Cisco Application :: 3750 - FT Failover Not Working
May 1, 2012
We have 2 ACEs configured as Active/Standby. FT vlan is configured directly using a crossover cable , not using a switch for the FT vlan.ACE is setup in routed mode ,vlan 29 is client vlan and 28 is server vlan ,both are being trunked on ACE-- trunk 3750 switch.
When I shutdown the port on 3750 for the primary ACE , data connectivity wise ,primary ACE is down ,but the secondary is not taking over ,and also when I do sh ft group status on the secondary ACE,I see the status of STANDBY_HOT and the peer state: ACTIVE.
View 5 Replies
ADVERTISEMENT
Sep 15, 2011
I have a tcp socket server application. Some of my clients are asking if I can provide server redundancy for my tcp service for HA purpose. I know it can be done using Windows NLB but the cost of the Enterprise edition is beyond the budget of most of my clients. DNS failover is also out since it will involve fiddling with the DNS server. I'm would prefer to setup a simple solution in which I check the status of the primary server and then if the primary is down, change the ip address of the secondary to the primary so that the service remains available. This sounds simplistic, and besides different clients use different networks, e.g. AD, but I'm not a networking guy so I am at my wits' end.
View 2 Replies
View Related
Dec 3, 2011
I have HA configuration for two ACE4710. FT between Ace's is configured as L2 (V LAN). Active ACE is sending heartbeats, but switch shows lot of 'input errors' on ingress and this is a major problem. FT is logically not working (there is no connection between these two Ace's over V LAN). There is only L2 configuration, with speed and duplex auto, no other special configuration. When I connect Ace's directly, FT is working without problem.
I can see lot of errors on input direction (from ACE) to switch port, that means, L1, or L2 problem, but direct connection (using the same Ethernet cable) is working. I tried 'shut/no shut' on both sides, set duplex/speed,... without success.
ACA IOS version is A4(1.x).
View 4 Replies
View Related
Aug 7, 2012
I have 2 CSS, 1 as primary and 2nd as standby. I configured the standby CSS as my old standby CSS box and now wanted to test the faliover. I am not aware of how to test it in. ny how i have cr for that.
View 1 Replies
View Related
Oct 25, 2011
Have a client with one ACE20 and now he needs a second one for redundancy.Since ACE20 is EOL, can I use an ACE30 with an ACE20 as a failover pair?
View 1 Replies
View Related
Nov 14, 2012
We have an ACE 4710 that has two web servers in an active/passive scenario. The issue is that if node 1 fails and node 2 takes over connections to node 2 stay active even if node 1 becomes available again. Is there are way to ensure that node one is not placed back into service if it becomes available again.
how active/passive failover shoudl be configured, so I can make sure I have it set up correctly;
View 5 Replies
View Related
Jun 20, 2011
Since the ACE supports only static routing, when pointing a default route from the ACE what is your preferred method when using multiple 6500s with an ACE in each in a failover scenario to prevent just pointing at one 6500? Static route to an HSRP address? Multiple static routes on the ACE, etc?
View 2 Replies
View Related
Sep 27, 2012
I am planning to perform a failover drill between active and standy CSS loadbalancers which are configured in a cluster pair. I am looking for help to know what show commands I can run to validate that the failover occurred successfully from primary to secondary load balancer and that the VIP's have failed over successfuly as well.
View 1 Replies
View Related
Jul 27, 2010
IP SLA configuration fails over but cannot ping the 4.2.2.2 via Site B. Here is the output on Cisco 3750...
SW2#show runBuilding configuration...
Current configuration : 2901 bytes!version 12.2no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname SW2!boot-start-markerboot-end-marker!!!!no aaa
[Code].....
View 5 Replies
View Related
Jul 16, 2012
Our servers are hosted at the Main site, site office A access to the Main site for Internet and servers. We are thinking NextG to take over when the link between sites goes down.
To start with, what is the configuration for 3750 at Site A and the Main site:
1) Trunking for both switches
2) Routing
3) the automatic failover configuration for the switch at Site A.
