Configuring Probe on ACE
If I need to configure a request method probe for website www.abc.com, should the command be
request method head url /abc.com
OR
request method head url /www.abc.com
OR
request method head url www.abc.com
Regards.
None of the above
www.abc.com is hostname not URL
If you want to probe home page url at www.abc.com the just use
request method head url /
and make sure that you configure
expect status 200 200
under probe definition.
Syed
Similar Messages
-
ACE: Problem configuring probe snmp
Hi,
I have a problem when I configure probe snmp and My Server W2K3 dual core, snmp comunity public has an oid cpu .1.3.6.1.2.1.25.3.3.1.2, the output is:
access-list anyone line 8 extended permit ip any any
probe snmp was
interval 4
faildetect 2
passdetect interval 10
receive 2
community public
oid .1.3.6.1.2.1.25.3.3.1.2
threshold 70
rserver host was1
ip address 10.24.8.200
probe was
inservice
rserver host was2
ip address 10.24.8.201
probe was
inservice
serverfarm host servers
rserver was1
inservice
rserver was2
inservice
class-map type management match-any ADM-CONTEX-SERV1
4 match protocol icmp any
5 match protocol snmp any
class-map type http loadbalance match-all Check-Headers
2 match http url .*
3 match http header Host header-value "10.24.16.*"
4 match http header User-Agent header-value ".*MSIE.*"
class-map match-all VIP-10-HTTP
2 match virtual-address 10.24.16.10 tcp eq www
class-map type http loadbalance match-all other-HTTP
2 match http url .*
policy-map type management first-match ADM-CTX-SERV1
class ADM-CONTEX-SERV1
permit
policy-map type loadbalance first-match L7-logic
class Check-Headers
serverfarm servers
class other-HTTP
serverfarm servers
policy-map type loadbalance first-match lb-logic
class class-default
serverfarm servers
policy-map multi-match client-vips
class VIP-10-HTTP
loadbalance vip inservice
loadbalance policy L7-logic
loadbalance vip icmp-reply active
interface vlan 60
ip address 10.24.8.5 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input ADM-CTX-SERV1
no shutdown
interface vlan 233
ip address 10.24.16.5 255.255.255.0
access-group input anyone
access-group output anyone
service-policy input ADM-CTX-SERV1
service-policy input client-vips
no shutdown
ip route 0.0.0.0 0.0.0.0 10.24.16.1
sh probe was detail
probe : was
type : SNMP
state : ACTIVE
description :
port : 161 address : 0.0.0.0 addr type : TRANSPARENT
interval : 4 pass intvl : 10 pass count : 3
fail count: 2 recv timeout: 2
version : 1 community : public
oid string #1 : .1.3.6.1.2.1.25.3.3.1.2
type : PERCENTILE max value : 100
weight : 16000 threshold : 70
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
rserver : was1
10.24.8.201 13 13 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Server reply - bad SNMP OID
Last probe time : Tue Feb 24 23:22:41 2009
Last fail time : Tue Feb 24 23:20:47 2009
Last active time : Never
Server load : 16000
rserver : was2
10.24.8.200 12 12 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Server reply timeout (no reply)
Last probe time : Tue Feb 24 23:22:34 2009
Last fail time : Tue Feb 24 23:20:52 2009
Last active time : Never
Server load : 16000Hi,
For a multicore processor you need to make a few changes to get the load on each core/processor. You need to have an instance for each core.
Try adding .1 or .2 to the OID to get the load on each core.
Also try doing an snmpwalk on the OID to see what the real structure is.
HTH
Cathy -
hi,
i need to configure an http probe on ace,
the url is like /zz?/ee/rr.png
the probe is get /zz?/ee/rr.png
pb: i can type this ? ,
how can i do that ?
thanx for your answersThat's just easy. Type CRTL + v and then you can type ?. That's all.
-
Hi,
I am trying to configure proble on ACE device and I have few queries on those:
1. I want to probe 10 different tcp ports for a serverfarm, is there any way i can give the range on probe ? if not and if i have to probe individual port and then configure in a serverfarm, how it would behave i.e. I want to fail the probe only when all the configured ports are failed.
2. I am trying to configure probe for a particular tcp port, but I suppose server is not sending RST to that port, so probe is failing. However if I try to telnet that port from any other location it is getting connected. How can I configure probe in that case for that port ?
Pls. suggest.
Thanks
PawanYou will need to configure a probe for each port.
Add all the probes to the serverfarm.
