ACE TCP probe

My costomers ask different tcp port probes for different applications. Is there such things - standard probe TCL? So every time, I just need to work on the stand TCL and apply it to the serverfarm. That way can avoid a long probe config for different ports.
Thank you in advance,
June Hu

Could the soultion be that the probe is configured to terminate a TCP connection by sending a RST, with the connection term command?
It seems that this makes the probe pass the health check.
Br
Geir

Similar Messages

ACE - TCP probe goes into INVALID state

Hello,
I have a problem with the following configuration of a sticky serverfarm with a backup serverfarm
(this setup is ofcourse used only for failover purposes, not loadbalancing):
probe tcp tcp-8888-probe
port 8888
interval 5
faildetect 2
passdetect interval 3
passdetect count 1
rserver host rsrv1
ip address 10.1.2.10
inservice
rserver host rsrv2
ip address 10.1.2.11
inservice
serverfarm host rfarm-primary
predictor leastconns
probe tcp-8888-probe
rserver rsrv1 8888
    inservice
serverfarm host rfarm-backup
predictor leastconns
probe tcp-8888-probe
rserver rsrv2 8888
   inservice
sticky http-cookie RFARM-COOKIE sticky-rfarm-1
cookie insert browser-expire
serverfarm rfarm-primary backup rfarm-backup
etc....
The problem is that every time probe state changes (from SUCCESS to FAIL or otherwise), the tcp-8888-probe on the server that changed
the state of service, goes into INVALID state:
#show probe tcp-8888-probe detail
probe       : tcp-8888-probe
type        : TCP
state       : ACTIVE
description :
   port      : 8888    address     : 0.0.0.0         addr type : -
   interval : 5       pass intvl : 3               pass count : 1
   fail count: 2       recv timeout: 10
   conn termination : GRACEFUL
   expect offset    : 0         , open timeout     : 10
   expect regex     : -
   send data        : -
                       --------------------- probe results --------------------
   probe association   probed-address probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
   serverfarm : rfarm-backup
     real      : rsrv2[8888]
                       10.1.2.11    291        0          291        SUCCESS
   Socket state        : CLOSED
   No. Passed states   : 1         No. Failed states : 0
   No. Probes skipped : 0         Last status code : 0
   No. Out of Sockets : 0         No. Internal error: 0
   Last disconnect err : -
   Last probe time     : Thu Jun 17 22:12:31 2010
   Last fail time      : Never
   Last active time    : Thu Jun 17 21:48:21 2010
   serverfarm : rfarm-primary
     real      : rsrv1[8888]
                       10.1.2.10    0          0          0          INVALID
   Socket state        : CLOSED
   No. Passed states   : 0         No. Failed states : 0
   No. Probes skipped : 0         Last status code : 0
   No. Out of Sockets : 0         No. Internal error: 0
   Last disconnect err : -
   Last probe time     : Never
   Last fail time      : Never
   Last active time    : Never
I have managed to get the probe into FAIL state again for a moment by removing it from serverfarm, and then reapplying, but in a few seconds it goes again from FAIL to INVAILD state, and stays in this state regardless of avaliability of probed TCP port. Only when i'm reapplying it when the port is avaliable/up, it can stay in SUCCESS state, and work till the failure of service, when INVALID state reappears.
What can be the cause of such behavior ?
thanks,
WM

Hello,
It looks very similar to this bug: CSCsh74871
You may need to collect a #show tech-support and do the following:
-remove the serverfarm in question
-reboot the ace module under a maintenance window.
You may upgrade to a higher version since your version is kind of old.
Jorge

Ace HTTP Probe expect regex

Hi,
I have a question about the config of the ACe probe.
I have the following probe defined :
probe http P_HTTP_TEST
interval 5
passdetect interval 2
passdetect count 2
request method get url /test
expect status 200 200
expect regex trululu
I would like to use the regex just like the expect string on the csm probe...
The regex doesn't seem to work as the strin trululu is not on the page tested.
I guess the expect status override the regex but without the expect status it doesn't work either.
Anyone know how exactly the probe expect works for http ?
Another question, on the CSM module, the tcp probe by default use the real port for the probe, not the default port of the probe type, is it possible to change that so it mimmicks the CSM way of working ?
Thanks a lot ;-)