View 1 Replies
View Related
Sep 6, 2011
When we had 8.2.2, we bought a Mobile license to make the iPads running AnyConnect happy. I applied it, but since we'd only purchased one license, it broke failover. 8.4 lets you share tracking licenses, and since we were planning on the upgrade to 8.4.x anyway, I figured no big deal, I'll get that straightened out when I do the upgrade.
Did the upgrade this weekend, and I still can't get things happy, the boxes don't see one-another:
Here's a show failover on the primary:
Failover OnFailover unit PrimaryFailover LAN Interface: failover GigabitEthernet0/3 (up)Unit Poll frequency 1 seconds, holdtime 15 seconds Interface Poll frequency 5 seconds, holdtime 25 seconds Interface Policy 1Monitored Interfaces 6 of 160
[Code].....
View 3 Replies
View Related
Mar 24, 2011
Below is the config has done on my 881g but the dual NAT failover is not working.I have a easy vpn over NAT (easy vpn firewall: 10.10.10.2 behind the router).
1. After completed the config, I shut down the FastEthernet4, cleared the nat translations, found that nat translations are happening on to Cellular0 with error ( Incomplete ESP translations: 0 esp_conn=0x85A91FF0, hanging off nat entry 0x85A7D1D0)But still the easy vpn is not up as I am not able to ping the remote devices.
2. If I reboot the router then the nat translations are happening with no above error and easy vpn is up and I am able to ping the remote servers. Below is the config, what needs to be done to achieve the NAT failover and easy VPN up.
interface FastEthernet4 bandwidth 2048 ip address 206.206.206.2 255.255.255.240 ip flow ingress ip nat outside ip virtual-reassembly duplex auto speed auto interface Cellular0 ip address negotiated ip nat outside ip virtual-reassembly encapsulation ppp dialer in-band dialer string gsm dialer-group 1 async mode interactive ppp chap hostname. [code]
View 5 Replies
View Related
Jul 11, 2012
If we switch from primary to secondary firewall the interfaces on the secondary go to state waitung than to failed. after awhile the secondary gives the control to the primary.
it seem that traffic passes the secondary firewall during this short failover time . we have several context created on the firewall, Switch Ports checked , cabeling check everythink checked
blackhole Interface inside (10.255.102.134): Normal (Waiting)
blackhole Interface shared (10.255.102.134): Normal (Waiting)
blackhole Interface inside (10.255.102.133): Failed (Waiting)
blackhole Interface shared (10.255.102.133): Normal
blackhole Interface inside (10.255.102.133): Normal (Waiting)
blackhole Interface shared (10.255.102.133): Normal
View 5 Replies
View Related
Jun 23, 2011
I have ASA 5510 connected as shown in attached diagram.Ideally when ASA 1 is active and if I boot Switch-1, ASA-2 shood take over. But that is not happening.When I boot SW1 , ASA-2 shows "Failover LAN Interface: failover Ethernet0/0 (Failed - No Switchover)" and remains standby.Fail over works properly If ASA-1 boots.
View 7 Replies
View Related
Nov 8, 2011
I am running 4.2.1a and my topology is one subnet only so using one-arm thereby management svi, VIP, ft interface, and host server are all on same subnet.
With above scenario, is the ACE 4710 HA support on 3750 stack?
On 3750, I use port channel 10. Likwise channel 10 is config on both ACE and HA WILL NOT WORK
On 3750, I then use port channel 10 and 11. Thereby, channel 10 is on primary ACE and channel 11 on standby ACE and it works but with following observation:
- standby ACE is configured channel 11 and it syncs up but replace 11 with channel 10 then shutdown 10 and all interface has "channel-mode 11" removed. I have to put "channel-mode 10" on each interface instead of 11 and then unshut the "inter port-channel 10" - then add "ft-port vlan xxx" to get it to work
- standby ACE has "switch/admin" default hostname but I expect after sync that it would have the hostname I defined "ACE-COLO/Admin" instead
Looking for other discrepency as this is my lab environment before I implement into production as to decrease downtime.
