ACE: probe timers

Similar Messages

• ACE Probe regex and escaping Parenthesis

  I'm trying to setup a ACE probe that expects a return of
  (server.domain.com) EXISTS=TRUE,AVAILABLE=TRUE,ACTIVE=TRUE
  But it doesn't appear that I can use Parenthesis inside a regex.  I've tried escaping as well.
  expect \(server\.domain\.com\) EXISTS=TRUE,AVAILABLE=TRUE,ACTIVE=TRUE
  % invalid command detected at '^' marker.   Pointing at the (
  But this doesn't work either.  Any ideas?

         Hi,
  Hi,
  If it has taken it, it should match the response from server.  Is it still not matching?
  If you look at the regex builder below, the regex matches the response which is expected from the server. So ACE should be able to match it.
  Also, you can try and put \ before dots but not sure. In my opinion it should work fine with what we have put in already. If it doesn't we will have to use hit and trial. Let me know if you need this regex builder. You can download it from google though. In any case i just attached it.

• Function of health probe timers on CSM

  Hi,
  we use the following configuration on a csm to monitor a server farm and I'm wondering how exactly the probe timers work.
  ===
  serverfarm sf
  nat server
  nat client natpool1
  failaction purge
  real name serv1
  weight 1
  inservice
  real name serv2
  weight 1
  inservice
  probe probe1
  probe probe1 script
  script LDAP_PROBE
  interval 5
  retries 2
  receive 1
  port 389
  ===
  So in my eyes the probes are sent every 5 seconds. When a probe isn't answered within one second it's marked as failed. If two probes are failed (retries 2) the real server is marked as down.
  Is this correct?
  In a network trace I see a different behaviour: Probes are sent every 5 seconds. If a real server goes out-of-service I see a probe which is not answered and the next probe is sent after 10 seconds (I expected 5 seconds). 5 seconds later the real server is marked down in the switch log.
  It would be fine if anybody could help me.
  Best Regards,
  Thorsten Steffen

  Hi,
  following the meaning of the parameters:
  Router(config-slb-probe)#
  interval seconds
  Sets the interval between probes in seconds (from the end of the previous probe to the beginning of the next probe) when the server is healthy.
  Range = 2-65535 seconds
  Default = 120 seconds
  Router(config-slb-probe)#
  retries retry-count
  Sets the number of failed probes that are allowed before marking the server as failed.
  Range = 0-65535
  Default = 3
  Router(config-slb-probe)#
  failed failed-interval
  Sets the time between health checks when the server has been marked as failed. The time is in seconds.
  Range = 2-65535
  Default = 300 seconds
  Router(config-slb-probe)# open
  open-timeout
  Sets the maximum time to wait for a TCP connection. This command is not used for any non-TCP health checks (ICMP or DNS1).
  Range = 1-65535
  Default = 10 seconds
  There are two different timeout values: open and receive. The open timeout specifies how many seconds to wait for the connection to open (that is, how many seconds to wait for SYN ACK after sending SYN). The receive timeout specifies how many seconds to wait for data to be received (that is, how many seconds to wait for an HTTP reply after sending a GET/HHEAD request). Because TCP probes close as soon as they open without sending any data, the receive timeout is not used.
  When sniffing, you should see a probe each 5 seconds. When a probe fails for the first time, a second probe should be send after 5 seconds. when this probe fails too, the server is put out of service.
  That should be the behaviour you should see.
  HTH,
  Dario

• ACE Probe Config for Blue Coat Proxy TCP Port 74 NETRJS-4

  We are running 4710's with A5(2.2). We use Blue Coat proxies for our internet connections, specifcally TCP port 74. So when we open up a browser connection to www.cisco.com, the HTTP GET is actually encapsulated in TCP port 74 netrjs-4. We want to load-balance these proxies with ACE and I'm trying to setup health probes, but the only ones that work are the tcp probes PROXY_BCC_PROBE and PROXY_PROBE. I'd like to have health probes that hit external websites, but I'm confused whether the "ip address" Probe sub command is all I need, and netrjs is simple encapsulation of the HTTP request (which is what it looks like on a sniffer). Does anyone have Blue Coat proxies/ACE working? If so, how are your probes configured?
  Thanks,
  probe tcp PROXY_BCC_PROBE
    port 8084
    interval 3
    passdetect interval 3
  probe http PROXY_HTTP1_PROBE
    ip address 198.133.219.25
    port 74
    interval 3
    passdetect interval 3
    request method head url /index.html
    expect status 200 299
  probe http PROXY_HTTP2_PROBE
  ip address 198.133.219.25
    port 74
    interval 3
    request method get url /
    expect status 200 299
  probe tcp PROXY_PROBE
    port 74
    interval 3
    passdetect interval 3

