Solved: Re: ACE 4710 failover problem in routed mode

g.eleftheriou · ‎01-14-2010

Hi People
We have the following configuration
FireWall1 --vlan70 SwitchA -- ACE1 --vlan31--SWA-SWC - Server (with two cards)
FireWall2 --vlan70 SwitchB -- ACE2 --vlan31 -SWB-SWD /

SWA and SWB are connected via trunk

When ACE1 fails, ACE2 becomes active, but FW1 cannot talk to ACE alias ip anymore

FW1 has as GW the alias ip of vlan 70
and Servers have as gw the alias ip of vlan 31

the state of ACE2 is hot standby
on ACE2 we also get a continous error in the logs, although we can ping the server and telnet to that port from ace2:
"Health probe failed for server X.X.X.X on port 7793, internal error: failed to setup a socket"

config is as follows:
interface vlan 31
ip address 10.55.250.12 255.255.255.240
ip options allow
alias 10.55.250.14 255.255.255.240
peer ip address 10.55.250.13 255.255.255.240
no normalization
no icmp-guard
access-group input permit_all
no shutdown
interface vlan 70
ip address 10.56.251.33 255.255.255.240
ip options allow
alias 10.56.251.34 255.255.255.240
peer ip address 10.56.251.35 255.255.255.240
no normalization
access-group input permit_all
service-policy input int70
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown

the config is successfully replicated on secondary

Peter Koltl · ‎01-14-2010

FT switchover occurs if 'Net priority' of the active ACE falls below that of the standby. For any decrement, you need to define an FT track: host or VLAN interface. For example:

ft track interface tr950

track-interface vlan 950

peer track-interface vlan 950

priority 30

peer priority 30

(30 is the decrement.) A VLAN interface goes down if the corresponding physical interface goes down or you disallow that VLAN from the trunk on the switch.

View solution in original post

Peter Koltl · ‎01-14-2010

Switch to ACE2 active. Check ARP tables on ACE1, ACE2, FW1. Check CAM tables in SwitchA, SwitchB. But probably, you have to repair ACE2 first. Please test ICMP and TCP (telnet, ssh etc.) between ACE2 and servers, ACE2 and FW1... Internal error might indicate some resource or TCP/IP stack problem. Reboot?

g.eleftheriou · ‎01-14-2010

i just saw that the internal error was an old message and does not appear now.

I will have to retest the failover.

how many interfaces do they have to fail for switchover?

Peter Koltl · ‎01-14-2010

FT switchover occurs if 'Net priority' of the active ACE falls below that of the standby. For any decrement, you need to define an FT track: host or VLAN interface. For example:

ft track interface tr950

track-interface vlan 950

peer track-interface vlan 950

priority 30

peer priority 30

(30 is the decrement.) A VLAN interface goes down if the corresponding physical interface goes down or you disallow that VLAN from the trunk on the switch.

g.eleftheriou · ‎01-14-2010

Peter thanks for that, I didn't know it.

What about the "query-interface vlan" under ft configuration?

For instance

ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 104
query-interface vlan 1000

will the standby become active if vlan 1000 fails?

Peter Koltl · ‎01-14-2010

Forget it (unless your tests show it is useful). Mine didn't.

You can read about in in the documentation, but you'd better test it.

ACE's won't switch over if Query VLAN fails.

dario.didio · ‎01-14-2010

Hi,

the purpose of the query vlan command is to have a second check in case the FT vlan fails.

If both ACEs are up and running, but something happens to the FT vlan (cabling problem for instance) the ACE will ping the IP Address of the other ACE for the configured interface in the query vlan command.

If he receives a response, he knows something is wrong with the FT vlan but the other ACE is still alive. This prevents the secondary to become primary and causing both ACEs to become active.

HTH,

Dario

g.eleftheriou · ‎01-14-2010

problem solved by adding ft track interface v

lan

thanks to all who responded.