Professional Documents
Culture Documents
Ace Ts Guide
Ace Ts Guide
Welcome to Cisco DocWiki. We encourage registered Cisco.com users to contribute to this wiki to collaborate on Cisco product
documentation. You do not need to log in to read the text. However, you must log in to edit the text. Select the "edit" tab to edit
an article or select the "discussion" tab to submit questions or comments about documentation content.
See Terms of Use and About DocWiki for more information about Cisco DocWiki.
Contents
• 1 Audience
• 2 Organization
• 3 Creating a PDF of the ACE
Troubleshooting Wiki
• 4 Related Documentation
♦ 4.1 ACE Module Documentation
♦ 4.2 ACE Appliance Documentation
This article provides a systematic approach to identifying and remedying problems that may arise as you use your ACE over a
period of time. This guide is not intended to replace configuration best practices or to be an all-inclusive guide for every
application. Rather, it is an attempt to provide you with the knowledge and skills necessary to correct the most common issues that
you may encounter.
Audience
This article is intended for all trained network administrators who have experience with the configuration and maintenance of the
ACE.
Organization
This article consists of the following major sections:
Troubleshooting Connectivity
Contents 1
Cisco Application Control Engine (ACE) Troubleshooting Guide
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Managing Resources
Related Documentation
ACE Module Documentation
• Customer Documentation for the Cisco Application Control Engine (ACE) Module
• Cisco Application Control Engine (ACE) Configuration Examples on DocWiki
• Release Notes for the Cisco 4700 Series Application Control Engine Appliance
• Command Reference for the Cisco 4700 Series Application Control Engine Appliance
• Configuration Guides for the Cisco 4700 Series Application Control Engine Appliance
This article introduces the basic concepts, methodology, and general troubleshooting guidelines for problems that may occur when
you configure and use your ACE.
Organization 2
Cisco Application Control Engine (ACE) Troubleshooting Guide
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of the ACE Troubleshooting Process
• 2 Verifying the ACE Image
• 3 Enabling ACE Logging
• 4 Gathering ACE Troubleshooting Information
♦ 4.1 Rebooting the ACE
♦ 4.2 Using show Commands
♦ 4.3 Capturing Packets in Real Time
♦ 4.4 Copying Core Dumps
♦ 4.5 After Gathering Troubleshooting Information
• 5 Verifying the Physical Connectivity Between the ACE and the End
Hosts
• 6 Verifying the ACE Layer 2 Connectivity
• 7 Verifying the ACE Layer 3 Connectivity
• 8 Contacting Cisco Technical Support
1. Maintain a consistent and recommended software version across all your ACEs. See the "Verifying the ACE Image"
section.
2. See the ACE module release notes for your software version for the latest features, operating considerations, caveats, and
CLI command changes.
3. Before you introduce configuration changes, use the ACE checkpoint feature to bookmark a known good configuration
and save your configuration. If you run into problems with the new configuration, you can roll back the new configuration
to the known good configuration. See the Cisco Application Control Engine Module Administration Guide. Troubleshoot
new configuration changes immediately after adding them.
4. Verify that your configuration is correct for your network application. Make any required changes to the running-config
file, and then test the configuration. If it is satisfactory, save it to the startup-config file using the copy running-config
startup-config command for a particular virtual context or the write memory command from the Admin context to copy
all running-config files in every virtual context to their respective startup-config files.
5. Enable system message logging. See the "Enabling ACE Logging" section.
6. Gather information that defines the specific symptoms. See the "Gathering ACE Troubleshooting Information" section.
7. Verify the physical connectivity between your device and end devices. See the "Verifying the Physical Connectivity
Between the ACE and the End Hosts" section.
8. Verify the ACE Layer 2 connectivity. See the "Verifying the ACE Layer 2 Connectivity" section.
9. Verify the ACE end-to-end connectivity and the routing configuration. See the "Verifying the ACE Layer 3 Connectivity"
section.
10. After you have determined that your troubleshooting attempts have not resolved the problem, contact the Cisco Technical
Assistance Center (TAC) or your technical support representative. See the "Contacting Cisco Technical Support" section.
Software
loader: Version 12.2[121]
system: Version A2(2.0) [build 3.0(0)A2(2.0)] <--------
system image file: [LCP] disk0:c6ace-t1k9-mzg.A2_2_0.bin <--------
installed license: no feature license is installed
Hardware
Cisco ACE (slot: 5)
cpu info:
number of cpu(s): 2
cpu type: SiByte
cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
memory info:
total: 955396 kB, free: 289704 kB
shared: 0 kB, buffers: 2336 kB, cached 0 kB
Cisco Application Control Engine (ACE) Troubleshooting Guide
cf info:
filesystem: /dev/cf
total: 1000000 kB, used: 494912 kB, available: 505088 kB
• Slot in which the ACE resides in the Catalyst 6500 series switch (in this case, slot 5)
• Available control plane memory
• Last boot reason
• Configuration register (confreg) value (0x0 boot to rommon, 0x1 boot using boot string)
• ACE uptime
Note: Use the terminal no monitor command to stop viewing log messages in your remote session.
For more information about logging, see the "Troubleshooting with ACE Logging" section.
Note: Probe traffic will not hit a security ACL, so ACLs cannot control the capture of those packets. Therefore, probe traffic
cannot be captured by the packet capture utility.
If possible, you should capture packets using the ACE packet capturing utility before and after symptoms appear. Save the packet
captures to a file.
1. Create an ACL for packet capturing or use an existing ACL if it meets the packet capture requirements by entering the
following command:
ACE_module5/Admin(config)# access-list FILTER line 10 extended permit tcp any any eq www
ACE_module5/Admin# exit
Note: Ensure that the ACL you specify in the capture command is for an input interface. If you configure the packet capture
on the output interface, the ACE will fail to match any packets.
3. Display the capture status to determine the capture status and the buffer size by entering the following command:
Notice that the capture has not started yet. The default buffer size is 64 KB. You can specify a maximum of buffer size of 5000
KB and you can specify a circular buffer.
4. Start the packet capture on the ACE by entering the following command:
You can also copy the packet capture to an FTP, SFTP, or TFTP server.
6. Display the messages and connections within a packet capture by entering the following command:
7. Display the details of each packet within a capture by entering the following command:
Note: If you view the ACE capture file in a third-party sniffer (for example, Wireshark), you will notice only the messages or
type PKT_RCV and PKT_XMT are displayed. This situation is expected because the sniffer is not aware of the ACE's
internal messaging.
Copying Core Dumps
If the ACE fails with a core dump, the core dump files may contain useful information. The core dump files reside in the core:
directory. To view the contents of the core: directory, enter the following command:
You can copy the contents of the core: directory to several locations by using the copy core: command. The syntax of this
command is as follows:
The ACE provides core dumps for both the control plane and the data plane. Each core dump file contains the following
information:
• Version
• Time of failure
• FTP
• SFTP
• TFTP
Verifying the Physical Connectivity Between the ACE and the End
Hosts
To verify the physical connectivity of the ACE, follow these steps:
1. Check all cable connections on the Catalyst 6500 series switch or Cisco 7600 series router that may impact the ACE.
2. Use the extended ping command to send an ICMP Echo request to the end devices.
ACE_module5/Admin# ping
Target IP address: 10.1.1.2
Repeat count [5]: 4
Datagram size [100]: 200
Timeout in seconds [2]: 10
Extended commands [n]: 4
Pinging 10.1.1.2 with timeout = 10, count = 4, size = 200 ....
If a host is one hop away and you are unable to reach the host, then ping the intermediary gateway. If the gateway is not reachable,
enter the show ip route command and check to make sure that the correct route is displayed. For example, enter:
1. Verify that the ARP table is populated with the IP addresses and corresponding MAC addresses of the ACE, the gateway, the
local interface, and other IPs that the ACE has learned.
Context Admin
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
10.86.215.208 00.02.7e.39.51.9c vlan130 LEARNED 5 2350 sec up
10.86.215.228 00.e0.81.22.78.ff vlan130 LEARNED 6 6379 sec up
10.86.215.234 00.1a.a1.48.f3.44 vlan130 LEARNED 4 1114 sec up
10.86.215.1 00.00.0c.07.ac.00 vlan130 GATEWAY 2 153 sec up
10.86.215.2 00.11.5d.e1.2f.fc vlan130 LEARNED 3 12054 sec up
10.86.215.134 00.18.b9.a6.91.15 vlan130 INTERFACE LOCAL _ up
================================================================================
Total arp entries 6
2. Verify that the ACE is connected to the switch fabric of the Catalyst 6500 series switch or the Cisco 7600 series router. The
ACE uses a 10-Gigabit Ethernet switch fabric interface (SFI) to connect to the chassis backplane as opposed to the CSM, which
uses a port channel. The ACE uses the following format for this interface:
Te<slot>/1
For example, if the ACE is in slot 5, you can see the status of the backplane connection by entering the following command on the
Catalyst 6500 series switch or the Cisco 7600 series router:
If there is no output from this command, then either the ACE is not installed properly or the ACE is powered down.
3. Verify the association of the ACE MAC entries with the allocated VLAN interfaces. Enter the following command at the
Supervisor CLI:
Verifying the Physical Connectivity Between the ACE and the EndHosts 11
Cisco Application Control Engine (ACE) Troubleshooting Guide
cat6k# show module 5
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
5 1 Application Control Engine Module ACE10-6500-K9 SAD1031044S
4. Check the status of the Te5/1 port to ensure that it is in the forwarding state by entering the following command:
MST0
Spanning tree enabled protocol mstp
Root ID Priority 32768
Address 0001.632f.2c17
Cost 200019
Port 642 (GigabitEthernet6/2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
For information on steps to take before calling Technical Support, see the "Gathering ACE Troubleshooting Information" section.
This article describes the ACE architecture and how data flows into, gets processed, and flows out of the ACE. It provides a basic
understanding of these concepts to assist you in troubleshooting the ACE.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Understanding the ACE Architecture
♦ 1.1 Overview of the ACE
Hardware Architecture
♦ 1.2 Control Plane
Contents 14
Cisco Application Control Engine (ACE) Troubleshooting Guide
A console connection allows direct access to the ACE control plane (CP) for initial configuration, management, and
troubleshooting. The supervisor engine connection allows you to determine the status of the ACE, to load images into the ACE, to
reboot the ACE, and to provide remote access to the ACE from the Catalyst 6500 series switch or Cisco 7600 series router when
you use the session command. Because the ACE has no external ports, packets enter the ACE through the Switch Fabric Interface
(SFI) connected to the Catalyst 6500 series switch or Cisco 7600 series router back plane. The two major functional areas of the
ACE are as follows:
• Control plane
• Data plane
Control Plane
The control plane (CP) is used to configure the ACE and for management traffic, syslogs, ARP, DHCP, and so on. You can access
the CP directly by using the console port. For remote management, you must configure a management interface and enable remote
access using a management policy to permit Telnet or SSH access, for example. The CP is responsible for the following ACE
functions:
Data Plane
The data plane (DP) is responsible for distributing and processing packets and connections that do not match a management
policy.
In the ACE, the CP and the DP are separated and run on different processors for maximum performance. See Figure 2.
Data Plane 16
Cisco Application Control Engine (ACE) Troubleshooting Guide
• Network processors (NPs)
• SSL Crypto Module
• Daughter card interfaces (for future feature expansion)
The Classification and Distribution Engine (CDE) is the traffic controller for the ACE. Its main purpose is to forward packets that
it receives from the SFI to the two network processors (NPs). It also acts as the central point of contact among all the major
subsystems within the ACE. The CDE computes, and if necessary, adjusts the IP, TCP, and UDP checksums of every packet that
it receives.
The CDE appends a special header known as the IMPH header to each packet before sending it to the fast path. The IMPH header
is 18 bytes long and contains information from the DBUS header (the header sent to the ACE Module by the Catalyst 6500 series
switch or Cisco 7600 series router) as well as special messaging directly understood by the fast path. Fields in the IMPH header
can include notification of a checksum error, Layer 3 or Layer 4 offsets, source and destination ports of the CDE, the VLAN for
determining the interface that the fast path will use, and so on.
Network Processors
The ACE has two network processors (NP1 and NP2) that perform most of the packet processing in the ACE. All traffic entering
the ACE must traverse one or both NPs after being forwarded by the CDE. Each NP contains a CPU (XScale) and several
components called microengines (MEs). See Figure 3.
Each microengine can handle eight simultaneous threads or processes and performs a specific function for the NP as follows:
• Load-balancing algorithms
• SSL handshake
• FTP and Real-Time Streaming Protocol (RTSP) inspection
• HTTP inspection (although a considerable part is performed by the microengines)
• High-availability heartbeat generation
• Returned statistics for most connection-related commands
Each network processor has RDRAM memory to store ACL entries, routing table entries, ARP entries, and inspection policies.
Additional SRAM memory provides faster access times and is used to store regular expressions and statistics on a per?virtual
system basis, among other things.
The SSL Crypto Module is responsible for SSL record layer processing. This processing includes encrypting and decrypting data
for SSL flows.
The CDE classifies the packets based on the configured traffic policies, fills out the IMPH header information, and forwards the
traffic to one of the NPs. To determine which NP to forward the traffic to, the CDE hashes incoming packets based on the traffic
type as follows:
The NPs process the traffic and forward it back through the CDE to either the control plane or the SSL Crypto Module for further
processing.
To-the-ACE Traffic
To-the-ACE traffic is traffic that is destined to an interface VLAN IP address on the ACE. This traffic must match a class map of
type management, which is associated with a policy map and applied as a service policy on an interface VLAN. The management
Cisco Application Control Engine (ACE) Troubleshooting Guide
This management traffic is called control plane traffic because it is destined to the CP. Because of the separation of the CP traffic
from the data plane traffic on different processors, the control plane traffic will never interfere with data plane traffic, even if the
control plane is oversubscribed.
Through-the-ACE Traffic
The CDE sends traffic that requires load balancing, forwarding, routing, or other processing by the ACE to one of the NPs.
The NPs comprise two parallel forwarding paths that maintain their own connection state information and forward traffic
independently.
This article describes some basic troubleshooting steps that you can perform to rule out some of the simpler issues before delving
deeper into the troubleshooting process.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
To-the-ACE Traffic 19
Cisco Application Control Engine (ACE) Troubleshooting Guide
Contents
• 1 Preliminary ACE Troubleshooting Steps
• 2 Checking the ACE Status from the Supervisor Engine
• 3 Verifying the MSFC VLAN Configuration
• 4 Establishing a Session with the ACE from the Supervisor
Engine
• 5 Verifying the ACE is Receiving VLAN Allocations from the
MSFC
• 6 Verifying the ACE Image
• 7 Verifying Your ACE Licenses
• 8 Configuring an ACL to Permit Input Traffic to the ACE
• 9 Verifying that the ACE is Sending and Receiving Traffic
• 10 Verifying to-the-ACE Traffic
Contents 20
Cisco Application Control Engine (ACE) Troubleshooting Guide
telnet 10.1.1.2
Password:
cat6k> enable
Password:
cat6k# show module
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
.
