CSM Health Probe source IP
Can anyone tell me what IP address health probes are sourced from on the CSM? I've got a simple ICMP health probe setup but I'm trying to figure out what the source of those probes will be.
Is it the Vlan IP or maybe the VIP or possibily the router interface IP?
Thanks,
Bob
this is the vlan ip.
Gilles.
Similar Messages
-
CSM health probe for server farm with multiple vservers
Is there a way to specify the vserver port that a health probe monitors when multiple vservers are configured for the same serverfarm? Let's say I have a serverfarm named farm1. farm1 services two ports www and https so two vservers vserver_www and vserver_https are configured and bound to farm1. I would like to enable http health probe on farm1 with the intention of only monitoring vserver_www http port but, instead, the health probe monitors both www and https and since a http probe on https fails it takes farm1 reals and both vservers vserver_www and vserver_https out-of-service. Is there a way to configure a health probe to monitor a specific port? Or, should I create two duplicate serverfarms farm1 bound to vserver_www and farm2 bound to vserver_https and only enable http health probe on farm1? Any other ideas welcomed.
Appreciate the feedback. I also found what I was looking for in configuration examples. To summarize I've borrowed the comment from the URL below:
# The port for the probe is inherited from the vservers.
# The port is necessary in this case, since the same farm
# is serving a vserver on port 80 and one on port 23.
# If the "port 80" parameter is removed, the HTTP probe
# will be sent out on both ports 80 and 23, thus failing
# on port 23 which does not serve HTTP requests.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/csm/csm_4_2/config/cfgxpls.htm -
CSM 4.2(5): Reoccuring failed health probes
Hi all
I've finally started to investigate an issue I have with our CSM setup. Several times a day I get the below syslog message from the 6500
10:49:11: %CSM_SLB-6-RSERVERSTATE: Module 4 server state changed: SLB-NETMGT: TCP health probe failed for server
Then a few seconds later
10:49:41: %CSM_SLB-6-RSERVERSTATE: Module 4 server state changed: SLB-NETMGT: TCP health probe re-activated server
I never seems to catch the event in action and can never verify if the real server is indeed failed or if this is only a probe timeout. I have both layer 2 and layer 3 server farms in operation and this problem occurs on all of my server farms a few times a day.
No pattern and I have no other indications of any problems. I have most of the probes set on 1 repeat and 30sec timeout. Increase the probe timeouts perhaps?
Regards
FredrikThose error messages are related to probing the CSM does when determining server health. For a TCP probe, this means that the CSM either gets a TCP RST from the server or it does not see a SYN-ACK coming from the server.
-
We have a CSM blade in a 6509, IOS 12.2(18)SXF7, CSM softvare version 4.2(7);
We'd like to create a serverfarm, where servers are checked for several ports and only considered as working when all probes succeed.
Although Cisco docs state that there should be a possibility to associate multiple probes with a serverfarm, I haven't managed to do so.
Here's what I've tried:
probe PING icmp
interval 5
failed 10
receive 4
probe TCP-1234 tcp
interval 10
retries 2
failed 25
port 1234
real PROBE-TEST-R
address 1.2.3.4
serverfarm PROBE-TEST-SF
real name PROBE-TEST-R
health probe PING
health probe TCP-1234
but when trying to add the second probe, I get:
% You must first disassociate from probe PING.
Any ideas, how multiple probes could be implemented?Configure them as probe under the serverfarm..not health probe.
serverfarm PROBE-TEST-SF
probe PING
probe TCP-1234
Gilles. -
Is there any way to configure an HTTP health probe that will test a web page and fail if it takes too long for the server to respond. I have attempted to do this (see below) but the "receive" parameter doesn't seem to help. We are currently having a problem where one of the web servers for whatever reason gets really slow, while the other works fine with about the same number of users, I'd like to fail the slow when this occurrs.
Here is my probe config:
probe HTTP-SERVERASP http
request method get url /server.asp
expect status 200 299
interval 5
failed 30
receive 5
Thanks...JeffJeff,
receive seems to be the solution for what you need.
Did you verify how fast/slow the server is responding.
Currently you allow 5 sec for the response to come back and 3 consecutives must fail before the server is brought down, so if your server resond 1 time fast enough, the server stays up.
So, use a sniffer trace to verify the response time.
Send me the trace if you want.
Gilles. -
I have a (2) 6509's, each with a CSM and SSLM. One CSM is active and both SSLM's are active. I load balance encrypted requests to the SSLM's.
