Solved: HA - ACE20-MOD-K9 - FT Group Config Will Not Synch (SSL)

Dominic Wilkinson · ‎07-19-2012

Hi,

We have a pair of ACE20-MOD-K9 in Fault Tolerant mode. They are running multiple contexts and we have a problem with one particular context which is running SSL off-loading. Despite the config being identical on both (accept for the peer addresses obviously) and both having the same SSL Key and Cert files loaded on both, the configuration will not sync between them.

Here is the outputs from both:

XXXX-DC2-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group brief

FT Group ID: 8 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_COLD

Context Name: XXXXX-CISCO-QUAD-SERVICES Context Id: 2 Running Cfg Sync Status: Successful

XXXX-DC1-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group brief

FT Group ID: 8 My State:FSM_FT_STATE_STANDBY_COLD Peer State:FSM_FT_STATE_ACTIVE

Context Name: XXXXX-CISCO-QUAD-SERVICES Context Id: 11 Running Cfg Sync Status: Successful

XXXX-DC2-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group stat

FT Group : 8

Configured Status : in-service

Maintenance mode : MAINT_MODE_OFF

My State : FSM_FT_STATE_ACTIVE

Peer State : FSM_FT_STATE_STANDBY_COLD

Peer Id : 1

No. of Contexts : 1

Running cfg sync status : Peer in Cold State. Incremental Sync Failure: SSL Keyfile does not exist

Startup cfg sync status : Peer in Cold State. Incremental Sync Failure: SSL Keyfile does not exist

XXXX-DC1-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group stat

FT Group : 8

Configured Status : in-service

Maintenance mode : MAINT_MODE_OFF

My State : FSM_FT_STATE_STANDBY_COLD

Peer State : FSM_FT_STATE_ACTIVE

Peer Id : 1

No. of Contexts : 1

Running cfg sync status : Incremental Sync Failure: SSL Keyfile does not exist

Startup cfg sync status : Incremental Sync Failure: SSL Keyfile does not exist

XXXX-DC2-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh crypto file

Filename File File Expor Key/

Size Type table Cert

-----------------------------------------------------------------------

fn42604_cert.pem 1850 PEM Yes CERT

fn42604_privatekey.pem 1679 PEM Yes KEY

quad2.pem 1675 PEM Yes KEY

quad2_cer.pem 2582 PEM Yes CERT

quad_prod_abbrv 1675 PEM Yes KEY

quad_prod_abbrv_cer.pem 2556 PEM Yes CERT

quad_prod_fqdn 1675 PEM Yes KEY

quad_prod_fqdn_cer.pem 2578 PEM Yes CERT

XXXX-DC1-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh crypto file

Filename File File Expor Key/

Size Type table Cert

-----------------------------------------------------------------------

fn42604_cert.pem 1850 PEM Yes CERT

fn42604_privatekey.pem 1679 PEM Yes KEY

quad2.pem 1675 PEM Yes KEY

quad2_cer.pem 2582 PEM Yes CERT

quad_prod_abbrv 1675 PEM Yes KEY

quad_prod_abbrv_cer.pem 2556 PEM Yes CERT

quad_prod_fqdn 1675 PEM Yes KEY

quad_prod_fqdn_cer.pem 2578 PEM Yes CERT

All the Crypto files are identical as I copied them from one ACE to the other.

Can anyone shed any light on why this context is not syncing its configuration?

Thanks,

Dom Wilkinson

sivaksiv · ‎07-19-2012

Hi,

Can you restart autosync and see if it fixes the issue,

no ft auto-sync startup-config
no ft auto-sync running-config

ft auto-sync startup-config
ft auto-sync running-config

Regards,
Siva

View solution in original post

sivaksiv · ‎07-19-2012

Hi,

Can you restart autosync and see if it fixes the issue,

no ft auto-sync startup-config
no ft auto-sync running-config

ft auto-sync startup-config
ft auto-sync running-config

Regards,
Siva

Dominic Wilkinson · ‎07-19-2012

Hi Siva,

Thanks for that! That fixed the problem.

I'll remember that one in future!

Cheers,

Dom.