.
5 1 Application Control Engine Module ACE20-6500-K9 SAD1031044S
.
.
1. Check the VLANs configured and allocated to the ACE by entering the following command from the supervisor
engine:
2. Ensure that the VLAN groups that you intend to use for your ACE are allocated properly in the MSFC configuration by
entering the following commands:
3. Verify that the VLANs you intend to use in your ACE are configured in the MSFC by entering the following command:
4. Ensure that traffic is routed to two ACEs in the same chassis when both client- and server-side VLANs are configured
as switched virtual interfaces (SVIs) on the MSFC in routed mode by entering the following command:
ACE_module5 login:
If interface VLANs are already assigned on the ACE you can use the show interface vlan <num> command to verify the
interface is properly assigned on the MSFC and up on the MSFC:
vlan10 is up
Hardware type is VLAN
MAC address is 00:18:b9:a6:89:0d
Mode : routed
IP address is 10.10.10.1 netmask is 255.255.255.0
FT status is non-redundant
Description:not set
MTU: 1500 bytes
Last cleared: never
Alias IP address not set
Peer IP address not set
Assigned from the Supervisor, up on Supervisor
7101679 unicast packets input, 878043707 bytes
0 multicast, 0 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
6387914 unicast packets output, 1541924399 bytes
0 multicast, 22826 broadcast
0 output errors, 0 ignored
Software
loader: Version 12.2[121]
system: Version A2(2.0) [build 3.0(0)A2(2.0)] <--------
system image file: [LCP] disk0:c6ace-t1k9-mzg.A2_2_0.bin <--------
installed license: no feature license is installed
Hardware
Cisco ACE (slot: 5)
cpu info:
number of cpu(s): 2
cpu type: SiByte
cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
memory info:
total: 955396 kB, free: 289704 kB
shared: 0 kB, buffers: 2336 kB, cached 0 kB
cf info:
filesystem: /dev/cf
total: 1000000 kB, used: 494912 kB, available: 505088 kB
You can also see the licenses that reside on the Flash disk by entering the following command:
In the above example, there is an SSL 5K TPS license on the Flash disk that has not yet been installed in the ACE.
A trace of the Te?/1 (10-Gbps switch fabric interface, where ? = the module number) interface will show you whether packets are
arriving at the switch fabric interface (SFI).
Another useful command is the show cde health command on the ACE. This command shows the current state of the
Classification Distribution Engine (CDE). The network processors (NP1 and NP2) are represented by IXP0 and IXP1,
Cisco Application Control Engine (ACE) Troubleshooting Guide
respectively. You should not observe any drops, errors, or flow control issues in the output of this command. If the Packets
Received or the Packets Transmitted counters of the CDE Hyperion Interface are not increasing, then packets are not coming into
or going out of the ACE.
You can also use the show interface command on the ACE to display traffic that is sent and received on the interface for each
VLAN that is configured on the ACE.
vlan130 is up
Hardware type is VLAN
MAC address is 00:18:b9:a6:91:15
Mode : routed
IP address is 10.86.215.134 netmask is 255.255.255.0
FT status is non-redundant
Description:not set
MTU: 1500 bytes
Last cleared: never
Alias IP address not set
Peer IP address not set
Assigned from the Supervisor, up on Supervisor
59858 unicast packets input, 41711169 bytes <-------
193118 multicast, 280789 broadcast <-------
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops <-------
6260 unicast packets output, 785167 bytes <-------
0 multicast, 1892 broadcast <-------
0 output errors, 0 ignored <-------
Use the following commands to verify that traffic is going to and coming from the control plane.
Global Errors
-------------
Rx Underflows : 0
Rx Overflows : 0
Tx Underflows : 0
Tx Overflows : 0
Resets : 0
Zbuff alloc fail : 0
Interrupt Stats
---------------
Total Interrupt count : 2529603
Rx Interrupt count : 2524302
Tx interrupt count : 5310
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Understanding ROMMON Mode and the ACE Boot
Configuration
♦ 1.1 Setting the Boot Method from the Configuration
Register
♦ 1.2 Booting the ACE from the ROMMON Prompt
♦ 1.3 Setting the BOOT Environment Variable
♦ 1.4 Displaying the ACE Boot Configuration
• 2 Restarting the ACE
♦ 2.1 Restarting the ACE from the ACE CLI
♦ 2.2 Restarting the ACE from the Supervisor Engine
• 3 Establishing a Console Connection to the ACE
• 4 Troubleshooting ACE Boot Problems
Contents 30
Cisco Application Control Engine (ACE) Troubleshooting Guide
The ACE enters ROMMON mode if it does not find a valid system image, if the Flash memory configuration is corrupted, or if
the configuration register is set to enter ROMMON mode.
Note: You can manually enter ROMMON mode by restarting the ACE and then pressing the Break key during the first 60
seconds of startup. If you are connected to the ACE through a terminal server, you can escape to the Telnet prompt and
then enter the send break command to enter the ROMMON mode.
Setting the Boot Method from the Configuration Register
To change the configuration register settings and how the ACE boots from the CLI, use the following configuration mode
command:
config-register value
• 0?ACE boots to the ROMMON prompt. The ACE remains in ROMMON mode at startup.
• 1?ACE boots from the system image identified in the BOOT environment variable. If the ACE encounters an error or if
the image is not valid, it will try the second image (if one is specified). If the second image also fails to boot, the ACE
returns to ROMMON mode.
For example, to set configuration register to boot the system image identified in the BOOT environment variable, enter the
following command:
ACE_module5/Admin(config)# config-register 1
The ACE supports two methods of booting the module from the ROMMON prompt:
• To manually change the configuration register setting in ROMMON mode, use the confreg command followed by a value
of 0 or 1.
• To change the boot characteristics using onscreen prompts, use the confreg command without a value.
To instruct the ACE to manually boot from a particular system image, use the confreg command and specify a configuration
register value of 1. Identify the name of the system image file that the ACE uses to boot.
To instruct the ACE to automatically boot from the image specified in the BOOT variable, use the confreg command without
specifying a configuration register value to launch the Configuration Summary menu-based utility. You can then instruct the ACE
to boot from the system image identified in the BOOT environment variable. See the "Setting the BOOT Environment Variable"
section.
For example, to use the confreg command to display the onscreen prompts for changing the boot characteristics of the ACE and
change the configuration register to boot from an image on disk0:, enter the following command:
Configuration Summary
(Virtual Configuration Register: 0x2000)
enabled are:
ignore system config info
console baud: 9600
boot: the ROM monitor
Configuration Summary
(Virtual Configuration Register: 0x2001)
enabled are:
ignore system config info
console baud: 9600
boot: the file specified in BOOT variable
The image_name argument specifies the name of the system image file. If the file does not exist (for example, if you entered the
wrong filename), then the filename is appended to the bootstring, and the "Warning: File not found but still added in the
bootstring" message appears. If the file does exist, but is not a valid image, the file is not added to the bootstring, and the
"Warning: file found but it is not a valid boot image" message appears.
For example, to set the BOOT environment variable, enter the following command:
Caution: Configuration changes that are not written to the Flash partition are lost after a reload. Before rebooting, enter the copy
running-config startup-config command in Exec mode to store the current configuration in Flash memory. If you fail to save
your configuration changes, the ACE reverts to its previous settings upon restarting.
When you enter the reload command, the ACE prompts you for confirmation and performs a cold restart of the ACE:
ACE_module5/Admin# reload
For example, to use the supervisor engine CLI to reset the ACE located in slot 5 of the chassis, enter the following command:
Note: Only the Admin context is accessible through the console port; all other contexts can be reached through Telnet or SSH
sessions.
After you connect the terminal to the console port, use any terminal communications application to access the ACE CLI. The
following procedure uses HyperTerminal for Windows.
To access the ACE by using a direct serial connection, follow these steps:
4. From the drop-down list, select the COM port to which the device is connected.
7. Click OK to connect.
switch login:
9. If the ACE does not find a valid software image on disk0: or if the ACE is configured to enter ROMMON mode upon booting
up, the ROMMON prompt appears.
1. Log in to the Catalyst 6500 series switch or the Cisco 7600 series router and check the status of the ACE by entering the
following command:
Password:
cat6k>enable
Password:
cat6k# show module 5
Mod Ports Card Type Model Serial No.
--- ----- -------------------------------------- ------------------ -----------
5 1 Application Control Engine Module ACE10-6500-K9 SAD1031044S <------- Module is receiving power
The first row of information is populated, so you know that the ACE is powered up. The firmware and software versions are
Unknown and the Status is Other. At this point, you cannot session into the ACE from the supervisor engine.
2. Power cycle the ACE from the supervisor engine to attempt to boot the ACE by entering the following commands:
cat6k# config t
Enter configuration commands, one per line. End with CNTL/Z.
cat6k(config)# no power enable module 5
cat6k(config)# power enable module 5
Wait long enough for the ACE to boot up. Try to Telnet or session to the ACE. If you still cannot Telnet or session to the ACE,
continue with Step 3.
3. Establish a console connection to the ACE. For details about establishing a console connection to the ACE, see the
"Establishing a Console Connection to the ACE" section.
rommon 1>
4. Check the ACE configuration register (confreg) by entering the following command:
A value of 0x1 instructs the ACE to boot from the image in disk0:. A value 0x0 instructs the ACE to boot to the ROMMON
prompt. If the image specified in the BOOT variable is not in disk0:, then the ACE boots to the ROMMON prompt as shown in
Cisco Application Control Engine (ACE) Troubleshooting Guide
6. Ensure that the software image specified in the BOOT variable is present in disk0: by entering the following command:
7. If the specified image is not in disk0:, then you can boot from another image in disk0: by entering the following command:
8. If there is no image on the ACE disk0: to boot from, you can still boot from the supervisor engine. Copy the image to the
supervisor engine's disk0: or disk1:, and then from the supervisor CLI, enter the following command:
9. At the ROMMON prompt on the ACE console, enter the following command to boot the ACE from the Ethernet Out-of-Band
Channel (EOBC) between the ACE and the Catalyst 6500 series switch or the Cisco 7600 series router:
10. If the ACE is not local or you cannot establish a console connection for any other reason, use the following procedure to finish
booting the ACE from the supervisor engine with the boot eobc: command:
This article describes the ACE system logging facility, how to enable logging, and how to use system messages as troubleshooting
tools.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of ACE System
Logging
• 2 Enabling ACE Logging
• 3 Logging Severity Levels
• 4 Adding Information to
syslogs
• 5 Troubleshooting ACE
Logging
♦ 5.1 Displaying Logging
Statistics
♦ 5.2 Displaying the
Logging History
♦ 5.3 Displaying Logging
Messages
♦ 5.4 Displaying Logging
Persistence
♦ 5.5 Displaying the
Logging Rate Limit
Contents 37
Cisco Application Control Engine (ACE) Troubleshooting Guide
• Buffer
• Console
• Flash memory
• Host (remote syslog server)
• Monitor
• Standby
• Supervisor
Each virtual context generates logs independently from the other virtual contexts. The admin virtual context does not log on behalf
of the other contexts in the ACE.
The ACE logs the following connection setup and teardown messages in the CP at the connection speed: 106023, 302022,
302023, 302024, and 302025. These setup and teardown syslogs are directly forwarded to a remote server. Because of the
potentially large number of these messages or if you require high-rate system logging of connection setup and teardown messages,
use the logging fastpath command. This command disables CP syslogs and enables logging of these messages through the DP
using a slightly different format and the following syslog IDs: 106028, 302028, 302029, 302030, and 302031, respectively. You
can log these messages through the fast path only to an external syslog server. All other enabled logging destinations are disabled
by the logging fastpath command.
You can limit the rate at which the ACE generates syslog messages by using the logging rate-limit command. This command
allows you to rate limit syslogs based on one of the following criteria:
• Time interval
• Logging level
• Message ID
Besides logging system messages, the ACE logs access control list (ACL) deny entries.
Note: Remember to enable logging on the standby ACE in a redundant configuration by entering the logging standby
command. To log failover information on the standby ACE, you need to set the logging level to 4.
For details about ACE system message logging, see the Cisco Application Control Engine Module System Message Guide
(Software Version A2(1.0)).
Use the logging monitor severity_level command only when you are troubleshooting problems on the ACE or when there is
minimal load on the network. Using this command at other times when the ACE is active may degrade performance.
Note: logging trap defines the severity sent to the syslog server.
Note: If you do not see syslog messages on the console after enabling logging with the logging enable and logging monitor 7
commands, log out of the ACE and then log in again.
Note: If you specify the default-udp option and TCP logging fails, the ACE sends logging messages over UDP.
You can verify that the ACE defaults to UDP by entering the following command:
Use the logging supervisor command to allow the aggregation of critical syslogs from multiple virtual devices to the Catalyst
6500 series switch or to the Cisco 7600 series router syslog. For example, enter the following command:
• Add a timestamp
• Identify the messages sent to a syslog server
• Identify the ACE device ID in messages that are sent to a syslog server
To identify messages that are sent to a syslog server by severity level, enter the following command:
For example, to identify the ACE device ID in messages that are sent to a syslog server, use the following command syntax:
Messages sent:
console 0
buffer 348
persistent 0
Cisco Application Control Engine (ACE) Troubleshooting Guide
supervisor 1
history 0
monitor 0
host 0
misc 0
Messages discarded:
cfg rate-limit 0
hard rate-limit 0
server down 5
queue full 59
errors 0
SNMP-related counters:
notifications sent 0
history table flushed 0
messages ignored 0
NP-related counters:
to-CP dropped 0
fastpath sent 0
fastpath dropped 0
In the above example, the ACE has discarded 59 control plane (CP) messages. By default, the syslog message queue can hold 80
messages. You can increase the size of the syslog message queue by using the logging queue command in configuration mode.
Set the queue size before you start collecting syslog messages. When traffic is heavy, messages may be discarded if the queue size
is too small. The maximum number of messages that the queue can hold is 8192.
For example, to display all disabled system messages in the ACE, enter the following command:
Mar 24 2009 09:51:31 Admin: %ACE-4-405001: Received ARP REQUEST collision from 10.1.1.240 00.0c.29.74.51.fa on int
Mar 24 2009 09:51:32 Admin: %ACE-4-405001: Received ARP RESPONSE collision from 10.1.1.240 00.0b.fc.fe.1b.03 on in
Mar 24 2009 09:51:36 Admin: %ACE-4-405001: Received ARP REQUEST collision from 10.1.1.240 00.0c.29.74.51.fa on int
Mar 24 2009 09:51:37 Admin: %ACE-4-405001: Received ARP RESPONSE collision from 10.1.1.240 00.0b.fc.fe.1b.03 on in
This article describes how the ACE establishes connections and how to troubleshoot connectivity issues with your ACE.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of ACE Connection Handling
• 2 Internal Mapping of ACE TCP and UDP
Flows
• 3 ACE Connection Table Entries
• 4 Tracking Connections Through the ACE
• 5 Troubleshooting Connections
For L7 flows (for example, L7 load balancing, URL parsing, and generic TCP payload parsing), the ACE acts as a proxy (spoofs
the server), intercepts the client's VIP request that matches an L7 rule, and terminates the TCP connection. See Figure 2. The ACE
sends a SYN-ACK to the client in response to the client's TCP SYN. The client responds with an ACK to complete the TCP
handshake and an L7 request method (for example, HTTP GET or POST).
