choosing to save this bug, you may be notified when the decision to make this bug available to you has been made. Note: Some product enhancement requests and documentation error bugs may not be available in Bug Toolkit.

  • ACE Module and Limiting Connections

    We currently use the ACE module to load-balance IPSEC connections into SPAs. Since the SPAs only support 60 new connections per second, I was looking for a way to limit the number of connections from the ACE to the SPAs.

    Hello,
    Have a look at the Configuring Real Server Rate Limiting section of the ACE documentation.  I think this will meet your needs.
    Hope this helps,
    Sean

  • Clear resource usage counter on ACE module

    Hi
    Does anybody know how to clear the resource usage counter on an ACE module?
    We use an ACE20-MOD-K2 with version A2(3.5).
    Here you can see that after issuing 'clear stats resource-usage' the counters are still the same.
    uzhlbsrv1/Admin# sh resource usage resource rate bandwidth
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    Context: Admin
      bandwidth                  1966       3971    7487500  625000028          0
    Context: NOZONE
      bandwidth                     0       4450          0  617512528          0
    Context: ZONE1
      bandwidth              14021827  549340375          0  617512528  192084322
    Context: ZONE2
      bandwidth                197520   69634789          0  617512528      29385
    Context: ZONE3
      bandwidth                 38756   78911285          0  617512528    6471653
    Context: ZONE4
      bandwidth                     0       3052          0  617512528          0
    uzhlbsrv1/Admin# clear stats resource-usage
    uzhlbsrv1/Admin# sh resource usage resource rate bandwidth
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    Context: Admin
      bandwidth                   396        841    7487500  625000028          0
    Context: NOZONE
      bandwidth                     0       4450          0  617512528          0
    Context: ZONE1
      bandwidth               9350189  549340375          0  617512528  192084322
    Context: ZONE2
      bandwidth                128087   69634789          0  617512528      29385
    Context: ZONE3
      bandwidth                133229   78911285          0  617512528    6471653
    Context: ZONE4
      bandwidth                     0       3052          0  617512528          0
    Or is it possibly a bug?
    Thanks
    Patrik

    Hi Patrik,
    One of the issues here could be that, if this box is in production and is being used, as soon as you clear the counters new traffic is still flowing in, so the ACE will populate new stats. If you take this box out of production then you should be able to see all the traffic gone.
    Also, to reinforce my previous argument, if you look at the stats the second time they are reduced, which only points to the system actively receiving traffic: before you do a second show resource it would have received some traffic, and it also takes into account the existing traffic flow across the box.
    Most likely not a Bug.
    Regards
    Abijith

  • QoS on ACE Module

    Hello,
    Does anyone know if it is possible to apply a 6500 QoS service-policy to an ACE module interface? I would like to leverage CBQoS to apply policing to traffic entering/leaving the ACE module.
    Thanks!
    Lee

    Hi Collin,
    You can use this by Configuring Control Plane Policing (CoPP).
    CoPP uses a dedicated control plane configuration through the modular QoS CLI (MQC) to provide filtering and rate-limiting capabilities for the control plane packets.
    CoPP is disabled by default.
    CoPP is only supported on ingress (service-policy output CoPP cannot be applied to the control plane interface). Neither egress CoPP nor silent mode is supported.
    Just follow the CoPP Configuration Guidelines and Restrictions.
    CoPP uses MQC to define traffic classification criteria and to specify the configurable policy actions for the classified traffic. You must first identify the traffic to be classified by defining a class map. The class map defines packets for a particular traffic class. After you have classified the traffic, you can create policy maps to enforce policy actions for the identified traffic. The control-plane global configuration command allows the CoPP service policies to be directly attached to the control plane.
    Use the below mentioned URL for Defining Traffic Classification:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/copp.html#wp1141968
    The commonly required traffic is identified with these ACLs:
    • ACL 120 - Critical traffic
    • ACL 121 - Important traffic
    • ACL 122 - Normal traffic
    • ACL 123 - Explicitly denies unwanted traffic
    • ACL 124 - All other traffic
    http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/copp.html
    Use the control plane commands as follows:
    control-plane
    To enter control-plane configuration mode, which allows users to associate or modify attributes or parameters (such as a service policy) that are associated with the control plane of the device, use the control-plane command in global configuration mode. To remove an existing control-plane configuration from the router, use the no form of this command.
    Syntax for T Releases
    control-plane [host | transit | cef-exception]
    no control-plane [host | transit | cef-exception]
    Syntax for 12.0S Releases
    control-plane [slot slot-number] [host | transit | cef-exception]
    no control-plane [slot slot-number] [host | transit | cef-exception]
    Syntax for 12.2S Releases for Cisco 7600 Series Routers
    control-plane
    no control-plane
    Syntax for ASR 1000 Series Routers
    control-plane [host]
    no control-plane [host]
    The below link contains a lot of information and config examples for control plane configuration:
    http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_a1.html#wp1047593
    Get back to me if you find this information relevant and useful to you.
    Sachin garg

  • ACE Module not supporting

    Hi,
    We have migrated from CSM to ACE Module recently; all the applications are working fine. But on one of our real servers the hosting team did NIC teaming (Active-Active), which was working fine but not with the ACE Module (bridging mode).
    My assumption is that because the ACE is in bridge mode, all the non-load-balancing traffic has to go through the ACE Module, so we couldn't access the server directly. If the ACE were in one-armed mode I think it should be fine.
    But in bridge mode, do we have any option to make it work?

    There is a restriction regarding NIC teaming in active/active mode.
    The ACE uses a hardcoded MAC-to-IP mapping with ARP. With active/active NIC teaming you'll have 2 different MAC addresses, and the one which is not present in the ARP cache of the ACE is considered a security violation.

  • ACE Module

    Basically we have a running ACE context which works; however, we are using NATting and we have some applications complaining that they can't see the source address of things. So I created a whole new context with the following config, but I have the problem that when the client is on the server-side network the traffic never makes it there.
    ACE1/10.0.0.0_Network# sho run
    Generating configuration....
    access-list ALL line 8 extended permit ip any any
    rserver host CE-565-1
      ip address 10.0.2.83
      inservice
    serverfarm host Content_Engine_SF
      rserver CE-565-1
        inservice
    class-map match-all Content_Engine_VIP
      2 match virtual-address 10.0.18.101 any
    class-map type management match-any Remote_Management
      2 match protocol http any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
    policy-map type management first-match rmt_mgt_policy
      class Remote_Management
        permit
    policy-map type loadbalance first-match Content_Engine_VIP-l7slb
      class class-default
        serverfarm Content_Engine_SF
    policy-map multi-match int18
      class Content_Engine_VIP
        loadbalance vip inservice
        loadbalance policy Content_Engine_VIP-l7slb
        loadbalance vip icmp-reply active
    access-group input ALL
    interface vlan 3
      description Server_Side
      ip address 10.0.3.240 255.255.254.0
      mac-sticky enable
      no shutdown
    interface vlan 18
      description Client Side Network
      ip address 10.0.18.251 255.255.255.0
      mac-sticky enable
      service-policy input int18
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.18.1
    If I telnet to the VIP from my machine 172.16.6.222 it works fine. If I telnet from 10.0.18.30 it works fine. However, when I telnet from a machine on vlan 3, 10.0.2.188, it does not work. I would have thought the mac-sticky option would work, but it seems to be doing nothing. Any ideas without using a NAT pool would be great, so we can see the originating IP address.

    If you are initiating traffic from serverA to a vip that load balances to serverB in that same vlan you will have an asymmetric flow. ServerA is on the same vlan as serverB. Since both servers are in the same subnet, ServerB will ARP for serverA address and send the response directly to serverA. The traffic will never make it back to the ACE. There are a few things you can do:
    1. Use NAT to ensure the return traffic makes it back to the ACE.
    2. Insert HTTP header with client IP address. This only works for HTTP traffic and your application must be able to recognize this header for logging.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
    3. Use Direct Server Return (DSR). This feature has been committed to ACE 2.0. This will require the servers to be L2 adjacent to the ACE module and you will need to configure the VIP address as a loopback address on the server. Here is CSM documentation that lists some of the limitations with DSR:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/netwcsm.html#wp1065827
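    For option 1, one way to translate only the clients that cause the asymmetric path, so every other client's source IP still reaches the servers untouched. This is an added example built on the config posted above, not the thread's own; the class name, nat-pool id 2, the use of the ACE's own vlan 3 address as the PAT address, and the assumption that the vlan 3 clients' requests enter the ACE on vlan 3 are mine.

```text
! Added example (assumed names: Content_Engine_VIP_from_vlan3, nat-pool 2).
! Only clients in the server subnet 10.0.2.0/23 are source-NATed; this class
! must sit before the general VIP class in the multi-match policy so it is
! evaluated first.
class-map match-all Content_Engine_VIP_from_vlan3
  2 match source-address 10.0.2.0 255.255.254.0
  3 match virtual-address 10.0.18.101 any

interface vlan 3
  ! PAT from the ACE's own vlan 3 address, so the server's reply is
  ! addressed to the ACE instead of directly to the client on the same subnet
  nat-pool 2 10.0.3.240 10.0.3.240 netmask 255.255.255.255 pat
  ! assumed: requests from the vlan 3 clients enter the ACE on this interface,
  ! so the VIP policy has to be applied here as well
  service-policy input int18

policy-map multi-match int18
  class Content_Engine_VIP_from_vlan3
    loadbalance vip inservice
    loadbalance policy Content_Engine_VIP-l7slb
    nat dynamic 2 vlan 3
  class Content_Engine_VIP
    loadbalance vip inservice
    loadbalance policy Content_Engine_VIP-l7slb
    loadbalance vip icmp-reply active
```

    Clients outside 10.0.2.0/23 fall through to Content_Engine_VIP and are load balanced without translation, so the servers keep seeing their real source addresses.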
