Installation guide

6-20
Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
Chapter 6 Configuring Real Servers and Server Farms
Configuring Server Farms
Table 6-5 Server Farm Attributes (continued)

Field: Failaction Reassign Across Vlans

Description:

This field appears only when the Fail Action is set to Reassign.

Check the check box to specify that the ACE reassigns the existing server connections to the backup real server on a different VLAN interface (commonly referred to as a bypass VLAN) if the real server fails. If a backup real server has not been configured for the failing server, this option has no effect and leaves the existing connections untouched in the failing real server.

Note the following configuration requirements and restrictions when you enable this option:

- Enable the Transparent option (see the next field) to instruct the ACE not to use NAT to translate the ACE VIP address to the server IP address. The Failaction Reassign Across Vlans option is intended for use in stateful firewall load balancing (FWLB) on your ACE, where the destination IP address for the connection coming in to the ACE is for the end-point real server, and the ACE reassigns the connection so that it is transmitted through a different next hop.
- Enable the MAC Sticky option on all server-side interfaces to ensure that packets that are going to and coming from the same server in a flow will traverse the same firewalls or stateful devices (see the “Configuring Virtual Context VLAN Interfaces” section on page 10-10).
- Configure the Predictor Hash Address option. See the “Configuring the Predictor Method for Server Farms” section on page 6-29 for the supported predictor methods and configurable attributes for each predictor method.
- You must configure identical policies on the primary interface and the backup-server interface. The backup interface must have the same feature configurations as the primary interface.
- If you configure a policy on the backup-server interface that is different from the policies on the primary-server interface, that policy will be effective only for new connections. The reassigned connection will always have only the primary-server interface policies.
- Interface-specific features (for example, NAT, application protocol inspection, outbound ACLs, or SYN cookie) are not supported.
- You cannot reassign connections to the failed real server after it comes back up. This restriction also applies to same-VLAN backup servers.
- Real servers must be directly connected to the ACE. This requirement also applies to same-VLAN backup servers.
- You must disable sequence number randomization on the firewall (see the “Configuring Connection Parameter Maps” section on page 8-5).
- Probe configurations should be similar on both ACEs and the interval values should be low. For example, if you configure a high interval value on ACE-1 and a low interval value on ACE-2, the reassigned connections may become stuck because of the probe configuration mismatch. ACE-2 with the low interval value will detect the primary server failure first and will reassign all its incoming connections to the backup-server interface VLAN. ACE-1 with the high interval value may not detect the failure before the primary server comes back up and will still point to the primary server.
  To minimize packet loss, we recommend the following probe parameter values on both ACEs: Interval: 2, Faildetect: 2, Passdetect interval: 2, and Passdetect count: 5.
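The probe-mismatch case described above, as an added example (not Cisco code): a simplified timing model showing for which outage lengths only one of the two ACEs reassigns its connections. The `Probe` class, the function names and the ACE-1/ACE-2 sample values are constructed for illustration, and worst-case detection time is assumed to be interval × faildetect.

```python
from dataclasses import dataclass

# Probe values recommended in the text above for both ACEs.
RECOMMENDED = {"interval": 2, "faildetect": 2,
               "passdetect_interval": 2, "passdetect_count": 5}

@dataclass(frozen=True)
class Probe:
    interval: int             # seconds between probes while the server is up
    faildetect: int           # consecutive failed probes before marking it down
    passdetect_interval: int  # seconds between probes while it is marked down
    passdetect_count: int     # consecutive successes before marking it up

    def detect_seconds(self) -> int:
        # Assumption: the failure starts just after a successful probe, so
        # the next `faildetect` probes, one per interval, must all fail.
        return self.interval * self.faildetect

def deviations(probe: Probe) -> dict:
    """Parameters that differ from the recommended values."""
    return {k: getattr(probe, k) for k, v in RECOMMENDED.items()
            if getattr(probe, k) != v}

def reassigns(probe: Probe, outage_seconds: int) -> bool:
    """True if this ACE marks the primary down before it comes back up."""
    return probe.detect_seconds() <= outage_seconds

def split_window(a: Probe, b: Probe):
    """Outage lengths [lo, hi) in seconds for which only one ACE reassigns."""
    lo, hi = sorted((a.detect_seconds(), b.detect_seconds()))
    return (lo, hi) if lo < hi else None

# Constructed sample values: ACE-1 has a high interval, ACE-2 a low one.
ACE1 = Probe(interval=30, faildetect=3, passdetect_interval=60, passdetect_count=3)
ACE2 = Probe(interval=2, faildetect=2, passdetect_interval=2, passdetect_count=5)

if __name__ == "__main__":
    outage = 20  # seconds the primary real server is down (constructed)
    for name, probe in (("ACE-1", ACE1), ("ACE-2", ACE2)):
        print(name, "detects after", probe.detect_seconds(), "s;",
              "reassigns" if reassigns(probe, outage) else "still on primary",
              "; differs from recommended:", deviations(probe) or "nothing")
    print("only one ACE reassigns for outages in", split_window(ACE1, ACE2))
```

A non-empty window means an outage of that length leaves the two ACEs pointing at different servers, which is the stuck-connection case; identical probe settings close the window.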