This seems to be bug related to some version of ACE software as HTTP return code overrides missing regexp. For sure this bug is present in:
system:    Version A2(2.0) [build 3.0(0)A2(2.0)]
Notice the difference between 192.168.1.1 (is missing regex in HTTP response) and 192.168.1.2 (sends regexp in HTTP response). Both are successful and as addition 192.168.1.1 (missing regexp) is showing last status code 200 which seems to be sufficient for probe to pass. 192.168.1.2 (which sends expected regexp) doesn't show last status code.
probe       : tw2_http_81
type        : HTTP
state       : ACTIVE
description :
   port      : 81      address     : 0.0.0.0         addr type : -
   interval : 30      pass intvl : 30              pass count : 1
   fail count: 1       recv timeout: 10
   http method      : GET
   http url         : /knowtw2-f/livelink.exe?func=ll&objtype=142&bypass
   conn termination : GRACEFUL
   expect offset    : 0         , open timeout     : 10
   expect regex     : lbmonitor
   send data        : -
                       --------------------- probe results --------------------
   probe association   probed-address probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+-------
     real      : 192.168.1.1[81]
                       192.168.1.1    2          0          2          SUCCESS
   Socket state        : CLOSED
   No. Passed states   : 1         No. Failed states : 0
   No. Probes skipped : 0         Last status code : 200
   No. Out of Sockets : 0         No. Internal error: 0
   Last disconnect err : -
   Last probe time     : Mon Nov 7 12:38:42 2011
   Last fail time      : Never
   Last active time    : Mon Nov 7 12:38:22 2011
     real      : 192.168.1.2[81]
                       192.168.1.2    2          0          2          SUCCESS
   Socket state        : CLOSED
   No. Passed states   : 1         No. Failed states : 0
   No. Probes skipped : 0         Last status code : 0
   No. Out of Sockets : 0         No. Internal error: 0
   Last disconnect err : -
   Last probe time     : Mon Nov 7 12:38:27 2011
   Last fail time      : Never
   Last active time    : Mon Nov 7 12:37:58 2011

ACE TCP connection timeout

Hello,
our customer has a problem with correct closing TCP connections on the ACE. TCP session (HTTP protocol) is closed _correctly_ (we can see it in the sniffer output), but 'sh conn' on the ACE shows it as 'established' (session is already closed). TCP timeout is set to default (60min).
Any new connection from the same src port (because many connection to the service) is closed after TCP session is established.
When I try generate 200 concurrent sessions TCP sessions in my lab, this are on the ACE closed correctly. Customer's traffic is around 20-30.000 concurrent session, but I can't generate so much traffic.
SW version on the ACE: 3.0(0)A1(3b)
thx
martin

Thanks Gilles!
The problem occurs only with traffic from WAP nodes (too many short HTTP requests).
We try it upgrade to A1(5b), but I'm not sure, if this is our problem...
Bug description:
Symptom:
With L7 LB configuration, Some times connections do not close.
Conditions:
SYN sent to Real server may result in ACK coming from server. ACE TCP module was not handling this ACK correctly.
...but our traffic is only L4 LB and we have a problem with connection state on the ACE from both sides (client and server). on the client and server side is connection closed properly, but on the ACE module ('sh conn') we can see it in 'established' state. It's closed after TCP timeout and that is not correct.
martin

ACE HTTP Probe with regex

ACE HTTP Probe with regex
Hi,
I'm trying to setup a HTTP probe with expected string rather then a code (config below). I do a GET for the page then a search for a string in the response however it's not working, as probe appears as failed.
I've tested the connection to the server by using telneting and then looking at the page displayed to make sure the string I want to match is in the response.
probe http HTTP-PROBE
port 43050
interval 30
passdetect interval 30
passdetect count 1
request method get url /action=help
open 43050
expect regex action=help
Q. Is there anything wrong with this configuration and what I'm trying to achive?
Thanks,
Pritesh

Use "expect status" under probe config. expect regex doesnt work if expect status is not configured.
expect regex work flawlessly with static pages. It doesnt work all the time with dynamic pages.
Specially if "content-length" header is missing from Server response.
Hope it helps
Syed Iftekhar Ahmed

TCP Probe on ACE 4710

Hi,
I am trying to configure proble on ACE device and I have few queries on those:
1. I want to probe 10 different tcp ports for a serverfarm, is there any way i can give the range on probe ? if not and if i have to probe individual port and then configure in a serverfarm, how it would behave i.e. I want to fail the probe only when all the configured ports are failed.
2. I am trying to configure probe for a particular tcp port, but I suppose server is not sending RST to that port, so probe is failing. However if I try to telnet that port from any other location it is getting connected. How can I configure probe in that case for that port ?
Pls. suggest.
Thanks
Pawan

You will need to configure a probe for each port.
Add all the probes to the serverfarm.
Use the command "fail-on-all" under the serverfarm.
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/servfarm.html#wp1106543
Gilles.

