Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
Chapter 5 Configuring Virtual Servers
Failaction Reassign Across Vlans
This field appears only when the L7 Load-Balancing Action parameters are set as follows:
Primary Action: LoadBalance, ServerFarm: New, Fail Action: Reassign.
Check the check box to specify that the ACE reassigns the existing server connections to the backup real
server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails. If
a backup real server has not been configured for the failing server, this option has no effect and leaves the
existing connections untouched in the failing real server.
Note the following configuration requirements and restrictions when you enable this option:
• Enable the Transparent option (see the next field) to instruct the ACE not to use NAT to translate the
ACE VIP address to the server IP address. The Failaction Reassign Across Vlans option is intended for
use in stateful firewall load balancing (FWLB) on your ACE, where the destination IP address for the
connection coming in to the ACE is for the end-point real server, and the ACE reassigns the connection
so that it is transmitted through a different next hop.
• Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going to and
coming from the same server in a flow will traverse the same firewalls or stateful devices (see the
“Configuring Virtual Context VLAN Interfaces” section on page 10-10).
• Configure the Predictor Hash Address option. See Table 5-12 for the supported predictor methods and
configurable attributes for each predictor method.
• You must configure identical policies on the primary interface and the backup-server interface. The
backup interface must have the same feature configurations as the primary interface.
• If you configure a policy on the backup-server interface that is different from the policies on the
primary-server interface, that policy will be effective only for new connections. The reassigned
connection will always have only the primary-server interface policies.
• Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or
SYN cookie) are not supported.
• You cannot reassign connections to the failed real server after it comes back up. This restriction also
applies to same-VLAN backup servers.
• Real servers must be directly connected to the ACE. This requirement also applies to same-VLAN
backup servers.
• You must disable sequence number randomization on the firewall (see the “Configuring Connection
Parameter Maps” section on page 8-5).
• Probe configurations should be similar on both ACEs and the interval values should be low. For
example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2, the
reassigned connections may become stuck because of the probe configuration mismatch. ACE-2 with
the low interval value will detect the primary server failure first and will reassign all its incoming
connections to the backup-server interface VLAN. ACE-1 with the high interval value may not detect
the failure before the primary server comes back up and will still point to the primary server.
To minimize packet loss, we recommend the following probe parameter values on both ACEs: Interval: 2,
Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.
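The probe-mismatch case described above, as an added Python sketch (not from the Cisco guide and not ACE code). It uses a simplified model in which probes fire at fixed multiples of Interval and a server is marked failed after Faildetect consecutive misses; the `Probe` class, the function names and the sample timings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional


@dataclass(frozen=True)
class Probe:
    interval: int    # seconds between probes while the server is considered up
    faildetect: int  # consecutive failed probes before the server is marked failed


class Outcome(NamedTuple):
    state: str                # "both-reassigned", "neither-reassigned" or "split"
    ace1_detect: Optional[int]
    ace2_detect: Optional[int]


def detect_failure(p: Probe, down_at: int, up_at: int) -> Optional[int]:
    """Second at which an ACE marks the primary failed, or None if the
    outage [down_at, up_at) ends before enough consecutive probes fail.
    Simplified model: probes are sent at t = 0, interval, 2*interval, ..."""
    misses, t = 0, 0
    while t < up_at:
        if t >= down_at:
            misses += 1
            if misses >= p.faildetect:
                return t
        else:
            misses = 0
        t += p.interval
    return None


def outage_outcome(ace1: Probe, ace2: Probe, down_at: int, up_at: int) -> Outcome:
    """Compare how two ACEs react to the same outage of the primary server.
    "split" is the stuck-connection case: one ACE has moved flows to the
    backup-server VLAN while the other still points at the primary."""
    d1 = detect_failure(ace1, down_at, up_at)
    d2 = detect_failure(ace2, down_at, up_at)
    if (d1 is None) != (d2 is None):
        state = "split"
    else:
        state = "neither-reassigned" if d1 is None else "both-reassigned"
    return Outcome(state, d1, d2)


if __name__ == "__main__":
    recommended = Probe(interval=2, faildetect=2)   # values recommended above
    slow = Probe(interval=30, faildetect=3)         # constructed "high interval" ACE-1
    # Constructed outage: primary down from t=5 s until t=25 s.
    print(outage_outcome(slow, recommended, down_at=5, up_at=25))
    print(outage_outcome(recommended, recommended, down_at=5, up_at=25))
```

With the constructed 20-second outage, the mismatched pair ends in the "split" state, while two ACEs using the recommended values both reassign at the same probe tick.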
Table 5-11 New Server Farm Attributes (continued)
Field Description