02-16-2007 05:03 AM
We have 2*6504 with an ACE module on each chassis.
The ACE is divided into 1 Admin and 3 user contexts.
I want to set up a fault-tolerant configuration for all of the contexts, so I've created the configuration below.
However, if I check the FT status it seems it cannot find its peer.
What am I doing wrong?
ACE 01
ft interface vlan 2
  ip address 192.168.150.10 255.255.255.0
  peer ip address 192.168.150.20 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 200
  heartbeat count 20
  ft-interface vlan 2
  query-interface vlan 20
ft group 10
  peer 1
  no preempt
  peer priority 200
  associate-context FRONTEND
  inservice
ft group 20
  peer 1
  no preempt
  peer priority 200
  associate-context BACKEND
  inservice
ft group 30
  peer 1
  no preempt
  peer priority 200
  associate-context BEHEER
  inservice
ACE 02
ft interface vlan 2
  ip address 192.168.150.20 255.255.255.0
  peer ip address 192.168.150.10 255.255.255.0
  no shutdown
ft peer 1
  heartbeat interval 200
  heartbeat count 20
  ft-interface vlan 2
  query-interface vlan 20
ft group 10
  peer 1
  no preempt
  priority 200
  associate-context FRONTEND
  inservice
ft group 20
  peer 1
  no preempt
  priority 200
  associate-context BACKEND
  inservice
ft group 30
  peer 1
  no preempt
  priority 200
  associate-context BEHEER
  inservice
02-16-2007 05:24 AM
Obviously there is something wrong with your vlan 2.
Did you create the vlan on the switch and associate it to the ACE module?
Can you ping the ft vlan 2 ip addresses from one ACE to the other?
What ACE version do you run?
Gilles.
02-16-2007 05:36 AM
Thank you, I didn't have the vlan 2 assigned to the ACEs.
02-16-2007 06:13 AM
Now when I do a switchover with a persistent ping between hosts, the ping fails and it seems like the failover mechanism doesn't transfer the IP addresses and sessions.
When Context C is active on ACE 1, I can ping the vlan interface addresses from the ACE and from the hosts.
When I do a switchover for Context C, it gets passive on ACE 1 and active on ACE 2. Then from the ACE 2 I can't ping the vlan interface addresses, nor can I ping them from hosts.
When I do a sh ft group summ on ACE 2 I get this:
FT Group : 30
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 200
My Net Priority : 200
My Preempt : Disabled
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Disabled
Peer Id : 1
No. of Contexts : 1
What am I missing here? The configs of both ACE contexts are in sync.
02-16-2007 07:06 AM
Before testing failover you should verify that the ACE-2 can access all the devices.
Make sure the rservers are alive and that you can ping them from the ACE module.
If you can't, you need to do some normal connectivity troubleshooting.
Check arp entry.
Capture a sniffer trace to see if packets are coming out of the ACE module and if the server responds back, ...
Check Layer 2 cam table.
Gilles.
02-16-2007 07:21 AM
Make sure that you trunk the vlans necessary for the contexts between the two cat 6k5 chassis.
Ace1<->FT VLAN<->Ace2 (VLAN 2)
Cat6K <-Trunk-> Cat6K (VLAN 2,10,20 etc.)
Edit:
Checking your ft config. I think you should put only 1 ACE with "no preempt" and make sure that you have the priorities right also.
Anyhow, I am curious why you chose to put Frontend and Backend in separate contexts?
Example:
ACE A (Primary):
ft group 10
  peer 1
  priority 200
  peer priority 100
  associate-context FRONTEND
  inservice
ACE B (Secondary):
ft group 10
  peer 1
  no preempt
  priority 100
  peer priority 200
  associate-context FRONTEND
  inservice
02-26-2007 03:47 AM
I have split the Front End and Back End into separate contexts, as we wanted to split them because of security & administration levels.
I changed the config so only 1 context is in "preempt" and 1 is in "no preempt" configuration.
What IP address should I use as gateway for the hosts communicating through the ACE?
I now use the primary IP address of the contexts of ACE01. Maybe that's the problem?
02-26-2007 04:48 AM
Always use the "alias" for gateway. It works like HSRP and the standby address.
And after I checked your config I can see you haven't configured an alias for the interfaces.
Ace 1 - IP A
Ace 2 - IP B
Ace 1&2 - IP C (Alias)
The active ACE module is in charge of the alias.
Example:
ACE 1
interface vlan 10
  description beheer unsecure
  ip address 192.168.130.1 255.255.255.0
  peer ip address 192.168.130.2 255.255.255.0
  alias 192.168.130.3 255.255.255.0
ACE 2
interface vlan 10
  description beheer unsecure
  ip address 192.168.130.2 255.255.255.0
  peer ip address 192.168.130.1 255.255.255.0
  alias 192.168.130.3 255.255.255.0
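Added example, not part of the original thread or any Cisco tool: a small offline check that two pasted ACE configs mirror each other in the ways the replies above describe (ip address / peer ip address swapped, priority / peer priority swapped per FT group, one shared alias per data VLAN). The function names `parse`, `audit` and `sample` are hypothetical, and the sample configs are constructed from the snippets in this thread.

```python
import re

HEADER = re.compile(r"^(ft interface vlan|interface vlan|ft group|ft peer) (\S+)$")
KEYS = ("peer ip address", "ip address", "peer priority", "priority", "alias")

def parse(text):
    """Group sub-commands under their section header (flat or indented text)."""
    sections, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = sections.setdefault(m.groups(), {})
        elif cur is not None:
            key = next((k for k in KEYS if line.startswith(k + " ")), None)
            if key:  # keep only the settings that must mirror across peers
                cur[key] = line[len(key) + 1:]
    return sections

def audit(cfg_a, cfg_b):
    """Return findings for settings that do not mirror between the two peers."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for sec in sorted(set(a) | set(b)):
        x, y, name = a.get(sec), b.get(sec), " ".join(sec)
        if x is None or y is None:
            out.append(f"{name}: configured on one peer only")
        elif sec[0].endswith("interface vlan"):
            if (x.get("ip address"), x.get("peer ip address")) != (y.get("peer ip address"), y.get("ip address")):
                out.append(f"{name}: ip address / peer ip address do not mirror")
            if sec[0] == "interface vlan" and (not x.get("alias") or x.get("alias") != y.get("alias")):
                out.append(f"{name}: alias missing or different")
        elif sec[0] == "ft group":
            if None in (x.get("priority"), y.get("priority")):
                out.append(f"{name}: priority not set explicitly on both peers")
            elif (x["priority"], x.get("peer priority")) != (y.get("peer priority"), y["priority"]):
                out.append(f"{name}: priority / peer priority do not mirror")
    return out

def sample(ip, peer, prio_lines, alias):
    """Constructed sample config (flat, as posted in the thread); not from a real device."""
    rows = ["ft group 10", "peer 1", *prio_lines, "associate-context FRONTEND", "inservice",
            "interface vlan 10", f"ip address {ip} 255.255.255.0", f"peer ip address {peer} 255.255.255.0"]
    return "\n".join(rows + ([f"alias {alias} 255.255.255.0"] if alias else []))

A, B, C = "192.168.130.1", "192.168.130.2", "192.168.130.3"
GOOD = (sample(A, B, ["priority 200", "peer priority 100"], C),
        sample(B, A, ["priority 100", "peer priority 200"], C))
BAD = (sample(A, B, ["peer priority 200"], None), sample(B, A, ["priority 200"], None))
if __name__ == "__main__":
    print(audit(*GOOD), audit(*BAD), sep="\n")
```

`GOOD` follows the corrected examples from the replies and yields no findings; `BAD` follows the shape of the original post (one priority statement per group, no alias) and yields one finding for the FT group and one for the VLAN interface.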
02-26-2007 08:51 AM
You can't use a context for front-end and another one for back-end.
That's not the purpose of context.
Context is to separate different organisations, groups, companies, traffic from one another.
In your case you need traffic to go from 1 context to the other.
This is not possible.
So, you have to group front-end and backend into a single context.
Gilles.
02-27-2007 03:41 AM
Hi Gilles,
I understand what you are saying. But we've got servers with network cards in both contexts. The traffic is flowing through the servers and not through the contexts.
But the "gateway" problem has been solved. Thanks for the help.
Sebastian