Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3758
Views
0
Helpful
20
Replies

ACE same old thing cant ping VIP

dlance
Level 1
Level 1

‎08-17-2012 11:11 AM

here is config

we are trying to load balance non standard ports

rservers and vserver all show as up

but vip can not be pinged and no connections flow

logging enable

logging timestamp

logging buffered 3

resource-class RC1

  limit-resource all minimum 0.00 maximum unlimited

  limit-resource sticky minimum 10.00 maximum unlimited

boot system image:c4710ace-t1k9-mz.A5_1_2.bin

login timeout 60

interface gigabitEthernet 1/1

  switchport access vlan 1000

  no shutdown

interface gigabitEthernet 1/2

  switchport access vlan 1001

  no shutdown

interface gigabitEthernet 1/3

  ft-port vlan 100

  no shutdown

interface gigabitEthernet 1/4

  shutdown

clock timezone standard EST

clock summer-time standard EDT

context Admin

  member RC1

ntp server 208.44.49.1

access-list ALL line 8 extended permit ip any any

access-list ALL line 9 extended permit icmp any any

probe http ghh-http

  port 8888

  interval 5

  passdetect interval 5

  request method head url /ProbeTrigger/probetrigger.htm

  expect status 200 200

  connection term forced

probe icmp ghh-icmp

  interval 5

  passdetect interval 5

rserver host ghh-1

  ip address 172.16.2.137

  conn-limit max 4000000 min 4000000

  inservice

rserver host ghh-2

  ip address 172.16.2.138

  conn-limit max 4000000 min 4000000

  inservice

rserver host ghh-3

  ip address 172.16.2.139

rserver host ghh-4

  ip address 172.16.2.140

rserver host ghh-5

  ip address 172.16.2.142

rserver host ghh-6

  ip address 172.16.2.143

rserver host ghh-7

  ip address 172.16.2.144

rserver host ghh-8

  ip address 172.16.2.145

serverfarm host ghh

  predictor leastconns

  probe ghh-icmp

  rserver ghh-1 30037

    inservice

  rserver ghh-2 30038

    inservice

  rserver ghh-3 30039

  rserver ghh-4 30040

  rserver ghh-5 30042

  rserver ghh-6 30043

  rserver ghh-7 30044

  rserver ghh-8 30045

parameter-map type http CASE_PARAM

  case-insensitive

  persistence-rebalance

parameter-map type generic case_generic

  case-insensitive

class-map type management match-any TO-CP-POLICY

  2 match protocol icmp any

  3 match protocol telnet any

  4 match protocol snmp any

  5 match protocol ssh any

class-map match-all ghh_CLASS

  2 match virtual-address 172.16.2.225 any

class-map type generic match-any ghh_generic

class-map type http loadbalance match-any ghh_http

  2 match http url [.]*

class-map type management match-any remote_access

  2 match protocol xml-https any

  3 match protocol icmp any

  4 match protocol telnet any

  5 match protocol ssh any

  6 match protocol http any

  7 match protocol https any

  8 match protocol snmp any

policy-map type management first-match TO-CP-POLICY

  class TO-CP-POLICY

    permit

policy-map type management first-match remote_mgmt_allow_policy

  class remote_access

    permit

policy-map type loadbalance generic first-match ghh_POLICY

  class class-default

    serverfarm ghh

policy-map multi-match ghhpolicy

  class ghh_CLASS

    loadbalance vip inservice

    loadbalance policy ghh_POLICY

    loadbalance vip icmp-reply

    appl-parameter generic advanced-options case_generic

service-policy input TO-CP-POLICY

interface vlan 1000

  bridge-group 15

  access-group input ALL

  service-policy input remote_mgmt_allow_policy

  service-policy input ghhpolicy

  no shutdown

interface vlan 1001

  bridge-group 15

  access-group input ALL

  service-policy input remote_mgmt_allow_policy

  service-policy input ghhpolicy

  no shutdown

interface bvi 15

  ip address 172.16.1.202 255.255.0.0

  peer ip address 172.16.1.203 255.255.0.0

  no shutdown

ft interface vlan 100

  ip address 192.168.10.11 255.255.255.0

  peer ip address 192.168.10.12 255.255.255.0

  no shutdown

ft peer 1

  heartbeat interval 300

  heartbeat count 20

  ft-interface vlan 100

ft group 1

  peer 1

  priority 200

  associate-context Admin

  inservice

ft track interface track_vlan1000

  track-interface vlan 1000

  peer track-interface vlan 1000

  priority 200

  peer priority 100

ip route 0.0.0.0 0.0.0.0 172.16.1.2

Labels:
0 Helpful
20 Replies 20

dlance
Level 1
Level 1
In response to sivaksiv

‎08-22-2012 08:19 AM

More information and the question of what was changed in 5.x software from 3.x software

