Transparent ACE - 2 VLAN's, 1 context, 2 VIPs

Similar Messages

• ACE FT Vlan Down

  I'm trying to configure Fault Tolerance on a pair of 4710s.  I followed the doc, and configured int gi1/4 as the fault tolerance interface, using vlan 12.  However the GUI is saying FT Vlan Down
  The troubleshooting wiki said check the physical connectivity, but everything there looks good.  Each ACE can ping it's own IP, but not the router on that VLAN, or the peer.   They're connected to a dedicated VLAN in a switch, and I even tried a crossover cable to directly connect the two.
  Here's our config:
  ace1/Admin# show running-config ft
  Generating configuration....
  ft interface vlan 12
    ip address 192.168.12.1 255.255.255.0
    peer ip address 192.168.12.2 255.255.255.0
    no shutdown
  ft peer 1
    heartbeat interval 300
    heartbeat count 20
    ft-interface vlan 12
    query-interface vlan 1000
  ft group 1
    peer 1
    peer priority 200
    associate-context Admin
    inservice
  interface gigabitEthernet 1/4
    description FT
    ft-port vlan 12
    no shutdown
  Everything looks good, the interface is up/up, but I can't ping the peer.  Gui shows FT Vlan Down. Here's a show ft peer...
  ace1/Admin# show ft peer 1 detail
  Peer Id                      : 1
  State                        : FSM_PEER_STATE_DOWN
  Maintenance mode             : MAINT_MODE_OFF
  FT Vlan                      : 12
  FT Vlan IF State             : UP
  My IP Addr                   : 192.168.12.1
  Peer IP Addr                 : 192.168.12.2
  Query Vlan                   : 1000
  Query Vlan IF State          : UP, Manual validation - please ping peer
  Peer Query IP Addr           : 0.0.0.0
  Heartbeat Interval           : 300
  Heartbeat Count              : 20
  Tx Packets                   : 0
  Tx Bytes                     : 0
  Rx Packets                   : 0
  Rx Bytes                     : 0
  Rx Error Bytes               : 0
  Tx Keepalive Packets         : 0
  Rx Keepalive Packets         : 0
  TL_CLOSE count               : 0
  FT_VLAN_DOWN count           : 0
  PEER_DOWN count              : 2
  SRG Compatibility            : INIT
  License Compatibility        : INIT
  FT Groups                    : 1
  Any other ideas on what to check?
  Thanks
  Tom

  Hi Tom,
  It looks the vlan and the physical interface are up. You can anyway check the following to confirm:
  sh interface gi 1/4
  sh interface vlan 12
  In "sh interface gi 1/4 counters", do you see the "RX packets" counter increasing?
  You should be able to ping 192.168.12.2 from 192.168.12.1 and vice versa. Which ip did you assign to the other peer. Should be:
  ft interface vlan 12
    peer ip address 192.168.12.2 255.255.255.0
    ip address 192.168.12.1 255.255.255.0
    no shutdown
  You can check as well "sh ft stats" and see if the heartbeats counter are increasing.
  Regarding to other interfaces, you mention that you can't ping devices on the ACE adjacent vlans. Are you allowing icmp traffic? For instance:
  policy-map type management first-match management
    class management
      permit
  class-map type management match-any management
    match protocol icmp any
  service-policy input management
  Finally, did you check whether you are able to resolve mac addresses?
  I hope it helps,
  Olivier

• CSM to ACE - vserver vlan

  Greetings,
  Can someone please help converting the following CSM config to ACE config. Need to understand how vlans under vservers would be included for ACE. Also how is the nat client natpool configured on ACE? Thanks.
  CSM#
  vlan 10 client
  ip address 192.168.18.3 255.255.255.0 alt 192.168.18.4 255.255.255.0
  vlan 11 server
  ip address 192.168.18.3 255.255.255.0 alt 192.168.18.4 255.255.255.0
  natpool POOL_FEtoLOC 111.1.0.1 111.1.0.200 netmask 255.255.255.0
  serverfarm FARM
  nat server
  no nat client
  real name R1 8090
  inservice
  real name R2 8090
  inservice
  serverfarm FARM_N
  nat server
  nat client POOL_FEtoLOC
  real name R1 8090
  inservice
  real name R2 8090
  inservice
  vserver VIP
  virtual 192.168.10.6 tcp www
  vlan 10
  serverfarm FARM
  replicate csrp connection
  persistent rebalance
  inservice
  vserver VIP_N
  virtual 192.168.11.6 tcp www
  vlan 11
  serverfarm FARM_N
  replicate csrp connection
  persistent rebalance
  inservice