  Hi,
  I have seen this working for one of the customer.
  probe http HTTPGET
    description Tests that www.gmail.com returns 302 redirect
    interval 10
    request method get url http://www.gmail.com
    expect status 302 302
  If I modify your probe :
  probe http PROXY_HTTP1_PROBE
    ip address 198.133.219.25
    port 74
    interval 3
    passdetect interval 3 
  request method get url
    http://www.gmail.com
  expect status 302 302
  Give it a try and see if that helps.
  regards,
  Ajay Kumar

• ACE: probe failing

  Hi,
  I've following probe configured:
  probe http probe1.test.com:10114
    port 10114
    interval 34
    faildetect 17
    passdetect interval 60
    expect status 200 200
    header Host header-value "hcmfincrp1.test.com"
    open 1
  and it is applied to serverfarm. but health check is failing. I see following when I do "sh probe probe1.test.com:10114 detail":
  sh probe probe1.test.com:10114 deta
  probe       : probe1.test.com:10114
  type        : HTTP
  state       : ACTIVE
  description :
     port      : 10114   address     : 0.0.0.0         addr type  : -
     interval  : 34      pass intvl  : 60              pass count : 3
     fail count: 17      recv timeout: 10
     http method      : GET
     http url         : /
     conn termination : GRACEFUL
     expect offset    : 0         , open timeout     : 1
     expect regex     : -
     send data        : -
                  ------------------ probe results ------------------
     associations ip-address      port  porttype probes   failed   passed   health
     ------------ ---------------+-----+--------+--------+--------+--------+------
     serverfarm  : probe1.test.com:443
       real      : server1.test.com[10114]
                  192.168.1.110114 PROBE    41531    19556    21975    FAILED
     Socket state        : CLOSED
     No. Passed states   : 5         No. Failed states : 6
     No. Probes skipped  : 0         Last status code  : 0
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err : Unrecognized or invalid response
     Last probe time     : Wed Oct 12 17:43:30 2011
     Last fail time      : Tue Oct 11 02:33:52 2011
     Last active time    : Sun Oct  9 20:24:02 2011
  May i know why health check is failing? why am I seeing msg "Last disconnect err : Unrecognized or invalid response" ?

  Hi ,
  This error means, that the ace is not receiving a 200 ok response from the server, this happens when server is not responding it or it is receiving that do not have a host header having value hcmfincrp1.test.com , which you have definied, or the page has got modified. Please check if your http server is working fine.
  Regards
  Abijith

• Ace probe failure after IIS app pool recycle?

  Windows Server 2003 SP2
  ACE Module A2(1.6a)
  I suspect this is caused by an IIS6 setting, but posting here in case anyone has seen this.  For this one particular site, we have 4 servers in the farm.  2 of those servers are fine.  The other 2 (new) servers will generate probe failure after the site's app pool recycles.  I then remove the 2 servers from service and re-activate (no inservice, then inservice) and the probe comes back as operational.  It appears that the app pool recycle somehow is resetting the hash on the default page, though I'm not sure how.  Any ideas are very much appreciated. 

  Yeah, the hash is inside the probe.  Here's the config for the serverfarm and the probe.  Public-007 and Public-008 are new servers...the other 6 have been in the farm for the last 2.5 years and they don't have this issue.  It's only the 2 new boxes that the probe fails when the app pool is recycled.
  serverfarm host PUBLIC
    probe URL-DEFAULT-ASPX
    rserver PUBLIC-001
      inservice
    rserver PUBLIC-002
      inservice
    rserver PUBLIC-003
      inservice
    rserver PUBLIC-004
      inservice
    rserver PUBLIC-005
      inservice
    rserver PUBLIC-006
      inservice
    rserver PUBLIC-007
      inservice
    rserver PUBLIC-008
      inservice
  probe http URL-DEFAULT-ASPX
    interval 2
    faildetect 2
    passdetect interval 2
    passdetect count 2
    request method get url /default.aspx
    expect status 200 200
    hash

• ACE ; probe for host header-value

  Hi,
  we have following probe setup. sometimes this probe fails because server resets the connection but server team claims there aren't any issues with server.
  probe https probe1.abc.com:10456
    port 10456
    interval 34
    passdetect interval 17
    ssl version all
    expect status 200 200
    header Host header-value "probe1.abc.com"
    open 1
  is there a way to validate able probe using linux/linux servers? i.e. using unix/linux server is there a way to send that host header-value to the servers and see if servers are responding with 200 OK status? if not from Unix/Linux servers than if there any otherway to validate it apart from validating it from ACE?
  Thanks...

  or can we do it using window? maybe using firefox on windows machine?
  please advise.

