ACE 4710 failover problem in routed mode

Jan 14th, 2010

Hi People
We have the following configuration
FireWall1 --vlan70 SwitchA -- ACE1 --vlan31--SWA-SWC - Server (with two cards)
FireWall2 --vlan70 SwitchB -- ACE2 --vlan31 -SWB-SWD /

SWA and SWB are connected via trunk


When ACE1 fails, ACE2 becomes active, but FW1 cannot talk to ACE alias ip anymore


FW1 has as GW the alias ip of vlan 70
and Servers have as gw the alias ip of vlan 31


the state of ACE2 is hot standby
on ACE2 we also get a continuous error in the logs, although we can ping the server and telnet to that port from ace2:
"Health probe failed for server X.X.X.X on port 7793, internal error: failed to setup a socket"


config is as follows:
interface vlan 31
  ip address 10.55.250.12 255.255.255.240
  ip options allow
  alias 10.55.250.14 255.255.255.240
  peer ip address 10.55.250.13 255.255.255.240
  no normalization
  no icmp-guard
  access-group input permit_all
  no shutdown
interface vlan 70
  ip address 10.56.251.33 255.255.255.240
  ip options allow
  alias 10.56.251.34 255.255.255.240
  peer ip address 10.56.251.35 255.255.255.240
  no normalization
  access-group input permit_all
  service-policy input int70
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown


the config is successfully replicated on secondary

Peter Koltl Thu, 01/14/2010 - 02:12

Switch to ACE2 active. Check ARP tables on ACE1, ACE2, FW1. Check CAM tables in SwitchA, SwitchB. But probably, you have to repair ACE2 first. Please test ICMP and TCP (telnet, ssh etc.) between ACE2 and servers, ACE2 and FW1... Internal error might indicate some resource or TCP/IP stack problem. Reboot?

g.eleftheriou Thu, 01/14/2010 - 02:39

I just saw that the internal error was an old message and does not appear now.

I will have to retest the failover.

How many interfaces do they have to fail for switchover?

Correct Answer
Peter Koltl Thu, 01/14/2010 - 03:06

FT switchover occurs if 'Net priority' of the active ACE falls below that of the standby. For any decrement, you need to define an FT track: host or VLAN interface. For example:


ft track interface tr950
  track-interface vlan 950
  peer track-interface vlan 950
  priority 30
  peer priority 30


(30 is the decrement.) A VLAN interface goes down if the corresponding physical interface goes down or you disallow that VLAN from the trunk on the switch.
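To make the "net priority" rule concrete, here is a small model (added here, not from the thread or Cisco) of two ACEs in an FT group, each tracking vlan 31 and vlan 70 with the same decrement; the priorities and the set of failed VLANs are constructed inputs. It shows the check a practitioner should do before relying on a track: the decrement must be larger than the gap between the two configured priorities, otherwise a tracked interface can fail on the active ACE without any switchover.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class FtTrack:
    """One 'ft track interface' entry: the VLAN it watches and its decrement."""
    vlan: int
    decrement: int  # the 'priority' value configured under 'ft track interface'


@dataclass
class AceMember:
    """One ACE in an FT group: configured priority, tracked VLANs, VLANs currently down."""
    name: str
    priority: int  # 'priority' (or 'peer priority') under 'ft group'
    tracks: List[FtTrack] = field(default_factory=list)
    down_vlans: Set[int] = field(default_factory=set)

    def net_priority(self) -> int:
        # Net priority = configured priority minus the decrement of every
        # tracked VLAN interface that is currently down on this ACE.
        lost = sum(t.decrement for t in self.tracks if t.vlan in self.down_vlans)
        return self.priority - lost


def switchover_needed(active: AceMember, standby: AceMember) -> bool:
    """FT switchover fires when the active ACE's net priority drops below the standby's."""
    return active.net_priority() < standby.net_priority()


def evaluate(active_prio: int, standby_prio: int, decrement: int, failed_vlans) -> dict:
    """Constructed scenario: ACE1 active, ACE2 standby, both tracking vlan 31 and
    vlan 70 with the same decrement; fail the given VLANs on ACE1 and report."""
    tracks = [FtTrack(31, decrement), FtTrack(70, decrement)]
    ace1 = AceMember("ACE1", active_prio, list(tracks), set(failed_vlans))
    ace2 = AceMember("ACE2", standby_prio, list(tracks))
    return {
        "active_net": ace1.net_priority(),
        "standby_net": ace2.net_priority(),
        "switchover": switchover_needed(ace1, ace2),
    }


if __name__ == "__main__":
    # Decrement 30 with priorities 150/50: losing vlan 70 leaves ACE1 at 120 > 50, no switchover.
    print(evaluate(150, 50, 30, {70}))
    # Decrement 110 with the same priorities: 150 - 110 = 40 < 50, ACE2 takes over.
    print(evaluate(150, 50, 110, {70}))
    # Equal priorities: any single tracked failure on the active is enough.
    print(evaluate(100, 100, 30, {70}))
```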

g.eleftheriou Thu, 01/14/2010 - 03:19

Peter thanks for that, I didn't know it.

What about the "query-interface vlan" under ft configuration?

For instance

ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 104
query-interface vlan 1000


will the standby become active if vlan 1000 fails?

dario.didio Thu, 01/14/2010 - 05:20

Hi,


The purpose of the query vlan command is to have a second check in case the FT vlan fails.

If both ACEs are up and running, but something happens to the FT vlan (cabling problem for instance) the ACE will ping the IP Address of the other ACE for the configured interface in the query vlan command.


If it receives a response, it knows something is wrong with the FT vlan but the other ACE is still alive. This prevents the secondary from becoming primary and both ACEs from becoming active.


HTH,

Dario

g.eleftheriou Thu, 01/14/2010 - 23:35

Problem solved by adding ft track interface vlan.

thanks to all who responded.

Peter Koltl Thu, 01/14/2010 - 05:19

Forget it (unless your tests show it is useful). Mine didn't.


You can read about it in the documentation, but you'd better test it.


ACEs won't switch over if Query VLAN fails.
