ACE ping probe
Hi,
I have a strange problem on my ACE in one-arm design.
I have a real server which I can ping from the ACE, but a ping probe always fails:
server : APACHE4
10.144.131.6 28 28 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 4 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Server reply timeout (no reply)
Last probe time : Sat Dec 9 11:42:57 2006
Last fail time : Sat Dec 9 11:29:57 2006
Last active time : Never
ace/INTRANET# ping 10.144.131.6
Pinging 10.144.131.6 with timeout = 2, count = 5, size = 100 ....
Response from 10.144.131.6 : seq 1 time 0.335 ms
Response from 10.144.131.6 : seq 2 time 0.181 ms
Response from 10.144.131.6 : seq 3 time 0.340 ms
Response from 10.144.131.6 : seq 4 time 0.266 ms
Response from 10.144.131.6 : seq 5 time 0.341 ms
5 packet sent, 5 responses received, 0% packet loss
I have a couple of other real servers which do not have this problem.
Any ideas?
According to netflow on the 6500 the server answers correctly.
There are no syslog messages.
interface vlan 552
ip address 10.144.130.3 255.255.255.0
alias 10.144.130.1 255.255.255.0
peer ip address 10.144.130.2 255.255.255.0
no normalization
no icmp-guard
access-group input PERMIT
service-policy input MANAGEMENT
service-policy input SLB
no shutdown
probe icmp PING
interval 2
faildetect 5
passdetect interval 30
passdetect count 2
rserver host APACHE1
ip address 10.144.131.131
probe PING
inservice
rserver host APACHE2
ip address 10.144.131.132
probe PING
inservice
rserver host APACHE3
ip address 10.144.131.133
probe PING
inservice
rserver host APACHE4
ip address 10.144.131.6
probe TEST
probe PING
inservice
probe tcp TEST
port 22
interval 2
faildetect 5
passdetect interval 30
passdetect count 2
ace/INTRANET# sh probe
probe : PING
type : ICMP, state : ACTIVE
port : 0 address : 0.0.0.0 addr type : -
interval : 2 pass intvl : 30 pass count : 2
fail count: 5 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
rserver : APACHE1
10.144.131.131 2312 0 2312 SUCCESS
rserver : APACHE2
10.144.131.132 2311 0 2311 SUCCESS
rserver : APACHE3
10.144.131.133 2311 0 2311 SUCCESS
rserver : APACHE4
10.144.131.6 38 38 0 FAILED
rserver : IIS1
10.144.131.129 2311 0 2311 SUCCESS
rserver : IIS2
10.144.131.130 2311 0 2311 SUCCESS
probe : TEST
type : TCP, state : ACTIVE
port : 22 address : 0.0.0.0 addr type : -
interval : 2 pass intvl : 30 pass count : 2
fail count: 5 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
rserver : APACHE4
10.144.131.6 557 0 557 SUCCESS
I have 3.0(0)A1(3b)
Hi,
unfortunately your URL did not help me.
I found out that the sup720-3b adds 23 bytes of zero padding to exactly the frames corresponding to the failing ping probe. I saw this by spanning the internal te4/1 port from the switch to the ACE to a sniffer.
The strange thing is that the frame is padded although it's larger than the minimum frame size of 64 bytes.
When I configure a log-input ACL on the sup720-3b to force the traffic to be routed by the MSFC3 instead of the PFC3 then the ping probe works and the same frames are not padded any more!!
We run IOS modularity on the sups and according to the 12.2SX release notes they do not support the ACE. I suppose that's the root cause. We will change the sup sw ASAP.
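A check for the symptom described above, as an added example that is not part of the original posts: it compares the length of a captured frame with the length the IPv4 header declares and flags any trailer beyond what the Ethernet minimum frame size justifies. The function names and the sample frames (built inline, checksums left at zero) are constructed for illustration.

```python
import struct

ETH_MIN_NO_FCS = 60        # minimum frame length as captured (4-byte FCS stripped)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100


def trailer_report(frame: bytes) -> dict:
    """Compare the captured frame length with the length the IPv4 header claims."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    if ethertype == ETHERTYPE_VLAN:            # skip a single 802.1Q tag
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        ethertype = struct.unpack("!H", frame[16:18])[0]
        l3 = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    if len(frame) < l3 + 20:
        raise ValueError("truncated IPv4 header")
    ip_total_len = struct.unpack("!H", frame[l3 + 2:l3 + 4])[0]
    expected = l3 + ip_total_len
    if len(frame) < expected:
        raise ValueError("frame shorter than IP total length")
    trailer = frame[expected:]
    # Padding is only justified up to the Ethernet minimum frame size.
    allowed = max(0, ETH_MIN_NO_FCS - expected)
    return {
        "frame_len": len(frame),
        "ip_total_len": ip_total_len,
        "trailer_len": len(trailer),
        "all_zero": not any(trailer),
        "unexpected": len(trailer) > allowed,
    }


def build_echo_reply(icmp_payload_len: int, pad: int) -> bytes:
    """Constructed sample: Ethernet + IPv4 + ICMP echo reply, then `pad` zero bytes.

    Checksums and MAC addresses are zero because only the length fields matter here.
    """
    icmp = struct.pack("!BBHHH", 0, 0, 0, 1, 1) + bytes(icmp_payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 144, 131, 6]), bytes([10, 144, 130, 3]))
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + icmp + bytes(pad)


if __name__ == "__main__":
    # Large reply with 23 trailing zero bytes: no minimum-size reason for padding.
    print(trailer_report(build_echo_reply(100, 23)))
    # Small reply padded up to 60 bytes: normal Ethernet behaviour.
    print(trailer_report(build_echo_reply(8, 10)))
```

Feed it frames exported from the SPAN capture; a non-zero `trailer_len` with `unexpected` set on a frame already above the minimum size is the pattern the poster saw.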
Similar Messages
-
I've setup a SIP probe to check the health of a Microsoft OCS. The health of this server is always failed. What am I missing? I also tried it with a telnet probe on port 5061, but got the same result. A telnet from ACE to the server on port 5061 works fine.
See below a show probe SIP detail and the relevant configuration.
ACE21_Secondary/MOCS# sh probe SIP det
probe : SIP
type : SIP
state : ACTIVE
description :
port : 5061 address : 0.0.0.0 addr type : -
interval : 10 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 4
request-method : OPTIONS
conn termination : GRACEFUL
expect offset : 0 , open timeout : 2
expect regex : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
rserver : OCS_11
10.105.11.70 5061 -- 7566 7566 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 0
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Server reply timeout (no reply)
Last probe time : Thu Oct 30 14:18:42 2008
Last fail time : Tue Oct 28 16:31:30 2008
Last active time : Never
ACE21_Secondary/MOCS# sh run
probe sip tcp SIP
port 5061
interval 10
passdetect interval 10
receive 4
expect status 200 200
open 2
rserver host OCS_11
ip address 10.105.11.70
probe SSL
probe PING
probe SIP
probe SIP_TELNET
inservice
Cheers
Peter
Peter,
make sure to NOT run version A2(1.1a) as SIP probes are broken in that specific release.
If your version is something else, get a sniffer trace on the server to see what is going on.
Seems like we don't get a reply according to the line :
"Last disconnect err : Server reply timeout (no reply) "
Gilles. -
ACE HTTP Probe with regex
Hi,
I'm trying to set up an HTTP probe with an expected string rather than a code (config below). I do a GET for the page, then a search for a string in the response; however, it's not working, as the probe appears as failed.
I've tested the connection to the server by telnetting and then looking at the page displayed to make sure the string I want to match is in the response.
probe http HTTP-PROBE
port 43050
interval 30
passdetect interval 30
passdetect count 1
request method get url /action=help
open 43050
expect regex action=help
Q. Is there anything wrong with this configuration and what I'm trying to achieve?
Thanks,
Pritesh
Use "expect status" under probe config. expect regex doesn't work if expect status is not configured.
expect regex works flawlessly with static pages. It doesn't work all the time with dynamic pages.
Especially if the "content-length" header is missing from the server response.
Hope it helps
Syed Iftekhar Ahmed -
Hello,
Maybe a silly question, but...
When I check connectivity between two neighbour Cisco devices (routers and switches) using the standard ping command with default parameters, I frequently see that the first ping probe times out and the next four are successful.
I suppose that on Ethernet links this is due to the ARP mechanism. But the default ping timeout is 2 s, and the ARP Request/Reply round trip on 100 Mbit/s Ethernet is ~100 us (I have observed this with an analyzer).
The same situation occurs on serial point-to-point links, where no ARP exists.
Any idea why the first ping probe times out?
Also I have found this question in Cisco BCMSN Course LAB Guide
On some pings, there was one lost packet (.) and then four good packets. You should know why that occurred.
Best Regards,
Tomas
Tomas
To understand this behavior I suggest that you start with show arp and look for the destination that you will ping. Then run debug arp and debug ip icmp. Then try the ping. This should help to clarify what the router does if the destination is not in the arp table and how that impacts the first ping.
HTH
Rick -
ACE http probe "request method type" mandatory on A3(2.6)?
Hi people,
I recently upgraded to A3(2.6) from A3(2.0) and I don't see the N/A option on the http probe "request method type".
It also has an asterisk * which means it's mandatory.
I tried to set up a new http probe for another farm I am creating and the probe shows status failed, although I can ping and telnet to the http server on port 80 from the ACE context. My probe is like that:
probe http http_probe_WWW
interval 15
passdetect interval 60
expect status 200 200
open 10
My other http probes for other farms work ok after the upgrade and they are similar.
So my question is: Do I need to set the request method type or something else causes the probe to fail?
thanks a lot.
George
What you see is a problem with the GUI.
CSCtg78008 while creating http probe default method selected should be get as in CLI
But the request-method is not required.
So your config should work.
Do a 'show probe detail' to see the failure reason.
Get a sniffer trace as well.
Regards,
Gilles. -
Hello,
I have an ACE running in router mode.
I have the server and client in different VLANs
(server vlan 20, client vlan 192)
1. client vlan(20) -> vip(20.1.1.102) service ok
2. client vlan(20) -> vip(20.1.1.102) ping fail?
Why does the ping fail?
Hope this helps
[Configuration]
access-list ALL line 10 extended permit ip any any
access-list ALL line 11 extended permit icmp any any
probe tcp tcp_21
port 21
interval 2
faildetect 2
passdetect interval 5
passdetect count 2
serverfarm host slb
probe tcp_21
rserver test_01
inservice
rserver test_02
inservice
class-map type management match-any REMOTE_ACCESS
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
class-map match-all slb
2 match virtual-address 20.1.1.102 any
policy-map type management first-match REMOTE_MGMT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match slb
class class-default
serverfarm slb
policy-map multi-match test
class slb
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply active
interface vlan 20
ip address 20.1.1.2 255.255.255.0
alias 20.1.1.1 255.255.255.0
peer ip address 20.1.1.3 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input REMOTE_MGMT
service-policy input test
no shutdown
interface vlan 192
ip address 192.168.1.102 255.255.255.0
alias 192.168.1.1 255.255.255.0
peer ip address 192.168.1.103 255.255.255.0
access-group input ALL
access-group output ALL
service-policy input test
no shutdown
Is the A2 train the current version recommended by Cisco? These devices load balance critical systems so we usually try and stay with Safe Harbor code wherever possible. In my deployment I require stability over features and in the past have stayed away from the "newest" code releases for fear of flaky or buggy behavior.
Thanks -
ACE - TCP probe goes into INVALID state
Hello,
I have a problem with the following configuration of a sticky serverfarm with a backup serverfarm
(this setup is of course used only for failover purposes, not loadbalancing):
probe tcp tcp-8888-probe
port 8888
interval 5
faildetect 2
passdetect interval 3
passdetect count 1
rserver host rsrv1
ip address 10.1.2.10
inservice
rserver host rsrv2
ip address 10.1.2.11
inservice
serverfarm host rfarm-primary
predictor leastconns
probe tcp-8888-probe
rserver rsrv1 8888
inservice
serverfarm host rfarm-backup
predictor leastconns
probe tcp-8888-probe
rserver rsrv2 8888
inservice
sticky http-cookie RFARM-COOKIE sticky-rfarm-1
cookie insert browser-expire
serverfarm rfarm-primary backup rfarm-backup
etc....
The problem is that every time probe state changes (from SUCCESS to FAIL or otherwise), the tcp-8888-probe on the server that changed
the state of service, goes into INVALID state:
#show probe tcp-8888-probe detail
probe : tcp-8888-probe
type : TCP
state : ACTIVE
description :
port : 8888 address : 0.0.0.0 addr type : -
interval : 5 pass intvl : 3 pass count : 1
fail count: 2 recv timeout: 10
conn termination : GRACEFUL
expect offset : 0 , open timeout : 10
expect regex : -
send data : -
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : rfarm-backup
real : rsrv2[8888]
10.1.2.11 291 0 291 SUCCESS
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 0
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : -
Last probe time : Thu Jun 17 22:12:31 2010
Last fail time : Never
Last active time : Thu Jun 17 21:48:21 2010
serverfarm : rfarm-primary
real : rsrv1[8888]
10.1.2.10 0 0 0 INVALID
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 0
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : -
Last probe time : Never
Last fail time : Never
Last active time : Never
I have managed to get the probe into FAIL state again for a moment by removing it from the serverfarm and then reapplying it, but in a few seconds it goes again from FAIL to INVALID state, and stays in this state regardless of the availability of the probed TCP port. Only when I'm reapplying it while the port is available/up can it stay in SUCCESS state and work until the failure of the service, when the INVALID state reappears.
What can be the cause of such behavior ?
thanks,
WM
Hello,
It looks very similar to this bug: CSCsh74871
You may need to collect a #show tech-support and do the following:
-remove the serverfarm in question
-reboot the ace module under a maintenance window.
You may upgrade to a higher version since your version is kind of old.
Jorge -
Hi,
I have a question about the config of the ACE probe.
I have the following probe defined :
probe http P_HTTP_TEST
interval 5
passdetect interval 2
passdetect count 2
request method get url /test
expect status 200 200
expect regex trululu
I would like to use the regex just like the expect string on the csm probe...
The regex doesn't seem to work as the string trululu is not on the page tested.
I guess the expect status override the regex but without the expect status it doesn't work either.
Anyone know how exactly the probe expect works for http ?
Another question: on the CSM module, the tcp probe by default uses the real port for the probe, not the default port of the probe type. Is it possible to change that so it mimics the CSM way of working?
Thanks a lot ;-)
This seems to be a bug related to some version of ACE software, as the HTTP return code overrides the missing regexp. For sure this bug is present in:
system: Version A2(2.0) [build 3.0(0)A2(2.0)]
Notice the difference between 192.168.1.1 (is missing regex in HTTP response) and 192.168.1.2 (sends regexp in HTTP response). Both are successful and as addition 192.168.1.1 (missing regexp) is showing last status code 200 which seems to be sufficient for probe to pass. 192.168.1.2 (which sends expected regexp) doesn't show last status code.
probe : tw2_http_81
type : HTTP
state : ACTIVE
description :
port : 81 address : 0.0.0.0 addr type : -
interval : 30 pass intvl : 30 pass count : 1
fail count: 1 recv timeout: 10
http method : GET
http url : /knowtw2-f/livelink.exe?func=ll&objtype=142&bypass
conn termination : GRACEFUL
expect offset : 0 , open timeout : 10
expect regex : lbmonitor
send data : -
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
real : 192.168.1.1[81]
192.168.1.1 2 0 2 SUCCESS
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 0
No. Probes skipped : 0 Last status code : 200
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : -
Last probe time : Mon Nov 7 12:38:42 2011
Last fail time : Never
Last active time : Mon Nov 7 12:38:22 2011
real : 192.168.1.2[81]
192.168.1.2 2 0 2 SUCCESS
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 0
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : -
Last probe time : Mon Nov 7 12:38:27 2011
Last fail time : Never
Last active time : Mon Nov 7 12:37:58 2011 -
Hi,
We would like to see the hash value calculated by the ACE when the HTTP probe hash command configured.
This is possible on CSS via the "sh service" command. We have tried to get it from sh rserver , sh probe XXX detail sh serverfarm XXX det but we do not get it.
Is this possible to get it on the ACE as we do on the CSS?
We need this to manually configure it via the hash <value> command because if the ACE probe is reset for any reason, the probe http hash will be re-calculated based on the first http response of the server and we can not predict that the server will give the expected web page at this time.
A // question is: on what the md5 value is calculated? HTTP header + payload or only http object payload? We have calculated the md5 hash value by ourselves but the probe is still failing whatever the http portion used for the calculation is.
Many thanks for your help.
Regards/ludovic.
probe http MD5-HTTP
interval 15
passdetect interval 15
request method get url /index.html
expect status 200 200
hash 2441DA7F68A265F8CFB4426B6897CE33
And here is how I computed the hash on the server itself [linux machine]
md5sum /var/www/HTML/index.html
2441da7f68a265f8cfb4426b6897ce33 /var/www/HTML/index.html
[root@linux-1 tftpboot]#
The probe is UP
switch/Admin# sho probe MD5-HTTP detail
probe : MD5-HTTP
type : HTTP
state : ACTIVE
description :
port : 80 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 15 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : /index.html
Hash-value : 2441da7f68a265f8cfb4426b6897ce33
conn termination : GRACEFUL
expect offset : 0 , open timeout : 10
expect regex : -
send data : -
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : linux1
real : linux1[0]
192.168.30.27 13 4 9 SUCCESS
md5sum is a standard tool.
Nothing fancy about it.
Gilles. -
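The comparison raised in the question above, as an added example that is not part of the original posts: it hashes a raw HTTP reply both ways (headers plus body, and body alone) and reports which one matches a configured value. Per the reply, the configured hash equals md5sum of the file the server returns, which is the body-only case; the page content, header values and function names here are constructed.

```python
import hashlib
from typing import Optional

# Constructed sample data: a static page served twice, a few seconds apart.
PAGE = b"<html><body>lb health page</body></html>\n"


def make_response(date: str) -> bytes:
    """Build a constructed HTTP/1.1 reply carrying PAGE with the given Date header."""
    head = ("HTTP/1.1 200 OK\r\n"
            f"Date: {date}\r\n"
            "Content-Type: text/html\r\n"
            f"Content-Length: {len(PAGE)}\r\n\r\n")
    return head.encode("ascii") + PAGE


def split_response(raw: bytes):
    """Return (headers, body); the body is cut to Content-Length when present."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    headers = {}
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get(b"content-length")
    if length is not None:
        if len(body) < int(length):
            raise ValueError("body shorter than Content-Length")
        body = body[:int(length)]
    return headers, body


def hash_candidates(raw: bytes) -> dict:
    """MD5 over the two portions the question asks about."""
    _, body = split_response(raw)
    return {
        "headers+body": hashlib.md5(raw).hexdigest(),
        "body": hashlib.md5(body).hexdigest(),
    }


def matching_portion(raw: bytes, configured: str) -> Optional[str]:
    """Name the portion whose MD5 equals the configured hash, or None."""
    for name, digest in hash_candidates(raw).items():
        if digest == configured.lower():
            return name
    return None


if __name__ == "__main__":
    # Equivalent of running md5sum on the file on the server.
    configured = hashlib.md5(PAGE).hexdigest().upper()
    first = make_response("Mon, 07 Nov 2011 12:38:22 GMT")
    second = make_response("Mon, 07 Nov 2011 12:38:42 GMT")
    print(matching_portion(first, configured), matching_portion(second, configured))
    # The whole-reply hash changes with every Date header, so it cannot be pinned.
    print(hash_candidates(first)["headers+body"] ==
          hash_candidates(second)["headers+body"])
```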
Hi,
I have a strange behavior on an ACE blade:
The blade is configured in bridge mode. When the configured real servers are on the same site, the probe is OK; if they are on another site, the probe fails.
What I found is that the echo reply on the PO of the blade is padded with 23 bytes of "0" only for the probe.
This is really strange...
the version of the blade and ios:
blade : 3.0(0)A1(4a)
Sup (720): 12.2(18)SXF8
I found on the forum that it could be related to the PFC3b but I don't see how I could try to bypass it.
Thanks for your help ;-)
I understand the reply will come on some ethernet module and be forwarded into the ACE PO.
So, what is the ethernet hardware module type? 'show mod'.
Could you also give us the trace so we can look at the icmp packet.
Thanks,
Gilles. -
Hello,
We are trying to configure an SSH probe.
I've tried creating a TCP port which checks for port 22, but I want to go further and get the probe to actually log on.
I noticed that only HTTP probes have an option to configure credentials.
Is there a way that I can configure a probe on the ACE to do this without having to create a script?
Thanks.
Hi Michelle,
If you manage to have a TCL script that connects through SSH, you can pass the username and password through arguments of the scripted probe and those arguments could be used to log in.
Now how can you use TCL to login through SSH, I'm sorry but I don't know.
Regards,
Nicolas -
ACE Health probe using get URL
Hello,
We are trying to create a health probe for our google search appliances and as part of the URL get there is a question mark but the ACE doesn't like that. Is there a way around this or should it be done differently?
request method get url /searchq? (This is what we want the URL to be)
request method get url /searchq (This is where it thinks i'm asking it for help)
Thanks in Advance.
Hello,
You need to type CTRL+v prior to entering the ?
That's the Control key then lowercase v, then your question mark.
Hope this helps,
Sean -
Hi All,
Has anyone seen sample TCL code for probing a generic SQL server?
Thanks,
Dave
You can use the following configuration:
probe tcp MS-SQL
description TO-RBSQL1
ip address 10.15.160.3
port 1433
interval 2
faildetect 2
passdetect interval 2
passdetect count 2
rserver host RBWEB1
ip address 10.15.177.11
rserver host RBWEB3
ip address 10.15.177.13
inservice
serverfarm host RBWEB
description TO-VLAN-177-RBWEB-SERVERS
predictor leastconns
probe WWW-RISKBROWSER
probe PING
rserver RBWEB1
rserver RBWEB3
inservice
And also you can use the command sh probe MS-SQL, to know probe association probed-address probes health. Sure that the server respond or responded with a RST. -
ACE failed probe and established connections
Hello,
I have four ACE 4710. Each pair of ACE is in one geographical location. Probes are configured so that it is checking regular regex (HTTP GET).
When an rserver needs an update, we change the text in our testpage.html (e.g. from "OK" to "SUSPEND") so that the probe detects a failure.
In fact rservers are still operational, but should not accept new connections. This works fine.
BUT I observed that established connections/sessions did not end after the probe failed. The ACE probably waits for opened/established connections to end, and that is what I am asking about.
What happens if the probe fails but the rserver is in fact operational? I thought that if a probe fails it also cuts all established connections to the rserver. But it seems this is not true. Does anybody have this experience?
Thanks for your opinion.
Jan
Hello Jan,
if I understood correctly, what you're looking for is documented in the section on the failaction command, which actually makes the ACE behavior in this respect configurable:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_2_0/configuration/slb/guide/rsfarms.html#wp1117375
indeed the default behavior of the ACE is to take a failed real server out of load-balancing rotation for new connections and to allow existing connections to complete.
Hope it helps,
Francesco -
Hi,
I have the need of a dual probe with a AND-action, ie both probes needs to be down to take the service down.
The following configuration is an OR-operation but I need a AND-operation.
Any? Scripted?
probe https HEALTHCHECK-OPEN-SSL
interval 10
passdetect interval 5
receive 2
ssl version all
request method get url /open/healthcheck.html
expect status 200 200
header User-Agent header-value "Cisco-Probe"
hash
connection term forced
open 2
probe https HEALTHCHECK-SSL
interval 10
passdetect interval 5
receive 2
ssl version all
request method get url /healthcheck.html
expect status 200 200
header User-Agent header-value "Cisco-Probe"
hash
connection term forced
open 2
serverfarm host MOBI-SSL
probe HEALTHCHECK-SSL
probe HEALTHCHECK-OPEN-SSL
rserver MOBI-NY-L 443
inservice
rserver MOBI-NY-R 443
inservice
Hi,
Use the "fail-on-all" command to configure the ACE to take the rserver out of service if all the associated probes fail. You can use this command under the serverfarm or the rserver.
-Alex