ACE active/standby configuration sync error

Hi,

I have a problem with two ACE 4710 working in HA for a context called WAS-PP,

A few months ago I configured SSL on the active ACE but I forgot to copy the certs and key files to the standby ACE, so that was the first problem. Right now both ACEs have the cert and key files, but there is no config sync. I have tried with the commands "ft auto-sync running-config" and "startup-config".

The startup-config got synced, and although the running-config is the same on both ACEs, I get this error on the running-config line of "sh ft group status" (for the startup-config it says sync).

>> peer in cold state. Error on standby  device when applying configuration file replicated from active.

So, searching for this error, I found on the wiki that I must run the command "show ft config-error WAS-PP" from the Admin context on the standby ACE, but when I ran it I got this message:

*** Context 1: Config can not been applied fully. Please try again ***

Error(s) while applying config

And that's it. Do you know what I could do?

I haven't rebooted the standby ACE... maybe that could be an option.

Both ACEs run version A4(2.0).

Hope somebody can help me.

regards,

Juan Pablo Hidalgo


ajayku2
Cisco Employee

Hi,

Try using a text compare tool such as WinMerge and apply the config which is not there on the standby. It may be possible that the command does not work, but it will throw the error message.

I am suspecting two possibilities:

The cert and keys are not properly imported.

The device file system is full because of the following defect:

CSCtx03563

ACE producing huge httpd logs over time when XML is extensively used

Symptom:

ACE A4.2.1 may produce huge httpd logs over time when the XML interface is used. This causes the file system to become full, and messages might appear on the CLI like:

write error: No space left on device

If ACE is reloaded in this state and the user saves the config when prompted, this will cause ACE to wipe all config.

Workaround:

- Do not save the config on reload

- Contact Cisco TAC to provide a workaround script

regards,

Ajay Kumar

Hi Ajay,

Thanks for your response.

I'll compare the ACE configurations.

About your suggestions:

I have the same certs and key files on both ACEs, the same names and sizes. There is only one difference: the nonexportable option is set to NO on the active ACE and YES on the standby ACE. Do you think that could be a problem? And how could I confirm that the certs are not properly imported? I tried with the verify command, and on the active ACE the command also gave me an error.

I have to tell you that the cert file imported on the standby ACE was really a .crt file, and when I imported it I changed the extension to .pem. What do you think? (I don't remember how the cert file was imported on the active ACE, and if it was the same cert file.)

About the space problem, I'll review whether the standby ACE has free space. I never saw the error msg that you posted.

Thanks for your help.

regards,

Juan Pablo

Hi Juan,

Once you compare the config you will come to know what is missing and why it is missing.

If you see that the missing config is revolving around SSL config then you know for sure it is SSL certs or config.

Ideally, if the cert and key are imported properly, then you should get something like below:

ace-1/Admin# crypto verify cisco-sample-key cisco-sample-cert

Keypair in cisco-sample-key matches certificate in cisco-sample-cert.


----------------------------------

there is only one difference: the nonexportable option is set to NO on the active ACE and YES on the standby ACE ..

I don't think this will cause any issues.

i have to tell you that the cert file imported on the standby ACE was really a .crt file, and when i imported i changed the extension to .pem, what do you think?.

PEM certificates usually have extensions such as .pem, .crt, .cer, and .key, so ideally it should be PEM format. Changing the extension should not cause any issues.

When you open the cert using Notepad you will notice:

"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

regards,

Ajay Kumar
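The two checks Ajay suggests above, the running-config compare and the PEM-header check, as an added example that is not part of the original thread. The two config excerpts and the certificate text are constructed to resemble ACE output; the only difference planted between them is a `username ... expire` line like the one this thread later turns up.

```python
# Added example, not from the thread: compare two ACE running-configs
# and sanity-check that a renamed .crt really is PEM armoured.

# Constructed running-config excerpts (not real device output).
ACTIVE_CONFIG = """\
ssl-proxy service WAS-PP-SSL
  key WAS-PP.key
  cert WAS-PP.pem
username xxx password xxxxx expire 2012-12-31 role Network-Admin domain default-domain
class-map match-all WAS-PP-VIP
  2 match virtual-address 10.0.0.10 tcp eq https
"""

STANDBY_CONFIG = """\
ssl-proxy service WAS-PP-SSL
  key WAS-PP.key
  cert WAS-PP.pem
class-map match-all WAS-PP-VIP
  2 match virtual-address 10.0.0.10 tcp eq https
"""

# Constructed placeholder certificate body (not a real certificate).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderBase64Body==
-----END CERTIFICATE-----
"""


def normalize(config: str) -> list[str]:
    """Strip indentation and blank lines so only command text is compared."""
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def config_diff(active: str, standby: str) -> dict[str, list[str]]:
    """Return commands present on only one peer, ignoring line order,
    which is what WinMerge would show but without the manual eyeballing."""
    a, s = set(normalize(active)), set(normalize(standby))
    return {"only_on_active": sorted(a - s), "only_on_standby": sorted(s - a)}


def is_pem_certificate(data: str) -> bool:
    """True when the file carries the PEM armour lines Ajay describes.
    A binary DER .crt simply renamed to .pem fails this check."""
    lines = [ln.strip() for ln in data.strip().splitlines()]
    return (len(lines) >= 3
            and lines[0] == "-----BEGIN CERTIFICATE-----"
            and lines[-1] == "-----END CERTIFICATE-----")


if __name__ == "__main__":
    print(config_diff(ACTIVE_CONFIG, STANDBY_CONFIG))
    print("PEM:", is_pem_certificate(SAMPLE_PEM))
```

Feed it `show running-config` output captured from each peer; any line reported under only_on_active is a candidate for the command the standby rejected.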

Thanks Ajay,

The only diff between both configurations is

username xxx password xxxxx expire 2012-12-31 role Network-Admin domain default-domain

which is configured on the active ACE. Maybe the expiration date is the problem and the ACE can't sync that.

The SSL configuration is the same on both ACEs, so I don't think the SSL files are the problem.

I will erase the user and tell you what happens.

regards

Juan Pablo Hidalgo

Hi Ajay,

Yes that was the problem...

Thanks for your help,

Regards,

Juan Pablo Hidalgo

Hi Juan,

Glad that the issue is resolved.

Have a good day ahead.

regards,

Ajay Kumar

Thanks Ajay,

The same to you.

regards,

Juan Pablo Hidalgo