After the ACE receives the L7 information (for example, HTTP GET), it sets up the back-end connection to the real server based
on the load-balancing method and other criteria. See Figure 3.
Finally, the ACE unproxies the connection with the client and splices it together with the back-end connection to the server. For
the life of the HTTP flow, the client communicates directly with the server through the fast path (hardware-accelerated path in the
network processors), which is depicted in the figures as "Shortcut." See Figures 4.
Figure 5 shows how the ACE adjusts the sequence numbers and ACK numbers when it splices the two flows together.
Figure 5. Layer 7 Flow Setup -- Adjusting the Sequence and ACK Numbers
With the persistence rebalance (connection keepalive) command configured, the ACE reproxies and parses subsequent HTTP 1.1
requests over the same TCP connection. In this case, the ACE again spoofs the server and ACKs the HTTP GET as shown in
Figure 6. The sequence shown in Figure 2 through Figure 5 repeats for each new HTTP 1.1 request over the same TCP
connection.
For SSL termination, TCP server reuse, application protocol inspection, and HTTP 1.1 pipelining, the ACE fully terminates the
client TCP connection. This connection remains fully proxied because the ACE is acting on behalf of the real server. For SSL
termination, the ACE completes an SSL handshake after it establishes the TCP connection with the server. See Figure 7.
For SSL termination, TCP server reuse, application protocol inspection, and HTTP 1.1 pipelining, the client and server
connections are completely independent and flows are handled in the software, not in the fast path. See Figure 8.
You can display both the front-end and the back-end connection statistics by entering the "-v" (verbose) option of the show np
command as follows:
Troubleshooting Connections
To troubleshoot suspected connectivity issues, follow these steps:
Cisco Application Control Engine (ACE) Troubleshooting Guide
1. Check the ACL hit count by entering the show access-list acl_name command. If the hit count is increasing, go to Step 2.
Otherwise, verify that the access list is configured properly to permit traffic.
2. Check the service policy hit count by entering the show service-policy detail command. If the hit count is 0, verify that the
service policy is active (show service-policy command) and the server farm is up (show server-farm detail command). If the
service policy is large, use the show service-policy policy_name summary command for more information as follows:
service-policy: VIP
Class VIP Prot Port VLAN
State Curr Conns Hit Count Conns Drop
VIP 192.168.12.192 tcp eq 443 100
IN-SRVC 0 0 0
192.168.12.192 tcp eq 80 100
IN-SRVC 0 0 0
192.168.12.193 tcp eq 80 100
IN-SRVC 0 0 0
192.168.12.193 tcp eq 443 100
IN-SRVC 0 0 0
VIP2 192.168.12.194 tcp eq 80 100
IN-SRVC 0 0 0
192.168.12.194 tcp eq 443 100
IN-SRVC 0 0 0
3. Check the load-balancing statistics by entering the show stats loadbalance command. If the Layer 4 or Layer 7 rejections or
the Layer 4 or Layer 7 policy misses are increasing, check the configured class maps for any misconfiguration.
+------------------------------------------+
+------- Loadbalance statistics -----------+
+------------------------------------------+
Total version mismatch : 0
Total Layer4 decisions : 0
Total Layer4 rejections : 3 <-------|
Total Layer7 decisions : 0 |------- Failed connections due to traffic not matching the conf
Total Layer7 rejections : 7 <-------|
Total Layer4 LB policy misses : 0
Total Layer7 LB policy misses : 0
Total times rserver was unavailable : 10 <------- Failed connections due to no real server'
Total ACL denied : 0
Total IDMap Lookup Failures : 0
To clear the load-balancing statistical information stored in the ACE buffer, enter the clear stats loadbalance command.
4. If none of the error statistics is increasing, check the connection record by entering the show conn detail command and
checking the connections for the affected VIP.
+------------------------------------------+
+------- Connection statistics ------------+
+------------------------------------------+
Total Connections Created : 628950
Total Connections Current : 7
Total Connections Destroyed: 389
Total Connections Timed-out: 3958
Total Connections Failed : 624596 <------- Server did not reply to a SYN within the pending timeout period or i
The Total Connection Failed counter increases when the ACE cannot set up the back-end connection with the server. To clear the
statistical information stored in the ACE buffer, enter the clear stats connection command.
Troubleshooting Connections 71
Cisco Application Control Engine (ACE) Troubleshooting Guide
description : -
state : ACTIVE
predictor : ROUNDROBIN <------- Shows the load-balancing predictor that was used
failaction : -
back-inservice : 0
partial-threshold : 0
num times failover : 0
num times back inservice : 0
total conn-dropcount : 0
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+--------+---------------------+-----------+----------+---------
rserver: linux-1
192.168.1.11:0 8 OPERATIONAL 0 0 0 <------- Shows connection s
each real server
max-conns : - , out-of-rotation count : -
min-conns : -
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
The Connections Failures counter for a real server in a server farm may increment for one of the following reasons:
8. Display the statistics for a connection parameter map by entering the following command:
Number of parameter-maps : 1
Parameter-map : CONN_PARAMMAP
Type : connection
nagle : disabled
slow start : disabled
buffer-share size : 32768
inactivity timeout (seconds) : TCP: 3600, UDP: 120, ICMP: 2
embryonic timeout (seconds) : 5
ack-delay (milliseconds) : 200
WAN Optimization RTT (milliseconds): 65535
half-closed timeout (seconds) : 3600
TOS rewrite : disabled
syn retry count : 4
TCP MSS min : 0
TCP MSS max : 1460
tcp-options drop range : 0-0
tcp-options allow range : 0-0
tcp-options clear range : 1-255
selective-ack : clear
timestamp : clear
window-scale : clear
window-scale factor : 0
reserved-bits : allow
random-seq-num : enabled
SYN data : drop
exceed-mss : drop
urgent-flag : allow
conn-rate-limit : disabled
bandwidth-rate-limit : disabled
Troubleshooting Connections 72
Cisco Application Control Engine (ACE) Troubleshooting Guide
This article describes how to troubleshoot issues involving ACE remote access.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of ACE Remote Access
• 2 Configuring a Management Policy for Remote
Access
• 3 Troubleshooting Remote Access
♦ 3.1 Troubleshooting Telnet
♦ 3.2 Troubleshooting SSH
♦ 3.3 Troubleshooting KAL-AP
Contents 73
Cisco Application Control Engine (ACE) Troubleshooting Guide
• HTTP
• HTTPS
• ICMP
• KALAP-UDP
• SSH
• SNMP
• Telnet
These protocols require that you configure a management traffic policy on the ACE and associate that policy with the interface
that you intend to use for management traffic. A management policy allows the classification and distribution engine (CDE) to
classify (match) incoming management traffic to the management policy and to forward that traffic to the control plane (CP). For
complete details about remote access, see the Cisco Application Control Engine Module Administration Guide (Software Version
A2(1.0)).
1. Beginning with ACE software release A2(1.1), by default, the ACE CLI is only locally accessible either using the ACE console
port or through the supervisor by entering the session command. Remote access to the ACE (for example, Telnet, SSH, and so on)
is disabled until you change the admin user account password from the default. Access to the XML API is also disabled until you
change the www user account password from the default. The ACE will display these warnings each time you access the CLI
using the the console port or the supervisor until you change these passwords.
Use the following commands to change the passwords of the admin and www user accounts:
ACE_module5/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
ACE_module5/Admin(config)# username admin password 0 cisco123 role Admin domain default-domain
ACE_module5/Admin(config)# username www password 0 cisco123 role Admin domain default-domain
ACE_module5/Admin(config)# exit
Note that, although the passwords were entered in clear text above, they will be stored in the ACE configuration in an encrypted
format:
2. Ensure that the remote access method protocol (for example, Telnet or SSH) that you are trying to use is configured in the
management class map and that the management class has been permitted in the management policy. If necessary, correct your
ACE configuration. To display your management policy configuration elements, enter the following Exec mode commands:
3. Ensure that the management policy is applied to the correct interface and that you are using the correct IP address for that
interface. If necessary, correct your configuration. Enter the following command:
4. Check the status of the management interface by entering the following command:
vlan100 is up
Hardware type is VLAN
MAC address is 00:18:b9:a6:91:15
Mode : routed
IP address is 192.168.12.15 netmask is 255.255.255.0
FT status is non-redundant
Description:not set
MTU: 1500 bytes
Last cleared: never
Alias IP address not set
Peer IP address not set
Assigned from the Supervisor, up on Supervisor
115303 unicast packets input, 74570169 bytes
273637 multicast, 521226 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
12591 unicast packets output, 2120271 bytes
0 multicast, 4604 broadcast
0 output errors, 0 ignored
5. If the interface is down, ensure that the no shutdown command is configured on the interface to enable it. If necessary, correct
your configuration. Enter the following command:
6. Ensure that you have not exceeded the allocated resources for management connections or maximum management bandwidth
by entering the following commands:
7. If necessary, allocate more resources to management connections by entering the following command:
Management traffic is considered to-the-ACE traffic or CP traffic. If traffic is reaching the CP, the Normal Priority (Data) Net Rx
Packets, Net Rx Bytes, Net TX packets, and Net TX bytes counters should be increasing. If not, contact TAC.
9. If traffic is not arriving at the CP, ensure that traffic is reaching the classification and distribution engine (CDE) from the SFI by
entering the following command:
<snip>
If traffic is reaching the CDE, the Packets received and the CDE Hyperion Interface Packets transmitted counters should be
increasing. If not, contact TAC.
10. If packets are not reaching the CDE, ensure that the MSFC in the Catalyst 6500 series switch or the Cisco 7600 series router is
sending packets to the switch fabric interface (SFI) by entering the following command on the supervisor engine:
If the MSFC is sending traffic to the SFI, the packets input and the packets output counters should be increasing. If not, contact
TAC.
Troubleshooting Telnet
If you cannot Telnet to the ACE, ensure that you have not reached the maximum connection limit for Telnet by entering the
following commands:
The show telnet command output shows only one Telnet session. A maximum of 15 more users can potentially Telnet to the
Admin context.
Troubleshooting Telnet 78
Cisco Application Control Engine (ACE) Troubleshooting Guide
To display the maximum number of users allowed to Telnet to a particular context, enter the following command:
Troubleshooting SSH
If you attempt to connect to the ACE using SSH and receive the following error, follow these steps:
1. Ensure that SSH is enabled in the management policy by entering the following command:
2. Ensure that the SSH key has been generated by entering the following command:
The show ssh key command output shows that no SSH key has been generated.
3. Generate an SSH key based upon your security requirements by entering the following commands:
ACE_module5/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
ACE_module5/Admin(config)# ssh key rsa 4096
generating rsa key(4096 bits).....
.........................
generated rsa key
ACE_module5/Admin(config)# exit
switch/Admin# show ssh key
dsa rsa rsa1
ACE_module5/Admin# show ssh key
**************************************
could not retrieve rsa1 key information
Cisco Application Control Engine (ACE) Troubleshooting Guide
**************************************
rsa Keys generated:Tue Apr 7 15:55:20 2009
ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAgEAr3z0MO0knoS6YwntSxUkWDWjHZfFE7Y6nLd8qQVcPMu0
XpvkabDswLwoEdC9nOWM4v4g4PDpUz+tk+2WHJ4MMgRVeomVbK/2+Zx0Eds1p2XlhiV9KPcV
pflpNNt63Mr01oLHoHpjxJ8ubfJJ+gPhMoBmQyGKedQOk5tVlbOpyxS2f7yWGqzF26AzXTFFdS0xYEcN4GrtziduBlh4TYRxk99JR13
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+9C0i
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+uowK
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+gHaa
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+ryoo
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+iKsh
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+/cut
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+7OvN
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+w6ig
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+msEF
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+XvRo
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+w34s
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+mbRk
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+e9p2
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+PEAQ
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+D+Ty
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+GsLz
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+EaKa
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+MNQm
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+VVkV
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+4d21
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+x6VH
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+fEGT
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+64zM
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+Hf/a
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+e9Tu
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+W4nD
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+7SUP
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+leL+
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+Tmwt
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+8ymk
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+20L0
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+ym2A
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+mfe5
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+A+Py
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+k/Dx
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+NeCF
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+mSK1
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+V747
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+M0xG
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+QiEP
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+CCTj
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+8lkb
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+GXOo
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+C094
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+eDPM
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+F+xp
ZAWROUVbRMFz1MjblIVX+C9nygSGeaMJ9KDosbUlQCBnOtWViPblov0lViwk4QEHAAL+eNj
zsFzc1023QU8xwlrhgvL0xXKxUmITV4y2VaSmEc/0RH/c4XAinNy955X6w9ejqXG9aYFjljLBtCHKXgyAZbQ48E4UPtPwPTCC3R1pFapfNAJMQ55kf
/6x/6XVFPBw4okLcz6tVDLqn7dGiTEjzYgfQBwKXiIPrGg9EmBgwmQKWuJpOde+jbMD9kU1WmUoUWvTvPtXQ0=
bitcount:4096
fingerprint:
13:96:fe:f0:f7:d7:5f:9c:d7:2a:da:72:8a:93:53:a6
**************************************
could not retrieve dsa key information
**************************************
4. Try connecting to the ACE via SSH again by entering the following command:
Password:
Cisco Application Control Software (ACSW) TAC support: http://www.cisco.com/tac Copyright (c) 1985-2009 by Cisco S
The copyrights to certain works contained herein are owned by other third parties and are used and distributed und
Some parts of this software are covered under the GNU Public License. A copy of the license is available at http:/
ACE_module5/Admin#
5. Confirm the SSH session from the ACE CLI by entering the following command:
Troubleshooting KAL-AP
To troubleshoot KAL-AP related issues, follow these steps:
1. Make sure that KAL-AP is enabled under the management policy by entering the following commands:
2. Verify that traffic from the Cisco Global Site Selector (GSS) is reaching the ACE module. KAL-AP statistics should get
incremented.