ACE Health probe for SIP

I've setup a SIP probe to check the health of a Microsoft OCS. The health of this server is always failed. What am I missing? I also tried it with a telnet probe on port 5061, but got the same result. A telnet from ACE to the server on port 5061 works fine.
See below a show probe SIP detail and the relevant configuration.
ACE21_Secondary/MOCS# sh probe SIP det
probe : SIP
type : SIP
state : ACTIVE
description :
port : 5061 address : 0.0.0.0 addr type : -
interval : 10 pass intvl : 10 pass count : 3
fail count: 3 recv timeout: 4
request-method : OPTIONS
conn termination : GRACEFUL
expect offset : 0 , open timeout : 2
expect regex : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
rserver : OCS_11
10.105.11.70 5061 -- 7566 7566 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 0
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Server reply timeout (no reply)
Last probe time : Thu Oct 30 14:18:42 2008
Last fail time : Tue Oct 28 16:31:30 2008
Last active time : Never
ACE21_Secondary/MOCS# sh run
probe sip tcp SIP
port 5061
interval 10
passdetect interval 10
receive 4
expect status 200 200
open 2
rserver host OCS_11
ip address 10.105.11.70
probe SSL
probe PING
probe SIP
probe SIP_TELNET
inservice
Cheers
Peter

Peter,
make sure to NOT run version A2(1.1a) as SIP probes are broken in that specific release.
If your version is something else, get a sniffer trace on the server to see what is going on.
Seems like we don't get a reply according to the line :
"Last disconnect err : Server reply timeout (no reply) "
Gilles.

ACE ping probe

Hi,
I have a strange problem on my ACE in one-arm design.
I have a real server which I can ping from the ACE, but a ping probe always fails:
server : APACHE4
10.144.131.6 28 28 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 4 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Server reply timeout (no reply)
Last probe time : Sat Dec 9 11:42:57 2006
Last fail time : Sat Dec 9 11:29:57 2006
Last active time : Never
ace/INTRANET# ping 10.144.131.6
Pinging 10.144.131.6 with timeout = 2, count = 5, size = 100 ....
Response from 10.144.131.6 : seq 1 time 0.335 ms
Response from 10.144.131.6 : seq 2 time 0.181 ms
Response from 10.144.131.6 : seq 3 time 0.340 ms
Response from 10.144.131.6 : seq 4 time 0.266 ms
Response from 10.144.131.6 : seq 5 time 0.341 ms
5 packet sent, 5 responses received, 0% packet loss
I have a couple of other real servers which do not have this problem.
Any ideas?
According to netflow on the 6500 the server answers correctly.
There are no syslog messages.
interface vlan 552
ip address 10.144.130.3 255.255.255.0
alias 10.144.130.1 255.255.255.0
peer ip address 10.144.130.2 255.255.255.0
no normalization
no icmp-guard
access-group input PERMIT
service-policy input MANAGEMENT
service-policy input SLB
no shutdown
probe icmp PING
interval 2
faildetect 5
passdetect interval 30
passdetect count 2
rserver host APACHE1
ip address 10.144.131.131
probe PING
inservice
rserver host APACHE2
ip address 10.144.131.132
probe PING
inservice
rserver host APACHE3
ip address 10.144.131.133
probe PING
inservice
rserver host APACHE4
ip address 10.144.131.6
probe TEST
probe PING
inservice
probe tcp TEST
port 22
interval 2
faildetect 5
passdetect interval 30
passdetect count 2
ace/INTRANET# sh probe
probe : PING
type : ICMP, state : ACTIVE
port : 0 address : 0.0.0.0 addr type : -
interval : 2 pass intvl : 30 pass count : 2
fail count: 5 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
rserver : APACHE1
10.144.131.131 2312 0 2312 SUCCESS
rserver : APACHE2
10.144.131.132 2311 0 2311 SUCCESS
rserver : APACHE3
10.144.131.133 2311 0 2311 SUCCESS
rserver : APACHE4
10.144.131.6 38 38 0 FAILED
rserver : IIS1
10.144.131.129 2311 0 2311 SUCCESS
rserver : IIS2
10.144.131.130 2311 0 2311 SUCCESS
probe : TEST
type : TCP, state : ACTIVE
port : 22 address : 0.0.0.0 addr type : -
interval : 2 pass intvl : 30 pass count : 2
fail count: 5 recv timeout: 10
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
rserver : APACHE4
10.144.131.6 557 0 557 SUCCESS
I have 3.0(0)A1(3b)

