Shifting rservers on the ACE module

Similar Messages

• A problem with ACL in the class-map on the ACE module

                    Hi all,
  I configured the following on the ACE module:
  object-group network test
    host 192.168.1.21
    host 192.168.1.22
    host 192.168.1.23
  object-group service port
    tcp eq www
    tcp eq 8080
  access-list T line 8 extended permit object-group port object-group test any
  I tried to configure a class-map for matching this ACL:
  ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
  ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
  Error: Cannot associate acl having object-group ACEs in class-map.
  So couldn't I  configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
  Thank you
  Roman

  Hi Roman,
  I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
  Regards
  Daniel

• Ssh access into virtual context on the ACE module A(2.2)

  Hello,
  I tried to configure:
  Admin(conf)#context test
  Admin(conf-context)#ssh key rsa1 1024
  but this command ssh is not supported int this newest version. How can I configure the ssh access directly into virtual context on the ACE module??
  Thank you

  Here's a link on how to configure it.
  https://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/access.html#wp1049450
  Hope that helps.

• Is the ACE Module support IPV6?

  dear all
  is the ACE module support IPV6?
  best regards

  The ACE does not currently support IPv6 but it is being looked at to be added to the feature set.

• Simple SLB with the ACE Module

  Hello,
  i have some problems with a ACE module i am currently tesing.
  I have a simple Serverfarm with two Servers.
  But there seems to be some Problems with the Loadbalancing i not understand:
  1) I use Round Robin, but the ACE seems to put me serval times to the same server. I notice this, because i have different content on both servers, also different URLs.
  2) withz the show serverfarm statement the total connects do not increment.
  switch/slb-c1# show serverfarm webfarm
  serverfarm : webfarm, type: HOST
  total rservers : 2
  ----------connections-----------
  real weight state current total
  ---+---------------------+------+------------+----------+--------------------
  rserver: web1
  10.0.33.201:0 8 OPERATIONAL 0 0
  rserver: web2
  10.0.33.200:0 8 OPERATIONAL 0 0
  switch/slb-c1# show service-policy L4_LB_VIP
  Status : ACTIVE
  Interface: vlan 300
  service-policy: L4_LB_VIP
  class: L4_VIP_CLASS
  loadbalance:
  L7 loadbalance policy: L7_SLB_POLICY
  VIP Route Metric : 77
  VIP Route Advertise : DISABLED
  VIP ICMP Reply : ENABLED
  VIP State: INSERVICE
  curr conns : 0 , hit count : 15
  dropped conns : 0
  client pkt count : 10198 , client byte count: 420991
  server pkt count : 23367 , server byte count: 34915173
  I have attatched the Config.
  Any Idea what is going on?

  what version do you have ?
  I would recommend to run the very recent A1.4.
  This is something that really should work.
  Gilles.

• Is the ACE module is hot swapable?

  can anybody confirm the ACE service module is hot swapable and either it can be placed in slot 5 in 6509 switch.

  Hi,
  The 6500 series supports hot-swappable modules and you can hot-swap the ACE blade in theory but you should shut it down prior to removal to avoid loss of data.
  Slot 5 in a 6509 is reserved for the Sup720.
  See http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/installation/note/aceinote.html
  for more information.
  HTH Cathy

• Can the ACE module or 4700 server up webpage.

  Hello.
  Is it possible for the ACE to serve up a web page to a VIP when the VIP is OUTOFSERVICE?
  Any capability for that at all?

  Hi,
  The ACE can redirect it to the server which hosts the web page stating content is unavailable , under maintenance etc but no option to do it on ACE itself. If you like to use the former, please look at the option of sorry server and serverfarm.
  Regards,
  Kanwal

• How the ACE handles rserver failures

  Hello
  I've got a question re: the ACE module.
  Lets say I have 2 web rservers and I have a probe interval for checking them from the ACE of 10 seconds.
  Lets say a probe just passed and it is 10 seconds before the next one. The ACE will think the rserver is ok. Then say the rserver httpd service is stopped at 3 seconds after the last successful probe, therefore leaving 7 seconds before the ACE is going to send another probe. The ACE will think it is still 'up' before the next probe is sent.
  Given the above, what happens to a) existing connections to the newly failed rserver and b) new connections if the failure occurs between probes?
  How does the ACE handle this situation?
  Are there any differences between how the ACE handles this between A1 and A2 versions of software?
  Thanks
  Cameron