The SSLM decrypts the incoming HTTPS requests and sends the request back to the CSM using HTTP (clear text). The CSM serverfarm then load balances the session to one of the web servers. Because the web server responds back in clear text, I have implemented a health probe to monitor the web page for a specific string of characters within the serverfarm. If a web page displays the page incorrectly, the probe fails for that server.
Now I have a new requirement, where I must re-encrypt the traffic (backend encryption) and send the requests to the server encrypted (HTTPS).
My question are:
1. Can I implement health probes on the SSLM?
2. Can I implement an effective health probe from the CSM so that I can still poll for a string of characters?
Thank you.SSLM should only be probed with ICMP
-
When configuring GSLB on the CSM a probe on the GSLB real is needed. When using the 'predictor leastload' this probe has to be a 'kal-ap-udp' probe, even if the GSLB real is referring to a vserver configurred locally on the CSM.
I am unable to make it work. Below my configuration and debug output from which it is clear, that no load is reported. Can anyone help me out, or point me to relevant documentation (have been unable to find full configuration examples) to make GSLB probing work:
Regards Peter
2w2d: CSM8: SLB-GSLB[aCR] Request from 1.1.1.3 for telnet.tdk.dk, type is T_A
2w2d: CSM8: SLB-GSLB[aCR] Located:telnet.tdk.dk in HdTbl.
2w2d: CSM8: SLB-GSLB[aCR] Matched rule:8:DNSPOLICY
2w2d: CSM8: SLB-GSLB[aCR] No Agroup members reporting load!
2w2d: CSM8: SLB-GSLB[aCR] No members reporting load Agroup:GSLBTELNET
2w2d: CSM8: SLB-GSLB[aCR] Request from 1.1.1.3 for telnet.tdk.dk, type is T_A
2w2d: CSM8: SLB-GSLB[aCR] Located:telnet.tdk.dk in HdTbl.
2w2d: CSM8: SLB-GSLB[aCR] Matched rule:8:DNSPOLICY
2w2d: CSM8: SLB-GSLB[aCR] No Agroup members reporting load!
2w2d: CSM8: SLB-GSLB[aCR] No members reporting load Agroup:GSLBTELNET
module ContentSwitchingModule 8
vlan 201 client
ip address 172.22.201.10 255.255.255.0 alt 172.22.201.11 255.255.255.0
gateway 172.22.201.1
vlan 2010 server
ip address 172.22.201.10 255.255.255.0 alt 172.22.201.11 255.255.255.0
probe TELNET tcp
interval 10
port 23
probe TEST kal-ap-udp
address 172.22.201.10 routed
map DNSMAP dns
match protocol dns domain telnet.tdk.dk
serverfarm GSLBTELNET dns-vip
predictor leastload
real 172.22.201.222
health probe TEST
inservice
serverfarm TELNET-ROUTERS
nat server
no nat client
predictor leastconns
real 172.22.201.200
inservice
probe TELNET
policy DNSPOLICY dns
dns map DNSMAP
serverfarm primary GSLBTELNET ttl 5 responses 1
vserver DNSSERVER dns
dns-policy DNSPOLICY
inservice
vserver TELNETVIP
virtual 172.22.201.222 tcp telnet
serverfarm TELNET-ROUTERS
inserviceJust tried same command as you, and actually a load is being displayed at the bottom, so it might not be the probing that is the problem.
Still when trying to resolve telnet.tdk.dk I get:
2w2d: CSM8: SLB-GSLB[aCR] Request from 1.1.1.3 for telnet.tdk.dk, type is T_A
2w2d: CSM8: SLB-GSLB[aCR] Located:telnet.tdk.dk in HdTbl.
2w2d: CSM8: SLB-GSLB[aCR] Matched rule:8:DNSPOLICY
2w2d: CSM8: SLB-GSLB[aCR] No Agroup members reporting load!