Use the command "fail-on-all" under the serverfarm.
http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/command/reference/servfarm.html#wp1106543
Gilles. -
We have some webserver behind our ACE that use SSL certificates that are issued by an internal CA.
Do I need to do anything special in order to probe HTTPS? Does the ACE need the internal CA to be trusted?
Thanks.
JasonHi,
If https server is working properly, only you need to do is configure https probe on ACE like below.
You do not have to anything related certificate on ACE side.
ACE-A327/context02# show running-config
Generating configuration....
probe https HTTPS
interval 15
passdetect interval 60
ssl version all
expect status 200 200
open 1
rserver host S1
ip address 10.1.142.209
inservice
serverfarm host SF
probe HTTPS
rserver S1
inservice
interface vlan 11
ip address 10.1.142.1 255.255.255.0
no shutdown
ACE-A327/context02# show probe detail
probe : HTTPS
type : HTTPS
state : ACTIVE
description :
port : 443 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
SSL version : All
SSL cipher : RSA_ANY
http method : GET
http url : /
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
regex cache-len : 0
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
serverfarm : SF
real : S1[0]
10.1.142.209 443 DEFAULT 11 0 11 SUCCES
S
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 0
No. Probes skipped : 0 Last status code : 200
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : -
Last probe time : Thu Apr 14 17:34:02 2011
Last fail time : Thu Apr 14 17:30:42 2011
Last active time : Thu Apr 14 17:30:44 2011
ACE-A327/context02#
Additionaly, you can specify cipher in client hello, also you can select ssl/tls version.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/probe.html#wp1162289
If you find this helpful, please rate this topic.
Regards,
Kim. -
Hi,
I am trying to configure FT on ACE modules, with the following commands
ft interface vlan 20
ip address 172.16.20.1 255.255.255.252
peer ip address 172.16.20.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 20
ft group 1
peer 1
priority 150
associate-context Admin
inservice
The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft', how do I resolve this ? Do I need to enable something ?Hi have the following config which seems to be working fine for me... check your vlan20 interface is up
ft interface vlan 212
ip address 172.31.1.221 255.255.255.252
peer ip address 172.31.1.222 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 212
ft group 2
peer 1
priority 50
peer priority 150
associate-context Admin
inservice
HQ-ACE1/Admin# sh int
vlan212 is up, administratively up
Hardware type is VLAN
MAC address is 00:23:5e:25:72:f1
Mode : routed
IP address is 172.31.1.221 netmask is 255.255.255.252
FT status is standby
Description:not set
MTU: 1500 bytes
Last cleared: never
Last Changed: Tue Sep 6 12:46:06 2011
No of transitions: 1
Alias IP address not set
Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
Assigned from the Supervisor, up on Supervisor
8654909 unicast packets input, 735611030 bytes
1151150 multicast, 161 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
13020418 unicast packets output, 1672055521 bytes
0 multicast, 163 broadcast
0 output errors, 0 ignored -
Issue with regexes in http health probes on ACE 4710
Folks,
We're currently experiencing fairly bizarre behavior when attempting to set up http probes that expect a regexp. Namely, if we specify a regexp, the probe *always* passes, regardless of status code and regardless of whether or not the message actually matches the pattern. Doing 'no expect regexp' fixes this behavior (by which I mean that the 'expect status' rules work again).
We haven't noticed until now because this is the first time we've tried to set up a probe that does this. Are we missing something? Is this a known issue with our current firmware version?
Sincerely,
Patrick T. Ramsey
# show run probe | begin HTTP-nfscheck | end regex
Generating configuration....
probe http HTTP-nfscheck
description Simple HTTP probe to check nfs mount health
port 80
interval 15
passdetect interval 20
request method head url /nfs-health-check/
open 1
expect regex "^ureytgraeuikghfdjg$"
# sh ver
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2009 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95.1
system: Version A3(2.4) [build 3.0(0)A3(2.4) adbuild_11:46:02-2009/09/27_/auto/adbu-rel2/rel_a3_2_3_throttle/REL_3_0_0_A3_2
_4]
system image file: (hd0,1)/c4710ace-mz.A3_2_4.bin
Device Manager version 1.2 (0) 20090925:1550
installed license: no feature license is installed
Hardware
cpu info:
Motherboard:
number of cpu(s): 2
Daughtercard:
number of cpu(s): 16
memory info:
total: 6226388 kB, free: 3972668 kB
shared: 0 kB, buffers: 22020 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 861668 kB, used: 728656 kB, available: 89240 kB
last boot reason: Unknown
configuration register: 0x1
ldbottom kernel uptime is 325 days 3 hours 46 minute(s) 43 second(s)I also went through a similar issue in which we need to probe the real server PESERVER01 and if the real server replies with the keyword "PE Server" in the HTTP content then the probe should be passed successful.