Hi,
unfortunately your URL did not help me.
I found out that the sup720-3b adds a 23bytes zero-byte padding to exact the frames corresponding to the failing ping probe. I saw this by spanning the internal te4/1 port from the switch to the ACE to a sniffer.
The strange thing is that the frame is padded although it's larger than the minimum frame size of 64 bytes.
When I configure a log-input ACL on the sup720-3b to force the traffic to be routed by the MSFC3 instead of the PFC3 then the ping probe works and the same frames are not padded any more!!
We run IOS modularity on the sups and according to the 12.2SX release notes they do not support the ACE. I suppose that's the root cause. We will change the sup sw ASAP.

ACE -- SSH probe

Hello,
We are trying to configure an SSH probe.
I've tried creating a TCP port which checks for port 22, but I want to go further and get the probe to actually log on.
I noticed that only HTTP probes have an option to configure credentials.
Is there a way that I can configure a probe on the ACE to do this without having to create a script?
Thanks.

Hi Michelle,
If you manage to have a TCL script that connects through SSH, you can pass the username and password through arguments of the scripted probe and those arguments could be use to login.
Now how can you use TCL to login through SSH, I'm sorry but I don't know.
Regards,
Nicolas

ACE 4710 Probes on other servers than the real server

Hi,
I wanted to know if there is a means to configure a probe that is independent of the real servers.
The aim is to configure a probe a real server but also probe another intermediate server which is not in the server farm.
The objective is to declare the real server down if its probe fails but also the probe to an intermediate server fails as well as a or condition.
From the document, there is no mention of it.
But is there a means to do it.
Thanks.

Hi Ashley,
i see it is not mentioned anywhere in document but i think ou should be able to bind two probes with real server of which one probe is actually probing another server.
I would configure one probe let's say TCP based and bind it with serverfarm. Then i would configure another probe TCP based and define IP address in that probe (the other server IP which we need to probe) and bind this probe with same serverfarm. Serverfarm will not have this rserver added. And then i would configure "fail-on-all" and test if that works for you.
i know you can set probe on redirect server/serverfarm which actually probes another real server so logically should work for normal host rserver as well. But i have never tested it myself.
Regards,
Kanwal

ACE http probe "request method type" mandatory on A3(2.6)?

Hi people,
I recently upgraded to A3(2.6) from A3(2.0) and I don't see the N/A option on the http probe "request method type".
It also has an asterisk * which means it's mandatory.
I tried to set up a new http probe for another farm I am creating and the probe shows status failed, although I can ping and telnet to the http server on port 80 from the ACE context. My probe is like that:
probe http http_probe_WWW
interval 15
passdetect interval 60
expect status 200 200
open 10
My other http probes for other farms work ok after the upgrade and they are similar.
So my question is: Do I need to set the request method type or something else causes the probe to fail?
thanks a lot.
George

What you see is a problem with the GUI.
CSCtg78008 while creating http probe default method slected should be get as in CLI
But the request-method is not required.
So your config should work.
Do a 'show probe detail' to see the failure reason.
Get a sniffer trace as well.
Regards,
Gilles.

ACE - TCP 60 minute idle timer?

Hi Gilles,
is there a tcp idle timeout with exact 60 minutes within ACE Software for NON LB connections?
I have a certain TCP Connection from a FrontendServer to a certain Backend Server which gets a TCP RST every 60 minutes.
The application guys blame the network for this tcp reset. In my opinion all the timing values which are e.g. set in a connection map are only for the Ports designated within the corresponding loadbalancing rules.
So if i am not wrong any other connection traversing the ACE module should be treated as "simple" connection over any other layer 2/3 switch in a network with the exception that the ace is in charge for the routing of this network.
As i am not hundert percent sure that there isn't a timer comparable to the xlate timeout on PIX or ASA for idle sessions i thought maybe you have an idea.
Have a look at the attached textfile.
Thanks for reading
Roble