+-----------------------------------------------------+
+---------------- KAL-AP(UDP) statistics -------------+
+-----------------------------------------------------+
Troubleshooting KAL-AP 81
Cisco Application Control Engine (ACE) Troubleshooting Guide
Total requests with parse errors : 0
Total response transfer errors : 0
-----------------------------------------------------
3. Allow secure KAL-AP requests, and add the GSS IP address and the shared secret to the ACE by entering the following
commands:
ACE_module5/Admin# config
ACE_module5/Admin(config)# kalap udp
ACE_module5/Admin(config-kalap-udp)# ip address 192.168.10.52 encryption md5 cisco
(GSS IP)
4. Display information about the load VIP by entering the following command:
If the VIP object is not found while displaying the load value as shown above, check whether the VIP got downloaded in the
configuration manager internal table by entering the following command:
This article describes security access control lists (ACLs) in the ACE, how to configure them, and troubleshooting steps to follow
if you encounter problems with ACLs.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
Troubleshooting KAL-AP 82
Cisco Application Control Engine (ACE) Troubleshooting Guide
Contents
• 1 Overview of Security Access
Control Lists
♦ 1.1 ACL Types and Uses
♦ 1.2 ACL Configuration
Guidelines
◊ 1.2.1 ACL Entry
Order
◊ 1.2.2 ACL Implicit
Deny
◊ 1.2.3 Maximum
Number of ACL
Entries
• 2 Configuring ACLs
• 3 ACL-Related syslogs
• 4 Troubleshooting ACLs
An implicit deny-all entry exists at the end of each ACL, so you must configure an ACL on each interface that you want to permit
connections. Otherwise, the ACE denies all traffic on the interface.
ACLs allow you to control network connection setups rather than processing each packet. Such ACLs are commonly referred to as
security ACLs. You can configure ACLs as parts of other features (for example, security, Network Address Translation (NAT),
Contents 83
Cisco Application Control Engine (ACE) Troubleshooting Guide
server load balancing (SLB), and so on). The ACE merges these individual ACLs into one large ACL called a merged ACL. The
ACL compiler then parses the merged ACL and generates the ACL lookup mechanisms. A match on this merged ACL can result
in multiple actions.
Note: You can apply only one extended ACL to each direction (inbound or outbound) of an interface. You can also apply the
same ACL on multiple interfaces. You can apply EtherType ACLs only in the inbound direction and only on Layer 2
interfaces.
ACL Types and Uses
You can configure the following two types of ACLs in the ACE:
The ACE does not explicitly support standard ACLs. To configure a standard ACL, specify the destination address as any and do
not specify ports in an extended ACL. For details about configuring an extended ACL, see the ?Configuring an Extended ACL?
section.
An ACL consists of one or more entries. Depending on the ACL type, you can specify the source and destination addresses, the
protocol, the ports (for TCP or UDP), the ICMP type, the ICMP code, or the EtherType as the match criteria. By default, the ACE
appends each ACL entry at the end of the ACL. You can also indicate the location of each entry within an ACL by specifying a
line number.
The order of the entries is important. When the ACE decides whether to accept or refuse a connection, the ACE tests the packet
against each ACL entry in the order in which the entries are listed. After it finds a match, the ACE does not check any more
entries. For example, if you create an entry at the beginning of an ACL that explicitly permits all traffic, the ACE does not check
any other statements in the ACL.
Note: If there is a deny statement for packets coming to the Control Plane (CP), then the ACE skips to the next ACL entry.
ACL Implicit Deny
All ACLs have an implicit deny entry at the end of the ACL, so, unless you explicitly permit it, traffic cannot pass. For example, if
you want to allow all users to access a network through the ACE except for those users with particular IP addresses, then you must
deny the particular IP addresses in one entry and permit all other IP addresses in another entry.
ACLs are used in ACE as conventional access-groups, and also for use in class maps. The ACLs are converted into trees of
different data structures called nodes, which are merged into a single tree instance that consists of nodes of one type called Policy
Action Nodes (PANs). This merged tree is then transferred to the dataplane. A tree is created for each instance, and an instance is
defined as a VLAN interface in either the input or output direction. Therefore, all ACLs that are applied to a given VLAN and a
given direction contribute to the node usage for that instance.
Cisco Application Control Engine (ACE) Troubleshooting Guide
The ACE supports a maximum of 256,000 Policy Action Nodes (PANs) entries. Some ACLs use more memory than others, such
as an ACL that uses large port number ranges or overlapping networks (for example, one entry specifies 10.0.0.0/8 and another
entry specifies 10.1.1.0/24). Depending on the type of ACL, the actual limit that the ACE can support may be less than 256,000
PANs entries.
If you use object groups in ACL entries, you enter fewer actual ACL entries, but the same number of expanded ACL entries as
you did when you entered entries without object groups. Expanded ACL entries count toward the system limit. To view the
number of expanded ACL entries in an ACL, use the show access-list name command.
If you exceed the memory limitations of the ACE, it generates a syslog message and increments the Download Failures counter in
the output of the show interface vlan number command. The configuration remains in the running-config file and the interface
stays enabled. The ACL entries stay the same as they were before the failing configuration was attempted.
For example, if you add a new ACL with ten entries, but the addition of the sixth entry fails because the ACE runs out of memory,
the ACE removes the five entries that you successfully entered.
Note: You must allocate sufficient ACL memory resources for each virtual context in the ACE. The ACE does not generate a
syslog if you exceed the maximum number of ACL entries.
Configuring ACLs
You can configure ACLs in one of two ways:
You can permit or deny network connections based on the IP protocol, source and destination IP addresses, and TCP or UDP
ports. To configure a non-ICMP extended ACL, enter the following command:
access-list name [line number] extended {deny | permit} {protocol {any | host src_ip_address | src_ip_address netmask |
object-group net_obj_grp_name} [operator port1 [port2]] {any | host dest_ip_address | dest_ip_address netmask | object-group
net_obj_grp_name} [operator port3 [port4]]} | {object-group service_obj_grp_name} {any | host src_ip_address |
src_ip_address netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask |
object-group net_obj_grp_name}
You can also permit or deny network connections based on the ICMP type (for example, echo, echo-reply, unreachable, and so
on). To configure an ICMP extended ACL, enter the following command:
access-list name [line number] extended {deny | permit} {icmp {any | host src_ip_address | src_ip_address netmask |
object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group net_obj_grp_name}
[icmp-type code [operator code1 [code2]]]} | {object-group service_obj_grp_name} {any | host src_ip_address | src_ip_address
netmask | object-group net_obj_grp_name} {any | host dest_ip_address | dest_ip_address netmask | object-group
net_obj_grp_name}
You can configure an ACL that controls traffic based on its EtherType. An EtherType is a subprotocol identifier. EtherType ACLs
support Ethernet V2 frames; they do not do not support 802.3-formatted frames. To configure an Ethertype ACL, enter the
following command:
Note: You can configure an EtherType ACL on a Layer 2 interface in the inbound direction only. If you are operating the
ACE in bridge mode, be sure to configure an ACL on all interfaces that permit BPDUs. Otherwise, a bridge loop may
result.
Cisco Application Control Engine (ACE) Troubleshooting Guide
For example, to configure an extended ACL to permit all IP traffic from any source IP address and that is destined to any IP
address on interface VLAN 200, enter the following commands:
You can apply an ACL to all interfaces in a context at once, subject to the following conditions:
For example, to apply ACL1 to all interfaces in the Admin context, enter the following command in configuration mode:
To configure an ACL match statement in a class map, enter the following commands:
For more details about ACLs and how to configure them, see the Cisco Application Control Engine Module Security
Configuration Guide.
ACL-Related syslogs
When a packet matches an ACL entry, a syslog message is generated based on the following rules:
• All ACL deny entries generate a syslog message unless logging is explicitly disabled using the no logging enable
command in configuration mode.
• An ACL permit entry generates a syslog message only if logging is enabled using the logging enable command in
configuration mode.
• All implicit deny entries generate the default deny syslog (%ACE-4-106023).
To minimize syslog message generation, the ACE uses the flow cache as follows:
1. For the first packet hit on an ACL entry, the ACE generates a syslog and caches the flow (5-tuple) in the connection table.
2. For subsequent hits on the same ACL entry, the ACE checks the cache. If it finds the flow in the cache, the ACE
increments a hit counter for this entry in the cache and does not generate a syslog.
3. After some time (the default is 300 seconds, which is configurable in the ACL entry definition in the CLI as the
interval_secs option), the ACE generates a syslog and sets the hit count to 0.
Cisco Application Control Engine (ACE) Troubleshooting Guide
4. However, if at the expiry of the above time, the hit count is 0, the ACE deletes the cache entry silently. So by default, a
cache entry is aged out 600 seconds after the last hit.
Troubleshooting ACLs
Many ACL issues manifest themselves by all traffic or only certain traffic being denied or permitted access to the ACE or out of
the ACE. Remember that, initially, all traffic to the ACE is denied until you permit traffic using an ACL. Every ACL contains an
implicit deny at the end of it, so only traffic that you explicitly permit will have access to the ACE. To troubleshoot ACLs, follow
these steps:
1. Verify that your ACL configuration is correct for your network application. Make any required changes to the running-config
file, and then test the configuration. If it is satisfactory, save it to the startup-config file using the copy runnning-config
startup-config command.
For example, to display the ACLs that you have configured in your ACE, enter the following command:
access-list ACL1 remark This ACL permits any IP traffic from any source going to any destination except for ICMP t
192.168.12.15 255.255.255.192.
access-list ACL1 line 8 extended permit ip any any
access-list ACL1 line 10 extended deny icmp 192.168.12.15 255.255.255.192 any echo code range 1 1 (hitcount=0) [0x
access-list ANYONE line 8 extended permit ip any any
To verify that the configured ACLs are applied to the correct interfaces and in the right directions (input or output), enter the
following command:
2. Verify that you have allocated sufficient resources for ACLs. To display the allocated resources in your ACE, enter the
following command:
For example, to allocate a 10 percent minimum and a maximum of unlimited resources for ACL memory in the Admin virtual
context, enter the following commands:
3. Display the details of an individual ACL by using the show access-list acl_name detail command. This command displays
every entry in the specified ACL, the hit counts for each entry, and a 32-bit hexadecimal MD5-hash value that the ACE computes
from the access-list command immediately when you configure an ACL. The ACE includes this hash value in deny syslog
messages (106023) to help you identify the ACL entry that caused the deny syslog. For example to display the details of the ACL1
access control list, enter the following command:
%ACE-4-106023: Deny protocol number | name src incoming-interface:src-ip dst outgoing-interface:dst-ip by access-g
An IP packet was denied by the ACL.
Explanation: This message displays even if you do not have the log option enabled for an ACL. If a packet hits an input
ACL, the outgoing interface will not be known. In this case, the ACE prints the outgoing interface as undetermined. The
source IP and destination IP addresses are the unmapped and mapped addresses for the input and output ACLs,
respectively, when used with NAT.
Troubleshooting ACLs 88
Cisco Application Control Engine (ACE) Troubleshooting Guide
Recommended Action: If messages persist from the same source address, messages may indicate a foot-printing or
port-scanning attempt. Contact the remote host administrators.
An ACL merged list is a large ACL that the CP compiles from multiple security ACL entries and policies. When the ACE
executes an ACL merged list, it performs multiple actions on a flow that matches the merged list.
4. Display the actions that the ACE will perform on a flow by entering the show acl-merge merged-list command. For example,
to display the merged list for VLAN 100, enter the following command:
5. If the acl-memory Denied counter in the output of the show resource usage command is incrementing and the Peak (ACL)
memory counter has not exceeded the Max Allocated ACL memory counter, the problem may lie with one of the nodes in the
ACL merge tree. The ACL merge tree contains several different kinds of nodes (see the example output below), each of a different
size and each with a maximum limit. If you allocate a minimum of 10 percent of the ACE resources to ACL memory, the ACE
will guarantee 10% of the maximum number of each node. If your configuration causes the ACE to exceed the maximum value of
one of these nodes, the ACL resource allocation will fail and the acl-memory Denied counter will increment.
To monitor the ACL merge tree node usage in the ACE, enter the following command:
You can calculate the percentage of use for each node type by dividing the used nodes value by the maximum number of nodes
and multiplying the result by 100. If any of these percentages exceeds the maximum value of allocated ACL memory for the
context, increase the max value of allocated ACL memory using the limit-resource acl-memory command in resource class
configuration mode so that that value is greater than or equal to the highest used nodes percentage that you calculated.
Alternatively, if you are approaching the limits of ACL resource capacity, you may consider consolidating your ACL
configuration.
If the ACL nodes are depleted while the ACE is downloading ACL configurations for an interface, the complete ACL merged list
for that interface is deleted and no traffic flows through that interface. The ACE increments the download failure counter in the
output of the show interface command and the ACE logs a system message from the configuration manager.
ACE_module5/Admin# show np 1 access-list trace vlan 130 in protocol 1 source 172.27.16.23 2000 destination 192.168
Root 0x2c01b00
Src Mtrie (0) offset 1 curr 0x2c01b00 child 0x0 leaf 0x10a840
Dst Mtrie (0) offset 2 curr 0x10a840 child 0x0 leaf 0x3c01330
proto ICMP head node 0x4004880
proto node 0x4004880
src op range port 0/65535
dst op range port 0/65535 lineno 112000
inner match line#:112000
inner match line#: 112000
Troubleshooting ACLs 90
Cisco Application Control Engine (ACE) Troubleshooting Guide
This article describes ACE network address translation (NAT), how to configure it, and how to troubleshoot issues with NAT that
you may encounter.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of ACE Network Address
Translation
• 2 NAT Configuration Guidelines and
Restrictions
• 3 Configuring Dynamic NAT and PAT
• 4 Configuring Server-Farm Based Dynamic
NAT
• 5 Configuring Static NAT and Port Redirection
• 6 Configuring SNAT with Cookie and Load
Balancing
• 7 Troubleshooting ACE NAT and PAT
Contents 91
Cisco Application Control Engine (ACE) Troubleshooting Guide
You can also configure the ACE to translate the private address of a server to a global IP address that is accessible to clients. This
process is called destination NAT (DNAT) and protects the server by hiding its real IP address from the Internet.
Besides translating IP addresses, you can configure the ACE to translate TCP and UDP ports. This process is called port address
translation (PAT).
• If a packet egresses an interface that you have not configured for NAT, the ACE transmits the packet untranslated.
• You can configure dynamic NAT or static NAT as an input service policy only; you cannot configure it as an output
service policy.
• When you remove a traffic policy from the last VLAN interface on which you applied the service policy, the ACE
automatically resets the associated service-policy statistics. The ACE performs this action to provide a new starting point
for the service-policy statistics the next time that you attach a traffic policy to a specific VLAN interface.
The following SNAT configuration example shows the commands that you use to configure dynamic NAT and PAT on your
ACE. In this SNAT example, packets that ingress the ACE from the 192.168.12.0 network are translated to one of the IP
addresses in the NAT pool defined on VLAN 200 by the nat-pool command. The pat keyword indicates that ports higher than
1024 are also translated.
