There are multiple VIPs, 192.168.0.252 (HTTP/HTTPS) and 192.168.0.248 (FTP/SFTP), that work.
A new VIP, 192.168.0.250, does not work properly for HTTP/HTTPS. Behind this VIP there are two servers: 192.168.0.25 and 192.168.0.27.
In the load balancer GUI, under Web Content Services, the 192.168.0.25 service bfqwww2_https shows as alive while the remaining services show as down. While testing, 192.168.0.25 and 192.168.0.27 both respond to HTTP/HTTPS requests on their real addresses.
The default route is currently set to 192.168.0.253.
I found that the HTTP/SSL keepalive was failing on the new HTTP/HTTPS services for these servers. By changing it to keepalive type tcp, it now works, but this obviously is not a solution as it would create a service black hole if the HTTP/HTTPS services malfunction on the server.
This ended up being related to a bug; an upgrade to 8.10 resolved the issue:
Class A keepalives get stuck into a DOWN state
The CSS services are transitioning for the ports used for class A keepalives are getting stuck in the wrong state, and therefore the CSS is leaking ports.
The CSS is processing a FIN received from the server at the same time as the connection is being closed for a class A keepalive. There is a race condition possible in this scenario that could cause the port to become stuck in the wrong state if the connection is closed before the FIN is finished being processed. We now make sure that the FIN state transition is processed before the connection is cleared.
A workaround for this issue would be to have the server configured to not send a FIN back to the CSS for class A keepalives.
CSS keepalive fails service incorrectly
CSS may mark a service as dying or down if an HTTP keepalive is used and the HTTP response from the service spans more than one packet.
The keepalive was failing because the first packet ended with a 0x0d0a which the CSS was incorrectly interpreting as the end of the response header, and therefore, since it did not receive sufficient data from the server, the keepalive would fail.
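
A small model of the multi-packet HTTP keepalive failure quoted above, as an added example that is not part of the original post and is not Cisco's code. The segment contents and function names are constructed for illustration, and the flawed probe assumes the defect amounts to treating a segment that ends in 0x0d0a as the end of the header:

```python
CRLF = b"\r\n"
END_OF_HEADERS = b"\r\n\r\n"

# Constructed response split across two TCP segments; the first segment
# happens to end on a header-line boundary (0x0d0a).
SEGMENTS = [
    b"HTTP/1.1 200 OK\r\nServer: example\r\nContent-Type: text/html\r\n",
    b"Content-Length: 5\r\n\r\nhello",
]


def evaluate(buf):
    """Return 'alive' only for a complete header block with a 200 status."""
    head, sep, _ = buf.partition(END_OF_HEADERS)
    if not sep:
        return "down"  # header never completed: insufficient data
    parts = head.split(CRLF)[0].split()
    ok = len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1] == b"200"
    return "alive" if ok else "down"


def flawed_probe(segments):
    """Model of the defect: stop reading at the first segment ending in CRLF."""
    buf = b""
    for seg in segments:
        buf += seg
        if buf.endswith(CRLF):
            break  # wrongly treated as the end of the response header
    return evaluate(buf)


def correct_probe(segments):
    """Keep reading until the blank line that really terminates the header."""
    buf = b""
    for seg in segments:
        buf += seg
        if END_OF_HEADERS in buf:
            break
    return evaluate(buf)


if __name__ == "__main__":
    print("flawed :", flawed_probe(SEGMENTS))
    print("correct:", correct_probe(SEGMENTS))
```

The same healthy server is marked down or alive depending only on where the TCP segment boundary falls, which is why a TCP-only keepalive hid the problem.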