07-13-2012 08:30 AM
Hi All,
I have a pair of ACE30 in Active/Standby mode. I can ssh to all active contexts. I can also ssh to all standby contexts except one. Could anybody please advise how I should go about troubleshooting this issue?
Regards,
Nilesh
07-13-2012 08:29 PM
Hi Nilesh,
Can you check which statements are there in class-map type management? You should see the type of configuration below in the affected context.
class-map type management match-any Management
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
policy-map type management first-match Remote_Management
  class Management
    permit
service-policy input Remote_Management
And of course this policy should be applied to appropriate interfaces or you can apply it globally as mentioned above.
Was it working before? Can you send me the configuration from the context on which you are able to SSH and the configuration from the context on which you are unable to SSH?
Regards,
Kanwal
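The management-access chain described in the reply above (class-map, policy-map, service-policy on an interface), as an added example that is not part of the thread: a small Python audit that reports, per interface, which sources a context's configuration permits for a management protocol. The sample config is constructed, and treating a service-policy line outside any interface section as global is an assumption of this sketch.

```python
import re
# Constructed sample in the thread's format; 192.0.2.0 is a placeholder address.
SAMPLE = """\
class-map type management match-any MGMT-POLICY
  3 match protocol icmp any
  8 match protocol ssh source-address 192.0.2.0 255.255.255.224
policy-map type management first-match MGMT-POLICY
  class MGMT-POLICY
    permit
interface vlan 216
  service-policy input CLIENT-INPUT-POLICY-216
  service-policy input MGMT-POLICY
interface vlan 226
"""

def parse(config):
    """Collect management class-maps, policy-maps and per-interface policies."""
    cmaps, pmaps, ifaces = {}, {}, {}
    section = name = cls = None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"class-map type management \S+ (\S+)", line):
            section, name = "cmap", m.group(1)
            cmaps[name] = []
        elif m := re.match(r"policy-map type management \S+ (\S+)", line):
            section, name, cls = "pmap", m.group(1), None
            pmaps[name] = {}
        elif re.match(r"(class|policy)-map ", line):
            section = None  # non-management map: skip its body
        elif m := re.match(r"interface (.+)", line):
            section, name = "if", m.group(1)
            ifaces[name] = []
        elif m := re.match(r"service-policy input (\S+)", line):
            # Assumption: outside an interface section the policy is global.
            ifaces.setdefault(name if section == "if" else "global", []).append(m.group(1))
        elif section == "cmap" and (m := re.match(r"\d+ match protocol (\S+) (.+)", line)):
            cmaps[name].append((m.group(1), m.group(2)))
        elif section == "pmap" and (m := re.match(r"class (\S+)", line)):
            cls = m.group(1)
        elif section == "pmap" and cls and line in ("permit", "deny"):
            pmaps[name][cls] = line
    return cmaps, pmaps, ifaces

def mgmt_access(config, protocol):
    """Map each interface to the sources permitted for `protocol` ([] = none)."""
    cmaps, pmaps, ifaces = parse(config)
    return {ifname: [src for pol in policies
                     for cls, action in pmaps.get(pol, {}).items() if action == "permit"
                     for proto, src in cmaps.get(cls, []) if proto == protocol]
            for ifname, policies in ifaces.items()}
```

Running `mgmt_access` on the active and the standby context's configuration and comparing the two dictionaries shows whether the management policy itself differs between the peers.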
07-31-2012 09:42 AM
Hi Kanwaljeet,
Thank you for your response and apologies for my late response to your reply. Below is the output you asked for.
Regards,
Nilesh
##########################################################################################
ACTIVE ACE
###########
class-map type management match-any MGMT-POLICY
  3 match protocol icmp any
  8 match protocol ssh source-address A.D.C.D 255.255.255.224
  9 match protocol ssh source-address E.F.G.H 255.255.255.224
  10 match protocol https source-address A.D.C.D 255.255.255.224
  11 match protocol https source-address E.F.G.H 255.255.255.224
  12 match protocol snmp source-address A.D.C.D 255.255.255.224
  13 match protocol snmp source-address E.F.G.H 255.255.255.224
policy-map type management first-match MGMT-POLICY
  class MGMT-POLICY
    permit
interface vlan 216
  bridge-group 1
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  service-policy input CLIENT-INPUT-POLICY-216
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 217
  bridge-group 2
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  service-policy input CLIENT-INPUT-POLICY-217
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 226
  bridge-group 1
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface vlan 227
  bridge-group 2
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface bvi 1
  ip address 10.201.6.251 255.255.255.0
  alias 10.201.6.252 255.255.255.0
  peer ip address 10.201.6.250 255.255.255.0
  no shutdown
interface bvi 2
  ip address 10.201.7.251 255.255.255.0
  alias 10.201.7.252 255.255.255.0
  peer ip address 10.201.7.250 255.255.255.0
  no shutdown
##########################################################################################
STANDBY ACE
#############
class-map type management match-any MGMT-POLICY
  3 match protocol icmp any
  8 match protocol ssh source-address A.D.C.D 255.255.255.224
  9 match protocol ssh source-address E.F.G.H 255.255.255.224
  10 match protocol https source-address A.D.C.D 255.255.255.224
  11 match protocol https source-address E.F.G.H 255.255.255.224
  12 match protocol snmp source-address A.D.C.D 255.255.255.224
  13 match protocol snmp source-address E.F.G.H 255.255.255.224
policy-map type management first-match MGMT-POLICY
  class MGMT-POLICY
    permit
interface vlan 216
  bridge-group 1
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  service-policy input CLIENT-INPUT-POLICY-216
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 217
  bridge-group 2
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  service-policy input CLIENT-INPUT-POLICY-217
  service-policy input MGMT-POLICY
  no shutdown
interface vlan 226
  bridge-group 1
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface vlan 227
  bridge-group 2
  mac-sticky enable
  access-group input BPDU
  access-group input ALL
  no shutdown
interface bvi 1
  ip address 10.201.6.250 255.255.255.0
  alias 10.201.6.252 255.255.255.0
  peer ip address 10.201.6.251 255.255.255.0
  no shutdown
interface bvi 2
  ip address 10.201.7.250 255.255.255.0
  alias 10.201.7.252 255.255.255.0
  peer ip address 10.201.7.251 255.255.255.0
  no shutdown
##########################################################################################
07-31-2012 09:47 AM
Also to confirm the policy is applied to appropriate interfaces. Also this config was working before on ACE10s. Recently I migrated all clients to ACE30s. I can ssh to active and standby ACE contexts of all clients except the standby ACE context of the above mentioned client.
Regards,
Nilesh
08-01-2012 12:40 AM
Hi Nilesh,
I don't see the FT group, ft peer configuration on both ACEs. It is the high availability group between the two ACE pairs.
Cheers,
08-01-2012 02:09 AM
Hi Mikram,
The configs you are asking for are done on the admin context and not user contexts. I am having issues logging onto one of the standby user contexts.
Regards,
Nilesh
08-01-2012 02:20 AM
Hi Nilesh,
Is HA working between the two ACEs? Can you post the ft config from the admin context and also the output from the following commands?
show ft peer status
show ft group status
Cheers