View 3 Replies
View Related
Feb 12, 2012
Turned up a new colo service last week using some PIX 515E firewalls and two Cat 2950 series switches. I have attached a diagram of the layout which I have used elsewhere with good success. Basically I have two switches connected together via port channel (2 ports). The colo facility gives me two HSRP enabled links, of which I plug one into switch A and the other in switch B. The PIxes are a failover pair with the primary plugged into the same switch A as the primary HSRP link.The backup PIX is plugged into the backup switch where the backup HSRP link is. When I unplug the primary HSRP link the PIX can ping the HSRP gateway still, but nothing beyond that. Nothing gets it to work until I plug the link back in.
The only thing I could see that might cause an issue is the 'ip verify reverse-path' command on the PIXes. But even the switches cannot ping out beyond the HSRP gateway. Just seems like all inbound routing stops. I am not sure what the colo facility has going on their side but it seems like they are using just some Cisco 6509s and doing HSRP between them. Seems pretty simple but so far this is proving un-usable as is.
The PIX BTW just uses a default route to the HSRP gateway.
View 3 Replies
View Related
Mar 12, 2012
clients ---asa--3750--cisco ace--- servers behind vip
|
visa card transaction servers
I am able to setup a vip on ace using routing mode on ACE,as the servers need to see the client ip ,so we are not performing SNAT,this part is working fine.
when a request comes from the client ,it goes to the vip and to one of the backend servers ,and the request will be forwaded back to the ace ,as the default gateway on the servers is pointing to the server vlan on ace.
but if the transaction from the servers need to go to the visa card transaction servers ,how can we acheive this ,and after fetching the data from visa servers,does the reply will be fwd to the ACE or ASAs directly.
View 2 Replies
View Related
Feb 28, 2012
I am trying to setup ACE in bridge mode. Network topology is as follows:
1. ACE Gi 1/2 (client-side vlan) is connected to 3750 (vlan 40)
2. ACE Gi 1/3 (server-side vlan) is connected to 3750 (vlan 50)
3. Two real servers are connected to 3750 (vlan 50)
4. One client device (linux box) is connected to 3750 (vlan 40)
I am not using admin context. I have created a new one for user. I am unable to ping VIP (10.10.50.15) either from client linux box or from within ACE.
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http PROBE_CGNMS_WEB
port 80
interval 15
passdetect interval 60
[code]....
View 6 Replies
View Related
Apr 20, 2011
I have Cisco ACS 4.2 since few days users can not change their password, what could be the issue? Even after resetting the password I got error.
View 3 Replies
View Related
May 17, 2011
My setup is :
Source--- Router 1 ( ip 1.1.1.1) --ACE---router---cloud---customer---router--destination( ip 99.99.99.99).
Traceroute from client to destination shows the following:
traceroute 99.99.99.99
traceroute to 99.99.99.99 (99.99.99.99), 30 hops max, 40 byte packets
1 1.1.1.1 (1.1.1.1) 1.10 ms 1.78 ms
2 99.99.99.99 (99.99.99.99) 1.01 ms 1.97 ms 2.511 ms
3 99.99.99.99 (99.99.99.99) 2.01 ms * 99.99.99.99 (99.99.99.99) 2.330 ms
[code]....
So on this, the destination is 99.99.99.99.The first hop is the default gateway, which is 1.1.1.1.After that, the next step is the Cisco ACE.After that there are several hops to the destination.Looks like for some reason the Cisco ACE is not recording his ip.( For any destination traceroute result is the saame.ICMP is allowed in the access list and also ther is ICMP inspect in my config. access-list ICMP line 10 extended permit icmp any
class-map type management match-any abc
201 match protocol ssh source-address X.X.0.0 x.x.0.0
class-map match-all ICMP_allow
2 match access-list ICMP
[code]....