Note: If you are operating the ACE in one-arm mode, omit the client-side interface VLAN 100 and configure the service
policy on interface VLAN 200.
access-list NAT_ACCESS line 10 extended permit tcp 192.168.12.0 255.255.255.0 172.27.16.0 255.255.255.0 eq http
Note: If you are operating the ACE in one-arm mode, omit interface VLAN 100 and configure the service policy on interface
VLAN 200.
access-list NAT_ACCESS line 10 extended permit tcp 192.168.12.0 255.255.255.0 172.27.16.0 255.255.255.0 eq http
rserver SERVER1
ip address 172.27.16.3
inservice
rserver SERVER2
ip address 172.27.16.4
inservice
serverfarm SFARM1
rserver SERVER1
inservice
rserver SERVER2
inservice
class-map type http loadbalance match-any L7_CLASS
match http content .*cisco.com
class-map match-any NAT_CLASS
match access-list NAT_ACCESS
access-list acl1 line 10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 any
1. Display your NAT and PAT configurations by entering the following commands:
Status : ACTIVE
-----------------------------------------
Interface: vlan 100
service-policy: NAT_POLICY
class: NAT_CLASS
nat:
nat dynamic 1 vlan 200
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
2. Use the show xlate command to verify that dynamic NAT and PAT, and static NAT and port redirection, are taking place
properly.
The following example output of the show xlate command shows dynamic NAT (SNAT in this example). When you use
Telnet from IP address 172.27.16.5 in VLAN 2020, the ACE translates it to IP address 192.168.100.1 in VLAN 2021.
The following example shows dynamic PAT. When you use Telnet from IP address 172.27.16.5 port 38097 in VLAN
2020, the ACE translates it to IP address 192.168.201.1 port 1025 in VLAN 2021.
The following example shows static NAT. The ACE maps real IP address 172.27.16.5 to IP address 192.168.210.1.
The following example shows static port redirection (DNAT in this example). A host at IP address 192.168.0.10:37766
uses Telnet to connect to IP address 192.168.211.1:3030 on VLAN 2021 on the ACE. The ACE maps IP address
172.27.0.5:23 on VLAN 2020 to IP address 192.168.211.1:3030 on VLAN 2021.
3. To display the NAT policy and pool information for the current context, enter the show nat-fabric command. The syntax of
this command is as follows:
show nat-fabric {policies | src-nat policy_id mapped_if | dst-nat static_xlate_id | nat-pools | implicit-pat| global-static}
src-nat policy_id mapped_if -- Displays the specified source NAT policy information. To obtain the values for the
policy_id and mapped_if arguments, view the policy_id and mapped_if fields displayed by the show nat-fabric policies
command.
dst-nat static_xlate_id -- Displays the static address translation for the specified static XLATE ID. To obtain the value for
the static_xlate_id argument, view the static_xlate_id field displayed by the show nat-fabric policies command.
global-static -- Displays global static NAT information when the static command in global configuration mode is
configured.
Nat objects:
This article describes ACE health monitoring (probes), how to configure it, and how to troubleshoot issues with probes that you
may encounter.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Contents
• 1 Overview of ACE Health
Monitoring
♦ 1.1 Configuring Probes
♦ 1.2 Example of a Probe
Configuration
• 2 Troubleshooting ACE Health
Monitoring
♦ 2.1 Troubleshooting an
HTTP Probe Error
♦ 2.2 Troubleshooting an
HTTPS Probe Error
♦ 2.3 Troubleshooting an
SNMP Probe Issue
♦ 2.4 Using the Last Status
Code Field
Contents 98
Cisco Application Control Engine (ACE) Troubleshooting Guide
server response, the ACE can place the server in or out of service and can make reliable load-balancing decisions.
You can also use health monitoring to detect failures for a gateway or a host in high-availability (redundant) configurations. For
more information, see the Cisco Application Control Engine Module Administration Guide.
The ACE evaluates the health of a server by marking the probes as follows:
• Failed?The server fails to provide a valid response to the ACE and the ACE is unable to reach a server for a specified
number of retries.
By configuring the ACE for health monitoring, the ACE sends active probes periodically to determine the server state. The ACE
supports 4096 unique probe configurations, which includes ICMP, TCP, HTTP, and other predefined health probes. The ACE can
execute only up to 200 concurrent scripted probes at a time. The ACE also allows the opening of 2048 sockets simultaneously.
You can associate the same probe with multiple real servers or server farms. Each time that you use the same probe again, the
ACE counts it as another probe instance. You can allocate a maximum of 16,000 probe instances.
Configuring Probes
You can configure health probes on the ACE to actively make connections and explicitly send traffic to servers. The probes
determine whether the health status of a server passes or fails by the server's response.
◊ A real server.
◊ A real server and then associate the real server with a server farm. You can associate a single probe or multiple
probes with real servers within a server farm.
◊ A server farm. All servers in the server farm receive probes of the associated probe types.
probe : HTTP_PROBE
type : HTTP
state : ACTIVE
Cisco Application Control Engine (ACE) Troubleshooting Guide
description :
----------------------------------------------
port : 80 address : 0.0.0.0 addr type : -
interval : 10 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : /
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
rserver : SERVER1
192.168.10.45 80 -- 2 2 0 FAILED
The Last disconnect err field indicates that the ACE received an invalid status code. This error means that you have has not
configured the expect status command for the probe.
ACE_module5/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
ACE_module5/Admin(config)# probe http HTTP_PROBE
ACE_module5/Admin(config-probe-http)# expect status 200 200 <------- 200 indicates the 200 OK message from the ser
ACE_module5/Admin(config-probe-http)# end
5. Display the probe status details again and observe that the server health status value is SUCCESS by entering the following
command:
probe : HTTP_PROBE
type : HTTP
state : ACTIVE
description :
----------------------------------------------
port : 80 address : 0.0.0.0 addr type : -
interval : 10 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : /
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
rserver : SERVER1
192.168.10.45 80 -- 24 15 9 SUCCESS
probe : SNMP_PROBE
type : SNMP
state : ACTIVE
description : snmp probe
----------------------------------------------
port : 161 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 10
version : 2c community : test_comm
oid string #1 : .1.3.6.1.2.1.4.3.0
type : ABSOLUTE max value : 1000000000
weight : 10000 threshold : 1000000000
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
serverfarm : least-loaded, predictor least-loaded
real : SERVER1[0]
The reason for this error is that the weight command needs to be configured when you have multiple OIDs configured for a single
probe and from those OIDs if you want to give priority to a specific OID.
The sum of the weights should equal 16000 (see the Server Load field). For a single OID, the weight command does not have any
significance.
In the above configuration, the weight is configured as 10000 for a single OID. The ACE is expecting another OID to be
configured in the probe and the sum of both weights should equal 16000.
The configuration is not complete and the ACE is expecting additional parameters in the probe configuration. Because there is not
another OID in the configuration, the ACE is not able to calculate the load and that is why the "Sum of weights don't add up to
max weight value" error message appears.
4. Display the probe status details again by entering the following command:
probe : snmp1
probe : TEST
type : SCRIPTED
state : ACTIVE
description :
----------------------------------------------
port : 0 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 20 pass count : 3
fail count: 3 recv timeout: 10
script filename : PROBENOTICE_PROBE
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : sf1
real : rs2[0]
23.0.0.5 4082 54 4028 SUCCESS
This article describes how to troubleshoot Layer 4 (L4) load balancing on the ACE.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of ACE L4 Load Balancing
♦ 1.1 Classifying L4 Traffic for Server
Load Balancing
♦ 1.2 Example of a Layer 4 Load-Balancing
Configuration
• 2 Troubleshooting L4 Load Balancing on the
ACE
Contents 105
Cisco Application Control Engine (ACE) Troubleshooting Guide
For detailed information about ACE load balancing, see the Cisco Application Control Engine Module Server Load Balancing
Configuration Guide.
ACE L3 and L4 traffic policies support the following server load-balancing (SLB) traffic attributes:
The three major steps in the traffic classification process are as follows:
1. Create a class map using the class-map command and the associated match commands, which comprise a set of match
criteria related to Layer 3 and Layer 4 traffic classifications or Layer 7 protocol classifications.
2. Create a policy map using the policy-map command, which refers to the class maps and identifies a series of actions to
perform based on the traffic match criteria.
3. Activate the policy map by associating it with a specific VLAN interface or globally with all VLAN interfaces using the
service-policy command to filter the traffic received by the ACE.
Figure 1 provides a basic overview of the process required to build and apply the Layer 3, Layer 4, and Layer 7 policies that the
ACE uses for SLB. The figure also shows how you associate the various components of the SLB policy configuration with each
other.
1. Ensure that your load-balancing configuration is correct and that the following conditions exist:
3. Verify that the L4 VIP class map is referenced in a L4 policy by entering the following command. Also, check the following
fields:
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 100
service-policy: L4WEB_POLICY <------- L4 multimatch policy map
class: L4WEB_CLASS <------- L4 VIP class map
VIP Address: Protocol: Port:
192.168.120.112 tcp eq 80 <------- VIP address, protocol, and port
loadbalance:
L7 loadbalance policy: LB_WEB_POLICY
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE <------- VIP state should be INSERVICE
curr conns : 0 , hit count : 56
dropped conns : 14 <------- Number of attempted connections to this VIP that the ACE discarded
client pkt count : 6297 , client byte count: 1047583
server pkt count : 1238 , server byte count: 1325495
L7 Loadbalance policy : LB_WEB_POLICY
class/match : class-default
LB action :
serverfarm: SFARM1
hit count : 0 <-------|-- Check these counters to see if they are increasing
The dropped conns counter under a VIP in the output of the show service policy detail command is incremented whenever the
ACE discards a connection request destined to that VIP. There are several reasons why the ACE discards such connection
requests. For example:
• If all the real servers in the server farm associated with the VIP go down, then the VIP will go down. So, all the incoming
connections to that VIP are discarded.
• If the URL in a connection request to the VIP is unknown, then the connection request is discarded.
• If the server to which the ACE load balances the connection does not respond to the request, then, after the maximum
number of retries, the ACE discards the connection.
The dropped conns counter is cumulative and the value may comprise entries from any of the following show command counters:
• The Total drop decisions counter of the show stats inspect command
4. Verify that the L4 policy is applied as a service policy to an active interface by entering the following command:
5. Check the total conn-dropcount field for the primary server farm in the output of the following command. Also, check the IP
address, state, and the connection statistics for each real server that is configured in the server farm.
rserver: SERVER2
192.168.252.246:0 20 INSERVICE 0 0 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: SERVER3
192.168.252.247:0 30 INSERVICE 0 0 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
+------------------------------------------+
+------- Loadbalance statistics -----------+
+------------------------------------------+
Total version mismatch : 0
Total Layer4 decisions : 0
Total Layer4 rejections : 0
Total Layer7 decisions : 0
Total Layer7 rejections : 0
Total Layer4 LB policy misses : 0
Total Layer7 LB policy misses : 0
Total times rserver was unavailable : 0
Total ACL denied : 0
Total IDMap Lookup Failures : 0
Note: The ID Map is used to map real servers and server farms between the local and the remote peers in a redundant
configuration. The Total IDMap Lookup Failures field increments if the local ACE fails to find the local ACE to peer
ACE ID mapping. A failure can occur if the peer ACE did not send a proper remote ID for the local ACE to look up and
so the local ACE could not perform a mapping or if the ID Map table was not created.
This article describes how to diagnose and troubleshoot ACE L7 load-balancing issues.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of ACE Layer 7 Load Balancing
♦ 1.1 Load-Balancing Predictors
♦ 1.2 Classifying L7 Traffic for Server
Load Balancing
• 2 Example of a L7 Load-Balancing
Configuration
• 3 Troubleshooting Layer 7 Load Balancing
Contents 112
Cisco Application Control Engine (ACE) Troubleshooting Guide
• Generic protocols
• HTTP
• Remote Authentication Dial-In User Service (RADIUS)
• Reliable Datagram Protocol (RDP)
• Real-Time Streaming Protocol (RTSP)
• Session Initiation Protocol (SIP)
Depending on the load-balancing algorithm?or predictor?that you configure, the ACE performs a series of checks and calculations
to determine which server can best service each client request. The ACE bases server selection on several factors including the
source or destination address, cookies, URLs, HTTP headers, or the server with the fewest connections with respect to load.
For detailed information about ACE load balancing, see the Cisco Application Control Engine Module Server Load Balancing
Configuration Guide.
Load-Balancing Predictors
The ACE uses the following predictors to select the best server to fulfill a client request:
• Application response?Selects the server with the lowest average response time for the specified response-time
measurement based on the current connection count and server weight (if configured).
• Hash address?Selects the server using a hash value based on either the source or destination IP address or both. Use these
predictors for firewall load balancing (FWLB). For more information about FWLB, see Configuring Firewall Load
Balancing in the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide (Software
Version A2(1.0)).
• Hash content?Selects the server using a hash value based on a content string in the Trusted Third Parties (TTP) packet
body.
• Hash cookie?Selects the server using a hash value based on a cookie name.
• Hash header?Selects the server using a hash value based on the HTTP header name.
• Hash URL?Selects the server using a hash value based on the requested URL. You can specify a beginning pattern and an
ending pattern to match in the URL. Use this predictor method to load balance cache servers.
• Least bandwidth?Selects the server that processed the least amount of network traffic based on the average bandwidth that
the server used over a specified number of samples.
• Least connections?Selects the server with the fewest number of active connections based on the server weight. For the
least-connections predictor, you can configure a slow-start mechanism to avoid sending a high rate of new connections to
servers that you have just put into service.
• Least loaded?Selects the server with the lowest load based on information obtained from Simple Network Management
Protocol (SNMP) probes. To use this predictor, you must associate an SNMP probe with it.
• Round-robin?Selects the next server in the list of real servers based on the server weight (weighted round-robin). Servers
with a higher weight value receive a higher percentage of the connections. This is the default predictor.
Note: The hash predictor methods do not recognize the weight value that you configure for real servers. The ACE uses the
weight that you assign to real servers only in the least-connections, application-response, and round-robin predictor
methods.
Classifying L7 Traffic for Server Load Balancing
You classify inbound network traffic destined to or passing through the ACE based on a series of flow match criteria specified by
a class map. Each class map defines a traffic classification, which is network traffic that is of interest to you. A policy map defines
a series of actions (functions) that you want applied to a set of classified inbound or outbound traffic.
ACE traffic policies support the following server load-balancing (SLB) traffic attributes:
• Layer 3 and Layer 4 connection information?Source or destination IP address, source or destination port, virtual IP
address, and IP protocol
• Layer 7 protocol information?Hypertext Transfer Protocol (HTTP) cookie, HTTP URL, HTTP header, Remote
Authentication Dial-In User Service (RADIUS), Remote Desktop Protocol (RDP), Real-Time Streaming Protocol
(RTSP), Session Initiation Protocol (SIP), and Secure Sockets Layer (SSL)
The three major steps in the traffic classification process are as follows:
1. Create a class map using the class-map command and the associated match commands, which comprise a set of match
criteria related to Layer 3 and Layer 4 traffic classifications or Layer 7 protocol classifications.