  URL rewrite only comes into play when REAL Server (Rserver )sends a clear text redirect. Such as 302 for http://investor.nice360.com. If client recieves this 302 it will attempt the next request using HTTP.With Url rewrite feature we configure ACE to change these redirects from Http tp HTTPS.
  What you are looking for is a simple redirection of client request from port 80 to port 443. This can be achieved using redirect server farm and redirect rserver.
  You will need to create two sets of configs (class-maps, rserver, sfarm,policy map) for port 80 & port 443 traffic. Port 80 policy will simply redirect the port 80 request to port 443.
  Following example will give you some idea
  rserver redirect HTTP2HTTPS
  webhost-redirection https://%h%p 301
  inservice
  serverfarm redirect HTTP2HTTP-SF
  rserver HTTP2HTTPS
  inservice
  class-map match-all WEB-HTTP
  2 match virtual-address 172.25.250.245 tcp eq http
  class-map match-all WEB-HTTPS
  2 match virtual-address 172.25.250.245 tcp eq 443
  policy-map type loadbalance first-match HTTP2HTTPS-POLICY
  class class-default
  serverfarm HTTP2HTTPS-SF
  policy-map type loadbalance first-match L7-POLICY
  class class-default
  sticky-serverfarm STICKY_IP
  policy-map multi-match L4-POLICY
  class WEB-HTTP
  loadbalance vip inservice
  loadbalance policy HTTP2HTTPS-POLICY
  loadbalance vip icmp-reply
  class WEB-HTTPS
  loadbalance vip inservice
  loadbalance policy L7-POLICY
  loadbalance vip icmp-reply
  ssl-proxy server INVESTOR-CLIENT
  Syed

• ACE module not load balancing across two servers

  We are seeing an issue in a context on one of our load balancers where an application doesn't appear to be load balancing correctly across the two real servers.  At various times the application team is seeing active connections on only one real server.  They see no connection attempts on the other server.  The ACE sees both servers as up and active within the serverfarm.  However, a show serverfarm confirms that the load balancer sees current connections only going to one of the servers.  The issue is fixed by restarting the application on the server that is not receiving any connections.  However, it reappears again.  And which server experiences the issue moves back and forth between the two real servers, so it is not limited to just one of the servers.
  The application vendor wants to know why the load balancer is periodically not sending traffic to one of the servers.  I'm kind of curious myself.  Does anyone have some tips on where we can look next to isolate the cause?
  We're running A2(3.3).  The ACE module was upgraded to that version of code on a Friday, and this issue started the following Monday.  The ACE has 28 contexts configured, and this one context is the only one reporting any issues since the upgrade.
  Here are the show serverfarm statistics as of today:
  ACE# show serverfarm farma-8000
  serverfarm     : farma-8000, type: HOST
  total rservers : 2
                                                  ----------connections-----------
         real                  weight state        current    total      failures
     ---+---------------------+------+------------+----------+----------+---------
     rserver: server#1
         x.x.x.20:8000      8      OPERATIONAL  0          186617     3839
     rserver: server#2
         x.x.x.21:8000      8      OPERATIONAL  67         83513      1754

  Are you enabling sticky feature? What kind of predictor are you using?
  If sticky feature is enabled and one rserver goes down, traffic will leans to one side.
  Even after the rserver retuns to up, traffic may continue to lean due to sticky feature.
  The behavior seems to depend on the configuration.
  So, please let me know a part of configuration?
  Regards,
  Yuji

• Want to know about ACE module in 6509 : load-balancing concept

  Hi,
  I am quite new in this field , where i need to configure and understand the concept of load-balancing through ACE.
  In my existing network set-up , i have some application servers as well as some other servers where i am looking for load-balancing.
  I have gone through some of the site and cisco site as well and i came across ACE module which can be installed in 6509 switch.
  I have 6509 switch as well but before going for installing the ACE module I am keen to understand below things:
  1) what is difference between CSM or any other product load-balancer and ACE module :
  Gone through site as well , but not getting proper answer or comparison.
  1) I have some of the server configured with clustering and getting one virtual IP, In this case , will ACE work ?
  2) If suppose i go for configuring different IP address with all server IP :
  How do i achieve it ?
  3) what is Virtual IP concept in ACE because i do not have and other ACE module then why do i need virtual IP ?
  4) will the load-balancing happens based on destination based or session based ?
  Please share the knowledge. It would be great help for me to go ahead with ACE and configure it and understand all the application ?

