Re: ACE applicationControl Engine Appliance (get the system mes

xingjun · ‎05-04-2011

HI:

It is work normally when have finish ACE config .But the ACE has show some error message:(May 5 2011 11:05:44 : %ACE-4-400000: IDS:1000 IP Option Bad Option List from 192.168.2.198 to 224.0.0.22 on interface vlan51 May 5 2011) recently,so the clients can not get respons form servers vip ip address 192.168.2.72;

I have shutdown the IDS machine and this message still shows;

How i do can resolve this problem and let clients get respons server vip normaly?

---------------------------The follow is my config on ACE!------------------------------

logging enable
logging timestamp
logging history 5
logging buffered 5

peer hostname TJHQCB01DLB02
hostname TJHQCB01DLB01
boot system image:c6ace-t1k9-mz.A2_2_3.bin

resource-class all
limit-resource all minimum 5.00 maximum unlimited
limit-resource sticky minimum 5.00 maximum unlimited

clock timezone BJT 8 0
context Admin
member all

access-list anyone line 8 extended permit ip any any
access-list anyone line 16 extended permit icmp any any

rserver host 115-116-s1
ip address 192.168.2.115
inservice
rserver host 115-116-s2
ip address 192.168.2.116
inservice
rserver host 204-205-s1
ip address 192.168.2.204
inservice
rserver host 204-205-s2
ip address 192.168.2.205
inservice
rserver host 68-69-s1
ip address 192.168.2.68
inservice
rserver host 68-69-s2
ip address 192.168.2.69
inservice

serverfarm host 115-116_pool
rserver 115-116-s1
    inservice
rserver 115-116-s2
    inservice
serverfarm host 204-205_pool
rserver 204-205-s1
    inservice
rserver 204-205-s2
    inservice
serverfarm host 68-69_pool
rserver 68-69-s1
    inservice
rserver 68-69-s2
    inservice

class-map match-any 115-116-vip
2 match virtual-address 192.168.2.117 any
class-map match-any 204-205-vip
2 match virtual-address 192.168.2.207 any
class-map match-any 68-69-vip
2 match virtual-address 192.168.2.72 any
class-map type management match-any admin
2 match protocol https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol snmp any
6 match protocol ssh any
7 match protocol http any

policy-map type management first-match admin
class admin
permit

policy-map type loadbalance first-match 115-116-policy
class class-default
    serverfarm 115-116_pool
policy-map type loadbalance first-match 204-205-policy
class class-default
    serverfarm 204-205_pool
policy-map type loadbalance first-match 68-69-policy
class class-default
    serverfarm 68-69_pool

policy-map multi-match tiens-vip
class 68-69-vip
    loadbalance vip inservice
    loadbalance policy 68-69-policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 51
class 204-205-vip
    loadbalance vip inservice
    loadbalance policy 204-205-policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 51
class 115-116-vip
    loadbalance vip inservice
    loadbalance policy 115-116-policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 51

service-policy input admin
service-policy input tiens-vip

interface vlan 51
ip address 192.168.2.250 255.255.255.0
alias 192.168.2.253 255.255.255.0
peer ip address 192.168.2.251 255.255.255.0
access-group input anyone
access-group output anyone
nat-pool 1 192.168.2.252 192.168.2.252 netmask 255.255.255.255 pat
no shutdown

ft interface vlan 999
ip address 10.1.69.125 255.255.255.252
peer ip address 10.1.69.126 255.255.255.252
no shutdown

ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 2
peer 1
priority 110
associate-context Admin
inservice

ip route 0.0.0.0 0.0.0.0 192.168.2.254
----------------------------------------------------------------------------------------------------------

xingjun · ‎05-04-2011

hi:

everyone ,the up of config have changed.i have update the config about ACE,and about the ids:1000 still shows on it;

the fllow is my ace config:

------------------------------------

logging enable
logging standby
logging timestamp
logging history 5
logging buffered 5

peer hostname TJHQCB01DLB02
hostname TJHQCB01DLB01
boot system image:c6ace-t1k9-mz.A2_2_3.bin

resource-class all
limit-resource all minimum 5.00 maximum unlimited
limit-resource sticky minimum 5.00 maximum unlimited

clock timezone BJT 8 0
context Admin
member all

access-list anyone line 8 extended permit ip any any
access-list anyone line 16 extended permit icmp any any

probe tcp 68-69_pool-tcp-http
interval 2
faildetect 2
passdetect interval 5
passdetect count 2

rserver host 115-116-s1
ip address 192.168.2.115
inservice
rserver host 115-116-s2
ip address 192.168.2.116
inservice
rserver host 204-205-s1
ip address 192.168.2.204
inservice
rserver host 204-205-s2
ip address 192.168.2.205
inservice
rserver host 68-69-s1
ip address 192.168.2.68
inservice
rserver host 68-69-s2
ip address 192.168.2.69
inservice

serverfarm host 115-116_pool
rserver 115-116-s1
    inservice
rserver 115-116-s2
    inservice
serverfarm host 204-205_pool
rserver 204-205-s1
    inservice
rserver 204-205-s2
    inservice
serverfarm host 68-69_pool
probe 68-69_pool-tcp-http
rserver 68-69-s1
    inservice
rserver 68-69-s2
    inservice

sticky ip-netmask 255.255.255.255 address source 68-69_pool
timeout 720
timeout activeconns
replicate sticky
serverfarm 68-69_pool

class-map match-any 115-116-vip
2 match virtual-address 192.168.2.117 any
class-map match-any 204-205-vip
2 match virtual-address 192.168.2.207 any
class-map match-any 68-69-vip
2 match virtual-address 192.168.2.72 any
class-map type management match-any admin
2 match protocol https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol snmp any
6 match protocol ssh any
7 match protocol http any

policy-map type management first-match admin
class admin
permit

policy-map type loadbalance first-match 115-116-policy
class class-default
    serverfarm 115-116_pool
policy-map type loadbalance first-match 204-205-policy
class class-default
    serverfarm 204-205_pool
policy-map type loadbalance first-match 68-69-policy
class class-default
    sticky-serverfarm 68-69_pool

policy-map multi-match tiens-vip
class 68-69-vip
    loadbalance vip inservice
    loadbalance policy 68-69-policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 51
class 204-205-vip
    loadbalance vip inservice
    loadbalance policy 204-205-policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 51
class 115-116-vip
    loadbalance vip inservice
    loadbalance policy 115-116-policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 51

service-policy input admin
service-policy input tiens-vip

interface vlan 51
ip address 192.168.2.250 255.255.255.0
alias 192.168.2.253 255.255.255.0
peer ip address 192.168.2.251 255.255.255.0
access-group input anyone
access-group output anyone
nat-pool 1 192.168.2.252 192.168.2.252 netmask 255.255.255.255 pat
no shutdown

ft interface vlan 999
ip address 10.1.69.125 255.255.255.252
peer ip address 10.1.69.126 255.255.255.252
no shutdown

ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 2
peer 1
priority 110
associate-context Admin
inservice

ip route 0.0.0.0 0.0.0.0 192.168.2.254

username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain
username www password 5 * role Admin domain default-domain

------------------------------------------------------------------------

ACE applicationControl Engine Appliance (get the system message:%ACE-4-400000: IDS:1000)