8-32
User Guide for the Cisco Application Networking Manager 5.2
OL-26572-01
Chapter 8 Configuring Real Servers and Server Farms
Configuring Server Farms

Table 8-7 Server Farm Attributes (continued)

Field: Failaction Reassign Across Vlans

Description:

Option that is available only for the ACE module A2(3.0), ACE appliance A4(1.0), and later releases of either device type. This field appears only when the Fail Action is set to Reassign.

Check the check box to specify that the ACE reassigns the existing server connections to the backup real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails. If a backup real server has not been configured for the failing server, this option has no effect and leaves the existing connections untouched in the failing real server.

Note the following configuration requirements and restrictions when you enable this option:

- Enable the Transparent option (see the next field) to instruct the ACE not to use NAT to translate the ACE VIP address to the server IP address. The Failaction Reassign Across Vlans option is intended for use in stateful firewall load balancing (FWLB) on your ACE, where the destination IP address for the connection coming in to the ACE is for the end-point real server, and the ACE reassigns the connection so that it is transmitted through a different next hop.

- Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going to and coming from the same server in a flow will traverse the same firewalls or stateful devices (see the "Configuring Virtual Context VLAN Interfaces" section on page 12-6).

- Configure the Predictor Hash Address option after you add the server farm (see the "Configuring the Predictor Method for Server Farms" section on page 8-39).

- You must configure identical policies on the primary interface and the backup-server interface. The backup interface must have the same feature configurations as the primary interface.

- If you configure a policy on the backup-server interface that is different from the policies on the primary-server interface, that policy will be effective only for new connections. The reassigned connection will always have only the primary-server interface policies.

- Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or SYN cookie) are not supported.

- You cannot reassign connections to the failed real server after it comes back up. This restriction also applies to same-VLAN backup servers.

- Real servers must be directly connected to the ACE. This requirement also applies to same-VLAN backup servers.

- You must disable sequence number randomization on the firewall (see the "Configuring Connection Parameter Maps" section on page 10-3).

- Probe configurations should be similar on both ACEs and the interval values should be low. For example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2, the reassigned connections may become stuck because of the probe configuration mismatch. ACE-2 with the low interval value will detect the primary server failure first and will reassign all its incoming connections to the backup-server interface VLAN. ACE-1 with the high interval value may not detect the failure before the primary server comes back up and will still point to the primary server.

  To minimize packet loss, we recommend the following probe parameter values on both ACEs: Interval: 2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.
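
The probe mismatch described in the last requirement can be checked before deployment. The following is an added example, not part of the Cisco guide: it compares the probe stanzas of two ACEs against the recommended values and tests whether an outage of a given length would be seen by only one of them. The probe name FW_PROBE, the ACE-1 sample values, and the timing model (failure declared after Faildetect missed probes, one per Interval) are assumptions made for illustration.

```python
# Values this guide recommends on both ACEs.
RECOMMENDED = {"interval": 2, "faildetect": 2,
               "passdetect interval": 2, "passdetect count": 5}

# Constructed sample probe stanzas in ACE CLI form (not from the guide).
ACE1_CFG = """probe icmp FW_PROBE
  interval 30
  faildetect 3
  passdetect interval 30
  passdetect count 5
"""
ACE2_CFG = """probe icmp FW_PROBE
  interval 2
  faildetect 2
  passdetect interval 2
  passdetect count 5
"""

def parse_probe(cfg):
    """Extract the four probe timing parameters from one stanza."""
    params = {}
    for line in cfg.splitlines():
        words = line.split()
        if len(words) >= 2 and words[-1].isdigit():
            key = " ".join(words[:-1])
            if key in RECOMMENDED:
                params[key] = int(words[-1])
    return params

def detect_time(p):
    """Assumed model: seconds until failure is declared (faildetect misses, one per interval)."""
    return p["interval"] * p["faildetect"]

def mismatches(a, b):
    """Parameters that differ between the two ACEs, in RECOMMENDED order."""
    return [k for k in RECOMMENDED if a.get(k) != b.get(k)]

def off_recommended(p):
    """Parameters on one ACE that deviate from the guide's recommended values."""
    return [k for k, v in RECOMMENDED.items() if p.get(k) != v]

def split_view(a, b, outage_s):
    """True when only one ACE declares the failure before the server recovers."""
    return (detect_time(a) <= outage_s) != (detect_time(b) <= outage_s)

if __name__ == "__main__":
    ace1, ace2 = parse_probe(ACE1_CFG), parse_probe(ACE2_CFG)
    print("mismatched:", mismatches(ace1, ace2))
    print("detect times (s):", detect_time(ace1), detect_time(ace2))
    print("split view during 20 s outage:", split_view(ace1, ace2, 20))
```

A true result from `split_view` corresponds to the stuck-connection case above: one ACE has reassigned its flows to the backup-server VLAN while the other still points to the primary server.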