• ACE Probe with special Caracters

  I need to probe a URL that contains the caracter "?".
  I am working with the ACE and would like to know how can I put the URL within the probe format.
  Thanks

  Hi,
  It's one of the 2 solutions below, don't know which one :-)
  you can use brackets [ ] or a slash in front of you question mark.
  fe:
  request method get url /search[?]number=10
  If this doens't work, try to use the escape sequence like in IOS:
  escape sequence is CRTL-V
  so if you want to type it in a probe:
  request method get url /search(type CTRL-V)?number=10
  HTH,
  Dario

• ACE probe for LDAP

  Is there a way to configure a probe to check the health of LDAP and how? I can't find any reference in the docs for how to do this.

  You can use scripted ldap probe (LDAP_PROBE) available with ACE.It sends an
  anonymous bind request and check for bind success.
  Syed

• ACE probe to test telnet

  Is there a way to create a probe in the ACE that can telnet into a rserver login with a uid/pass and pass the probe when a expected return message is sent back from the rserver?  I have been looking into way to do this for days.  I thought I might be able to create a tcl script for it, but have had no luck.  Then I thought I could modify the imap probe but I keep getting an error "Invalid server greeting" in the probe state.  Has any one done this type of probe or can point me in the correct direction?

  The problem is that the telnet protocol use some communication parameters negotiation before you can start transmitting your text.
  You need to take into account when designing your tcl probe.
  The best is to capture a sniffer trace going to your server, extract the negotiation part and replay it from within your probe.
  Gilles.

• ACE probe dilemma

  Hi, I have a requirement to use the ACE to provide Active/Standby service for 2 services located on 2 physical servers. Server A is active for one port and backup for antoher, Server B vice versa.
  As well as this, I am doing port translation - incoming requests to one port are being translated to one of two ports - see config below
  rserver host TEST-FE01
  ip address 10.100.100.1
  inservice
  rserver host TEST-FE02
  ip address 10.100.100.2
  inservice
  serverfarm host test-farm
  predictor leastconns
  rserver TEST-FE01 20902
  backup-rserver TEST-FE02 20902
  inservice
  rserver TEST-FE01 20903
  inservice standby
  rserver TEST-FE02 20902
  inservice standby
  rserver TEST-FE02 20903
  backup-rserver TEST-FE01 20903
  inservice
  My problem is that I want to configure probes for each ip/port combination, but I can't seem to achieve this as my server farm contains servers that listen on more than one port and a probe can only be configured with one TCP port and can only be applied to either the rserver or the whole serverfarm.
  Can anynone see how I can achieve this
  Many Thanks in advance

  You will need to define probe under serverfarms's Rserver config
  probe tcp port-20902
  port 20902
  probe tcp port-20903
  port 20903
  rserver host TEST-FE01
  ip address 10.100.100.1
  inservice
  rserver host TEST-FE02
  ip address 10.100.100.2
  inservice
  serverfarm host test-farm
  predictor leastconns
  rserver TEST-FE01 20902
  probe port-20902
  inservice
  rserver TEST-FE01 20903
  probe port-20903
  inservice
  Syed

• ACE : PROBE-FAILED and Syslog messages

  Hi,
  When a real server is in PROBE-FAILED status, I observe a syslog message at each trial of the proble. This fills our syslog server. Is there a mean to configure the ACE in such a way that a syslog message would be generated only when a transition occurs in the probe status ?
  Thank you for any hints,
  Yves