In my case the real server was listening on port 32776 for HTTP service so we configured the serverfarm as below,
serverfarm host SF-TEST-32776
description SF-TEST-32776
failaction purge
probe PE-SERVER-STRING
rserver PESERVER01 32776
inservice
And the TCP probe as below,
probe tcp PE-SERVER-STRING
port 32776
send-data GET /IOR/ping HTTP/1.1 <<== command should not be in inverted commas
expect regex "PE Server"
The above probe worked really well and when we checked the probe status it was marking as success. I also tried changing the regex from "PE Server" to "Vishal12345" and it was failing as expected because there was no such keyword in the HTTP content.
==================================================================================
T2-LB02# sh probe PE-SERVER-STRING
probe : PE-SERVER-STRING
type : TCP
state : ACTIVE
port : 32776 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
serverfarm : SF-TEST-32776
real : PESERVER01[32776]
10.10.10.1 32776 PROBE 105 0 105 SUCCESS
==================================================================================
I was struggling with this issue from long time. Even raised couple of Cisco TAC cases with no luck. The most important thing here is to identify the exact command to be send to real server like GET /IOR/ping HTTP/1.1 that we used here.
To collect this command I did packet capture on one of the client machine and then tried to open the URL from real server which can return the string "PE Server". Then analyzed the captures in Wireshark and checked the HTTP data with follow the TCP stream option in which I seen the below data, which gives the command to be send in probe as well as the string we should expect.
==================================================================================
GET /IOR/ping HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.9.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
Host: 10.144.70.85:32776
Accept: */*
HTTP/1.0 200 OK
Content-type: text/html
Ping
PE Server
WRVFKO11 [Win32 Server Production (3 silos) (Oracle Blob 512 MB) -- {dap451.007.028 dap451.004.002 pe451.003.010x pui451.003.010 pui451.001.004} Mar 9 2012 15:07:53 en ]
===================================================================================
Please try this and see if it helps you.
Thanks,
Vishal Babrekar -
we have a simple layer3-4 port 80 app thta is being load balanced by ACE and created an HTTP probe that actually acts more like a TCP probe, since we took a default on just about all the attributes:
probe http WEB_SERVERS
expect status 200 200
Unfortunately, when we activated this probe, we saw the following:
probe : WEB_SERVERS
type : HTTP
state : ACTIVE
description :
port : 80 address : 0.0.0.0 addr type : -
interval : 120 pass intvl : 300 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : /
conn termination : GRACEFUL
expect offset : 0 , open timeout : 10
expect regex : -
send data : -
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
real : Planview_136.39[0]
167.238.136.39 1 1 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 302
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Wed Jul 22 15:07:20 2009
Last fail time : Wed Jul 22 15:07:21 2009
Last active time : Never
real : Planview_136.40[0]
167.238.136.40 1 1 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 302
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Wed Jul 22 15:07:20 2009
Last fail time : Wed Jul 22 15:07:21 2009
Last active time : Never
The obvious culprit here is the return code. How do we assign the correct return code here?
Thanks...Hi,
I wouldn't just let it default. It is better to probe for a particular page if that is possible. If this is a page you create, then it offers the possibility of being able to take a server out of rotation simply by renaming the page. E.g.
probe http PROBE-iamhere
interval 30
passdetect interval 10
request method head url /serverhere.html
expect status 200 200
Alternatively, it looks like you are getting a 302 response code (a redirect) then you could just change the line in the probe to expect that.
probe http WEB_SERVERS
expect status 302 302.
HTH
Cathy -
VMs change OID and fails SNMP probe on ACE module
I am setting up least loaded load-balancing on a serverfarm. It seems to work fine when all servers have the same OIDs, but the VMs change OIDs for the CPU utilization every time they vMotion or reboot, and that causes the SNMP probe to fail.
Is there any known solution to fix that problem?
Thank you,
MarkHi Mark,
If the OID's change itself on servers then this is expected. I am aware of anything that we can do on ACE to update the OID's automatically.
Regards,
Kanwal -
Does anyone have a good health check for SIP?
