cannot ssh standby ACE

rathinilesh
Level 1

Hi All,

I have a pair of ACE30 in Active/Standby mode. I can ssh to all active contexts. I can also ssh to all standby contexts except one. Could anybody please advise how I should go about troubleshooting this issue?

Regards,

Nilesh

Kanwaljeet Singh
Cisco Employee

Hi Nilesh,

Can you check which statements are there in class-map type management? You should see the type of configuration below in the affected context.

class-map type management match-any Management
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match Remote_Management
  class Management
    permit
service-policy input Remote_Management

And of course this policy should be applied to appropriate interfaces or you can apply it globally as mentioned above.

Was it working before? Can you send me the configuration from the context on which you are able to SSH and the configuration from the context on which you are unable to SSH?

Regards,

Kanwal
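The check described in the reply above can be scripted. The following is an added example, not code from the thread or from Cisco: it traces SSH through the class-map, policy-map and service-policy of one context and reports which interfaces actually receive the management policy. The function name, the sample config and the 192.0.2.0/27 range are assumptions; run it on the `show running-config` text of both the active and the standby context and compare the results.

```python
import ipaddress

# Constructed sample shaped like the thread's configs; 192.0.2.0/27 is a placeholder.
SAMPLE = """\
class-map type management match-any MGMT-POLICY
  3 match protocol icmp any
  8 match protocol ssh source-address 192.0.2.0 255.255.255.224
policy-map type management first-match MGMT-POLICY
  class MGMT-POLICY
    permit
interface vlan 216
  service-policy input CLIENT-INPUT-POLICY-216
  service-policy input MGMT-POLICY
interface vlan 226
  access-group input ALL
"""

def ssh_management_report(config):
    """Trace SSH through class-map -> policy-map -> service-policy."""
    ssh_nets, permits, applied = {}, {}, {}   # keyed by class / policy / interface
    kind = name = cls = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:                         # tolerate blank lines from copy/paste
            continue
        if not raw[0].isspace():              # a top-level line opens a new section
            mgmt = words[1:3] == ["type", "management"]
            kind, name, cls = (words[0] if mgmt else None), words[-1], None
            if words[0] == "interface":
                kind, name = "interface", " ".join(words[1:])
                applied[name] = []
            elif words[:2] == ["service-policy", "input"]:   # applied globally
                applied.setdefault("global", []).append(words[2])
        elif kind == "class-map" and words[1:4] == ["match", "protocol", "ssh"]:
            src = "0.0.0.0/0" if words[4] == "any" else f"{words[5]}/{words[6]}"
            ssh_nets.setdefault(name, []).append(ipaddress.ip_network(src, strict=False))
        elif kind == "policy-map" and words[0] == "class":
            cls = words[1]
        elif kind == "policy-map" and words[0] == "permit" and cls:
            permits.setdefault(name, set()).add(cls)
        elif kind == "interface" and words[:2] == ["service-policy", "input"]:
            applied[name].append(words[2])
    ok = {p for p, cs in permits.items() if cs & ssh_nets.keys()}  # policies permitting SSH
    return {
        "ssh_sources": sorted(str(n) for ns in ssh_nets.values() for n in ns),
        "applied": sorted(i for i, ps in applied.items() if ok & set(ps)),
        "not_applied": sorted(i for i, ps in applied.items() if not ok & set(ps)),
    }
```

A context whose `applied` list is empty, or whose `ssh_sources` do not cover the client's address, will refuse SSH even when the failover pair is healthy.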

Hi Kanwaljeet,

Thank you for your response and apologies for my late response to your reply. Below is the output you asked for.

Regards,

Nilesh

##########################################################################################

ACTIVE ACE
###########

class-map type management match-any MGMT-POLICY
  3 match protocol icmp any
  8 match protocol ssh source-address A.D.C.D 255.255.255.224
  9 match protocol ssh source-address E.F.G.H 255.255.255.224
  10 match protocol https source-address A.D.C.D 255.255.255.224
  11 match protocol https source-address E.F.G.H 255.255.255.224
  12 match protocol snmp source-address A.D.C.D 255.255.255.224
  13 match protocol snmp source-address E.F.G.H 255.255.255.224
policy-map type management first-match MGMT-POLICY
  class MGMT-POLICY
    permit
interface vlan 216
  bridge-group 1
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  service-policy input CLIENT-INPUT-POLICY-216
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 217
  bridge-group 2
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  service-policy input CLIENT-INPUT-POLICY-217
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 226
  bridge-group 1
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface vlan 227
  bridge-group 2
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface bvi 1
  ip address 10.201.6.251 255.255.255.0
  alias 10.201.6.252 255.255.255.0
  peer ip address 10.201.6.250 255.255.255.0
  no shutdown
interface bvi 2
  ip address 10.201.7.251 255.255.255.0
  alias 10.201.7.252 255.255.255.0
  peer ip address 10.201.7.250 255.255.255.0
  no shutdown

##########################################################################################

STANDBY ACE
#############

class-map type management match-any MGMT-POLICY
  3 match protocol icmp any
  8 match protocol ssh source-address A.D.C.D 255.255.255.224
  9 match protocol ssh source-address E.F.G.H 255.255.255.224
  10 match protocol https source-address A.D.C.D 255.255.255.224
  11 match protocol https source-address E.F.G.H 255.255.255.224
  12 match protocol snmp source-address A.D.C.D 255.255.255.224
  13 match protocol snmp source-address E.F.G.H 255.255.255.224
policy-map type management first-match MGMT-POLICY
  class MGMT-POLICY
    permit
interface vlan 216
  bridge-group 1
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  service-policy input CLIENT-INPUT-POLICY-216
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 217
  bridge-group 2
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  service-policy input CLIENT-INPUT-POLICY-217
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 226
  bridge-group 1
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface vlan 227
  bridge-group 2
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface bvi 1
  ip address 10.201.6.250 255.255.255.0
  alias 10.201.6.252 255.255.255.0
  peer ip address 10.201.6.251 255.255.255.0
  no shutdown
interface bvi 2
  ip address 10.201.7.250 255.255.255.0
  alias 10.201.7.252 255.255.255.0
  peer ip address 10.201.7.251 255.255.255.0
  no shutdown

##########################################################################################

Also, to confirm, the policy is applied to the appropriate interfaces. Also, this config was working before on ACE10s. Recently I migrated all clients to ACE30s. I can ssh to the active and standby ACE contexts of all clients except the standby ACE context of the above-mentioned client.

Regards,

Nilesh

Hi Nilesh,

I don't see the FT group or FT peer configuration on both ACEs. It is the high availability group between the two ACE pairs.

Cheers,

Hi Mikram,

The configs you are asking for are done on the admin context and not user contexts. I am having issues logging onto one of the standby user contexts.

Regards,

Nilesh

Hi Nilesh,

Is HA working between the two ACEs? Can you post the ft config from the admin context and also the output from the following commands?

show ft peer status

show ft group status

Cheers
