Desperately looking for some help here and thanks in advance for reading.
I have been migrating a lot of serverfarms from the CSM to an ACE environment successfully so far and now I am at the last step where I am migrating a serverfarm from a CSM environment to an ACE environment to a dedicated context.
The real servers RSERVER1 and RSERVER2 are behind the routers R1 and R2 respectively.
During the migration we move Fa1/0 from both R1 to the VSS as shown by the dotted lines in the diagram.
We killed server vlan 32 and client vlan 33 on both CSM and SW1, SW2 (redundant CSM and ACE not shown on diagram).
Activated vlan 32 and 33 on ACE and SW3 etc...
The show serverfarm detail shows operational and then changes to probe-failed intermittently. Ping towards the Rservers works fine from ACE.
I changed the probe from telnet to icmp and got the same results (operational, then failed probe, then operational, etc...)
The ARP cache from R1 and R2 point to the ACE.
Note that there is also PBR on R1 and R2 to ensure that traffic flows back to ACE.
The probe disconnect error is
"Server reply timeout"
But how come on CSM it works fine? Is there something that needs to be added on the ACE config?
Here is an edited config and drawing
access-list ACL1 line 10 extended permit ip any any
access-list ACL1 line 15 extended permit icmp any any
probe telnet TN3270
  passdetect interval 30
parameter-map type http REBALANCE
parameter-map type connection TCP_IDLE_8H
  set timeout inactivity 28800
rserver host TN3270_3RDPARTY-SERVER1
  ip address 10.10.20.11
rserver host TN3270_3RDPARTY-SERVER2
  ip address 10.10.24.11
serverfarm host TN3270_3RDPARTY
class-map type management match-any L4_REMOTE-MGT_CLASS
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any
  7 match protocol snmp any
  8 match protocol https any
class-map match-all TN3270_3RDPARTY
  2 match virtual-address 10.20.128.111 tcp any
policy-map type management first-match L4_REMOTE-MGT_POLICY
policy-map type loadbalance first-match TN3270_3RDPARTY-POLICY
It's possible that the telnet probe operates slightly differently between ACE and CSM in terms of how it checks the welcome message. However, if that was an issue, then I would expect it never to work on the ACE. You are really going to have to span vlan 32 across sw3 or sw4 and see what happens when it fails.
This may be a long shot but do you have these vlans configured in any other contexts of the ACE? If so can you run the command "show np 1 interface iflookup" on both the active and standby in the Admin context.
Pay note to the "Hostid: X" value. If both ACE show the same value for X then this is the classic shared vlan problem where both ACE are using the same MAC for the physical interface. Keep in mind that this is only an issue if you have the same vlan in more than one context.
If this is the case you can look at the link below for more details. You would then need to hard set the mac addresses with the commands "shared-vlan-hostid x" "peer shared-vlan-hostid y", values between 1-16.
MR0317-6500-2-ACE-8/Admin# show np 1 interface iflookup
First burnt-in MAC: 00:30:f2:75:79:fb
Last burnt-in MAC: 00:30:f2:75:79:ff
No of burnt-in MACs: 7
Hostid: 0
Shared vlan macs currently in use (offset from 0): 0-15
Vlan-vmac indexes currently in use: 0-4
Flags: Valid shared bridged ftstatus ssl-test normalization icmp-guard switch-mode ftvlan remove-eth-pad no-of-lifs
hostid is 8 on primary and 4 on secondary. VLAN 32 and 33 have been shutdown on the ACE though as everything has been moved back to the CSM.
I also noticed that interface vlan 32 is in the admin context with no ip address and is admin down (this is probably something someone forgot to remove). Another context also has vlan 32 allocated but not defined in the context (that is, no interface vlan 32 and ip address etc.).
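The Hostid comparison suggested in the thread can be scripted when there are many modules to check. The following is an added example, not code from any of the posts: it parses the "Hostid:" line from two captured "show np 1 interface iflookup" outputs and reports a conflict only when a VLAN is also allocated to more than one context. Device names, context names, MAC addresses and the VLAN allocation table are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample: output shaped like the "show np 1 interface iflookup"
# header quoted in this thread. Device names and values are made up.
ACTIVE_OUTPUT = """\
ACE-A/Admin# show np 1 interface iflookup
First burnt-in MAC: 00:00:5e:00:53:10
Last burnt-in MAC: 00:00:5e:00:53:16
No of burnt-in MACs: 7
Hostid: 0
Shared vlan macs currently in use (offset from 0): 0-15
"""
STANDBY_OUTPUT = ACTIVE_OUTPUT.replace("ACE-A", "ACE-B").replace("53:1", "53:2")

# Constructed sample: VLANs allocated to each context (hypothetical names).
CONTEXT_VLANS = {"Admin": [32], "CTX-TN3270": [32, 33], "CTX-OTHER": [40]}

def parse_hostid(output):
    """Return the integer after 'Hostid:' or None if the field is absent."""
    match = re.search(r"^\s*Hostid:\s*(\d+)\s*$", output, re.MULTILINE)
    return int(match.group(1)) if match else None

def shared_vlans(context_vlans):
    """Return {vlan: [contexts]} for VLANs allocated to more than one context."""
    seen = defaultdict(list)
    for context, vlans in context_vlans.items():
        for vlan in set(vlans):
            seen[vlan].append(context)
    return {v: sorted(c) for v, c in seen.items() if len(c) > 1}

def check_shared_vlan_hostid(active_out, standby_out, context_vlans):
    """Apply the check from the reply: same Hostid + a VLAN in >1 context."""
    a, b = parse_hostid(active_out), parse_hostid(standby_out)
    if a is None or b is None:
        return {"status": "unknown", "reason": "Hostid line not found"}
    shared = shared_vlans(context_vlans)
    if a == b and shared:
        status = "conflict"
    elif a == b:
        status = "same-hostid-no-shared-vlan"
    else:
        status = "ok"
    return {"status": status, "hostids": (a, b), "shared_vlans": shared}

if __name__ == "__main__":
    print(check_shared_vlan_hostid(ACTIVE_OUTPUT, STANDBY_OUTPUT, CONTEXT_VLANS))
```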