first is new lb with 5.x software

note it thinks it trunking to another vlan which doesnt exist in our network

vlan1010 is up, VLAN up on the physical port

  Hardware type is VLAN

  MAC address is e8:9a:8f:b2:94:b3

  Virtual MAC address is 00:0b:fc:fe:1b:01

  Mode : transparent

  Bridge group number: 20

  FT status is active

  Description:not set

  MTU: 1500 bytes

  Last cleared: never

  Last Changed: Tue Aug 21 08:03:57 2012

  No of transitions: 3

  Alias IP address not set

  Peer IP address not set

  Assigned on the physical port, up on the physical port

  Previous State: Tue Aug 21 08:03:18 2012, VLAN not up on the physical port

  Previous State: Tue Aug 21 07:48:36 2012, BVI up

this is from our other ACE with 3.x software

vlan1000 is up, BVI configured

  Hardware type is VLAN

  MAC address is 00:1b:24:3d:b3:66

  Virtual MAC address is 00:0b:fc:fe:1b:01

  Mode : transparent

  Bridge group number: 15

  FT status is active

  Description:not set

  MTU: 1500 bytes

  Last cleared: never

  Last Changed: Sun Jun 17 03:30:02 2012

  No of transitions: 1

  Alias IP address not set

  Peer IP address not set

  Assigned on the physical port, up on the physical port

0 Helpful

Jorge Bejarano
Level 4
Level 4
In response to dlance

‎08-22-2012 06:54 PM

Hi,

You got configuration seems to be have redundancy, then I assume that your design is indeed like this, correct?

FIREWALL (gateway)

     |

SWITCH

     |

ACE1/ACE2

     |

SWITCH with web servers

     |

(ACE3/ACE4)

     |

SWITCH with search servers

I assume you are working on ACE1/ACE2, right?

You may consider to apply these changes:

-------------------------------------------

interface gigabitEthernet 1/1

   switchport trunk allowed vlan 1010,1011

  no shutdown

interface gigabitEthernet 1/2

  switchport trunk allowed vlan 1010,1011

  no shutdown

interface bvi 20

  description Client and server bridge group 20

  ip address 172.16.1.202 255.255.0.0

  peer ip address 172.16.1.203 255.255.0.0

  no shutdown

interface vlan 1010

  mac-sticky enable

  mac-address autogenerate

  bridge-group 20

  access-group input ALL

  service-policy input remote_mgmt_allow_policy

  no shutdown

interface vlan 1011

  mac-sticky enable

  mac-address autogenerate

  bridge-group 20

  access-group input ALL

  service-policy input remote_mgmt_allow_policy

  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.1.X

0 Helpful

dlance
Level 1
Level 1
In response to Jorge Bejarano

‎08-23-2012 05:14 AM

Yes its a FT group. and the FT group seems to work fine.

I have opened a TAC case.

Dave

0 Helpful

Jorge Bejarano
Level 4
Level 4
In response to dlance

‎08-29-2012 05:50 AM

Hello Dave,

In general when you have a topology like with 2 groups of ACEs not related, it is recommended to try to have different ft group number for each one.

FIREWALL (gateway)

     |

SWITCH

     |

ACE1/ACE2

     |

SWITCH with web servers

     |

(ACE3/ACE4)

     |

SWITCH with search servers

I am happy the issue is fixed now

Jorge

0 Helpful

dlance
Level 1
Level 1
In response to Jorge Bejarano

‎08-29-2012 06:00 AM

Yes changing the group ID fixed the problem

Dave

0 Helpful

Jorge Bejarano
Level 4
Level 4
In response to dlance

‎08-29-2012 07:26 PM

Yep

0 Helpful
Customers Also Viewed These Support Documents