2. Create a policy map using the policy-map command, which refers to the class maps and identifies a series of actions to
perform based on the traffic match criteria.
3. Activate the policy map by associating it with a specific VLAN interface or globally with all VLAN interfaces using the
service-policy command to filter the traffic received by the ACE.
Figure 1 provides a basic overview of the process required to build and apply the Layer 3, Layer 4, and Layer 7 policies that the
ACE uses for SLB. The figure also shows how to associate the various components of the SLB policy configuration with each
other.
rserver SERVER1
3. Verify that the L7 load-balancing policy is referenced in the L4 policy by entering the following command. Also, check the
following fields:
Status : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 100
service-policy: L4WEB_POLICY
class: L4WEB_CLASS
VIP Address: Protocol: Port:
192.168.120.112 tcp eq 80 <------- VIP address, protocol, and port
loadbalance:
L7 loadbalance policy: LB_WEB_POLICY <-------L7 load-balancing policy referenced in the L4 multimatch poli
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE <------- VIP state should be INSERVICE
curr conns : 0 , hit count : 56
dropped conns : 14 <------- Number of attempted connections to this VIP that the ACE discarded
client pkt count : 6297 , client byte count: 1047583
server pkt count : 1238 , server byte count: 1325495
L7 Loadbalance policy : LB_WEB_POLICY <------- L7 policy statistics
class/match : class-default
LB action :
serverfarm: SFARM1
hit count : 0 <-------|-- Check these counters to see if they are increasing
dropped conns : 0 <-------|
4. Verify that the L4 policy is applied as a service policy to an active interface by entering the following command:
Cisco Application Control Engine (ACE) Troubleshooting Guide
ACE_module5/Admin# show running-config interface
Generating configuration....
5. Check the total conn-dropcount field for the primary server farm in the output of the following command. Also, check the IP
address, state, and the connection statistics for each real server that is configured in the server farm.
rserver: SERVER2
192.168.252.246:0 20 INSERVICE 0 0 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
rserver: SERVER3
192.168.252.247:0 30 INSERVICE 0 0 0
max-conns : 4000000 , out-of-rotation count : 0
min-conns : 4000000
conn-rate-limit : - , out-of-rotation count : -
bandwidth-rate-limit : - , out-of-rotation count : -
retcode out-of-rotation count : -
load value : 0
Note:
The connection failures counter increments only if the ACE attempts to load balance a connection and the ACE does not
receive a SYN-ACK from the real server in response to a SYN or if the real server responds to the SYN with a RST.
6. Check the L7 load-balance statistics by entering the following command:
+------------------------------------------+
+------- Loadbalance statistics -----------+
+------------------------------------------+
Total version mismatch : 0
Total Layer4 decisions : 0
Total Layer4 rejections : 0
Total Layer7 decisions : 0
Total Layer7 rejections : 0
Total Layer4 LB policy misses : 0
Total Layer7 LB policy misses : 0
Total times rserver was unavailable : 0
Total ACL denied : 0
Total IDMap Lookup Failures : 0
Note: The ID Map is used to map real servers and server farms between the local and the remote peers in a redundant
configuration. The Total IDMap Lookup Failures field increments if the local ACE fails to find the local ACE to peer
ACE ID mapping. A failure can occur if the peer ACE did not send a proper remote ID for the local ACE to look up and
so the local ACE could not perform a mapping or if the ID Map table was not created.
7. If you are having problems with HTTP, check the HTTP statistics and error counters by entering the following command:
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 0 , TCP data msgs sent : 0
Inspect parse result msgs : 0 , SSL data msgs sent : 0
sent
TCP fin/rst msgs sent : 0 , Bounced fin/rst msgs sent: 0
SSL fin/rst msgs sent : 0 , Unproxy msgs sent : 0
Drain msgs sent : 0 , Particles read : 0
Reuse msgs sent : 0 , HTTP requests : 0
Reproxied requests : 0 , Headers removed : 0
Headers inserted : 0 , HTTP redirects : 0
HTTP chunks : 0 , Pipelined requests : 0
HTTP unproxy conns : 0 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 0 , Analysis errors : 0
Header insert errors : 0 , Max parselen errors : 0
Static parse errors : 0 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
8. If you suspect a probe issue, for example, a TCP probe, check the probe statistics and error counters by entering the following
command:
+------------------------------------------+
+----------- Probe statistics -------------+
+------------------------------------------+
----- tcp probe ----
Total probes sent : 0 Total send failures : 0
Total probes passed : 0 Total probes failed : 0
Total connect errors : 0 Total conns refused : 0
Total RST received : 0 Total open timeouts : 0
9. Check the parameter map statistics for an HTTP parameter map by entering the following command:
Number of parameter-maps : 1
Parameter-map : HTTP_PMAP
Type : http
server-side connection reuse : disabled
case-insensitive parsing : disabled
persistence-rebalance : disabled <---------------------------- Enabled by default in the ACE
header modify per-request : disabled
header-maxparse-length : 4096
content-maxparse-length : 4096
parse length-exceed action : drop
urlcookie-delimiters : /&#+
This article describes the procedures for troubleshooting redundancy issues with your ACE.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of ACE Redundancy
♦ 1.1 Redundancy Protocol
♦ 1.2 FT VLAN
♦ 1.3 Configuration Requirements and
Restrictions
♦ 1.4 Example of a Redundancy Configuration
• 2 Troubleshooting ACE Redundancy
• 3 FT Peer and Group Status Details
♦ 3.1 FT Group Status Conditions
◊ 3.1.1 STANDBY_COLD
◊ 3.1.2 STANDBY_CONFIG
♦ 3.2 FT Peer Status Conditions
◊ 3.2.1 PEER_DOWN
◊ 3.2.2 TL_ERROR
◊ 3.2.3 FT_VLAN_DOWN
◊ 3.2.4 FSM_PEER_STATE_ERROR
♦ 3.3 About WARM_COMPATIBLE and
STANDBY_WARM
Redundancy provides seamless switchover of flows if an ACE becomes unresponsive or a critical host, interface, or HSRP group
(ACE module only) fails. Redundancy supports the following network applications that require fault tolerance:
Redundancy Protocol
You can configure a maximum of two ACE modules (peers) in the same Catalyst 6500 series switch or in different chassis for
redundancy. You can also configure a maximum of two ACE 4710 appliances for redundancy. Each peer ACE can contain one or
more fault-tolerant (FT) groups. Each FT group consists of two members: one active context and one standby context. For more
information about contexts, see the Cisco Application Control Engine Module Virtualization Configuration Guide or the Cisco
4700 Series Application Control Engine Appliance Administration Guide (Software Version A3(2.4)). An FT group has a unique
group ID that you assign.
Both ACEs can be active at the same time, processing traffic for distinct virtual devices and backing up each other (stateful
redundancy). An Active-Active configuration requires two FT groups and two virtual contexts on each ACE. See Figure 1.
Contents 122
Cisco Application Control Engine (ACE) Troubleshooting Guide
The ACE uses the redundancy protocol to communicate between the redundant peers. The election of the active member within
each FT group is based on a priority scheme. The member configured with the higher priority is elected as the active member. If a
member with a higher priority is found after the other member becomes active, the new member becomes active because it has a
higher priority. This behavior is known as preemption and is enabled by default.
One virtual MAC address (VMAC) is associated with each FT group. The format of the VMAC is: 00-0b-fc-fe-1b-groupID.
Because a VMAC does not change upon a switchover, the client and server ARP tables does not require updating. The ACE
selects a VMAC from a pool of virtual MACs available to it. You can specify the pool of MAC addresses that the local ACE and
the peer ACE use by configuring the shared-vlan-hostid command and the peer shared-vlan-hostid command, respectively. To
avoid MAC address conflicts, be sure that the two pools are different on the two ACEs. For more information about VMACs and
MAC address pools, see the Cisco Application Control Engine Module Routing and Bridging Configuration Guide.
Each FT group acts as an independent redundancy instance. When a switchover occurs, the active member in the FT group
becomes the standby member and the original standby member becomes the active member. A switchover can occur for the
following reasons:
FT VLAN
Redundancy uses a dedicated FT VLAN between redundant ACEs to transmit flow-state information and the redundancy
heartbeat. You must configure this same VLAN on both peer ACEs. You also must configure a different IP address within the
same subnet on each ACE for the FT VLAN. Cisco recommends two port-channeled 1-Gigabit Ethernet links for the FT VLAN.
For the appliance, when you configure the ft-port-vlan command, the ACE modifies the associated Ethernet port or port-channel
interface to a trunk port, so you have to put your switch port in trunk mode or tag the FT VLAN, it's very important.
Note: Do not use the FT VLAN for any other network traffic, including HSRP traffic and data.
The two redundant ACEs constantly communicate over the FT VLAN to determine the operating status of each ACE. The standby
member uses the heartbeat packet to monitor the health of the active member. The active member uses the heartbeat packet to
monitor the health of the standby member. Communications over the switchover link include the following data:
• Heartbeat packets
For multiple contexts, the FT VLAN resides in the system configuration file. Each FT VLAN on the ACE has one unique MAC
address associated with it. The ACE uses these device MAC addresses as the source or destination MACs for sending or receiving
redundancy protocol state and configuration replication packets.
Note: The IP address and the MAC address of the FT VLAN do not change at switchover.
Configuration Requirements and Restrictions
Follow these requirements and restrictions when configuring the redundancy feature:
• Redundancy is not supported between an ACE module and an ACE appliance operating as peers. Redundancy must be of
the same ACE device type and software release.
• In bridged mode (Layer 2), two contexts cannot share the same VLAN.
• To achieve active-active redundancy, a minimum of two contexts and two FT groups are required on each ACE.
• When you configure redundancy, the ACE keeps all interfaces that do not have an IP address in the Down state. The IP
address and the peer IP address that you assign to a VLAN interface should be in the same subnet but should be different
IP addresses. For more information about configuring VLAN interfaces, see the Cisco Application Control Engine
Module Routing and Bridging Configuration Guide or the Cisco ACE 4700 Series Appliance Routing and Bridging
Configuration Guide
• FT Interfaces are put into an automatic trunk status and, for the module, the Catalyst 6500 series switch needs to be set
to trunk the specific VLAN you are using for the FT interface.
• A dedicated FT VLAN for communication between the members of an FT group. You must configure this same VLAN
on both peers.
• An FT peer definition.
• An FT group that is associated with the Admin context.
• A critical tracking and failure detection process for an interface.
FT VLAN 124
Cisco Application Control Engine (ACE) Troubleshooting Guide
access-group input ACL1
service-policy input L4_REMOTE-MGT_POLICY
no shutdown
ft peer 1
ft-interface vlan 200
heartbeat interval 300
heartbeat count 10
ft group 1
peer 1
priority 200
associate-context Admin
inservice
1. Ensure that the software versions and licenses installed in the two ACEs are identical. A software or license mismatch may
generate the following syslog message:
To verify the software (SRG) and license compatibility of the FT peer, enter the following command:
Peer Id : 1
State : FSM_PEER_STATE_MY_IPADDR
Maintenance mode : MAINT_MODE_OFF
SRG Compatibility : COMPATIBLE
License Compatibility : COMPATIBLE
FT Groups : 1
If the software or license is incompatible, install the appropriate software image or license in the peer to correct the problem.
2. Ensure that any SSL certificates (certs) and keys that exist in the active ACE are also configured in the standby ACE. SSL certs
and keys are not synchronized automatically from the active to the standby. Use the crypto export and crypto import commands
to accomplish this task. This requirement also applies to scripts and scripted probes. Failure to keep the active and standby
configurations identical will cause configuration synchronization to fail and may cause the standby ACE to enter the
STANDBY_COLD state.
3. The ACE sends heartbeat packets via UDP over the FT VLAN between peers. When heartbeats are not received during the
specified interval (the interval and count are configurable), the ACE notifies the HA processor on the CP by sending a Peer_Down
interprocess communication protocol (IPCP) message. If a peer is down or unreachable, you may receive one of the following
syslog messages:
%ACE-1-727002: HA: FT interface interface name to reach peer IP address is down. Error: error str
4. Verify connectivity between the peers over the FT VLAN. If a peer device is physically up but connectivity is the problem, you
may end up with two active devices. If connectivity is lost due to the peer going down, reboot the peer to restore redundancy
between the two devices.
5. Display heartbeat statistics, including missed heartbeats, by entering the following command:
6. Provide an alternate path for the ACE to check the peer's status in case of missed heartbeats and configure a query interface
using the followng commands:
ACE_5/Admin# config
Enter configuration commands, one per line. End with CNTL/Z.
ACE_5/Admin(config)# ft peer 1
ACE_5/Admin(config-ft-peer)# query-interface vlan 100
If the query interface is configured, upon receiving a PEER_DOWN message from the heartbeat process, the ACE data plane
attempts to ping the peer using the Query VLAN. If the ping fails, the standby transitions to the ACTIVE state. If the ping is
successful, the standby transitions to the STANDBY_COLD state. To recover from the STANDBY_COLD state, reboot the
standby.
7. Each peer uses a VMAC that is dependent on the FT group number. If you are using multiple ACE modules in the same chassis,
be careful when you configure the same FT groups in more than one module.
8. If the members of an FT group are unable to reach the ACTIVE or the STANDBY_HOT state, there may be a context name
mismatch for the same FT group. You may receive the following syslog message:
%ACE-1-727003: HA: Mismatch in context names detected for FT group FTgroupID. Cannot be redundant.
Be sure that the context names within the same FT group are identical on both ACEs.
9. Check the FT group configuration on both devices. Make sure that both devices are associated with the same context. Enter the
following command:
10. Verify the FT peer status and configuration by entering the following command:
Peer Id : 1
State : FSM_PEER_STATE_COMPATIBLE
Maintenance mode : MAINT_MODE_OFF
FT Vlan : 100
FT Vlan IF State : DOWN
My IP Addr : 10.1.1.1
Peer IP Addr : 10.1.1.2
Query Vlan : 110
Query Vlan IF State : DOWN
Peer Query IP Addr : 172.25.91.202
Heartbeat Interval : 300
Heartbeat Count : 20
Tx Packets : 318573
Tx Bytes : 66301061
Rx Packets : 318540
Rx Bytes : 66272840
Rx Error Bytes : 0
Tx Keepalive Packets : 318480
Rx Keepalive Packets : 318480
TL_CLOSE count : 0
FT_VLAN_DOWN count : 0
PEER_DOWN count : 0
SRG Compatibility : COMPATIBLE
License Compatibility : COMPATIBLE
FT Groups : 3
11. Verify the FT group status and configuration by entering the following command:
FT Group : 1
No. of Contexts : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 110
My Net Priority : 110
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Thu Apr 2 00:00:00 2009
Running cfg sync enabled : Enabled
Running cfg sync status : Running configuration sync has completed
Startup cfg sync enabled : Enabled
Startup cfg sync status : Running configuration sync has completed
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
For information on troubleshooting the FT group status, see the "FT Group Status Conditions"
STANDBY_COLD
In configuration synchronization fails, the peers are not correctly exchanging configuration information. This failure can be
identified as follows:
1. Output of the show ft peer detail command shows that the peer state is "Compatible".
2. Entering show ft group detail shows that the FT group is in "Standby Cold" mode and entering cfg sync status shows the
reason for the failure. For incr-sync failure, the output shows exactly which command resulted in an execution error on the
standby. For a bulk-sync failure, the reason is "Error on Standby device when applying configuration file replicated from
active".