2w2d: CSM8: SLB-GSLB[aCR] No members reporting load Agroup:GSLBTELNET
From the debug it seems that probing does return something (load 2):
2w2d: CSM8: SLB-GSLB[aCR] Calculated Freq: 45 Total KALs: 1 Wait-time 45000ms
2w2d: CSM8: SLB-GSLB[aCR] KAL-AP (seq# 59830)=> Host 172.22.201.10
2w2d: CSM8: SLB-GSLB[aCR] Respond to [172.22.201.10] for [172.22.201.222] with load=2
2w2d: CSM8: SLB-GSLB[aCR] NO Encryption set for ac16c90a
2w2d: CSM8: SLB-GSLB[aCR] Response from CAPP-ID 0x199 [src: 172.22.201.10]
2w2d: CSM8: SLB-GSLB[aCR] Received from [172.22.201.10] sequence#: 59830
2w2d: CSM8: SLB-GSLB[aCR] Checking SN 59830 vs. 59830
2w2d: CSM8: SLB-GSLB[aCR] ParsePkt type is 10
2w2d: CSM8: SLB-GSLB[aCR] pEntry->kalSpec.kalAp.uLoad is 2
2w2d: CSM8: SLB-GSLB[aCR] uLoad is 2
2w2d: CSM8: SLB-GSLB[aCR] (*itKalAp)->kalStat.eKalState is 1
2w2d: CSM8: SLB-GSLB[aCR] ParsePkt type is 255h
MH2142#sho mod csm 8 server name gslbtelnet det
GSLBTELNET, type = DNS-VIP, predictor = LeastLoad
nat = None
hit count = 0, reals = 1
Real servers:
172.22.201.222, weight = 8, OPERATIONAL, hit count = 8, load = 2 -
ACE http health probes - best practice for interval and passdetect interval?
Hi,
Is there a recommended standard for http health probes in terms of interval and passdetect interval timings, i.e. should the passdetect interval always be less than the interval or visa versa? Can a http probe be 'mis-configured', i.e. return a 'false positive' by configuring an interval timeout thats 'incompatible' with the device it's polling?
I have a http probe for a serverfarm consisting of two Apache http servers and get intermittent 'server reply timeout' probe failures. I'm keen to ensure that the configuration of the probe isn't at fault so I can be confident that a failed probe indicates a problem with the server and not my configuration.
The probe is currently configured as below:-
probe http http-apache
interval 30
passdetect interval 15
passdetect count 6
request method get url /cs/images/ACE.html
expect status 200 304
Any advice on the subject woud be gratefully received.
thanks
MatthewHi Gilles,
Thanks for the advice. In another dicussion (found here https://supportforums.cisco.com/message/462397#462397) a poster has stated that:-
"(The) "Probe interval" should always be less then (open+recieve) timeout value. Default open & receive timeouts are 10 seconds."
Are you able to advise on whether the above is correct and if so, why? I currently have an interval value of 30 that obviously goes against the advice above (which I've interpretted to mean that if you leave the open & receive timeouts at their default settings your probe interval should be less than 20 seconds?).
thanks
Matthew -
ACE failing server out using TCP health probe
We have a mix of ACE20s and ACE30s currently and I am seeing the ACE in both HW platforms failing out our servers sporadically after a sucessful TCP handshake. Here is the configuration:
probe tcp TCP-25
port 25
interval 25
faildetect 2
passdetect interval 90
open 10
When I do a show probe TCP-25 detail I see the default recv timeout is 10.
I captured a trace between the ACE and the server. When the health probes pass I see a good 3 way TCP handshake, then 50ms later the server sends a SMTP 220 then ace from ace, fin ack from ace and graceful TCP termination occurs. When the probe fails I see a sucessful TCP handshake but the ACE sends FIN ACK 47ms after it sends ACK for the TCP connection. Server then sends ACK and ACE sends RST.
Shouldn't ACE wait 10 seconds in this example for server to respond after TCP handshake?TAC/Martin Nash was very helpful in explaining this. The TCP 3 way handshake was sucessful, but the ACE sent a FIN ACK as expected, but after the server sent an ACK the server did not send a FIN ACK so the ACE marked it down. The health check not only requires a 3 way handshake, but a clean teardown of the TCP session.
-
Configuring Health Probe for Server Farm
If I have a server farm with real servers listening on port 8888 and I apply an HTTP-type health probe with no port number specified, will the ACE know to probe the servers at 8888 or will it try to probe port 80?
Hi,
Yes it should inherit the port from the real servers defined in the serverfarm. This gives you the flexibility to associate same probe with different serverfarms probing different servers on different ports. This is probe port inheritance feature which is there in ACE.
Regards,
Kanwal -
I have an RDP server farm that lost a disk. The RDP service was still running but users were unable to log in. I'd like to create a health probe that does maybe a combination of TCP probe for port 3389 and something that can determine if the drive that stores user profiles is available.
I cannot add any new service (http or ftp) to the server.
Can anyone think of another way to do this? Is there any way I can check SNMP mibs on the windows server or maybe WMI through TCL?
Thanks.Can you drop me a mail offline ([email protected]) and I can share what I have. Matthew
-
ACE Health probe using get URL
Hello,
We are trying to create a health probe for our google search appliances and as part of the URL get there is a question mark but the ACE doesn't like that. Is there a way around this or should it be done differently?
request method get url /searchq? (This is what we want the URL to be)
request method get url /searchq (This is where it thinks i'm asking it for help)
Thanks in Advance.Hello,
You need to typ CRTL+v prior to entering the ?