Currently ACE is not SIP aware.
ACE will support SIP with version 2.0. It will support SIP load-balancing over TCP and UDP, it can load-balance based upon the SIP header i.e. can load balance based upon the Call-ID (even though information for many calls are in the same TCP connection). It
can also do stickiness based upon Call-ID.
Additionally, ACE 2.0 supports SIP probes.
Currently you can only use udp probes
probe UDP5060 udp
interval 1
faildetect 2
passdetect interval 60
passdetect count 2
port 5060
probe ICMP icmp
interval 1
faildetect 2
passdetect interval 60
passdetect count 2
serverfarm SIP
rserver 192.160.246.147
inservice
rserver 192.160.246.148
inservice
probe ICMP
probe UDP5060
Syed Iftekhar Ahmed -
Hi,
I have two questions about TCP scripts on ACE :
1. TCP source code
How can I browse the TCL source code of predefined probe scripts on the ACE (for instance HTTPCONTENT_PROBE) '
2. Script parameters
How do I retrieve in the TCL script the parameters passed to the script in the command < script script_name [script_arguments] > ?
Thank you,
YvesYves,
you can download all the scripts from the download software page.
http://tools.cisco.com/support/downloads/go/ImageList.x?relVer=A2%283.2%29&mdfid=280557289&sftType=Application+Control+Software+Scripts&optPlat=&nodecount=2&edesignator=null&modelName=Cisco+ACE+Application+Control+Engine+Module&treeMdfId=268437639&treeName=Application+Networking+Services&modifmdfid=null&imname=&hybrid=Y&imst=N&lr=Y
# Copyright (c) 2005-2008 by Cisco Systems, Inc.
# debug procedure
# set the EXIT_MSG environment variable to help debug
# also print the debug message when debug flag is on
proc set_exit_msg { msg } {
global debug ip port EXIT_MSG
set EXIT_MSG $msg
if { [ info exists ip ] && [ info exists port ] } {
set EXIT_MSG "[ info script ]:$ip:$port: $EXIT_MSG "
if { [ info exists debug ] && $debug } {
puts $EXIT_MSG
# main
# Parse cmd line args and initialize variables
set_exit_msg "initializing variable"
if { $argc < 2 } {
set_exit_msg "[ info script ] parameters :
exit 30002
set ip $scriptprobe_env(realIP)
set port $scriptprobe_env(realPort)
# If port is zero then use well known HTTP port 80
if { $port == 0} {
set port 80
set requestHeader [ lindex $argv 0 ]
set expectFileType [ lindex $argv 1 ]
set debug [ lindex $argv 2 ]
if { $debug == "" } {
set debug 0
# Open connection
set_exit_msg "opening socket"
set sock [ socket $ip $port ]
# Send HTTP request to server
set_exit_msg "sending request : $requestHeader"
puts -nonewline $sock "$requestHeader\n\n"
flush $sock
# Read string back from server
set_exit_msg "receiving response"
set lines [ read $sock ]
# Close connection
set_exit_msg "closing socket"
close $sock
# Parse the HTTP response
# All the following conditions cause probe failure, returning exit code 30002
# Unable to recognize the HTTP response
if { ![ regexp -nocase "^HTTP/1\.\[0-9\] (\[0-9\]\[0-9\]\[0-9\])" $lines match s
tatuscode ] } {
set_exit_msg "probe fail : can't find status code"
exit 30002
# HTTP response is not 200 OK
if { $statuscode != "200" } {
set_exit_msg "probe fail : status code is $statuscode"
exit 30002
# Unable to find Content-type header
if { ![ regexp -nocase "Content-Type *:(.*)\n" $lines match foundContentType]
set_exit_msg "probe fail : can't find \'Content-Type\' header"
exit 30002
# Content-type value does not contain the requested string
if { ![ regexp "$expectFileType" $foundContentType] } {
set_exit_msg "probe fail : expect content-type \'$expectFileType\', but got
\'$foundContentType\'"
exit 30002
# Indicate probe success with exit code 30001
set_exit_msg "probe success"
exit 30001 -
Configuring AAA in ACE using ANM
Hi guys
Is there a way to do this? I cant find anywhere how to configure the AAA parameters for the ACE CLI access using the ANM. I know where to configure AAA for the ANM access, but not for the ACE devices.
thx in advance!
Omar MHi Omar,
Is there a way to change the interface that the ACE uses for TACACSs requests?