  Hello,
  1) what is  difference between CSM or any other product load-balancer and ACE  module :
  There are several differences but to say simply, you get higher performance and more features with ACE module/appliance comparing others.
  One big difference is that with ACE seriese, you can configure multiple contexts on one box (virtual load-balancers on one box) that makes us possible to provide a virtual load-balancer to a customer. In that way, the customer can access and makes changes on only the virtual box. You can split management domain for each customers. Also using contexts, you can assign certain resources available on the hardware for each contexts according to their service contract.
  ACE serise has specific hardware chip for supporting SSL termination but some others do not.
  For instance, you need a CSM-S, or a CSM and a SSL module to terminate SSL.
  The other thing I should mention is that our most recent product is ACE serise that means it has longer product roadmap.
  Let me try clarifying your other questions.
  3)  what is Virtual IP concept in ACE because i do not have and other ACE  module then why do i need virtual IP ?
  4) will the load-balancing happens  based on destination based or session based ?
  I think I'd better to put 3) and 4) first.
  Virtual ip  address (VIP) is the address to which client accesses.
  VIP is tied with a  serverfarm or serverfarms, in a serverfarm one or multiple rservers can  be configured.
  "serverfarm" is a group of "rservers".
  "rserver" means  real-server that has an ip address and processes transactions.
  When a client  accesses to the VIP, ACE picks up a rserver according to algorithm.
  If you configure a  VIP that is tied with a serverfarm where only one rsever is  configured, client accesses to the virtual ip address are
  all forwarded to  the rserver.
  If you configure a  VIP that is tied with a serverfarm where multiple rsevers are  configured,  client accesses to the virtual ip address are
  balanced among  those rservers.
  If you configure  multiple VIPs, client accesses to those VIPs are forwareded to  corresponding rservers according to configuration.
  1)  I have some of the server configured with clustering and getting one  virtual IP, In this case , will ACE work ?
  ACE load-balances connections to configured rservers.
  If the clustered servers are sharing one virtual ip address and you configure the virtual ip address as a rserver, all connections are
  sent to the virtual ip address. That is not "load-balancing" on ACE... You need multiple rservers to which ACE load-balances connections.
  2) If suppose i go for  configuring different IP address with all server IP :
  How do i  achieve it ?
  You can configure those ip addresses as rserver ip address.
  Multiple rservers are tied into a group, "serverfarm".
  I'm not certain about your culstered servers but I guess you can configure each ip addresses in the culster as rservers.
  Then put those rservers in a serverfarm.Client accesses to a virtual ip address configured on ACE for the serverfarm.
  This way connections are load-balanced among those rservers depending on load-balancing algorithm you choose.
  Above is just an overveiw. ACE gives you granular control not mentioned above.
  I can provide more specific information if you tell me details of what you are trying to archive with ACE.
  Regards,
  Kimihito.

• A few questions on the ACE

  I am getting up to speed on the ACE and was wondering if someone could please clarify a couple of things for me as the docs I am using are pretty confusing.
  We have the ACE module in a Cisco 65XX switch, along with FWSM.
  1) Do I need to create a Layer 3 int on the switch for the Vlan's that I have assigned to the ACE?
  2) I have created a Layer 3 Client side and a Server side Vlans on the ACE. Do I need to create a default gateway for each of these Vlan's or create just one DG and point it to the switch?
  3)Do I need to create a class map, a policy map and a service policy for the Client and Server Vlan L3 interfaces on the ACE?
  Thanks much.

  Have you had a chance to read through the config guide?
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/rtbrgdgd.html
  In general,
  1) yes for client-side vlans
  no for server-side vlans
  2) just one default route to an SVI on MSFC
  3) yes

• ACE module - Qos - set ip tos #

  All,
  Trying to mark traffic to/from L4 rules in the ACE.
  Documentation (like always) says it's really easy.  Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration.  Ok, so I do this, set ip tos 24.
  Enable qos globally on the 6500 host, but don't see the traffic being marked.
  sh mls qos says that packets are being modified by module 5 (ACE)
  But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
  sh mls qos:
  QoS is enabled globally
    Policy marking depends on port_trust
    QoS ip packet dscp rewrite enabled globally
    Input mode for GRE Tunnel is Pipe mode
    Input mode for MPLS is Pipe mode
  QoS Trust state is CoS on the following interface:
  Te3/1
  QoS Trust state is DSCP on the following interface:
  Gi2/3
    Vlan or Portchannel(Multi-Earl) policies supported: Yes
    Egress policies supported: Yes
  ----- Module [5] -----
    QoS global counters:
      Total packets: 207147888661
      IP shortcut packets: 0
      Packets dropped by policing: 0
      IP packets with TOS changed by policing: 2663386
      IP packets with COS changed by policing: 4889352
      Non-IP packets with COS changed by policing: 0
      MPLS packets with EXP changed by policing: 0
  Can someone explain to me what I've got wrong here?  Is the ACE simply marking traffic destined for the servers behind it and not the return traffic?  Am I missunderstanding something?