  with ace the policy [vserver] is configured globally or on the interface vlan.
  So, if in your CSM config there is a vlan specified under the vserver, it means you apply the policy to a specific vlan only.
  So, in ACE you would have
  interface vlan 11
  service-policy input VIP_N
  interface vlan 10
  service-policy input VIP
  The client nat function in ace works differently than the CSM.
  It's not per serverfarm but per interface/policy.
  So, first define the client pool on the outbound interface [interface towards server]
  interface vlan x
  natpool 1 x.x.x.x ....
  Then on your policy, select the natpool
  policy-map multimatch VIP_N
  class ...
  nat dynamic 1 vlan x
  But, do you know that ACE comes with a CSM -> ACE config converter onboard ?
  Easier than having to figure this out if you don't have time.
  Gilles.

• Question in regard to management VLAN for each Context in ACE module

  Dear Pros,
  I know this will be a simple questions to answer, and I have searched the forum, but I am not able to find the answer I need.
  1) Does the ACE module require an Management IP address for each Context? Should the same VLAN be applied to each context, with larger size subnet to supply host address?
  2) If it does require that, what IP address should I used for default route in each context.
  I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
  Each ACE module will have 3 seperate Context, for a total of 4 including the Admin.
  Any suggestions or if you can point me to location as always will be greatly apprecaited.
  Thanks and best regards.
  Raman Azizian

  Hi,
  you have several options to choose from.
  1. Use Admin context for management
  You can use the Admin context for management. Give it an IP address in your managment VLAN, default route to upstream router, and login and change to contexts from there.
  + Easy and straightforward
  - snmp and syslog are using the ip from each individual context and not the management IP
  2. Use a Large subnet and assign an IP address in each context for management.
  You can configure 1 managment VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
  + each context has its own managment address
  - static routes need to be added
  3. Use your client-side ip address (or BVI) as management address.
  You management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
  + no static routes needed
  - inline management
  Personally, I choose option 1. That is, if the people that need to manage the ACE is the same team.
  If other teams (serverteam for context 1, other serverteam for context 2) need to manage the ACE, than I would choose option 3.
  HTH,
  Dario

• Transparent ACE Design

  Hi,
  I am designing a data centre with VSS, FWSM & ACE. I am using the design guide below as a start point, using the red service chain.
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html
  my topology will be routed access with transparent contexts, so;
  client -> MSFC -> Trans FWSM -> Trans ACE -> VRF - > Rservers subnets A & B.
  I will be using RHI to advertise the VIPs to the MSFC. The VRF and MSFC will use OSPF to propagate reach-ability.
  my questions are:
  1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?
  2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?
  3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?
  4) likewise for LB traffic that hits the VIP, how is it forwarded?
  5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, eg is this a supported config?
  Thanks in advance!
  Lee.

  Hi Lee,
  Let me reply you in line:
  1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?
  Yes, you can use any subnet, of course you must have a route to reach the rservers.
  2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?
  It will be either the alias IP defined in the interface VLAN of the ACE if it exists, or its IP address if no alias is available.
  3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?
  either static routes or a gateway.
  4) likewise for LB traffic that hits the VIP, how is it forwarded?
  normally it uses the client IP as source and the destination IP of the rserver if you are not natting. Not sure if this answers your question.
  5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, eg is this a supported config?
  yes it is.
  Hope this helps,
  /dom

• Cisco ACE default vlan

  Hello everybody,
  I am installing a ACE 4700 in a customer but when i started to work and saw their topology, then i realized that i had a problem. The problem is that i cannot create the interface vlan 1 and assign an ip address to it. I saw some documments is cisco.com site that the ACE hide this vlan.
  Follows my topology:
  Servers vlan are the vlan 1
  Clients vlans are 5
  Management vlan is 8
  As i undertood, the ACE has to have at least one interface in the servers vlan, but i cant create the VLAN 1. So my problem is, how do i unhide the vlan 1 in the ACE so i can configure an ip address on it.
  Leandro