Hi,
good information, but i have a doubt.
I have an existing policy L3/L4 multi-match like the one below.
I   would like to increase the inactivity timeout on every TCP connections. Can i nest the new class map (match all) to my policy-map, as shown below in bold?
This can create problems for the existing policy?
Can you confirm me that i can apply only one L3L4 policy map to the interface Vlan?
In necessary to remove and apply the policy to see the effect of the new timeout?
Thanks in advance
Best Regards
policy-map multi-match L4_VIP3_POLICY
description Multi-Match VIPs on Vlan 18 to ServerFarms
class L4-FARM-RDP
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP
    loadbalance vip icmp-reply active
class L4-FARM-RDP-TOKYO
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-TOKYO
    loadbalance vip icmp-reply active
class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
class L4-FARM-RDP-KUALA
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-KUALA
    loadbalance vip icmp-reply active
class L4-FARM-RDP-NY
    loadbalance vip inservice
    loadbalance policy L7-FARM-RDP-NY
    loadbalance vip icmp-reply active
class TCP-CLASS
     connection advanced TCP-PARAM
where:
parameter-map type connection TCP-PARAM
set timeout inactivity 36000
class-map match-all TCP-CLASS
match port tcp any

ACE HTTP probe hash md5 value

Hi,
We would like to see the hash value calculated by the ACE when the HTTP probe hash command configured.
This is possible on CSS via the "sh service" command. We have tried to get it from sh rserver , sh probe XXX detail sh serverfarm XXX det but we do not get it.
Is this possible to get it on the ACE as we do on the CSS?
We need this to manually configure it via the hash <value> command because if the ACE probe is reseted for any reason, the probe http hash will be re-calculated based on the first http response of the server and we can not predict that the server will give the expected web page at this time.
A // question is: on what the md5 value is calculated? HTTP header + payload or only http object payload? We have calculated the md5 hash value by ourselves but the probe is still failing whatever the http portion used for the calculation is.
Many thanks for your help.
Regards/ludovic.

probe http MD5-HTTP
interval 15
passdetect interval 15
request method get url /index.html
expect status 200 200
hash 2441DA7F68A265F8CFB4426B6897CE33
And here is how I computed the hash on the server itself [linux machine]
md5sum /var/www/HTML/index.html
2441da7f68a265f8cfb4426b6897ce33 /var/www/HTML/index.html
[root@linux-1 tftpboot]#
The probe is UP
switch/Admin# sho probe MD5-HTTP detail
probe : MD5-HTTP
type : HTTP
state : ACTIVE
description :
port : 80 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 15 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : /index.html
Hash-value : 2441da7f68a265f8cfb4426b6897ce33
conn termination : GRACEFUL
expect offset : 0 , open timeout : 10
expect regex : -
send data : -
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : linux1
real : linux1[0]
192.168.30.27 13 4 9 SUCCESS
md5sum is a standard tool.
Nothing fancy about it.
Gilles.

ACE - TCP Options for Proxy-Connections

Hi all,
I have the issue that my ACE does not seem to allow tcp options with L7 proxied connections to the servers. For the client side connection I see the TCP option timestamp for example, but unfortunately the ACE itself does not put the timestamp option into its own TCP connection to the rserver. A 'parameter-map type connection' does only seem to have an effect on L4 connections, not proxied ones. Does anybody know a way how to tell the ACE to have e.g. a timestamp option in the TCP connection to the server as part of a L7 loadbalancing?
Any help is highly appreciated!
Thanks,
Daniel

Daniel,
we do not support timestamp at L7.
I think we only support window scaling.
Gilles.

ACE ICMP probe

Hi,
I have a strange behavior on a ACE blade :
The blade is configured in bridge mode, when a configured reals server, if they are on the same site, the probe is ok, if they are on another site, the probe is failed.
What I found is that the echo reply on the PO of the blade is padded with 23 bytes of "0" only for the probe.
This is really strange...
the version of the blade and ios:
blade : 3.0(0)A1(4a)
Sup (720): 12.2(18)SXF8
I found on the forum that it could be related to the PFC3b but I don't see how I could try to bypass it.
Thanks for your help ;-)

I understand the reply will come on some ethernet module and be forwarded into the ACE PO.
So, what is the the ethernet hardware module type ? 'show mod'.
Could you also give us the trace so we can look at the icmp packet.
Thanks,
Gilles.

ACE TCP probe

Similar Messages

Maybe you are looking for