Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3597
Views
0
Helpful
7
Replies

ACE active/standby configuration sync error

Juan Pablo Hidalgo Villacres
Level 1
Level 1

‎01-29-2013 03:54 PM

Hi,

I have a problem with two ACE 4710 working in HA for a context called WAS-PP,

A few months ago i configured ssl on the active ACE but i forgot to copy the certs and key files on the standby ACE, so that was the first problem, right now both ACEs have the cert and key files, but there is no config sync, i have tried with the command "ft auto-sync running-config" and "startup-config", 

the startup-config got sync, and although the configuration is the same on both ACE for the running-config, i got this error on the sh ft group status, on the running-config line.. (for the startup says sync).

>> peer in cold state. Error on standby  device when applying configuration file replicated from active.

So searching for this error i found on the wiki that i must run the command "show ft config-error WAS-PP" from the admin context on the standby ACE, but when i ran it i got this message..

*** Context 1: Config can not been applied fully. Please try again ***

Error(s) while applying config

and that's it, do you know what could i do?,

I haven't reboot the standby ACE... maybe that could be an option..

both ACE runs on the A4(2.0) version.

hope somebody could help me,

regards,

Juan Pablo Hidalgo

Labels:
0 Helpful
7 Replies 7

ajayku2
Cisco Employee
Cisco Employee

‎01-29-2013 10:10 PM

HI,

try using text compare tool such as winmerge and apply the config which is not there on standby. It may be possible that the command may not work but it will throw the error message.

I am suspecting two possibilities:

The cert and keys are not properly imported.

The device file system is full because of following defect :

CSCtx03563

ACE producing huge httpd logs over time when XML is extensively used

Symptom:

ACE A4.2.1 may produce huge httpd logs over  time when XML interface is used. This causes the file system to become  full and messages might appear on the CLI like:

write error: No space left on device

If ACE is reloaded in this state, and user saves the config when prompted this will case ACE to wipe all config.

Workaround:

- Do not save the config on reload

- Contact Cisco TAC to provide a workaround script

regards,

Ajay Kumar

0 Helpful

Juan Pablo Hidalgo Villacres
Level 1
Level 1
In response to ajayku2

‎01-30-2013 06:44 AM

Hi Ajay,

thanks for your response,

I'll compare ACE configurations..

about your sugestions,

I have the same certs and key files on both ACE, the same names and sizes, there is only one difference the nonexportable option is set to NO on the active ACE and YES on the standby ACE... do you think that could be a problem?.. and how could i confirm that the certs are not properly imported??. i tried with the verify command and also on the active ACE the command gave me an error..

i have to tell you that the cert file imported on the standby ACE was really a .crt file, and when i imported i changed the extension to .pem, what do you think?.. (i don't remember how the cert file was imported on the active ACE, and if it was the same cert file).

About the space problem, i'll review if the standby ACE have free space i never saw the error msg that you posted..

thanks for your help,

regards,

Juan Pablo

0 Helpful

ajayku2
Cisco Employee
Cisco Employee
In response to Juan Pablo Hidalgo Villacres

‎01-30-2013 07:03 AM

Hi Juan,

Once you compare the config you will come to know what is missing and why it is missing.

If you see that the missing config is revolving around SSL config then you know for sure it is SSL certs or config.

Ideally if the cert key and server key are imported properly then you should get something like below:

ace-1/Admin# crypto verify cisco-sample-key cisco-sample-cert

Keypair in cisco-sample-key matches certificate in cisco-sample-cert.


----------------------------------

there is only one difference the nonexportable option is set to NO on the active ACE and YES on the standby ACE ..

I dont think this will cause any issues.

i have to tell you that the cert file imported on the standby ACE was  really a .crt file, and when i imported i changed the extension to .pem,  what do you think?.

PEM certificates usually have extentions such as .pem, .crt, .cer, and .key so ideally it should be pem format. Changing extension should not cause any issues.

When you open the cert using notepad you will notice.

-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----

regards,

Ajay Kumar

0 Helpful

Juan Pablo Hidalgo Villacres
Level 1
Level 1
In response to ajayku2

‎01-30-2013 07:31 AM

Thank Ajay,

the only diff between both configurations is

username xxx password xxxxx expire 2012-12-31 role Network-Admin domain default-domain

that is configured on the active ACE, maybe the expiration date is the problem and the ACE can't sync that.

the ssl configuration is the same on both ACE,, so i don't think the ssl files are the problem..

i will erase the user and tell you what happens..

regards

Juan Pablo Hidalgo

0 Helpful

Juan Pablo Hidalgo Villacres
Level 1
Level 1
In response to Juan Pablo Hidalgo Villacres

‎01-30-2013 07:54 AM

Hi Ajay,

Yes that was the problem...

Thanks for your help,

Regards,

Juan Pablo Hidalgo

0 Helpful

ajayku2
Cisco Employee
Cisco Employee
In response to Juan Pablo Hidalgo Villacres

‎01-30-2013 08:16 AM

Hi Juan,

Glad that the issue is resolved

have a good day ahead.

regards,

Ajay Kumar

0 Helpful

Juan Pablo Hidalgo Villacres
Level 1
Level 1
In response to ajayku2

‎01-30-2013 08:38 AM

Thanks Ajay,

the same to you,

regards,

Juan Pablo Hidalgo

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card