3. To further investigate a bulk-sync failure, perform these steps on the standby device:
◊ For software version A2(2.0) and earlier and version A2(1.3) and earlier releases, from the Admin context, enter
show ft history cfg_cntlr and grep for "error:" to find any CLI commands that caused execution errors.
◊ For later releases, enter show ft config-error ctx_name to view the failed CLI commands.
To work around a bulk sync failure, perform these steps to remove the CLI commands that triggered the error (as identified from
the preceding analysis) and then retrigger the bulk sync operation, as follows:
1. Retrigger bulk sync by disabling config sync with the no ft auto-sync running command in configuration mode in the
affected context.
2. Re-enable config sync with ft auto-sync running.
If the problem persists, repeat the above sequence until you eliminate the CLI command that triggered the problem.
In this case, check the physical connectivity of the device. It might be a physical port or cable issue.
STANDBY_CONFIG
1. Run show ft history cfg_cntlr to determine whether the peer devices successfully exchanged notifications regarding
configuration synchronization.
2. Grep for the keywords MTS_OPC_REQ_CFG_DNLD_STATUS and MTS_OPC_CFG_DNLD_STATUS.
If one or both of the messages are missing, an error occurred in the synchronization exchange process.
Note that once it is stuck in the STANDBY_CONFIG state, configuration mode will be disabled on both the active and standby
devices. It can be stuck in this state for up to 4 hours, after which a timeout period expires.
PEER_DOWN
1. Check whether IP addresses for the local and peer device are configured correctly on both.
2. Verify that pinging or telneting to the peer IP address works. If ping fails, check whether the interface is up (show
interface). If so, the interface VLAN is probably not allocated to the ACE module on the supervisor (which suggests a
configuration issue on the supervisor).
3. Enter show arp to see if the FT peer IP address is resolved. (If ARP is not resolved and ping/telnet also failed, it might be
an encapsulation issue requiring support).
4. Enter show conn on both sides to see if HA connections have been set up. If connections have not been set up, check the
HA DP manager log (show ft history ha_dp_mgr). Setup may have failed for various reasons. If this is the case, contact
Cisco technical support.
5. Enter show ft stats on both devices to see if heartbeats are being sent or received. If the Number of Heartbeats Missed
counter is incrementing, the heartbeat packets could be getting dropped. Enter show np 1 me-stats -sfp to see if heartbeat
packets are being received and forwarded to X-Scale, as indicated by the counter Packets forward to XScale. If this
counter is not incrementing, provide the information to Cisco technical support.
STANDBY_COLD 129
Cisco Application Control Engine (ACE) Troubleshooting Guide
TL_ERROR
This state may occur when the telnet connection used to exchange configuration information between the peers cannot be
established but heartbeat packets are exchanged successfully. To identify this issue:
1. Verify that heartbeats are flowing by checking the statistics, show ft stats.
2. Attempt to connect by telnet or to ping the FT peer. The telnet connection attempt will likely fail.
3. Run show arp to see if the FT peer IP address can be resolved.
If show arp indicates that the address is not resolvable and the ping or telnet connect attempts fail, it is likely an encapsulation
issue on the ACE.
FT_VLAN_DOWN
This state typically occurs when the FT VLAN goes down while the query interface is up. If the heartbeat exchange fails and the
query interface is determined to be up based on an ICMP message check, the status is FT_VLAN_DOWN.
If running show ft stats indicates that heartbeats are being missed, it is likely a physical connectivity issue, such as the physical
port or cable failure.
FSM_PEER_STATE_ERROR
This indicates a Software Relationship Graph (SRG) version inconsistency between the peers. See the relationship graph table in
the following section.
When you upgrade or downgrade the ACE software in a redundant configuration with different software versions, the
STANDBY_WARM and WARM_COMPATIBLE states allow the configuration and state synchronization process between the
peers to continue on a best-effort basis. This basis allows the active ACE to synchronize configuration and state information with
the standby even though the standby may not recognize or understand the CLI commands or state information.
In the STANDBY_WARM state, as with the STANDBY_HOT state, configuration mode is disabled on the standby ACE and
configuration and state synchronization continues. A failover from the active to the standby based on priorities and preempt can
still occur while the standby is in the STANDBY_WARM state. However, while stateful failover is possible for a WARM
standby, it is not guaranteed. In general, modules should be allowed to remain in this state only for a short period of time.
When redundancy peers run different software versions, the SRG compatibility field shown by the show ft peer status command
output displays WARM_COMPATIBLE instead of COMPATIBLE. When the peer is in the WARM_COMPATIBLE state, the
FT groups in the standby transition to the STANDBY_WARM state instead of the STANDBY_HOT state.
The following software version combinations tables indicate whether the SRG compatibility field will display
WARM_COMPATIBLE (WC) or COMPATIBLE (C):
TL_ERROR 130
Cisco Application Control Engine (ACE) Troubleshooting Guide
A2(1.5) C WC C C WC WC WC
A2(1.6) WC C C WC WC WC WC
A2(2.0) C C C C C C C
A2(2.1) C WC C C WC WC WC
A2(2.2) WC WC C WC C WC WC
A2(3.0) WC WC C WC WC C WC
A2(2.3) WC WC C WC WC WC C
ACE Appliance: C = COMPATIBLE / WC = WARM_COMPATIBLE
Active(Column)/Standby(Row) A3(1.0) A3(2.0) A3(2.1) A3(2.2) A3(2.3) A3(2.4)
A3(1.0) C C C C WC WC
A3(2.0) C C C C WC WC
A3(2.1) C C C C WC WC
A3(2.2) C C C C WC WC
A3(2.3) WC WC WC WC C WC
A3(2.4) WC WC WC WC WC C
This article describes the process and CLI commands for troubleshooting SSL in the ACE.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of ACE SSL Troubleshooting
♦ 1.1 Example of an SSL
Termination Configuration
♦ 1.2 Example of an SSL Initiation
Configuration
• 2 Troubleshooting ACE SSL
The ACE supports the following SSL configurations (see Figure 2):
Before you begin to troubleshoot potential SSL issues, be sure that the following conditions exist:
• You have configured basic SLB and SSL on your ACE. For details about configuring SLB, see the Cisco Application
Control Engine Module Server Load-Balancing Configuration Guide or the Cisco ACE 4700 Series Appliance Server
Load-Balancing Configuration Guide. For details about configuring SSL, see the Cisco Application Control Engine
Module SSL Configuration Guide or the Cisco ACE 4700 Series Appliance SSL Configuration Guide.
• If you are running multiple ACEs in a redundant configuration, be sure that you have copied the SSL certificates (certs)
and keys to the standby ACE. Certs and keys are not replicated in a redundant configuration from the active ACE to the
standby ACE. Also, ensure that the configurations on the active and the standby are identical, including the same licenses
and software versions.
• Be sure that the certs and keys are no larger than 4096 bits and that they are of an RSA type supported by the ACE. For
details about configuring SSL, see the Cisco Application Control Engine Module SSL Configuration Guide or the Cisco
ACE 4700 Series Appliance SSL Configuration Guide. The ACE supports the following RSA key pair sizes:
◊ 4096 (high security, level 4) - For software release A2(2.4) and later in the ACE module and software release
A3(2.6) and later in the ACE appliance, you can use 4096-bit SSL certificates in chaingroups and authgroups.
You can also import public certificates and keys that are 4096 bits in length.
rserver SERVER1
ip address 10.1.0.11
inservice
rserver SERVER2
ip address 10.1.0.12
inservice
rserver SERVER3
ip address 10.1.0.13
inservice
rserver SERVER4
ip address 10.1.0.14
inservice
rserver SERVER5
ip address 10.1.0.15
inservice
rserver SERVER6
ip address 10.1.0.16
inservice
rserver SERVER7
ip address 10.1.0.17
inservice
rserver SERVER8
ip address 10.1.0.18
inservice
transmits the data as cipher text to the SSL server. On the reverse side, the ACE decrypts the cipher text that it receives from the
SSL server and sends the data to the client as clear text.
rserver SERVER1
ip address 10.1.0.11
inservice
rserver SERVER2
ip address 10.1.0.12
inservice
rserver SERVER3
ip address 10.1.0.13
inservice
rserver SERVER4
ip address 10.1.0.14
inservice
rserver SERVER5
ip address 10.1.0.15
inservice
rserver SERVER6
ip address 10.1.0.16
inservice
rserver SERVER7
ip address 10.1.0.17
inservice
rserver SERVER8
ip address 10.1.0.18
inservice
1. For the ACE module, check the health of the Nitrox-II (crypto module) and ensure that it has not become unresponsive. Stop all
traffic, and then enter the following command:
Figure 3. Example of the Show Crypto Hardware Command Output for an Unresponsive Crypto Module
STX1 is a count of the number of packets transmitted by the Nitrox-II and IMX1 is the number of packets received by the
Nitrox-II. On a normal system, these values should be the same once traffic has stopped. If the values are not the same, the
Nitrox-II has become unresponsive.
The Nitrox-II uses 0x500 TX buffers to transmit packets and 0x200 RX buffers to receive packets. If the [TR]X Buffers used
count ever exceeds the amount available, the Nitrox-II has become unresponsive.
The available cores field shows which of the 22 cores of the Nitrox-II are active. When no traffic is flowing, there should be no
numbers following the Using: statement. If there are, as in the sample output above, then that core (0 in this case) is hung, and the
Nitrox-II has become unresponsive.
Cisco Application Control Engine (ACE) Troubleshooting Guide
For the POM count, there are two numbers, A(B). The "A" value is the number of outstanding packets to the Packet Order
Manager, while the "B" value, counts the number of packets that have been processed in the last second. When no traffic is
flowing, both of these values should be 0. If no traffic is flowing, and the value of "A" is nonzero as shown above, then there are
outstanding requests to the POM that are not being processed, because the Nitrox-II has become unresponsive.
2. Ensure that appropriate ports are designated for PAT in an SSL termination configuration. By default, connections to the real
server from the ACE will inherit the destination port from the client to VIP connection so that a connection to port 443 on the VIP
will go to port 443 on the real server, unless otherwise specified in the server farm configuration. This will cause problems if you
are using ACE to offload SSL between the client and the VIP and send clear-text traffic to the real servers. The following example
demonstrates a port definition in a server farm configuration:
3. Verify that the SSL certificate and key are correct by entering the following command:
4. Verify that a certificate revocation list (CRL) has been downloaded, enter the following command:
test1:
URL: http://192.168.12.23/test.crl
Last Downloaded: not downloaded yet
Total Number Of Download Attempts: 0
Failed Download Attempts: 0
+----------------------------------------------+
+---- Crypto client termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 0
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
Cisco Application Control Engine (ACE) Troubleshooting Guide
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+----------------------------------------------+
+------- Crypto client alert statistics -------+
+----------------------------------------------+
SSL alert CLOSE_NOTIFY rcvd: 0
SSL alert UNEXPECTED_MSG rcvd: 0
SSL alert BAD_RECORD_MAC rcvd: 0
SSL alert DECRYPTION_FAILED rcvd: 0
SSL alert RECORD_OVERFLOW rcvd: 0
SSL alert DECOMPRESSION_FAILED rcvd: 0
SSL alert HANDSHAKE_FAILED rcvd: 0
SSL alert NO_CERTIFICATE rcvd: 0
SSL alert BAD_CERTIFICATE rcvd: 0
SSL alert UNSUPPORTED_CERTIFICATE rcvd: 0
SSL alert CERTIFICATE_REVOKED rcvd: 0
SSL alert CERTIFICATE_EXPIRED rcvd: 0
SSL alert CERTIFICATE_UNKNOWN rcvd: 0
SSL alert ILLEGAL_PARAMETER rcvd: 0
SSL alert UNKNOWN_CA rcvd: 0
SSL alert ACCESS_DENIED rcvd: 0
SSL alert DECODE_ERROR rcvd: 0
SSL alert DECRYPT_ERROR rcvd: 0
SSL alert EXPORT_RESTRICTION rcvd: 0
SSL alert PROTOCOL_VERSION rcvd: 0
SSL alert INSUFFICIENT_SECURITY rcvd: 0
SSL alert INTERNAL_ERROR rcvd: 0
SSL alert USER_CANCELED rcvd: 0
SSL alert NO_RENEGOTIATION rcvd: 0
SSL alert CLOSE_NOTIFY sent: 0
SSL alert UNEXPECTED_MSG sent: 0
SSL alert BAD_RECORD_MAC sent: 0
SSL alert DECRYPTION_FAILED sent: 0
SSL alert RECORD_OVERFLOW sent: 0
SSL alert DECOMPRESSION_FAILED sent: 0
SSL alert HANDSHAKE_FAILED sent: 0
SSL alert NO_CERTIFICATE sent: 0
SSL alert BAD_CERTIFICATE sent: 0
SSL alert UNSUPPORTED_CERTIFICATE sent: 0
SSL alert CERTIFICATE_REVOKED sent: 0
SSL alert CERTIFICATE_EXPIRED sent: 0
SSL alert CERTIFICATE_UNKNOWN sent: 0
SSL alert ILLEGAL_PARAMETER sent: 0
SSL alert UNKNOWN_CA sent: 0
SSL alert ACCESS_DENIED sent: 0
SSL alert DECODE_ERROR sent: 0
SSL alert DECRYPT_ERROR sent: 0
SSL alert EXPORT_RESTRICTION sent: 0
SSL alert PROTOCOL_VERSION sent: 0
SSL alert INSUFFICIENT_SECURITY sent: 0
SSL alert INTERNAL_ERROR sent: 0
SSL alert USER_CANCELED sent: 0
SSL alert NO_RENEGOTIATION sent: 0
+-----------------------------------------------+
+--- Crypto client authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
+-----------------------------------------------+
+------- Crypto client cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
+----------------------------------------------+
+---- Crypto server termination statistics ----+
+----------------------------------------------+
SSLv3 negotiated protocol: 0
TLSv1 negotiated protocol: 0
SSLv3 full handshakes: 0
SSLv3 resumed handshakes: 0
SSLv3 rehandshakes: 0
TLSv1 full handshakes: 0
TLSv1 resumed handshakes: 0
TLSv1 rehandshakes: 0
SSLv3 handshake failures: 0
SSLv3 failures during data phase: 0
TLSv1 handshake failures: 0
TLSv1 failures during data phase: 0
Handshake Timeouts: 0
total transactions: 0
SSLv3 active connections: 0
SSLv3 connections in handshake phase: 0
SSLv3 conns in renegotiation phase: 0
SSLv3 connections in data phase: 0
TLSv1 active connections: 0
TLSv1 connections in handshake phase: 0
TLSv1 conns in renegotiation phase: 0
TLSv1 connections in data phase: 0
+-----------------------------------------------+
+--- Crypto server authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications: 0
Failed SSL client authentications: 0
SSL client authentication cache hits: 0
SSL static CRL lookups: 0
SSL best effort CRL lookups: 0
SSL CRL lookup cache hits: 0
SSL revoked certificates: 0
Total SSL server authentications: 0
Failed SSL server authentications: 0
+-----------------------------------------------+
+------- Crypto server cipher statistics -------+
+-----------------------------------------------+
Cipher sslv3_rsa_rc4_128_md5: 0
Cipher sslv3_rsa_rc4_128_sha: 0
Cipher sslv3_rsa_des_cbc_sha: 0
Cipher sslv3_rsa_3des_ede_cbc_sha: 0
Cipher sslv3_rsa_exp_rc4_40_md5: 0
Cipher sslv3_rsa_exp_des40_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_md5: 0
Cipher sslv3_rsa_exp1024_des_cbc_sha: 0
Cipher sslv3_rsa_exp1024_rc4_56_sha: 0
Cipher sslv3_rsa_aes_128_cbc_sha: 0
Cipher sslv3_rsa_aes_256_cbc_sha: 0
Cipher tlsv1_rsa_rc4_128_md5: 0
Cipher tlsv1_rsa_rc4_128_sha: 0
Cipher tlsv1_rsa_des_cbc_sha: 0
Cipher tlsv1_rsa_3des_ede_cbc_sha: 0
Cipher tlsv1_rsa_exp_rc4_40_md5: 0
Cipher tlsv1_rsa_exp_des40_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_md5: 0
Cipher tlsv1_rsa_exp1024_des_cbc_sha: 0
Cipher tlsv1_rsa_exp1024_rc4_56_sha: 0
Cipher tlsv1_rsa_aes_128_cbc_sha: 0
Cipher tlsv1_rsa_aes_256_cbc_sha: 0
8. Display the number of SSL data messages sent and SSL FIN/RST messages sent by entering the following command:
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 0 , TCP data msgs sent : 0
Inspect parse result msgs : 0 , SSL data msgs sent : 0 <-------
sent
TCP fin/rst msgs sent : 0 , Bounced fin/rst msgs sent: 0
SSL fin/rst msgs sent : 0 , Unproxy msgs sent : 0 <-------
Drain msgs sent : 0 , Particles read : 0
Reuse msgs sent : 0 , HTTP requests : 0
Reproxied requests : 0 , Headers removed : 0
Headers inserted : 0 , HTTP redirects : 0
HTTP chunks : 0 , Pipelined requests : 0
HTTP unproxy conns : 0 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 0 , Analysis errors : 0
Header insert errors : 0 , Max parselen errors : 0
Static parse errors : 0 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
9. Display session cache statistics for the current context by entering the following command:
This article describes how to troubleshoot performance issues with your ACE.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of Troubleshooting