  Hello,
  You can utilize "logging trap " command and
  "logging message level " command
  in order to achive what you are seeking.
  The "logging trap " command limits the logging messages sent to a syslog server based on severity.
  If it is set to "5 - notification", all messages that have security level of 5 or lower number are sent to the syslog server.
  You can disable the display of a specific syslog
  message or change the severity level of a specific system log message using
  "logging message level " command.
  Not sure what kind of probe you are using but If it is ICMP probe and
  the reason of probe failure is arp, it generates a message for every try
  as below with severity level of 3, by default.
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-3-251009: ICMP health probe failed for server 192.168.0.1, connectivity error: ARP not resolved for destination ip address
  %ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) -->
  class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
  %ACE-4-442007: VIP in class: 'VIP' changed state from OUTOFSERVICE to INSERVICE
  %ACE-5-441002: Serverfarm (SF) is now back in service in policy_map (fs) -->
  class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
  %ACE-4-442004: Health probe ICMP detected rserver r1 (interface vlan31) changed state to UP
  %ACE-4-442001: Health probe ICMP detected r1 (interface vlan31) in serverfarm SF changed state to UP
  If your "logging trap " is set to "5 - notification" and you do not want
  the message "%ACE-3-251009:xxx" to be sent to syslog server,
  you can change its security level like below.
  switch/Admin(config)# logging message 251009 level 6
  switch/Admin(config)# do show logging message 251009
  Message logging:
                  message 251009: current-level 6  default-level 3 (enabled)
  You can check the message id that is filling the syslog server
  and change its security level to higher number than "logging trap ".
  Regards,
  Kimihito.

• SMTP and IMAP ACE Probe configuration Example

  Hi,
  Could someone share he SMTPS and IMAPS probe setting configuration in CISCO ACE 4710 for my reference.
  I have two server 10.1.1.58 and 10.1.1.59 which supposed to be load balaced for the service 993 and 465.
  Regards
  BR

  Hello There,
  The ACE has built-in scripted probes in order to check connectivity beyond layer 4 with these kinds of mail servers but only for the unencrypted versions SMTP/IMAP.
  In your case since you're working with these protocols over SSL/TLS, you'll need to configure regular TCP probes for each serverfarm so reachability will be test'd based on TCP port.
  probe tcp IMAPS-993
    port 993
    interval 5
    faildetect 2
    passdetect interval 3
    passdetect count 1
    open 1
  probe tcp SMTPS-464
    port 465
    interval 5
    faildetect 2
    passdetect interval 3
    passdetect count 1
    open 1
  HTH
  Pablo

• Looking for ACE Probe TCL script specific for LDAPS

  Hello Everyone,
  I have searched the forum, and i am having difficulty finding an example of how to modify the LDAP TCL probe from port 389 to secure LDAP port 636.
  Could someone kindly point me or provide me the modified TCL script if you happen to have it.
  During my search I also found a config that someone had provided, which contained the following probe:
  probe tcp LDAPS_Probe
    port 636
  probe tcp LDAP_Probe
    port 389
  I was trying to figure out if this a modified TCL script for LDAP or modifed TCP TCL script specific for port 636.
  This is how I applied the script for LDAP port 389.
  script file 1 LDAP_PROBE
  probe scripted LDAP_PROBE_389
  interval 5
  passdetect interval 30
  receive 5
  script LDAP_PROBE
  serverfarm host SF-LDAP-389
  description SF LDAP Port 389
  predictor leastconns
  probe LDAP_PROBE_389
  rserver LDAP-RS1-389
  inservice
  I will be more than glad to provide you any additional information that you need.
  As always thanks for your input.
  Raman Azizian
  SAIC/NISN Network services

