ACE 4710 HA not working

akhil.abrol · ‎08-04-2009

Dear Experts,

We have 4 ACE 4710 appliances. 2 are primary and 2 are secondary for them. Few days back we had a migration and i wanted to check the FT of both the ACEs and plugged out the power cable of Primary ACE. But, nothing happened.! All the VIPs stopped pinging. The secondary didn't come up as primary. show ft stats stopped updating the counter.

Please help. Config attached.

Gilles Dufour · ‎08-04-2009

the config is correct.

Did you get a 'show tech' on the standby ?

Do you have a 'show ft group summary' before and after pulling the cable ?

Failover could have happened but something else prevented the vip to be accessible.

G.

akhil.abrol · ‎08-04-2009

No..! Dont have the show tech before pulling the cable. I will post the 'sh ft summ' when i'll connect my VPN. Right now i'm at home.

But one thing is, when i disconnected both the ACEs from one place; i plugged only secondary and tried pinging but none of the VIP was pinging. Then when i connected the primary, everything started working.

Any ideas?

Regards,

Akhil

akhil.abrol · ‎08-10-2009

Hi,

Here is the 'sh ft group summary' of both the ACEs.

APP-ACE/Admin# sh ft group summary

FT Group : 1

Configured Status : in-service

Maintenance mode : MAINT_MODE_OFF

My State : FSM_FT_STATE_ACTIVE

My Config Priority : 150

My Net Priority : 150

My Preempt : Enabled

Peer State : FSM_FT_STATE_STANDBY_HOT

Peer Config Priority : 100

Peer Net Priority : 100

Peer Preempt : Enabled

Peer Id : 1

No. of Contexts : 1

switch/Admin# sh ft group summary

FT Group : 1

Configured Status : in-service

Maintenance mode : MAINT_MODE_OFF

My State : FSM_FT_STATE_STANDBY_HOT

My Config Priority : 100

My Net Priority : 100

My Preempt : Enabled

Peer State : FSM_FT_STATE_ACTIVE

Peer Config Priority : 150

Peer Net Priority : 150

Peer Preempt : Enabled

Peer Id : 1

No. of Contexts : 1

Please help...

akhil.abrol · ‎08-11-2009

Please help me with this. Its really urgent. :-(

Please let me know if any other info is required.

Regards,

Akhil

Gilles Dufour · ‎08-11-2009

We need more troubleshooting to be done when the issue is happening.

Show tech.

Show arp.

Can you ping interfaces.

Sniffer trace.

Can't assist with just symptoms.

Gilles.

akhil.abrol · ‎08-11-2009

Hhmm.. Ok, I am going to take the downtime cuz the network is live now. Will do all the testings and troubleshooting and get back to you with the results.

Thanks for your support..

Regards,

Akhil

akhil.abrol · ‎08-17-2009

Hi,

After a couple of testings i have some information to share with you.

As per the config i pasted above, my primary Ace's priority is 150 and secondary's default 100. As per Ace help when the active member of a fault-tolerant group becomes unresponsive, its priority is reduced by 10. Since my active's priority was 150 the secondary was not taking place of active. I changed the priority to 105 and atleast switchover started happening.

Now the problem is, when the secondary is acting as primary, there is nothing in its arp table and cuz of that, nothing is pinging. In the vlan config, the ip address is still as "peer ip address". i added an ip address in the same vlan of same subnet and it started pinging. but when the primary came up, the config was again to the previous one. the ip address command was deleted. Here is the config of vlans.

interface vlan 32

description *** client vlan ***

ip address 172.18.120.39 255.255.255.240

access-group input ALL

no shutdown

interface vlan 33

ip address 172.18.126.132 255.255.255.128

access-group input ALL

no shutdown

interface vlan 111

description *** server vlan ***

ip address 172.18.111.4 255.255.255.0

service-policy input permit_icmp_policy

service-policy input remote_mgmt_allow_policy

no shutdown

interface vlan 121

description *** Management Vlan ***

ip address 172.18.121.14 255.255.255.0

peer ip address 172.18.121.15 255.255.255.0

access-group input ALL

service-policy input remote_mgmt_allow_policy

no shutdown

interface vlan 32

description *** client vlan ***

peer ip address 172.18.120.39 255.255.255.240

access-group input ALL

no shutdown

interface vlan 33

peer ip address 172.18.126.132 255.255.255.128

access-group input ALL

no shutdown

interface vlan 111

description *** server vlan ***

peer ip address 172.18.111.4 255.255.255.0

service-policy input permit_icmp_policy

service-policy input remote_mgmt_allow_policy

no shutdown

interface vlan 121

description *** Management Vlan ***

ip address 172.18.121.15 255.255.255.0

peer ip address 172.18.121.14 255.255.255.0

access-group input ALL

service-policy input remote_mgmt_allow_policy

no shutdown

Now, how will these Vlan interfaces will shift to secondary ace?

Thanks and Regards

Akhil

akhil.abrol · ‎08-19-2009

Anybody there to help?

Thanks in advance..

litrenta · ‎08-19-2009

The problem is that you do not have bith ip's configured. You need to congure 2 ip's (ip and peer ip on interface)

when you are in the naormal mystate active and peer state standby hot, on the active ace you need to configure (on example you need to do this on all)(assume standby will have 131

interface vlan 33

ip address 172.18.126.132 255.255.255.128

peer ip address 172.18.126.131 255.255.255.128

255.255.255.128

access-group input ALL

no shutdown

this will then get sync'd to standby and you will see these addresses reversed on standby config.

currently with only ip assigned on active it gets written as peer ip to standby so when you switch the standby has no ip address.

akhil.abrol · ‎08-21-2009

I got it. But then if the failover will happen, the IPs will get changed and the servers with the default route towards ACE will stop working. For that do i have to assign Alias IP in the Vlan interface? Which will float to secondary after the failover? And the gateway of servers will remain alive.

Thanks

Akhil