Ping from standby ACE module

Hi,
Is the ping to another host from standby ACE module restricted?

Ok. It is resolved.
I did not configure the BVI for redundant module via peer ip address command on the active module.

Similar Messages

  • Probe fail on Standby ACE in One-armed mode

    Hi there
    I'm Kilsoo.
    I made One-armed mode using ACE.
    Real servers are in away Vlan from ACE.
    So, I configured the PBR with ACE alias ip address for the next-hop on the real server's gateway interface.
    And, the probe from active ACE works well.
    But, the probe from standby ACE failed.
    At this point, my first question
    Is it normal situation that the probe fail from standby ACE????
    So, I made the route-map for PBR like below for temporary solution.
    route-map PBR deny 5
      match ip address Probe_ACL
    route-map PBR permit 10
      match ip address L4_ACL
      set ip next-hop <Alias IP address>
    ip access-list extended Probe_ACL
      permit ip any <Standby ACE's IP address>
    ip access-list extended L4_ACL
      permit tcp <Real server's IP address> eq 80 any
    Second question...
    Do you have any other good solutions???
    Thanks

    Hi Cesar
    Thanks for your reply.
    But I think I was confused when I wrote the message.
    I used both ace's vlan ip address for next-hop ip address like your advice.
    Do you know the standby ace can't check probe without route-map in one-armed mode like below diagram???
    Backbone Router
             |
             |
             |
    Supervisor --------------------ACE(vserver: 172.19.100.100)
             |         (vlan 200)
             |
             |
             |(vlan 110)
             |
             |
    Real servers
    (172.19.110.111)

  • Design ? about SNMP operation in ACE module ... Traps sent to different Mgmt Stations

    Good Day everyone,
    I searched the site, and I could not find the answer I was looking for, so if anyone happens to know or can point me to a link I would greatly appreciate it.
    Topic:
    Can the ACE module send different traps (OID) to different management stations? Split decision processing to send specific traffic to specific stations, based on the alert it has detected.
    Scenario:
    Our network equipments have a demarc point on what devices are managed via SNMP (Traps, syslog, EMS, etc...); Routers, Switches, ACE modules, and so forth.
    However, we are not responsible for the App Servers assigned to various broadcast domains.
    Customer would like to receive Notification from the ACE module when a Real Server is taken out of rotation , when specific probes have failed.
    My team manages the ACE module, so any alerts from the ACE will be sent to the management station configured in our network.
    Unfortunately I do not have a Test Lab to test my theory, so any help would be greatly appreciated before I submit my Production configs.
    Design Requirements:
    Customer would like the following traps generated and sent to their management station:
    1) Real Server host name
    2) TCP port
    3) Real Server IP address
    4) If capable, percentage threshold for each real server, based on the prediction configured for each Server Farm
    5) Can a NetIQ agent be downloaded on the ACE module to communicate with the NetIQ management station?
    As always thank you for any help you can provide, and if you happen to be around Huntsville Alabama/USA.. you got a cold beer waiting for you!!!!
    Cheers,
    -raman

    Gilles,
    Thank you for your prompt answer.
    When you have time please look over the following question and let me know if it is possible to implement, if the Proxy server is not an option?
    Can a custom TCL script be executed to send a notification via SMTP if a health probe fails?
    The SMTP message will contain the server info (IP address, Host name, TCP port).
    The script procedure will execute certain actions based on the returned result.
    Thanks,
    raman
    P.S
    Sorry about not being up to speed on TCL. I am reading up on the TCL capability, and trying to provide some options to my customer.

  • Why do I see "FAILED" for probes on standby ACE?

    Here there,
    I am running a pair of ACE in redundancy mode for HA and have created multiple context.
    here is my basic config for the serverfarm.
    serverfarm host VPN_Farm
      transparent
      failaction purge
      predictor leastconns
      probe ICMP_Probe
      rserver SVR_A
        probe ICMP_Probe
        inservice
      rserver SVR_B
        probe ICMP_Probe
        inservice
    So, on the active unit, I can see that the probes are running fine. However, if I do "show probe" on the standby unit, it appears that all my probes fail.
    Result of  "show probe" captured from Standby Unit.
    probe       : ICMP_Probe
    type        : ICMP
    state       : ACTIVE
       port      : 0       address     : 0.0.0.0         addr type  : -          
       interval  : 15      pass intvl  : 60              pass count : 3   
       fail count: 3       recv timeout: 10  
                    ------------------ probe results ------------------
       associations ip-address      port  porttype probes   failed   passed   health
       ------------ ---------------+-----+--------+--------+--------+--------+------
       rserver        : SVR_A
                          1.1.1.1   0     --                       109      109      0        FAILED
    is it normal to see failed probe on the standby unit?
    Thank you
    Best Regards

    Hi Hyeon,
    Some questions here.
    Is this an ACE module or an ACE 4710? What version?
    Are both ACEs peers connected to the same switch or how you got them setup? Can you describe a little bit your topology?
    From the standby, Did you try to ping/telnet the servers?
    Did you try to remove the probe and re-add it back? (get a #show tech-support before and after)
    Is there any firewall or L3 device between the ACEs and the servers?
    Do you use these servers for several contexts? Is the probe failing in all the contexts?
    Jorge

  • Standby ACE unresponsive

    Hello,
    My standby ACE has gone to unresponsive mode and shows something like this
    peer state: FSM_FT_STATE_UNKNOWN
    This is for all the contexts in the slot module. My question is how do we bring it back to HOT_STANDBY when all contexts are unresponsive
    AND
    How do we bring it to HOT_STANDBY when just one context is unresponsive
    Thanks
    SID

    Hi Sid,
    It is very similar to the previous response of your query.
    As I am seeing one error message here in your mail:
    peer state: FSM_FT_STATE_UNKNOWN
    Upon failure of the fault tolerant link between Services Chassis's the peer standby ACE begins to query the status of its peer active ACE. Six consecutive ping requests occur approximately every five seconds across the query interface VLAN while the fault tolerant link is down. The output from the show ft group detail command shown below indicates that the fault tolerant link is down; the primary peer state is unknown but the primary peer is still reachable. As a result, the standby peer remains in FSM_FT_STATE_STANDBY_COLD. When the fault tolerant link is recovered the query ping tests cease.
    dca-ss2-ace/Admin# show ft group detail
    FT Group : 1
    No. of Contexts : 1
    Context Name : Admin
    Context Id : 0
    Configured Status : in-service
    Maintenance mode : MAINT_MODE_OFF
    My State : FSM_FT_STATE_STANDBY_COLD
    My Config Priority : 50
    My Net Priority : 50
    My Preempt : Enabled
    Peer State : FSM_FT_STATE_UNKNOWN
    Peer Config Priority : Unknown
    Peer Net Priority : Unknown
    Peer Preempt : Unknown
    Peer Id : 1
    Last State Change time : Wed Jun 11 14:46:08 2008
    Running cfg sync enabled : Disabled
    Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
    alternate interface
    Startup cfg sync enabled : Disabled
    Startup cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
    alternate interface
    Bulk sync done for ARP: 0
    Bulk sync done for LB: 0
    Bulk sync done for ICM: 0
    FT Group : 2
    No. of Contexts : 1
    Context Name : dca-ace-one
    Context Id : 1
    Configured Status : in-service
    Maintenance mode : MAINT_MODE_OFF
    My State : FSM_FT_STATE_STANDBY_COLD
    My Config Priority : 50
    My Net Priority : 50
    My Preempt : Enabled
    Peer State : FSM_FT_STATE_UNKNOWN
    Peer Config Priority : Unknown
    Peer Net Priority : Unknown
    Peer Preempt : Unknown
    Peer Id : 1
    Last State Change time : Wed Jun 11 14:46:08 2008
    Running cfg sync enabled : Disabled
    Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
    alternate interface
    Startup cfg sync enabled : Disabled
    Startup cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
    alternate interface
    Bulk sync done for ARP: 0
    Bulk sync done for LB: 0
    Bulk sync done for ICM: 0
    All fault tolerant groups will honor the results of the query tests and remain in a FSM_FT_STATE_STANDBY_COLD state on the standby peer ACE.
    The Admin context allows the network administrator to assemble virtual contexts into failover groups. A failover group is a container, which permits a pair of ACE modules to define several failover characteristics and apply them to all virtual context assigned to the container, including the Admin context. These defining features include:
    •The associated peer ACE
    •The priority or preference value for each ACE module in the redundant pairing
    •Preemption (enabled by default)
    •The virtual context(s) coupled to the group
    Sachin Garg
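
As an added example (not part of the original thread and not Cisco code): a small Python parser for the `show ft group detail` text quoted in the reply above, flagging FT groups whose peer state is unknown, whose standby is cold, or whose FT VLAN is reported down. The function names and FT Group 3 in the sample are constructed for illustration.

```python
import re

# Groups 1 and 2 are abbreviated from the output quoted in the reply above.
# Group 3 is a constructed healthy group, added only for contrast.
SAMPLE = """\
dca-ss2-ace/Admin# show ft group detail
FT Group : 1
No. of Contexts : 1
Context Name : Admin
Configured Status : in-service
My State : FSM_FT_STATE_STANDBY_COLD
Peer State : FSM_FT_STATE_UNKNOWN
Last State Change time : Wed Jun 11 14:46:08 2008
Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
alternate interface
Bulk sync done for ARP: 0
FT Group : 2
No. of Contexts : 1
Context Name : dca-ace-one
Configured Status : in-service
My State : FSM_FT_STATE_STANDBY_COLD
Peer State : FSM_FT_STATE_UNKNOWN
Running cfg sync status : FT Vlan Down or TL down. Peer may be reachable through
alternate interface
FT Group : 3
Context Name : constructed-ctx
My State : FSM_FT_STATE_STANDBY_HOT
Peer State : FSM_FT_STATE_ACTIVE
"""

GROUP_RE = re.compile(r"^\s*FT Group\s*:\s*(\d+)\s*$")
FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s+(.*)$")
HEALTHY_LOCAL = {"FSM_FT_STATE_ACTIVE", "FSM_FT_STATE_STANDBY_HOT"}


def parse_ft_groups(text):
    """Return {group_id: {field: value}} from 'show ft group detail' text."""
    groups, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(int(m.group(1)), {})
            last_key = None
            continue
        if current is None:
            continue  # CLI prompt or banner before the first group
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            current[last_key] = m.group(2).strip()
        elif last_key:
            # Terminal-wrapped continuation of the previous value
            current[last_key] += " " + line.strip()
    return groups


def assess(groups):
    """Return one finding per FT group; an empty 'issues' list means healthy."""
    findings = []
    for gid, fields in sorted(groups.items()):
        mine = fields.get("My State", "")
        peer = fields.get("Peer State", "")
        sync = fields.get("Running cfg sync status", "")
        issues = []
        if peer == "FSM_FT_STATE_UNKNOWN":
            issues.append("peer state unknown")
        if mine == "FSM_FT_STATE_STANDBY_COLD":
            issues.append("standby is cold")
        elif mine not in HEALTHY_LOCAL:
            issues.append("unexpected local state " + (mine or "<missing>"))
        if "FT Vlan Down" in sync:
            issues.append("FT VLAN down")
        findings.append({
            "group": gid,
            "context": fields.get("Context Name", ""),
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ft_groups(SAMPLE)):
        status = ", ".join(finding["issues"]) or "ok"
        print(f"FT group {finding['group']} ({finding['context']}): {status}")
```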

  • Configuring FT on ACE Modules

    Hi,
    I am trying to configure FT on ACE modules, with the following commands
    ft interface vlan 20
      ip address 172.16.20.1 255.255.255.252
      peer ip address 172.16.20.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 20
    ft group 1
      peer 1
      priority 150
      associate-context Admin
      inservice
    The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft', how do I resolve this ? Do I need to enable something ?

    I have the following config, which seems to be working fine for me... Check that your vlan20 interface is up.
    ft interface vlan 212
      ip address 172.31.1.221 255.255.255.252
      peer ip address 172.31.1.222 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 20
      ft-interface vlan 212
    ft group 2
      peer 1
      priority 50
      peer priority 150
      associate-context Admin
      inservice
    HQ-ACE1/Admin# sh int
    vlan212 is up, administratively up
      Hardware type is VLAN
      MAC address is 00:23:5e:25:72:f1
      Mode : routed
      IP address is 172.31.1.221 netmask is 255.255.255.252
      FT status is standby
      Description:not set
      MTU: 1500 bytes
      Last cleared: never
      Last Changed: Tue Sep  6 12:46:06 2011
      No of transitions: 1
      Alias IP address not set
      Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
      Assigned from the Supervisor, up on Supervisor
         8654909 unicast packets input, 735611030 bytes
         1151150 multicast, 161 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         13020418 unicast packets output, 1672055521 bytes
         0 multicast, 163 broadcast
         0 output errors, 0 ignored

  • Configuring ACE Module for Redundancy

    Hi Sir,
    I'm configuring fault tolerance between two ACE modules installed on two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
    Do I need to configure 4 "ft group", i.e. one context per group? E.g. config:
    ft group 1
    peer 1
    priority 110
    peer priority 105
    associate-context Admin
    inservice
    ft group 2
    peer 1
    priority 110
    peer priority 105
    associate-context ace-context1
    inservice
    ft group 3
    peer 1
    priority 105
    peer priority 110
    associate-context ace-context2
    inservice
    ft group 4
    peer 1
    priority 105
    peer priority 110
    associate-context ace-context3
    inservice
    Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client-side?
    Thank you.
    B.Rgds,
    Lim TS

    Hi Gilles,
    I have configured FT for all user contexts as well as for the admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
    I noticed a few things:
    (1) After the initial FT config, subsequent FT groups just need to be configured on the active Admin context and it will be replicated to the standby ACE, with the priority correctly reversed.
    (2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
    (3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
    One issue I encountered in one of the user contexts is as follows:
    ace1/ace-context-1# sh run int
    Generating configuration....
    interface vlan 950
    description *** Client-Facing VLAN ***
    ip address 10.1.35.5 255.255.255.0
    alias 10.1.35.4 255.255.255.0
    peer ip address 10.1.35.6 255.255.255.0
    access-group input ACL_VL950_IN
    service-policy input REMOTE_MGMT
    service-policy input MY_LB
    no shutdown
    interface vlan 951
    description *** Connection to Real Servers ***
    ip address 10.1.36.2 255.255.255.0
    alias 10.1.36.1 255.255.255.0
    peer ip address 10.1.36.3 255.255.255.0
    access-group input ACL_VL951_IN
    service-policy input NAT_REAL
    no shutdown
    This is the active context. It can ping to 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client-side). It can ping alias 10.1.36.1 over VLAN 951 (server-side) but can't ping to peer 10.1.36.3. The ACL_VL951_IN permits ip any any. Do you know why?
    Secondly, I can remotely ping to alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

  • ACE module hung and required hard reset !!Plz help

    ACE module had a bit flip and it was hung after that. I was not able to run any command (i.e. for example, if I ran show ft status nothing was displayed). I was not able to run any command on the standby ACE as well. Could it be that both ACE modules were ACTIVE?
    Manual reboot from the ACE did not work. I had to force a hardware reset from the Cat 6500.
    Is this a bug or strange behaviour?
    I am running ACE A2(2.3) version on the module.
    Thanks
    ALEX

    Usually in the case of the bit flip the ACE will reset itself, which clears the problem.  In order to understand what is happening to your ACE, you would have to open a TAC case, and provide show tech information, as well as any files that were generated in the "core:" directory.  You can view these using the command "dir core:"
    It seems odd that the standby ACE also wouldn't respond to any command input.  Did you have to reset it as well? If you had to reset it as well, then it may have encountered the same conditions that caused the hang on the primary.
    Was there any syslog messages generated on the 6500 switch during the time?

  • Cisco ACE module missing licence file - no connectivity

    Hi,
    We have 2 ACE modules that were delivered without any licenses.
    There is no IP connectivity whatsoever to these modules and I'm guessing this is due to the fact there are no licenses installed.
    Have tried asking Cisco to no avail - and am not sure if there is an actual problem with them or not.
    The VLANs are assigned correctly and I can see inbound ICMP echo from the 6509 that it's hosted in, but no outbound packets ever leave the ACE. I've applied a mgmt policy to enable ping/telnet/ssh etc.
    switch/Admin# sh vlans
    Vlans configured on SUP for this module
    vlan4  vlan30-31  vlan160  vlan180-195  vlan360  vlan380-395  vlan560  vlan580-
    595  vlan760  vlan780-795
    switch/Admin# sh ip int bri
    Interface       IP-Address      Status                  Protocol
    vlan4           10.119.127.196  up                      up
    vlan30          10.119.127.241  up                      up
    vlan31          10.119.127.245  up                      up
    interface vlan 4
      description ACE Mgmt interface for Admin Context
      ip address 10.119.127.196 255.255.255.224
      service-policy input REMOTE_MGMT
      no shutdown
    vlan4 is up
      Hardware type is VLAN
      MAC address is 00:1f:ca:7b:6f:33
      Mode : routed
      IP address is 10.119.127.196 netmask is 255.255.255.224
      FT status is non-redundant
      Description:ACE Mgmt interface for Admin Context
      MTU: 1500 bytes
      Last cleared: never
      Alias IP address not set
      Peer IP address not set
      Assigned from the Supervisor, up on Supervisor
      Config download failures : 1
         2980 unicast packets input, 16363862 bytes
         240857 multicast, 3026 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         0 unicast packets output, 187712 bytes
         0 multicast, 2933 broadcast
         0 output errors, 0 ignored
    switch/Admin# sh arp
    Context Admin
    ================================================================================
    IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s) Status
    ================================================================================
    10.119.127.193  00.00.00.00.00.00  vlan4     GATEWAY    -       * 3 req     dn
    10.119.127.196  00.1f.ca.7b.6f.33  vlan4     INTERFACE  LOCAL     _         up
    10.119.127.245  00.1f.ca.7b.6f.33  vlan31    INTERFACE  LOCAL     _         up
    10.119.127.241  00.1f.ca.7b.6f.33  vlan30    INTERFACE  LOCAL     _         up
    ================================================================================
    Total arp entries 4
    The ARP table for the adjacent switch SVI has a valid MAC upon reboot, but soon after resets to 00.00.00.00.00.00
    Problem is that once Cisco eventually send me the license file I have no way of TFTP'ing it to the ACE module.
    Any suggestions/advice?

    Thanks for the info - so I should at least be able to connect to a license-less ACE at least, but these modules seem to have a problem.
    If the modules are reloaded (from the ACE) or reset (from the Supervisor) they initially have the ARP entry (however still cannot communicate to the attached Supervisor via SVI) which eventually resets.
    Info as requested:
    switch/Admin# sh resource usage
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    Context: Admin
      conc-connections              9          9          0          0          0
      mgmt-connections              0          0          0          0          0
      proxy-connections             0          0          0          0          0
      xlates                        0          0          0          0          0
      bandwidth                     0         76          0  125000000  296849008
        throughput                  0         76          0          0  296849008
        mgmt-traffic rate           0          0          0  125000000          0
      connection rate               0          2          0          0         15
      ssl-connections rate          0          0          0          0          0
      mac-miss rate                 0          0          0          0          0
      inspect-conn rate             0          0          0          0          0
      acl-memory                    0       6336          0          0         11
      sticky                        0          0          0          0          0
      regexp                        0          0          0          0          0
      syslog buffer                 0          0          0          0          0
      syslog rate                   0          0          0          0         24
    Context: APPLICATION
      conc-connections              0          0    2000000          0          0
      mgmt-connections              0          0      25000          0          0
      proxy-connections             0          0     262144          0          0
      xlates                        0          0     262144          0          0
      bandwidth                     0          0  125000000  125000000          0
        throughput                  0          0  125000000          0          0
        mgmt-traffic rate           0          0          0  125000000          0
      connection rate               0          0     250000          0          0
      ssl-connections rate          0          0        250          0          0
      mac-miss rate                 0          0        500          0          0
      inspect-conn rate             0          0       1500          0          0
      acl-memory                    0          0   19650480          0          0
      sticky                        0          0     419430          0          0
      regexp                        0          0     262144          0          0
      syslog buffer                 0          0    1048576          0          0
      syslog rate                   0          0      25000          0          0
    Context: BACK_END
      conc-connections              0          0    2000000          0          0
      mgmt-connections              0          0      25000          0          0
      proxy-connections             0          0     262144          0          0
      xlates                        0          0     262144          0          0
      bandwidth                     0          0  125000000  125000000          0
        throughput                  0          0  125000000          0          0
        mgmt-traffic rate           0          0          0  125000000          0
      connection rate               0          0     250000          0          0
      ssl-connections rate          0          0        250          0          0
      mac-miss rate                 0          0        500          0          0
      inspect-conn rate             0          0       1500          0          0
      acl-memory                    0          0   19650480          0          0
      sticky                        0          0     419430          0          0
      regexp                        0          0     262144          0          0
      syslog buffer                 0          0    1048576          0          0
      syslog rate                   0          0      25000          0          0
    Context: FRONT_END
      conc-connections              0          0    2000000          0          0
      mgmt-connections              0          0      25000          0          0
      proxy-connections             0          0     262144          0          0
      xlates                        0          0     262144          0          0
      bandwidth                     0          0  125000000  125000000          0
        throughput                  0          0  125000000          0          0
        mgmt-traffic rate           0          0          0  125000000          0
      connection rate               0          0     250000          0          0
      ssl-connections rate          0          0        250          0          0
      mac-miss rate                 0          0        500          0          0
      inspect-conn rate             0          0       1500          0          0
      acl-memory                    0          0   19650480          0          0
      sticky                        0          0     419430          0          0
      regexp                        0          0     262144          0          0
      syslog buffer                 0          0    1048576          0          0
      syslog rate                   0          0      25000          0          0
    Context: TEST_DEV
      conc-connections              0          0    2000000          0          0
      mgmt-connections              0          0      25000          0          0
      proxy-connections             0          0     262144          0          0
      xlates                        0          0     262144          0          0
      bandwidth                     0          0  125000000  125000000          0
        throughput                  0          0  125000000          0          0
        mgmt-traffic rate           0          0          0  125000000          0
      connection rate               0          0     250000          0          0
      ssl-connections rate          0          0        250          0          0
      mac-miss rate                 0          0        500          0          0
      inspect-conn rate             0          0       1500          0          0
      acl-memory                    0          0   19650480          0          0
      sticky                        0          0     419430          0          0
      regexp                        0          0     262144          0          0
      syslog buffer                 0          0    1048576          0          0
      syslog rate                   0          0      25000          0          0
    switch/Admin# sh cde health
    CDE BRCM INTERFACE
    ======================
    Packets received                                             3357
    Packets transmitted                                            12
    Broadcom interface CRC error count                              0
    BRCM VOQ status                           [empty]      [not full]
    BRCM pull status                                        [pulling]
    CDE HYPERION INTERFACE
    ======================
    Packets received                                          7668407
    Packets transmitted                                        967915
    Short packets drop count                                        0
    Fifo Full drop count                                            0
    Protocol error drop count                                       0
    FCS error drop count                                            0
    CRC error drop count                                            0
    Num times flow control triggered on hyp interface                0
    Num self generated multicast packets filtered              967915
    HYP IXP0 VOQ status                       [empty]      [not full]
    HYP IXP1 VOQ status                       [empty]      [not full]
    HYP SLOW VOQ status                       [empty]      [not full]
    HYP tx pull status                                      [pulling]
    CDE IXP0 INTERFACE
    ======================
    Packets received                                           964680
    Packets transmitted                                       6581196
    Num bad pkts recvd on fast spi channel0                         0
    Num bad pkts recvd on slow spi channel8                         0
    Num bad pkts recvd on fast spi channel2                         0
    Num bad pkts recvd on slow spi channel4                         0
    IXP0 Fast VOQ status                      [empty]      [not full]
    IXP0 BRCM VOQ status                      [empty]      [not full]
    IXP0 pull status                                        [pulling]
    IXP0 spi src status                                     [healthy]
    IXP0 spi snk status                                     [healthy]
    CDE1 SWITCH1 INTERFACE
    ======================
    Packets received (hyp, ixp0)                                 3241
    Packets received (bcm)                                          6
    Packets received (daughter card 0)                              0
    Packets received (daughter card 1)                              0
    Packets Errors received (hyp, ixp0)                             0
    Packets Errors received (bcm)                                   0
    Packets Errors received (daughter card 0)                       0
    Packets Errors received (daughter card 1)                       0
    Packets transmitted (ixp1)                                 122653
    Packets transmitted (nitrox)                                    0
    Packets Errors transmitted (ixp1)                               0
    Packets Errors transmitted (nitrox)                             0
    CDE2 SWITCH2 INTERFACE
    ======================
    Packets received (ixp1)                                    122653
    Packets received (nitrox)                                       0
    Packets Errors received (ixp1)                                  0
    Packets Errors received (nitrox)                                0
    Packets transmitted (hyp, ixp0)                              3241
    Packets transmitted (broadcom)                                  6
    Packets transmitted (daughter card 0)                           0
    Packets transmitted (daughter card 1)                           0
    Packets Errors transmitted (ixp1)                               0
    Packets Errors transmitted (nitrox)                             0
    Packets Errors transmitted (daughter card 0)                    0
    Packets Errors transmitted (daughter card 1)                    0
    CDE IXP1 INTERFACE
    ======================
    Packets received                                             3247
    Packets transmitted                                        122653
    Num bad pkts recvd on fast spi channel0                         0
    Num bad pkts recvd on slow spi channel8                         0
    Num bad pkts recvd on fast spi channel2                         0
    Num bad pkts recvd on slow spi channel4                         0
    IXP1 Fast VOQ status                      [empty]      [not full]
    IXP1 BRCM VOQ status                      [empty]      [not full]
    IXP1 pull status                                        [pulling]
    IXP1 spi src status                                     [healthy]
    IXP1 spi snk status                                     [healthy]
    CDE NITROX INTERFACE
    ======================
    Packets received                                                0
    Packets transmitted                                             0
    Num bad pkts recvd on fast spi channel0                         0
    Num bad pkts recvd on slow spi channel8                         0
    Num bad pkts recvd on fast spi channel2                         0
    Num bad pkts recvd on slow spi channel4                         0
    NTX Fast VOQ status                       [empty]      [not full]
    NTX BRCM VOQ status                       [empty]      [not full]
    NTX pull status                                         [pulling]
    NTX spi src status                                      [healthy]
    NTX spi snk status                                      [healthy]
    == Backplane ==
    ITASCA_SYS_CNTL1 0x300  data 0x61f0000
    ITASCA_SYS_CNTL2 0x304  data 0x80630000

  • Unable to ping from mz to virtual interface of asa

    Dear All,
    One of my SNMP servers, 10.242.103.42, sits in the MZ zone, and the ACE 4710 is connected to the core switch; the core switch is connected to the firewall ASA.
    Now I am trying to ping from the MZ zone SNMP server to the load balancer IP 10.242.105.1. I am unable to ping my LB interface to discover SLB on my SNMP server.
    Please help me.
    srinivas

    Is your device seeing the mac-address of the ASA in order to send the packets? What do the logs show on the firewall itself? Can you see the ARP entry on the ASA firewall for that host?
    Mike

  • Load Balancing on ACE Modules

    hi,
    Is it possible to load balance VIP hits on two ACE modules in an active/active configuration? Or is it that per FT group only a single context can be active?
    Regards.

    You can have 1 context active on one ACE and the other context active on the other ACE.
    If you have 2 VIPs, you can have 1 VIP belonging to one context and the other VIP belonging to the other context.
    Like this, you split the traffic between the 2 devices which allows you to handle more traffic than what 1 device could normally do.
    If one device can handle all your traffic, I prefer to only have 1 active unit and 1 standby.
    Easier to implement and troubleshoot.
    Gilles.

  • ACE module - Qos - set ip tos #

    All,
    Trying to mark traffic to/from L4 rules in the ACE.
    Documentation (like always) says it's really easy.  Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration.  Ok, so I do this, set ip tos 24.
    Enable qos globally on the 6500 host, but don't see the traffic being marked.
    sh mls qos says that packets are being modified by module 5 (ACE)
    But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
    sh mls qos:
    QoS is enabled globally
      Policy marking depends on port_trust
      QoS ip packet dscp rewrite enabled globally
      Input mode for GRE Tunnel is Pipe mode
      Input mode for MPLS is Pipe mode
    QoS Trust state is CoS on the following interface:
    Te3/1
    QoS Trust state is DSCP on the following interface:
    Gi2/3
      Vlan or Portchannel(Multi-Earl) policies supported: Yes
      Egress policies supported: Yes
    ----- Module [5] -----
      QoS global counters:
        Total packets: 207147888661
        IP shortcut packets: 0
        Packets dropped by policing: 0
        IP packets with TOS changed by policing: 2663386
        IP packets with COS changed by policing: 4889352
        Non-IP packets with COS changed by policing: 0
        MPLS packets with EXP changed by policing: 0
    Can someone explain to me what I've got wrong here?  Is the ACE simply marking traffic destined for the servers behind it and not the return traffic?  Am I misunderstanding something?

    Well... hopefully someone knows how to classify traffic coming from the ACE.
    I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it.  At least not the way I want.
    However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially successful solution.  Problem is, "partially" successful.
    You'll have a bunch of little conversations like this with no tos value full of push-acks:
    10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
    10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
    10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
    10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
    10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
    10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
    10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
    10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
    10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
    10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
    10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
    But then you'll see another conversation pop up with the correct markings
    10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
    I think what's happening is that the conversations full of the P-acks are the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on its way back to the client.
    I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either.  And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
    So.... PLEASE... Anyone???  Ideas???
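The marked/unmarked split described in the post above can be tabulated straight from the capture text. This is an added example, not part of the original post; it uses a few lines copied from that capture and assumes old-style tcpdump output, where a missing `[tos ...]` field means the ToS byte was zero.

```python
import re
from collections import Counter

# A few lines copied from the capture quoted in the post (old-style tcpdump text).
CAPTURE = """\
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
"""

LINE = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+) ")
TOS = re.compile(r"\[tos (0x[0-9a-fA-F]+)\]")

def decode_tos(tos):
    """Split the 8-bit ToS byte into DSCP (upper 6 bits) and ECN (lower 2 bits)."""
    return {"dscp": tos >> 2, "ecn": tos & 0x3, "precedence": tos >> 5}

def parse(line):
    """Return src, dst, PSH flag, DF flag and ToS byte for one tcpdump line."""
    m = LINE.match(line)
    if not m:
        return None
    tos = TOS.search(line)
    return {
        "src": m["src"],
        "dst": m["dst"],
        "push": "P" in m["flags"],
        "df": "(DF)" in line,
        # Assumption: no [tos ...] field means the byte was zero.
        "tos": int(tos.group(1), 16) if tos else 0,
    }

def summarize(text):
    """Count packets per (src, dst, PSH, DF, DSCP) to compare marked and unmarked groups."""
    counts = Counter()
    for line in text.splitlines():
        pkt = parse(line)
        if pkt:
            dscp = decode_tos(pkt["tos"])["dscp"]
            counts[(pkt["src"], pkt["dst"], pkt["push"], pkt["df"], dscp)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(CAPTURE).items()):
        print(n, key)
```

Grouping on the DF bit alongside PSH and DSCP makes it easy to see whether the unmarked segments differ from the marked ones in more than the ToS byte.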

  • [UDP fast age support for ACE Module]

    Hello,
    I'm testing 2 ACE modules running A3.0.0 for DNS load balancing (UDP). We're testing this by using a DNS query generator that (always) seems to use the same UDP source port when originating these queries. At the moment, the ACE module is hardly doing any load-balancing.
    It looks to me like, because of this, the ACE believes it's the same session (connection) and doesn't really load-balance, so I started looking for a solution and found the fast-age udp feature. But, it seems this is not supported on my ACE modules. Can anyone offer another solution and/or look at my config and see if there is another way to achieve load balancing in a testing environment when using a tool like the one I described?
    (I put it that way because I believe in real life since queries come from different IP addresses and randomized udp ports, the ACE module will be just fine).
    Thanks in advance!
    c.

    Hi Carlos,
    Correct. The 3.0(0) is really misleading. You need to start with the "A" - so you really have 1.6.3a installed.
    The "show version" for V2 is slightly better -
    system: Version A2(1.2) [build 3.0(0)A2(1.2)
    Cathy

  • Ace module dropping asymmetric layer 2 connections

    Hi, we had a situation where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server.  The server in question was using Transmit Load Balancing with Fault Tolerance.
    The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
    I am guessing if the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address (no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1.  The ace module is in transparent mode.  When contacting a server on the other side of the ace, the ace drops packets that came from the second nic - and I am wondering how it "knows" that the return path is out of a different downstream port.  Does it share some kind of layer 2 RPF check with the 6500?
    Please note there is no routing involved here.  The destination server is just on another vlan on the same subnet, on the other side of the ace.

    Bryan,
    As long as the server replies back to the ACE the client should only be communicating with the VIP address in either of your two examples.
    In your first example the flow will look like this.
    client > VIP after the ACE  client > rserver
    the reply would be
    rserver > client after the ACE VIP > rserver
    In your second example using client nat it will look like this
    Client > VIP   After ACE  Natpool > rserver.
    the reply would be
    rserver > Nat-pool  after ACE VIP > client.
    The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
    Regards
    Jim

  • Ace module in bridged mode with client nat

    Could someone confirm whether NAT is supported for the ACE-20 module, please?
    Let me explain the technical details.
    I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure
    if the configuration below is correct. The ACE module should be configured in bridge mode with two
    vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding
    "policy-map type loadbalance".
    Could you check the two parts of the configs and advise me if the ACE config is
    properly converted from CSM and will work in the same way (especially for NAT)?
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
      You will want to use PAT while you do nat, so change the natpool configuration to this:
       nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
      You also need to apply the nat like this:
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source nat like this:
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins
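A small check for the two changes the reply above makes (PAT on the nat-pool, `nat dynamic` under the multi-match policy class), as an added example that is not part of the original thread. The function name, finding codes and the trimmed sample config are constructed for illustration; it reports where a config differs from the reply's advice, not ACE syntax errors.

```python
import re

# Constructed sample: the asker's ACE config, trimmed to the NAT-relevant lines.
ASKER_CONFIG = """\
policy-map type loadbalance first-match WEBMAIL-80
  class class-default
    serverfarm WEBMAIL-80
    nat dynamic 1025 vlan 436 serverfarm primary
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
interface vlan 436
  bridge-group 36
  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
"""

# Only the section openers that matter here; matched by keyword, since scraped
# configs often lose their indentation.
SECTION = re.compile(r"^(policy-map|interface|class-map|parameter-map|serverfarm host) ")

def lint_nat(config):
    """Return (code, pool_id, detail) tuples where config departs from the reply's advice."""
    section, pools, uses, findings = "", {}, [], []
    for line in (raw.strip() for raw in config.splitlines()):
        if SECTION.match(line):
            section = line
            continue
        pool = re.match(r"nat-pool (\d+) ", line)
        vlan = re.match(r"interface vlan (\d+)", section)
        if pool and vlan:
            pools[(pool.group(1), vlan.group(1))] = line.split()[-1] == "pat"
        use = re.match(r"nat dynamic (\d+) vlan (\d+)", line)
        if use:
            uses.append((use.group(1), use.group(2), section))
    for pool_id, vlan_id, where in uses:
        if where.startswith("policy-map type loadbalance"):
            findings.append(("nat-in-loadbalance-policy", pool_id, where))
        if (pool_id, vlan_id) not in pools:
            findings.append(("undefined-pool", pool_id, f"vlan {vlan_id}"))
    for (pool_id, vlan_id), has_pat in pools.items():
        if not has_pat:
            findings.append(("pool-without-pat", pool_id, f"vlan {vlan_id}"))
    return findings

if __name__ == "__main__":
    for finding in lint_nat(ASKER_CONFIG):
        print(finding)
```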

Maybe you are looking for