  normally you would engage a TCL developer or ciso advanced services to develop a custom script for anything other than what Cisco provides in canned scripts. If you are comfortable with tcl you can do it yourself. Here is an example of the LDAP script modified to include initiation via ssl.  default port is 389 when you implement you would specify 636.
  #!name = LDAP_PROBE
  # Description:
  #    LDAP_PROBE opens a TCP connection to an LDAP server, sends a bind request. and
  #    determines whether the bind request succeeds.  LDAP_PROBE then closes the
  #    connection with a TCP RST.
  #    If a port is specified in the "probe scripted" configuration, the script probes
  #     each suspect on that port. If no port is specified, the default LDAP port 389
  #     is used.
  # Success:
  #   The script succeeds if the server returns a bind response indicating success
  #    (status code 0x0a0100) to the bind request.
  #   The script closes the TCP connection with a RST following a successful attempt.
  # Failure:
  #   The script fails due to timeout if the response is not returned.  This
  #    includes a failure to receive ARP resolution, a failure to create a TCP connection
  #    to the port, or a failure to return a response to the LDAP bind request.
  #   The script also fails if the server bind response does not indicate success.
  #    This specific error returns the 30002 error code.
  #   The script closes any attempted TCP connection, successful or not, with a RST.
  #  PLEASE NOTE:  This script expects the server LDAP bind response to specify length
  #   in ASN.1 short definite form.  Responses using other length forms (e.g., long
  #   definite length form) will require script modification to achieve success.
  # SCRIPT version: 1.0       April 1, 2008
  # Parameters:
  #   [DEBUG]
  #      username - user login name
  #      password - password
  #      DEBUG        - optional key word 'DEBUG'. default is off
  #         Do not enable this flag while multiple probe suspects are configured for this
  #         script.
  # Example config :
  #   probe scripted USE_LDAP_PROBE
  #         script LDAP_PROBE
  #   Values configured in the "probe scripted" configuration populate the
  #   scriptprobe_env array.  These may be accessed or manipulated if desired.
  # Documentation:
  #    A detailed discussion of the use of scripts on the ACE is included in
  #       "Using Toolkit Command Language (TCL) Scripts with the ACE"
  #    in the "Load-Balancing Configuration Guide" section of the ACE documentation set.
  # Copyright (c) 2005-2008 by Cisco Systems, Inc.
  # debug procedure
  # set the EXIT_MSG environment variable to help debug
  # also print the debug message when debug flag is on
  proc ace_debug { msg } {
      global debug ip port EXIT_MSG
      set EXIT_MSG $msg
      if { [ info exists ip ] && [ info exists port ] } {
       set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
      if { [ info exists debug ] && $debug } {
       puts $EXIT_MSG
  # main
  # parse cmd line args and initialize variables
  ## set debug value
  set debug 0
  if { [ regsub -nocase "DEBUG" $argv "" argv] } {
      set debug 1
  ace_debug "initializing variable"
  set EXIT_MSG "Error config:  script LDAP_PROBE \[DEBUG\]"
  set ip $scriptprobe_env(realIP)
  set port $scriptprobe_env(realPort)
  # if port is zero the use well known ldap port 389
  if { $port == 0 } {
      set port 389
  # PROBE START
  # open connection
  ace_debug "opening socket"
  set sock [  socket -sslversion all -sslcipher RSA_WITH_RC4_128_MD5 $ip $port ]
  fconfigure $sock -buffering line -translation binary
  # send a standard anonymous bind request
  ace_debug "sending ldap bind request"
  puts -nonewline $sock [ binary format "H*" 300c020101600702010304008000 ]
  flush $sock
  #  read string back from server
  ace_debug "receiving ldap bind result"
  set line [read $sock 14]
  binary scan $line H* res
  binary scan $line @7H6 code
  ace_debug "received $res with code $code"
  #  close connection
  ace_debug "closing socket"
  close $sock
  #  make probe fail by exit with 30002 if ldap reply code != success code  0x0a0100
  if {  $code != "0a0100" } {
      ace_debug " probe failed : expect response code \'0a0100\' but received \'$code\'"
      exit 30002
  ## make probe success by exit with 30001
  ace_debug "probe success"
  exit 30001

• Cisco ACE probe setup

  Configured a Probe to check the heath of server webpage .But getting a status code of 400.
  probe http PROBE_80
    interval 10
    faildetect 2
    passdetect interval 10
    passdetect count 2
    receive 5
    request method get url http://<host>:<port>/eml/HealthCheckServlet
    expect status 200 202
    open 10
  getting below status code .would like to know the correct format for the requesr method of the above url
       real      : app02p[0]
                           192.168.10.6  80 VIP     161    161    0      FAILED
     Socket state        : CLOSED
     No. Passed states   : 0         No. Failed states : 1
     No. Probes skipped  : 0         Last status code  : 400
     No. Out of Sockets  : 0         No. Internal error: 0
     Last disconnect err : Received invalid status code
     Last probe time     : Tue Mar 17 02:53:58 2015
     Last fail time      : Tue Mar 17 02:27:15 2015
     Last active time    : Never

  Hi Hari,
  Does this URL return status 200 when you send the request directly from your browser?
  You should use the exact URL here.  If the URL is fine, then check with your server team why server is responding with 400. The syntax looks fine. You can also take a pcap on server and see what is ACE sending for probe.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.