  If you can't have the customer migrate the servers into a different VLAN, you need to trick a bit, as VLAN1 is not usable on the ACE.
  Pick a VLAN number that you will use inside the ACE for the outer VLAN1. Say, VLAN101.
  If you have an access port connecting to the server segment, just set it to 101:
       switchport access vlan 101
  If you connect via a trunk, set your native VLAN to 101:
       switchport trunk native vlan 101

• ACE - Query VLAN Interfaces Status

  Hi,
  I am wondering what the status of the query vlan interface means in the command 'show ft peer detail':
  Query Vlan IF State          : UP, Manual validation - please ping peer
  I am pretty sure that I did not see this status when I configured query vlan last time. Current version is A2(2.3).
  Unfortunately this status does not seem to be documented anywhere on CCO.
  I appreciate any help!
  Thanks,
  Daniel

  Hi Daniel,
  The FT Query VLAN interface is an optional, yet very good, feature to be used when using redundant ACE modules or appliances. Without it, if the FT VLAN was to go down, the standby ACE will no longer receive FT heartbeats from the active ACE and therefore take the active role.  However, if the active ACE is still running fine in the active role, then you don't want the standby ACE to take over as active because that will put them into an active/active scenario, which may lead to connectivity issues.
  This is where the FT Query VLAN interface comes in.  If the FT VLAN goes down, the standby ACE will notice this, but before taking the active role, it will ping it's peer IP address configured on the interface that is designated as the FT Query VLAN.  If the ping is successful, then it will stay in the standby role, thereby saving you some headaches.
  The status that you are seeing is the ACE's way of telling you that the interface is UP, but if you want to know if it can successfully ping the peer IP address, then you would have to manually ping the peer IP address from the CLI.  The ACE does not periodically check the ping connectivity through any automatic mechanism.  The automatic mechanism is only triggered by the FT VLAN going down.
  Does this help?
  Sean

• ACE system stability with multi-context

  Question... if the ACE module is configured with multiple contexts, and one of the contexts hits its max resource limitations for a given resource thereby resulting in dropping excess resources, will this cost the entire ACE system, or is it limited only to the one context?
  For example, if a context configured for a max of 3000 connections/second receives 300000000 connections/second due to a virus outbreak/DoS attack, will this attack affect other contexts, or will the dropping of the excess connections be seamless to other contexts? Also, does the ACE drop the excess traffic in hardware, or must it be examined by a cpu?
  Thanks!!
  -Lee

  Generally, the individual contexts operate independently from one another. So if one context reaches it's upper defined limit, that affects only that context.
  The ACE has hardware-based support for many of it's operations, and to the best of my knowledge, connection processing is handled by one of its 16 ME's (MicroEngine). I've never seen a benchmark test that shows how e.g a DoS-attacks affects the entire module, nor have I tried it myself, but maybe someone else here at the forum can provide you with some information on that.
  BTW, try and check out theese to links. The first one describes the ACE hardware architecture, including the ME's and how they're used for processing traffic. The other one is a test conducted by Miercom on the ACE module, maybe this can provide you with some information on how the ACE handles a sudden increase in traffic during an attack.
  http://www.cisco.com/en/US/customer/prod/collateral/modules/ps2706/ps6906/White_Paper_Connection_Handling_within_the_Cisco_Application_Control_Engine_Module_Hardware.html
  http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_brochure0900aecd806d1c90.pdf
  hth
  /Ulrich

• ASA-SM: same mgmt VLAN in all context

                     Hi
  I have ASA-SM failover pair in two Catalyst 6500 switches.
  I send from switch to ASA-SM management VLAN 1234 to admin context for management purposes.
  I have another 3 contexts on ASA-SM.
  Can I have same managemenet VLAN1234 on each ASA-SM context? Can it work?
  I need it for sending syslog messages form contexts to syslog server via management interface.
  Peter

  Hi Bro
  Just assign VLAN 1234 to the admin context. As for the other contexts, ensure those vlans assigned to those context are routable to VLAN 1234, and are you're able to poll SNMP, SYSLOG etc. messages.
  Yes, you can assign VLAN 1234 to multiple context, but this is not practical. This is because each contect will require 2 IP Address for VLAN 1234, since it's running in failover mode. If you were to run 250 contexts (maximum), this approach will not work. You'll run out of VLAN 1234 IP Address in no time.
  This is surely not the best design. You could refer to http://www.ciscopress.com/articles/article.asp?p=426641 for more details on this.
  P/S: If you think this comment is useful, please do rate them nicely :-)