  Well... hopefully someone knows how to classify traffic coming from the ACE.
  I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it.  At least not the way I want.
  However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially sucessful solution.  Problem is, "partially" successful.
  You'll have a bunch of little conversations like this with no tos value full of push-acks:
  10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
  10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
  10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
  10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
  10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
  10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
  10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
  10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
  10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
  10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
  10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
  But then you'll see another conversation pop up with the correct markings
  10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
  10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
  I think what's happening, is that the conversations full of the P-acks is the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on it's way back to the client.
  I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either.  And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
  So.... PLEASE... Anyone???  Ideas???

• [UDP fast age support for ACE Module]

  Hello,
  I'm testing 2 ACE modules running A3.0.0 for DNS load balancing (UDP). We're testing this by using a DNS query generator that (always) seems to use the same UDP source port when originating these queries. At the moment, the ACE module is hardly doing any load-balancing.
  It looks to me like, that because of this, the ACE believes it's the same session (connection) and doesn't really load-balance, so I started looking for a solution and found the fast-age udp feature. But, it seems this is not supported on my ACE modules. Can any one offer another solution and/or look at my config and see if there is another way to achieve load balancing in a testing environment when using a tool like the one I described?
  (I put it that way because i believe in real life since queries come from different IP addresses and randomized udp ports, the ACE module will be just fine).
  Thanks in advance!
  c.

  Hi Carlos,
  Correct. The 3.0(0) is really misleading. You need to start with the "A" - so you really have 1.6.3a installed.
  The "show version" for V2 is slightly better -
  system: Version A2(1.2) [build 3.0(0)A2(1.2)
  Cathy

• Ace module dropping assymetric layer 2 connections

  Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server.  The server in question was using Transmit Load Balancing with Fault Tolerance.
  The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
  I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1.  The ace module is in transparent mode.  When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port.  Does it share some kind of layer 2 RPF check with the 6500 ?
  Please note there is no routing involved here.  The destination server is just on another vlan on the same subnet, on the other side of the ace.

  Bryan,
  As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.
  In your first example the flow will look like this.
  client > VIP after the ACE  client > rserver
  the reply would be
  rserver > client after the ACE VIP > rserver
  In your second example using client nat it will look like this
  Client > VIP   After ACE  Natpool > rserver.
  the reply would be
  rserver > Nat-pool  after ACE VIP > client.
  The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
  Regards
  Jim

• Certificates vanished - ACE Module. Strange!

  ACE modules are configured in Active/Standby context mode on two distinct Cat6500's. The feature license is 10,000 SSL tps, 8Gbps throughput.
  We ran the application performance tests with 1000 users with https transactions and I noticed that the all the root certificates under the chaingroup disappeared. Only the website certificate remained. When I accessed the website, it gave 'error with the security certificate' i.e. the root was not identifiable due to missing certificates. Eventually, the CPU went 100% on Cat6500 and the ACE module was shutdown by the chassis. It got reenabled automatically in 5 minutes.
  I re-added the root certs, removed/added the service policy and after sometime I noticed the root certs disappeared again. STRANGE !
  show version output is
  Cisco Application Control Software (ACSW)
  TAC support: http://www.cisco.com/tac
  Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  Software
  loader: Version 12.2[121]
  system: Version 3.0(0)A1(6.3a) [build 3.0(0)A1(6.3a) adbuild_02:16:25-2008/02/02_/auto/adbu-rel3/ws/rel_3_0_0_a1_6.3-thr
  ottle/REL_3_0_0_A]
  system image file: [LCP] disk0:c6ace-t1k9-mz.3.0.0_A1_6_3a.bin
  installed license: ACE-08G-LIC ACE-VIRT-020 ACE-SSL-10K-K9
  Hardware
  Cisco ACE (slot: 2)
  cpu info:
  number of cpu(s): 2
  cpu type: SiByte
  cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
  cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
  memory info:
  total: 957640 kB, free: 347924 kB
  shared: 0 kB, buffers: 1588 kB, cached 0 kB
  cf info:
  filesystem: /dev/cf
  total: 1014624 kB, used: 360960 kB, available: 653664 kB
  last boot reason: NP 0 Failed : NP ME Hung
  configuration register: 0x1
  Could you please advise whether there is any bug in the above software version i.e. it removes the root certs due to heavy transaction load.
  Thanks.

  I wanted to look for more details regarding this bug id. But I got the below message in Bug Toolkit. Please advise...
  CSCsl96203 Bug Details
  Information contained within bug ID CSCsl96203 is only available to Cisco employees. It is our policy to make all externally-facing bugs available in Bug Toolkit so the system administrators have been automatically alerted to the problem. By choosing to save this bug, you may be notified when the decision to make this bug available to you has been made. Note: Some product enhancement requests and documentation error bugs may not be available in Bug Toolkit.