Version running on ACE is Version A2(3.3)
View 1 Replies
View Related
Jul 1, 2011
I configured cisco ace 4710 with ssl-proxy and it is not working,url..When i put https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so i click in "Continue to this website (not recommended)" and the ace dont balance the output show error "Internet Explorer cannot display the webpage". [code]
View 2 Replies
View Related
Jun 1, 2011
We have Cisco ACE 4710 in our network.system image file: (hd0,1)/c4710ace-mz.A3_2_0.bin Device Manager version 1.1 (0) 20080805:0415
We are not able to connect to the device through HTTPS (GUI) , it used to work before. When we try access the GUI, it asks for user name and password.After that it shows blank screen.
View 2 Replies
View Related
Jun 16, 2011
I have ACE 4710 in context mode. I am doing internet browsing (Port 80) redirection to two proxy servers (Transparent Proxy) as well as I am using this ACE box for multiple other servers load balancing.
I have multiple policies applied on my LAN interface (VLAN 300) where all the users and servers are connected.
Now I am facing problem with one application (PLATTS) which is oil company related application. This application is working fine while directly connected with Internet (extrenal internet connection) or by giving explicit proxy in the user browser.
But In transparent proxy This application is not working and my company policy only allow the transparent proxy not explicit proxy.
Now if on my interface vlan 300 i will remove the service-policy input PM_MAIN_BCPROXY my application will start working but i cant redirect the port 80 traffic to my proxy servers which is also my requirement.
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
[Code]....
This application use multiple destinations for connectivity and I have even tried by passing the destination IP addresses by making bypass policy but still no luck.
I want this application to work as well as redirection of port 80. I even try re-ordering the policy sequence but no luck. this application to work as well as redirectino of port 80 for Internet.
View 4 Replies
View Related
Mar 31, 2013
implementation of the cisco CSS 11501 boxes available as spare on our site into production for an application evry thing worked as expected. i was able to telnet the active/master box and was able to console both master and backup box from the console port.however a week post the activity im faced with this weird problem where im not able to take console or the telnet access of my primary/active box.The boxes are working in BOX-to-BOX redundancy and now im not able to telnet or console my active/master box. The telnet and console window prompts me for username and password and after entering the credentials nothing happens. no prompt or no error message is displayed.
The telnet primary authentication is via tacacs and secondary is via local. however for console im not using any method for primay authentication and local for secondary authentication. however i can successfully console my backup box. below are my obsrvations 1. the left and right status LED on the active CSS box is OFF.- it means my CSS 11501 failed and has no power. 2. upon firing the rcmd command with show line command on backup box i see that the telnet sessions and console session is established with the master box3. the redundancy state of the active box says it is master and has not changed state since my last activity, no application issue reported, all the services are active on the active box and also i can ping the active box ip address from my backup box over which box to box redundancy is established. This confirms the active box is functioning well 4. i initially thought the telnet sessions are not getting cleared, however the show line cmd with the rcmd cmd on the backup box confirms this is not happening. now im stuck as the active box cannot be accessed at all via console or telnet. i was thinking of below steps to be carried out.1. to failover the boxes and make the backup as master2. then try to take the faulty box off the network and troubleshoot (are there any other commands that i should use to troubleshoot)3. if nothing works try rebooting the box and check
NOTE: the software running is version 7.20.30.3 with standard feature set. we are not using cvdm or the CSS GUI. we could access the css initially on CSS gui and that is also not working now.
View 1 Replies
View Related
Feb 1, 2012
I have a requirement to load balance OWA 2010 inbound connectivity to 2 CAS servers using a ACE 4710 with sticky sessions enabled.
The CAS servers are currently responding on 80 or 443 at this moment in time. Eventually I want to off load the SSL to the ACE 4710, its currently running on the CAS servers. I need to enable sticky sessions to keep the session to the same CAS server for each internet based connection. I also have a proxy enabled for inbound connectivity so I cannot use source IP.
