01-29-2013 03:54 PM
Hi,
I have a problem with two ACE 4710s working in HA for a context called WAS-PP.
A few months ago I configured SSL on the active ACE but I forgot to copy the cert and key files to the standby ACE, so that was the first problem. Right now both ACEs have the cert and key files, but there is no config sync. I have tried the commands "ft auto-sync running-config" and "startup-config";
the startup-config got synced, and although the running-config is the same on both ACEs, I get this error in "sh ft group status" on the running-config line (for the startup it says sync):
>> peer in cold state. Error on standby device when applying configuration file replicated from active.
So, searching for this error, I found on the wiki that I must run the command "show ft config-error WAS-PP" from the Admin context on the standby ACE, but when I ran it I got this message:
*** Context 1: Config can not been applied fully. Please try again ***
Error(s) while applying config
and that's it. Do you know what I could do?
I haven't rebooted the standby ACE... maybe that could be an option.
Both ACEs run version A4(2.0).
Hope somebody can help me,
regards,
Juan Pablo Hidalgo
01-29-2013 10:10 PM
Hi,
try using a text compare tool such as WinMerge and apply the config which is not there on the standby. It may be possible that the command may not work, but it will throw the error message.
I am suspecting two possibilities:
The cert and keys are not properly imported.
The device file system is full because of the following defect:
CSCtx03563: ACE producing huge httpd logs over time when XML is extensively used
Symptom: ACE A4.2.1 may produce huge httpd logs over time when the XML interface is used. This causes the file system to become full, and messages might appear on the CLI like: "write error: No space left on device". If the ACE is reloaded in this state and the user saves the config when prompted, this will cause the ACE to wipe all config.
Workaround:
- Do not save the config on reload
- Contact Cisco TAC to provide a workaround script
regards,
Ajay Kumar
01-30-2013 06:44 AM
Hi Ajay,
thanks for your response,
I'll compare the ACE configurations.
About your suggestions:
I have the same cert and key files on both ACEs, the same names and sizes. There is only one difference: the nonexportable option is set to NO on the active ACE and YES on the standby ACE. Do you think that could be a problem? And how could I confirm that the certs are not properly imported? I tried with the verify command, and also on the active ACE the command gave me an error.
I have to tell you that the cert file imported on the standby ACE was really a .crt file, and when I imported it I changed the extension to .pem. What do you think? (I don't remember how the cert file was imported on the active ACE, or if it was the same cert file.)
About the space problem, I'll review whether the standby ACE has free space; I never saw the error msg that you posted.
thanks for your help,
regards,
Juan Pablo
01-30-2013 07:03 AM
Hi Juan,
Once you compare the configs you will come to know what is missing and why it is missing.
If you see that the missing config revolves around SSL config, then you know for sure it is the SSL certs or config.
Ideally, if the cert key and server key are imported properly, then you should get something like below:
ace-1/Admin# crypto verify cisco-sample-key cisco-sample-cert
Keypair in cisco-sample-key matches certificate in cisco-sample-cert.
----------------------------------
"there is only one difference: the nonexportable option is set to NO on the active ACE and YES on the standby ACE."
I don't think this will cause any issues.
"I have to tell you that the cert file imported on the standby ACE was really a .crt file, and when I imported it I changed the extension to .pem. What do you think?"
PEM certificates usually have extensions such as .pem, .crt, .cer, and .key, so ideally it should be PEM format. Changing the extension should not cause any issues.
When you open the cert using Notepad you will notice:
"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
regards,
Ajay Kumar
01-30-2013 07:31 AM
Thanks Ajay,
the only diff between both configurations is
username xxx password xxxxx expire 2012-12-31 role Network-Admin domain default-domain
which is configured on the active ACE; maybe the expiration date is the problem and the ACE can't sync that.
The SSL configuration is the same on both ACEs, so I don't think the SSL files are the problem.
I will erase the user and tell you what happens.
regards
Juan Pablo Hidalgo
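Added example (not from the thread, and not a Cisco tool): a small Python script that does offline what Ajay suggested with WinMerge, namely normalise two ACE running-config dumps and list the lines present on one peer but not the other, then flag any "username ... expire YYYY-MM-DD" line whose date is already in the past (the line Juan found), and finally check that a certificate file is really PEM by looking for the BEGIN/END CERTIFICATE markers and decoding the base64 body. The two config fragments and the PEM blob below are constructed for illustration; the PEM body is not a real certificate, only a DER-like SEQUENCE header plus filler.

```python
"""Offline helpers for an ACE HA config-sync investigation (added example).

Constructed sample data only: the two config fragments and the PEM blob are
made up here and are not taken from the thread.
"""
import base64
import binascii
import re

# Constructed sample: running-config fragment from the active ACE.
ACTIVE_CONFIG = """\
ssl-proxy service WAS-PP-SSL
  key example-key.pem
  cert example-cert.pem
username netops password 5 PLACEHOLDER-HASH expire 2012-12-31 role Network-Admin domain default-domain
class-map match-all VIP-HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https
"""

# Constructed sample: the standby ACE is missing the username line.
STANDBY_CONFIG = """\
ssl-proxy service WAS-PP-SSL
  key example-key.pem
  cert example-cert.pem
class-map match-all VIP-HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https
"""


def normalize(config: str) -> list[str]:
    """Strip indentation and trailing whitespace, drop blank and '!' comment
    lines, so only semantic differences are reported."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        lines.append(line)
    return lines


def config_diff(active: str, standby: str) -> dict[str, list[str]]:
    """Return the lines found only on the active and only on the standby peer,
    in their original order (a set-based compare, like a two-way merge tool)."""
    a, s = normalize(active), normalize(standby)
    a_set, s_set = set(a), set(s)
    return {
        "only_active": [line for line in a if line not in s_set],
        "only_standby": [line for line in s if line not in a_set],
    }


# ACE user accounts carry an optional 'expire YYYY-MM-DD' keyword.
EXPIRE_RE = re.compile(r"^username\s.*\bexpire\s+(\d{4}-\d{2}-\d{2})\b")


def expired_user_lines(config: str, today: str) -> list[str]:
    """Return username lines whose expire date is before 'today' (ISO date
    string); ISO dates compare correctly as plain strings."""
    hits = []
    for line in normalize(config):
        m = EXPIRE_RE.match(line)
        if m and m.group(1) < today:
            hits.append(line)
    return hits


PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)


def looks_like_pem_cert(data: str) -> bool:
    """True if the text holds a PEM certificate block whose body is valid
    base64 and decodes to something starting with a DER SEQUENCE tag (0x30).
    This checks the container format, not the certificate's validity."""
    m = PEM_CERT_RE.search(data)
    if not m:
        return False
    body = "".join(m.group(1).split())
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(der) > 0 and der[0] == 0x30


# Constructed PEM blob: a SEQUENCE header plus zero filler, not a real cert.
_FAKE_DER = b"\x30\x82\x00\x14" + bytes(20)
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_FAKE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


if __name__ == "__main__":
    diff = config_diff(ACTIVE_CONFIG, STANDBY_CONFIG)
    print("Only on active :", diff["only_active"])
    print("Only on standby:", diff["only_standby"])
    print("Expired users  :", expired_user_lines(ACTIVE_CONFIG, "2013-01-30"))
    print("Sample is PEM  :", looks_like_pem_cert(SAMPLE_PEM))
```

Paste each peer's "show running-config" output into the two strings (or read them from files) and run the script; the "only_active" list is the set of lines the standby would have to apply, which is where a replication error originates. The PEM check only confirms the file is in the expected text container, so the on-box "crypto verify" step from Ajay's reply is still needed to confirm that the key and certificate actually match.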
01-30-2013 07:54 AM
Hi Ajay,
Yes that was the problem...
Thanks for your help,
Regards,
Juan Pablo Hidalgo
01-30-2013 08:16 AM
Hi Juan,
Glad that the issue is resolved
have a good day ahead.
regards,
Ajay Kumar
01-30-2013 08:38 AM
Thanks Ajay,
the same to you,
regards,
Juan Pablo Hidalgo