The interface to be used for the AAA request is chosen based on the routing table, so, unless the server is in a vlan directly connected to the ACE, you can define which interface to be used by configuring a static route towards the server.
Also, there's gonna be a request for each context right?
The AAA configuration is done on a per-context basis, so, each context will handle connections arriving to it following its own configuration settings. -
LSMW : Urgent SO - DI - Material Configuration Prob
Hello all,
[Direct Input Approach]
In my quest for uploading Legacy system SO through LSMW . I have reached at the stage where I am able to create Sales Order successfully but only 1 problem is..
Our client has customization done where by selecting a perticular value, the SO Item level table control shows few extra detail columns [extra charstics of material]. This is customized by Material Classification view.
My LSMW script is creating Order Correctly but for each item it displays the Configuration Screen and I asks for manual intervation[say pressing F3].
In my LSMW script if I programmatically supress this screen. Then those value doesn't apear in SO when we access it through VA02.
has any one come accross this kind of prblem ? Please help me as this seems to be only hurdle in my SO upload.Hi!
I think, you need two different alternatives:
- You suppress the screen in LSMW -> no configuration data is filled -> later no configuration is available (columns missing). Do this for materials without configuration data.
- You handle the additional screen and fill (at least one) configuration data. Later view and changing (maybe adding the rest of values) should be possible.
Sales orders with configuration would be better created by BAPI - but this would be hard work to change right now (and this BAPI is not easy to handle in case of configuration).
Regards,
Christian -
SMTP and IMAP ACE Probe configuration Example
Hi,
Could someone share he SMTPS and IMAPS probe setting configuration in CISCO ACE 4710 for my reference.
I have two server 10.1.1.58 and 10.1.1.59 which supposed to be load balaced for the service 993 and 465.
Regards
BRHello There,
The ACE has built-in scripted probes in order to check connectivity beyond layer 4 with these kinds of mail servers but only for the unencrypted versions SMTP/IMAP.
In your case since you're working with these protocols over SSL/TLS, you'll need to configure regular TCP probes for each serverfarm so reachability will be test'd based on TCP port.
probe tcp IMAPS-993
port 993
interval 5
faildetect 2
passdetect interval 3
passdetect count 1
open 1
probe tcp SMTPS-464
port 465
interval 5
faildetect 2
passdetect interval 3
passdetect count 1
open 1
HTH
Pablo -
ACE failing server out using TCP health probe
We have a mix of ACE20s and ACE30s currently and I am seeing the ACE in both HW platforms failing out our servers sporadically after a sucessful TCP handshake. Here is the configuration:
probe tcp TCP-25
port 25
interval 25
faildetect 2
passdetect interval 90
open 10
When I do a show probe TCP-25 detail I see the default recv timeout is 10.
I captured a trace between the ACE and the server. When the health probes pass I see a good 3 way TCP handshake, then 50ms later the server sends a SMTP 220 then ace from ace, fin ack from ace and graceful TCP termination occurs. When the probe fails I see a sucessful TCP handshake but the ACE sends FIN ACK 47ms after it sends ACK for the TCP connection. Server then sends ACK and ACE sends RST.
Shouldn't ACE wait 10 seconds in this example for server to respond after TCP handshake?TAC/Martin Nash was very helpful in explaining this. The TCP 3 way handshake was sucessful, but the ACE sent a FIN ACK as expected, but after the server sent an ACK the server did not send a FIN ACK so the ACE marked it down. The health check not only requires a 3 way handshake, but a clean teardown of the TCP session.
Maybe you are looking for
-
I installed elements 12 on a Win 8.1 computer and moved all my photos from my old XP machine. I updated to elements 12.1. Now, many/most of my photos will not open because I do not have "permission" to open the files. How do I fix this so I can wo
-
I cannot open Firefox at all... receive "Profile Missing" -- what next?
MAC desktop being used. When I click on my Firefox app it looks and looks then brings up a window: Profile Missing. Obviously, I cannot do much without opening Firefox. What do I do next?
-
My iPhone 5 was defective & all info backed up to my cloud. Teamlava/ storm 8 dragon story was lost with new phone :-( app developer refuses to replace original game because I have no idea where original download receipt is!
-
ORA-00978 without group function
I've experienced a strange problem with oracle 11g. I've retrieved the oracle exception ORA-00978 even if there was no group function in my query. I supposed was a problem in the optimizer so I rebuild the tables statistics, after that the query was
-
Error when trying to save the business group information for a newly created business group , it says a duplicate record