• ACE 20 | When connection to one serverfarm/VIP cross 1000 all other serverfarms and VIP of that context are facing very very slowness

  Dear Community
  Hi !!
  We are  Facng a typical issue and scraching Head since sometime Now and Now seek help and sugesstions
  I have a ACE with 10 Context. Now There is a Particular Context  which have 6 server farms and all have under different VIP.
  Have raised Multiple TAC cases and Captured Millions of Packets but no reason. The ACE resource and CPU Usage is Normal and no increase noticed.
  Issues Happening is that when connection to one serverfarm cross 1000, all other serverfarms and VIP  of that context  are facing very very slowness ,and  they have no relation with each other both Physically and Fictionally
  If any of you have heard of similar issue can you refer me a solution if the issue is with ACE 

  Hi Shirshendu,
  Replied to you on other thread.
  Regards,
  Kanwal

• ACE ; server vlan

  Hi,
  do we always have to layer-3 interface of the server vlan on the ACE so as to setup a load balancing?
  i.e. support i have server 1 (10.10.1.1) and server 10.10.1.2).
  do I always have to define server vlan for these servers (that's default gateway of the server vlan) on the ACE? or I can default it any where on our network (i.e. define it on the switch)?
  if I can define it on any switch than how would ACE send client traffic to these server?
  Thanks in advance...

  Hello Gavin,
  Here you have some links and details of each type of design, you can take a look of that and find out which one matches with your design.
  Routed Mode:
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Routed_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
  Bridge Mode
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
  One Arm Mode
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
  Hope this helps
  Jorge

• ACE 4710 eHealth monitoring of context

  Hi,
  Our eHeath people tell me they cannot stat anything in any of the contexts (excluding Admin) on the ACE, i can snmpwalk the various contexts using the '@context' suffix.
  e.g. snmpwalk -c community@context2 10.1.1.1 .1.3.6.1.4.1.9.9.161
  eHealth can only route to the Admin context.
  Does anybody know if eHealth can access the ACE contexts in this fashion?
  Thanks
  Chris

  Hi,
  Here is the expected operation for each of those cases:
  A real server.
  If the server is not associated with any serverfarm, the status will not be probed (the rserver will be marked as INACTIVE)
  A real server and then associate the real server with a  server farm. You can associate a single probe or multiple probes with  real servers within a server farm.
  The probe will only be applied to that specific server
  A server farm. All servers in the server farm receive probes of the associated probe types.
  The probe will be applied to all the servers in the serverfarm.
  Another thing to take into account is that (by default) if more than one probe is associated to a server (either directly or through a serverfarm), all the probes need to succeed to consider the server operational. You can also add the command "fail on all" to a serverfarm or rserver to change this behavior and only consider the server as down when all the probe fail
  I hope this answers your question
  Regards
  Daniel

• Transparent firewall with failover with multiple contexts

                     I am running 8.4(2) on ASA5585s. They are in mulitble context mode and set to transparent firewall with active/active failover. When I do a sh failover in a context I see 2 of my interfaces are (waiting). I have a BVI and these are the ip addresses on the interfaces in he "sh failover" below.
  Failover On
  Last Failover at: 11:54:39 GMT/IST Feb 23 2012
          This context: Standby Ready
                  Active time: 175394 (sec)
                    Interface ctxb-inside (x.x.x.165): Normal (Waiting)
                    Interface ctxb-outside (x.x.x.165): Normal (Monitored)
          Peer context: Active
                  Active time: 11390663 (sec)
                    Interface ctxb-inside (x.x.x.164): Normal (Monitored)
                    Interface ctxb-outside (x.x.x.164): Normal (Waiting)
  Why are the interfaces in (waiting)?

  Are you able to ping between the interfaces? ie: can you ping x.x.x.165 from x.x.x.164 and visa versa? If you are not able to ping it, that means there is no connectivity between the 2, hence the status is in Normal (Waiting) because it has not received the hello packet on that corresponding interface.
  Here is the reference guide FYI:
  http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s3.html#wp1505709