Here is my configuration but it doesn’t seem to be working, i am currently testing with port 80 connections not SSL.
serverfarm host INHOUSE-EXCHANGE-OWA-vFARM
predictor response app-req-to-resp samples 4
probe 443
probe HTTP-PROBE
rserver INHOUSE-TEST-CAS01-SVR
inservice(code)
View 12 Replies
View Related
Jan 20, 2012
I have a CSS 11503 with a basic content rule for TCP 10000 going to a few backend servers. I was looking into the default timeout values for flows and when testing using telnet the flow didn't terminate as expected?
For example, i have no 'timeout multiplier' specified in the config and when i look at the output of 'show flow-timeout default' it tells me the default 16 seconds timeout is in effect for *. With that in mind, i telnet to the content rule vip on TCP 10000 and on the backend server using wireshark i can see the TCP threeway handshake. With no data passing i'd expect the CSS to terminate this flow after 16 seconds.. yet it takes exactly 128 seconds before wireshark shows the RST and the flow is terminated. 128 being 8 times the default 16 second flow timeout.
If i try to force the connection to close early by specifiying 'flow-timeout-multiplier 2' in the content rule, or even a multiplier of 40, it still waits 128 seconds to close the telnet connection.
View 1 Replies
View Related
Jun 2, 2011
In change network topology, we are going to assign PC's Gateway as Switch (3750X) IP Address rather than server IP Address. Currently we have configured all Sytems's Gateway is Internet Server IP Address which we are going to replace with Switch IP as Gateway.Issue is while connecting specific application like team viewer in which application tried to send keepalive message to the live server and in case of switch/router IP as gateway. Connection doesn't established. However it is working fine when Internet Server IP treated as gateway.
View 1 Replies
View Related
Jun 29, 2011
Belkin Setup / Router monitor application has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.
View 1 Replies
View Related
Aug 15, 2011
I am into creating a new VLAN, what I have missed in the setup / configuration. I have multiple Cisco switches, the VLAN is configured on a 3750. My attempt was to place the VLAN on one port (as concept) and work from there - - so it is on 2-02 of my main Cisco stack. The new VLAN is 220 - Printer. My present IP scope is 192.168.200.x - running out of addresses - trying to add 192.168.220.x. on VLAN 220 to relieve some pressure - -- Most I can do is ping the VLAN IP - 192.168.220.1 and that resolves - - but if I attach a networked device with a 192.168.220.x address - - cannot get there..
Here is the switch info...
version 12.2
parser config cache interface
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
[code]....
View 6 Replies
View Related
Nov 12, 2012
In change network topology, we are going to assign PC's Gateway as Switch (3750X) IP Address rather than server IP Address. Currently we have configured all Sytems's Gateway is Internet Server IP Address which we are going to replace with Switch IP as Gateway. [code]
Issue is while connecting specific application like team viewer in which application tried to send keep alive message to the live server and in case of switch/router IP as gateway. Connection doesn't established. However it is working fine when Internet Server IP treated as gateway.
View 33 Replies
View Related
Sep 11, 2012
We have a pair of CSS 11503 installed in our DC. Stickiness is configured for one of the application since long back and was working pretty fine till last couple of months. Since last two months, we observed that CSS is not distributing sessions the way it suppose to be. Mostly, it forwards the session to same server even though request is coming from different sources. Once we refresh the sessions manually, it starts working fine. We have to do this exercise manually every alternate day.
View 1 Replies
View Related
May 2, 2012
I want to police the traffic coming from host 10.0.0.10 that is connected to another switch via port-channel interface the port-channel have interfaces G2/049 and G2/0/50 , i have applied below config to the SVI 112 but this is not working, as the host is still able to go beyond the policed rate also in the "sh policy-map interface vlan 112" command everything is showing 0(zero).
class-map match-all CM_FTP_PORT_49
match input-interface GigabitEthernet2/0/49
class-map match-all CM_FTP_PORT_50
[Code]......
View 4 Replies
View Related
May 17, 2011
i have a stack of 3750 (WS-C3750G-24TS-1U with IOS 12.2(53)SE2).
This is the conf I have:
!
class-map match-all DC_SC-to-DC_UW
match access-group 100
[Code].....
View 4 Replies
View Related
