We have an ACE20 and have set it up to balance 4 Containers on an Oracle Application Server. Every time we stop all Containers at the same time for longer than an hour, it takes forever (hours) until the Load Balancer starts balancing the Containers again. I can see that the ACE Module is checking the Containers in the Apache Logfiles on the Application Server and gets a 200, but still we can't access the Application for a few hours. If I connect directly to the Container it also works fine... just the ACE does not work. Like it has a timeout and is waiting.
Any idea how to give it a kick?
While accessing the Application I can see that it connects, but nothing happens...
sh conn detail

total current connections : 2

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
68155      2  in  TCP   191  10.200.101.73:35777   10.200.101.64:80      ESTAB
           [ idle time : 00:00:18, byte count : 888 ]
           [ elapsed time: 00:00:18, packet count: 3 ]
68156      2  out TCP   195  10.200.105.33:80      10.200.101.73:35777   INIT
           [ conn in reuse pool : FALSE]
           [ idle time : 00:00:18, byte count : 0 ]
           [ elapsed time: 00:00:18, packet count: 0 ]
I haven't sniffed it yet because the server responds if I don't go over the ACE. I will check it though.
I was thinking it could have a problem with the firewall. It's weird that if I leave it overnight it normally works in the morning. Just don't understand why. If it would never work, it would make it easier to find the problem.
So I got a chance to trace everything with Ethereal, on both the Servers.
It looks like the frontend server (mato) sends the request to the ACE, and the ACE forwards the request to the application server (mapp). The packet the application server is getting states that it comes from the frontend server (mato). The application server (mapp) tries to answer back to the frontend server (mato) instead of to the ACE Loadbalancer and gets dropped by the firewall.
Any idea why the application server answers to the frontend server and not to the ACE server? Or am I reading it wrong?
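As an added example (not part of the original posts and not Cisco tooling): a short Python script that parses `sh conn detail` output in the layout posted above and flags flows where the client-side leg is ESTAB while the server-side leg is still INIT with zero packets, which is the pattern in that output. Pairing the two legs by the client endpoint, and all function names, are assumptions of this sketch.

```python
import re

# Constructed sample: the two connection legs from the "sh conn detail" output above.
SAMPLE = """\
68155 2 in TCP 191 10.200.101.73:35777 10.200.101.64:80 ESTAB
[ idle time : 00:00:18, byte count : 888 ]
[ elapsed time: 00:00:18, packet count: 3 ]
68156 2 out TCP 195 10.200.105.33:80 10.200.101.73:35777 INIT
[ conn in reuse pool : FALSE]
[ idle time : 00:00:18, byte count : 0 ]
[ elapsed time: 00:00:18, packet count: 0 ]
"""

# conn-id, np, dir, proto, vlan, source, destination, state
LEG = re.compile(r"^(\d+)\s+(\d+)\s+(in|out)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
PACKETS = re.compile(r"packet count\s*:\s*(\d+)")

def parse_legs(text):
    """Return one dict per connection leg, with its packet count attached."""
    legs = []
    for line in text.splitlines():
        m = LEG.match(line.strip())
        if m:
            cid, _np, direction, _proto, vlan, src, dst, state = m.groups()
            legs.append({"id": int(cid), "dir": direction, "vlan": int(vlan),
                         "src": src, "dst": dst, "state": state, "packets": None})
            continue
        p = PACKETS.search(line)
        if p and legs:  # detail lines belong to the leg printed just before them
            legs[-1]["packets"] = int(p.group(1))
    return legs

def stalled_flows(legs):
    """Pair each 'in' leg with the 'out' leg whose destination is the same
    client endpoint (assumed pairing), and report pairs where only the
    client side is established and the server side has seen no packets."""
    out_by_client = {leg["dst"]: leg for leg in legs if leg["dir"] == "out"}
    stalled = []
    for leg in legs:
        if leg["dir"] != "in" or leg["state"] != "ESTAB":
            continue
        peer = out_by_client.get(leg["src"])
        if peer and peer["state"] == "INIT" and peer["packets"] == 0:
            stalled.append({"client": leg["src"], "vip": leg["dst"],
                            "rserver": peer["src"], "server_vlan": peer["vlan"]})
    return stalled

if __name__ == "__main__":
    for flow in stalled_flows(parse_legs(SAMPLE)):
        print(flow)
```

In the sample, the server-side leg lists the client's own address as its destination, which matches the trace described above where the application server sees the frontend server as the packet source.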
I'm still having problems with the ACE Loadbalancer. At the moment it doesn't seem to recover after having restarted the Application the last time.
Can someone look at the Config and tell me if they see a mistake in it?
I have three instances: accesst, accesst2 and accesst3. Each instance has 4 Oracle Application Server Containers deployed on 2 different Application Servers. The Site is split between 2 DMZs which are separated by a Firewall. The Cisco ACE has one leg in each vlan (191 and 195). We always had a problem after taking the Application Servers down for Updates that it takes forever until the ACE Server starts balancing again. For the last 4 Days it hasn't started rebalancing yet. As far as I know nothing has changed in the Configuration of the Server or of the ACE. The Firewall Admin said he tried to find a problem, but didn't change anything.
Do I maybe have a mistake in the ACE Config? Am I missing something here?
class-map type http inspect match-any HTTP-INS-VIP
  2 match header Host header-value "accesst.my-site.de"
class-map type http inspect match-any HTTP-INS-VIP-1
  2 match header Host header-value "accesst2.my-site.de"
class-map type http inspect match-any HTTP-INS-VIP-2
  2 match header Host header-value "accesst3.my-site.de"
class-map match-all HTTP-VIP
  2 match virtual-address 10.200.101.64 tcp eq www
class-map match-all HTTP-VIP-1
  2 match virtual-address 10.200.101.68 tcp eq www
class-map match-all HTTP-VIP-2
  2 match virtual-address 10.200.101.69 tcp eq www

policy-map type loadbalance first-match HTTP-SF
  class class-default
    sticky-serverfarm group1
    action LOCATION-RW-VIP
policy-map type loadbalance first-match HTTP-SF-1
  class class-default
    sticky-serverfarm group2
    action LOCATION-RW-VIP-1
policy-map type loadbalance first-match HTTP-SF-2
  class class-default
    sticky-serverfarm group3
    action LOCATION-RW-VIP-2

policy-map type inspect http all-match INS-PM-VIP
  class HTTP-INS-VIP
    permit
policy-map type inspect http all-match INS-PM-VIP-1
  class HTTP-INS-VIP-1
    permit
policy-map type inspect http all-match INS-PM-VIP-2
  class HTTP-INS-VIP-2
    permit

policy-map multi-match SLB-logic
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy HTTP-SF
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options PERSIST-REBALANCE
  class HTTP-VIP-1
    loadbalance vip inservice
    loadbalance policy HTTP-SF-1
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options PERSIST-REBALANCE
  class HTTP-VIP-2
    loadbalance vip inservice
    loadbalance policy HTTP-SF-2
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options PERSIST-REBALANCE

interface vlan 191
  ip address 10.200.101.65 255.255.255.0
  alias 10.200.101.67 255.255.255.0
  peer ip address 10.200.101.66 255.255.255.0
  access-group input anyone
  service-policy input SLB-logic
  no shutdown
interface vlan 195
  ip address 10.200.105.65 255.255.255.0
  alias 10.200.105.63 255.255.255.0
  peer ip address 10.200.105.66 255.255.255.0
  access-group input anyone
  no shutdown