• ACE- From one real server to another VIP

  Hi,
  I have a problem with ACE;
  We have multiple serverfarms configured in the ACE module based on the application and different VIPs related to it. We are running the ACE in bridging mode. Now the requirement is from one serverfarm real server wants communicate to the VIP of the second serverfarm...Is this possible..???? Wil some NATing help in this situation. Below is the configuration.
  ======================
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  access-list LAN_Traffic remark For all IP Traffic
  access-list LAN_Traffic line 10 extended permit ip any any
  access-list LAN_Traffic line 20 extended permit icmp any any
  probe http PORTAL_HTTP
    passdetect interval 20
    passdetect count 2
    request method get url http://portal
    expect status 0 600
  probe http RMS_HTTP
    request method get url /_wmcs
    expect status 0 600
  rserver host PORTAL1
    ip address 172.22.11.241
    inservice
  rserver host PORTAL2
    ip address 172.22.11.243
  rserver host QGLRSPW1
    inservice
  rserver host RMS01
    ip address 172.22.10.12
    inservice
  rserver host RMS02
    ip address 172.22.10.8
    inservice
  serverfarm host PORTAL
    failaction purge
    probe PORTAL_HTTP
    rserver PORTAL1
      inservice
    rserver PORTAL2
      inservice
  serverfarm host RMS
    failaction purge
    probe RMS_HTTP
    rserver RMS01
      inservice
    rserver RMS02
      inservice
  class-map match-any PORTAL
    2 match virtual-address 172.22.10.166 tcp any
  class-map match-any RMS
    2 match virtual-address 172.22.10.52 tcp eq www
    3 match virtual-address 172.22.10.52 tcp eq https
  policy-map type loadbalance first-match RMS-POLICY
    class class-default
      serverfarm RMS
  policy-map type loadbalance first-match PORTAL-POLICY
    class class-default
      serverfarm PORTAL
  policy-map multi-match SFARM-LB-POLICY
    class RMS
      loadbalance vip inservice
      loadbalance policy RMS-POLICY
      loadbalance vip icmp-reply active
  class PORTAL
      loadbalance vip inservice
      loadbalance policy PORTAL-POLICY
      loadbalance vip icmp-reply active
  interface vlan 800
    description ACE Client Interface
    bridge-group 1
    mac-sticky enable
    service-policy input SFARM-LB-POLICY
    no shutdown
  interface vlan 898
    description ACE Server Interface
    bridge-group 1
    mac-sticky enable
    no shutdown
  interface bvi 1
    ip address 172.22.11.151 255.255.252.0
    alias 172.22.11.153 255.255.252.0
    peer ip address 172.22.11.152 255.255.252.0
    description Bridge Group for 800 and 898 Interfaces
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.22.8.17
  ===================================
  Pleae help..Thanks in advance

  Hello!
  Well yes it would work. BUT...you have to change your config a bit. First you need to apply your accesslist to both interfaces, or the ACE will reject it, because it is acting as a firewall by default. And second you have to apply the policymap to both interfaces as well or you put the policymap globally on the ACE.

• Cisco ACE can rserver use it's own VIP address ?

  we've configured a serverfarm with a real server and a VIP.
  The serverfarm can be reached and is functioning well.
  Now we want the rserver to be able to reach it's own VIP address.
  This is needed because the rserver has multiple websites which need each other
  and we want to have load balancing.
  Is this a supported configuration ?
  regards,
  Sebastian

  you can simply add a new policy to match the servers ip addresses and then configure nat.
  ie:
  class-map match-all servers
  2 match source-address 192.168.30.48 255.255.255.255
  policy-map multi-match client-nat
  class servers
  nat dynamic 1 vlan 30
  interface vlan 20
  ip address 192.168.20.121 255.255.255.0
  alias 192.168.20.124 255.255.255.0
  peer ip address 192.168.20.123 255.255.255.0
  no normalization
  mac-sticky enable
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  service-policy input client-nat
  service-policy input SLB1
  no shutdown
  interface vlan 30
  bridge-group 30
  no normalization
  mac-sticky enable
  access-group input PERMIT-ANY
  nat-pool 1 10.10.20.1 10.10.20.100 netmask 255.255.255.0
  In this case I nat the to an address in 10.10.20.0/24 subnet and I have a static route on the servers pointing this subnet to ACE.
  You could also use a free ip from the same server subnet and no static route would be required.
  Also if ACE is already the default gateway for the servers, no specific static route is required.
  Also, in this example, I'm not really nating a server. But the idea is the same. The only difference is that in your case, the outgoing interface will be the same as the incoming interface. Me I have everything in vlan 20 and vlan 30. You will have everything in vlan X and only vlan X.
  Gilles.