Performance Issues
• 2 Troubleshooting Performance Issues
Contents 146
Cisco Application Control Engine (ACE) Troubleshooting Guide
2. Record the number of flows that you are sending to the ACE.
4. Identify the type of traffic: unidirectional (UDP, management) or bidirectional (TCP, HTTP, SSL, and so on)
6. Enter the following Exec mode commands and save the output to a file:
1. Display the resources allocated to each resource class in the ACE by entering the following command:
2. Display the resources allocated to the context in question by entering the following command:
Note: All bandwidth values are in units of bytes per second. To convert to bits per second (bps), multiply the displayed
bandwidth value by eight. The ACE reserves 1 Gbps of bandwidth for management (to-the-ACE) traffic.
3. From the supervisor CLI, check the connectivity to the back plane by entering the following command:
5. Display the load of the network processors (NPs) in terms of packets and connection processing for each microengine (ME) by
entering the following command:
Note: All show np commands must be entered for both NP1 and NP2 to obtain the total combined results. NPs operate safely
at any percentage of utilization. As ME functions within the NPs approach 100 percent, the traffic load is stressing the
system close to its architectural limits. Any ME function that reaches 100 percent utilization can cause back pressure
and lead to dropped packets or dropped connections.
6. Monitor the CDE queues and ensure that the Fifo Full drop count counter is not incrementing by entering the following
command:
Backpressure is the mechanism that the ACE uses to slow the system down if queues start to fill up internally. Queues that can be
affected and create backpressure are as follows:
It is possible that some packets that are received by the ACE could be dropped internally if backpressure is applied.
7. Monitor the Fastpath micro engine queues and ensure that the FastQ Transmit Backpressure, the SlowQ Transmit Backpressure,
the Drop: Transmit Backpressure, and the Drop: Next-Hop queue full counters are not incrementing by entering the following
command:
8. Monitor the TCP micro engine queues and ensure the Drops due to FastTX queue full, Drops due to Fastpath queue full, Drops
due to HTTP queue full, Drops due to SSL queue full, Drops due to AI queue full, and Drops due to Fixup queue full are not
incrementing by entering the following command. If TCP receives backpressure, it can drop packets, fail to ACK packets, and fail
to properly track the next packet in the TCP connection.
The control plane (CP) processor processes all CP traffic (ARP, HSRP, ICMP to VIPs, routing, syslogs, SNMP, probes, and so
on) and handles configuration management to parse the CLI for syntactical errors and enforce configuration dependencies and
requirements before pushing the configuration to the data plane.
9. Display a three-way moving average of the CP processor utilization (updated every five seconds) by entering the following
command:
The ACE allocates data-plane memory to guarantee concurrent connection support for basic Layer 4 connections (such as TCP,
UDP, IPsec), Layer 7 connections (proxied flows, typically for application aware load balancing or inspection, and SSL
connection when using SSL acceleration). The ACE can support the maximum bidirectional concurrent connection limit
regardless of the features enabled.
The state for both directions (client-to-VIP/ACE and server-to-ACE) of a TCP connection is maintained with distinct connection
objects.
Note: You can add the detail command option to provide the following additional fields: connection idle time, elapsed time of
the connection, byte count, and packet count for each connection object.
The total current connections counter is also maintained in the output of the following command:
+------------------------------------------+
+------- Connection statistics ------------+
+------------------------------------------+
Total Connections Created : 124
Total Connections Current : 6
Total Connections Destroyed: 62
Total Connections Timed-out: 58
Total Connections Failed : 0
Note: The Total Connections Current counter counts the number of used connection objects, not the number of TCP flows.
The number of TCP flows can be roughly determined as half the number of connection objects minus any UDP
connections. The Total Connections Current counter is always up to date and the maximum value can be 8,000,000.
Because of the Cisco ACE Module?s architecture, with distinct paths for new and established connections, the number of existing
concurrent connections does not heavily impact the rate at which new connections can be set up. Nevertheless, a very large
number of concurrent connections will eventually affect the performance of the system in setting up new connections.
11. Use the command "tcp wan-optimization rtt 0" for slow connections.
The ACE module architecture includes a mechanism where connections can be moved to the fastpath in order to increase
performance for a given connection. The LB decision is made in the software (proxy) and then moved to the fastpath (unproxy). In
a persistence rebalance scenario, the proxy/unproxy can occur Many times on a given connection. It is possible that if a packet
enters the system during the transition Between the proxy and unproxy states, a packet may not be forwarded as expected and a
retransmission may be relied upon. This can affect performance. As a workaround, it is possible to configure the ACE such that
fastpath forwarding is prohibited This can be accomplished by configuring a parameter map with the following:
This article describes the ACE system limits and performance numbers for various resources and configuration objects.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 ACE Performance Numbers and Resource
Limits
♦ 1.1 ACE Appliance Data Sheet
♦ 1.2 ACE Module Data Sheets
♦ 1.3 SLB-Related Limits
♦ 1.4 Security-Related Limits
♦ 1.5 Management-Related Limits
Contents 152
Cisco Application Control Engine (ACE) Troubleshooting Guide
If you have any questions or concerns related to ACE performance, please contact your Cisco account team for guidance.
SLB-Related Limits
Scalability Numbers The scalability numbers provided here are intended to provide guidelines related to configuration
scalability. The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to
your deployment, testing with your feature combination is strongly recommended. If there are any questions or concerns related to
ACE performance, please contact your Cisco account team for guidance.
Security-Related Limits
Scalability Numbers The scalability numbers provided here are meant to provide guidelines related to configuration scalability.
The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular
customer, testing with that customer?s feature combination is strongly recommended before any commitment on ACE
performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your
Cisco account team for guidance.
Management-Related Limits
Scalability Numbers The scalability numbers provided here are meant to provide guidelines related to configuration scalability.
The scalability numbers, however, are based on basic configurations. In order to obtain scalability numbers specific to a particular
customer, testing with that customer?s feature combination is strongly recommended before any commitment on ACE
performance is made to the customer. If there are any questions or concerns related to ACE performance, please contact your
Cisco account team for guidance.
This article describes how to manage and control the ACE system resources.
Guide Contents
Main Article
Overview of ACE Troubleshooting
Understanding the ACE Module Architecture and Traffic Flow
Preliminary ACE Troubleshooting
Troubleshooting ACE Boot Issues
Troubleshooting with ACE Logging
Troubleshooting Connectivity
Troubleshooting ACE Appliance Ethernet Ports
Troubleshooting Remote Access
Troubleshooting Access Control Lists
Troubleshooting Network Address Translation
Troubleshooting ACE Health Monitoring
Troubleshooting Layer 4 Load Balancing
Troubleshooting Layer 7 Load Balancing
Troubleshooting Redundancy
Troubleshooting SSL
Troubleshooting Compression
Troubleshooting Performance Issues
ACE Resource Limits
Managing ACE Resources
Show Counter Reference
Contents
• 1 Overview of ACE Resources
• 2 Managing ACE Resources
♦ 2.1 ACE Resource Planning
♦ 2.2 Creating a Resource Class for Resource
Management
♦ 2.3 Allocating Resources Within a
Resource Class
♦ 2.4 Changing the Resource Allocation of a
Resource Class
♦ 2.5 Displaying the ACE Resource
Allocation and Usage
Contents 156
Cisco Application Control Engine (ACE) Troubleshooting Guide
When you use the default resource class with multiple contexts, you run the risk of oversubscribing ACE resources because the
ACE permits all contexts to have full access to all of the resources on a first-come, first-served basis. When a resource is utilized
to its maximum limit, the ACE denies additional requests made by any context for that resource.
To avoid oversubscribing resources and to help guarantee access to a resource by any context, the ACE allows you to create
customized resource classes that you associate with one or more contexts. A context becomes a member of the resource class
when you make the association. Creating a resource class allows you to set limits on the minimum and maximum amounts of each
ACE resource that a member context is entitled to use. You define the minimum and maximum values as percentages of all
resources. For example, you can create a resource class that allows its member contexts access to no less that 25 percent of the
total number of SSL connections that the ACE supports.
You can limit and manage the allocation of the following ACE resources:
• ACL memory
• Buffers for syslog messages and TCP out-of-order (OOO) segments
• Concurrent connections (through-the-ACE traffic)
• Management connections (to-the-ACE traffic)
• Proxy connections
• Set resource limit as a rate (number per second)
• Regular expression (regexp) memory
• SSL connections
• Sticky entries
• Static or dynamic network address translations (Xlates)
By default, when you create a context, the ACE associates the context with the default resource class. The default resource class
provides resources of a minimum of 0 and a maximum of unlimited for all resources except sticky entries. For stickiness to work
properly, you must explicitly configure a minimum resource limit for sticky entries by using the limit-resource command.
For more information about managing ACE resources, see the Cisco Application Control Engine Module Virtualization
Configuration Guide (Software Version A2(1.0)).
To address scaling and capacity planning, we recommend that new installations do not exceed 60 to 80 percent of the ACE's total
capacity. To accomplish this goal, create a reserved resource class with a guarantee of 20 to 40 percent of all the ACE resources
and configure a virtual context dedicated solely to ensuring that these resources are reserved. Then, you can efficiently distribute
such reserved resources to contexts as capacity demands for handling client traffic increase over time.
resource-class name
For the name argument, enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
For example, to create the RC1 resource class, enter the following command:
To remove the resource class from the configuration, enter the following command:
When you remove a resource class from the ACE, any contexts that were members of that resource class automatically become
members of the default resource class. The default resource class allocates a minimum of 0.00 percent to a maximum of 100.00
percent of all ACE resources to each context. You cannot modify the default resource class.
Note: The limit that you set for individual resources when you use the limit-resource command overrides the limit that you
set for all resources when you use the limit-resource all command.
If you lower the limits for one context (context A) in order to increase the limits of another context (context B), you may
experience a delay in the configuration change because the ACE will not lower the limits of context A until the resources are no
longer being used by the context.
For example, to allocate 20 percent of all resources (minimum and maximum) to all member contexts of the resource class, enter
the following command:
To restore resource allocation to the default values of 0 percent minimum and 100 percent maximum for all resources to all
member contexts, enter the following command:
Table 1 lists the managed system resources of the ACE. You can limit these resources per context or for all contexts associated
with the resource class by using the limit-resource command. See the "Allocating Resources within a Resource Class" section.
You can upgrade the ACE maximum bandwidth to 8 Gbps or 16 Gbps by purchasing a separate
license from Cisco. For more information, see the Cisco Application Control Engine Module
Administration Guide (Software Version A2(1.0)).
---Connections (any kind) 325,000 connections per second (CPS)
For traffic going through the ACE (data plane), 350,000 messages per second
Regular Expression Memory 1,048,576 bytes
Sticky Entries 4,194,304 entries
Xlates (network and port 524,286 translations
address translation entries)
• Inform the Context B administrator to start allocating resources after the Context A administrator releases the resources
Note: As resources are released from other contexts, the ACE assigns the resources to resource-starved contexts (contexts
where the resource-class minimum allocations have not been met).
Displaying the ACE Resource Allocation and Usage
To view the current resource allocation in your ACE, enter the following command:
Note: All bandwidth values are in bytes per second. To convert to bits per second (bps), multiply the values by eight. The
ACE guarantees 1 Gbps of bandwidth for management traffic. So, the total bandwidth for a 4-Gbps ACE license is
actually 5 Gbps. Throughput is still 4 Gbps.
To display the data plane resource allocation and usage and to cross-check the output of the above two commands, enter the
following command:
The Admin context has a context ID of 0. To display the resource allocation and and usage statistics for another context, change
the "0" in the "-L<context_id>" parameter to the context ID of another context.