User Guide for the Cisco Application Networking Manager 5.2, OL-26572-01
Chapter 7: Configuring Virtual Servers

Table 7-13 New Server Farm Attributes (continued)

Field: Failaction Reassign Across Vlans

Description:

Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. This field appears only when the L7 Load-Balancing Action parameters are set as follows: Primary Action: LoadBalance; ServerFarm: New; Fail Action: Reassign.

Check the check box to specify that the ACE reassigns the existing server connections to the backup real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails. If a backup real server has not been configured for the failing server, this option has no effect and leaves the existing connections untouched in the failing real server.

Note the following configuration requirements and restrictions when you enable this option:

• Enable the Transparent option (see the next field) to instruct the ACE not to use NAT to translate the ACE VIP address to the server IP address. The Failaction Reassign Across Vlans option is intended for use in stateful firewall load balancing (FWLB) on your ACE, where the destination IP address for the connection coming in to the ACE is for the end-point real server, and the ACE reassigns the connection so that it is transmitted through a different next hop.

• Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going to and coming from the same server in a flow will traverse the same firewalls or stateful devices (see the “Configuring Virtual Context VLAN Interfaces” section on page 12-6).

• Configure the Predictor Hash Address option. See Table 7-14 for the supported predictor methods and configurable attributes for each predictor method.

• You must configure identical policies on the primary interface and the backup-server interface. The backup interface must have the same feature configurations as the primary interface.

• If you configure a policy on the backup-server interface that is different from the policies on the primary-server interface, that policy will be effective only for new connections. The reassigned connection will always have only the primary-server interface policies.

• Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or SYN cookie) are not supported.

• You cannot reassign connections to the failed real server after it comes back up. This restriction also applies to same-VLAN backup servers.

• Real servers must be directly connected to the ACE. This requirement also applies to same-VLAN backup server.

• You must disable sequence number randomization on the firewall (see the “Configuring Connection Parameter Maps” section on page 10-3).

• Probe configurations should be similar on both ACEs and the interval values should be low. For example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2, the reassigned connections may become stuck because of the probe configuration mismatch. ACE-2 with the low interval value will detect the primary server failure first and will reassign all its incoming connections to the backup-server interface VLAN. ACE-1 with the high interval value may not detect the failure before the primary server comes back up and will still point to the primary server.
  To minimize packet loss, we recommend the following probe parameter values on both ACEs: Interval: 2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.
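
The probe-mismatch scenario in the last requirement, modelled as an added Python example that is not part of the Cisco guide. The names Probe, audit and after_outage are hypothetical, the ACE-1 values are constructed, and detection time is approximated as interval × faildetect with probe timeouts ignored.

```python
from dataclasses import dataclass

# Probe values the guide recommends on both ACEs.
RECOMMENDED = {"interval": 2, "faildetect": 2,
               "passdetect_interval": 2, "passdetect_count": 5}

@dataclass(frozen=True)
class Probe:
    interval: int             # seconds between probes while the server is up
    faildetect: int           # consecutive failed probes before marking it failed
    passdetect_interval: int  # seconds between probes while it is marked failed
    passdetect_count: int     # consecutive good probes before marking it up again

    def detect_seconds(self):
        # Simplified model (assumption): the outage starts right after a good
        # probe, so the next `faildetect` probes must all fail.
        return self.interval * self.faildetect

def audit(ace1, ace2):
    """List probe settings that differ between the ACEs or from RECOMMENDED."""
    findings = []
    for field, want in RECOMMENDED.items():
        a, b = getattr(ace1, field), getattr(ace2, field)
        if a != b:
            findings.append(f"mismatch {field}: ACE-1={a} ACE-2={b}")
        for name, got in (("ACE-1", a), ("ACE-2", b)):
            if got != want:
                findings.append(f"{name} {field}={got}, recommended {want}")
    return findings

def after_outage(ace1, ace2, outage_seconds):
    """Path each ACE uses for existing connections once the primary is back.

    An ACE that detected the failure has reassigned its connections to the
    backup-server VLAN, and they are not moved back when the server recovers.
    """
    return {name: "backup" if p.detect_seconds() <= outage_seconds else "primary"
            for name, p in (("ACE-1", ace1), ("ACE-2", ace2))}

# Constructed sample: ACE-1 probes slowly, ACE-2 uses the recommended values.
ACE1 = Probe(interval=30, faildetect=3, passdetect_interval=60, passdetect_count=3)
ACE2 = Probe(**RECOMMENDED)

if __name__ == "__main__":
    for line in audit(ACE1, ACE2):
        print(line)
    # A 20-second outage: the two ACEs end up on different paths.
    print(after_outage(ACE1, ACE2, outage_seconds=20))
```

When the two ACEs report different paths for the same outage, the two directions of a flow cross different firewalls, which is the stuck-connection condition the requirement describes.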