That's the Control key then lowercase v, then your question mark.
Hope this helps,
Sean -
Probe Interval: 5
Pass Detect (Seconds): 60
Fail Detect: 3
Please can someone explain the above settings that are configured for a health probe? am I correct in thinking the probe is sent every 5 seconds, and must fail 3 times in order to failover? Does the "Pass Detect" indicate that the server must be back online for 60 seconds before being placed back into the server farm?
Also if we have a primary server and a back up server (used if primary fails), if the primary fails and the backup server becomes active, will the primary server become available again when it comes back online, or will all connections continue to go to the backup? Is there anyway to make the old primary the new backup when it comes back online?Hi,
You are right about Probe interval and fail detect, but Pass detect has two parameters:-interval and count, where interval defines the amount of time to wait for sending the probe back to failed server where as count paramater will control the minimum succefullt probe return from server for making it active again.
Regarding the backup server, once the prmary server comes online again all new connection will be redirected to it, while all existing connection will continue on existing one. I guess "inservice standby" will be the command of your interest in gracefully removing the primary and bringing the backup active. -
I am using the HTTP probe shown below. When we shutdown our backend application the server is returning a 500 response code to the client but the CSM does not remove it from service.
probe TEST http
request method get url /test/engine
expect status 0 499
interval 10
failed 10
port 8001
What if any difference is there between
request method get url and
request url
Is there any way that I can see the last response code that the CSM received?
It looked like it wanted to fail but didn't:
CSM#sh mod csm 8 probe real 10.10.63.18
real = 10.10.63.18:8001, probe = TEST, type = http,
vserver = D-TESTVIP, sfarm = D-TESTSERVER
status = OPERABLE, current = 16:44:21 EDT 07/22/08,
successes = 1714, last success = 16:44:16 EDT 07/22/08,
failures = 35, last failure = 16:33:55 EDT 07/22/08,
state = Waiting for server to reply
CSM#sh mod csm 8 probe name TEST
type port interval retries failed open receive
http 8001 10 3 10 10 10
Thank you,
DaveOk thanks. I had never seen anything on this venus mode before. It doesn't accept the command though. I get Symbol 'testhttp' not found! when I enter the command. I have version 4.2(3a) of the CSM code running.
VENUS# ?
usage
upgrade slot0:|server-ip-addr filename
create virtual ...
destroy virtual ...
rename virtual ...
add pool ...
remove pool ...
bind virtual-name ...
unbind virtual-name rule-id
reorder virtual-name ...
set balancer ...
classify acl ...
address system ...
show virtual ...
load cfg-filename
restore config defaults|flash|backup
debug ixp rd|wr chip addr #dwords
stats real [rserver-name]
script [file [slot0:script_file|tftp_addr script_file]]
capture [on|off]
venus
tftp core_dump tftp-ip-addr [filename]
exit -
We are currently using TCP probe for HTTPS webServer health checking. Is there a HTTPS or SSL probe available on CSM to send a url to detect if the HTTPS Apache WebServer is up or not?
Many Thx, Q.XieYou can download the TCL script file from the same locstion as the CSM software.
In this TCL file you should find the following scripts
[root@linux-1 cisco]# cat /tftpboot/c6slb-apc.4-2-1.tcl | grep -i "name ="
#!name = CHECKPORT_STD_SCRIPT
#!name = ECHO_PROBE_SCRIPT
#!name = FINGER_PROBE_SCRIPT
#!name = FTP_PROBE_SCRIPT
#!name = HTTPCONTENT_PROBE
#!name = HTTPHEADER_PROBE
#!name = HTTPPROXY_PROBE
#!name = HTTP_PROBE_SCRIPT
#!name = IMAP_PROBE
#!name = LDAP_PROBE
#!name = MAIL_PROBE
#!name = POP3_PROBE
#!name = PROBENOTICE_PROBE
#!name = RTSP_PROBE
#!name = SSL_PROBE_SCRIPT
#!name = TFTP_PROBE
There is a SSL_PROBE_SCRIPT that will verify that the SSL server respond to a client SSL HELLO message.
It does not verify if you can send an HTTP request.
It only sends a HELLO as a client and wait for the server HELLO.
With the SSLM for the CSM, there might be a way to achieve HTTPS probe.
I never tried it, but the solution I see would be to create an HTTP probe on the CSM and direct to the SSLM which will do the encryption and forward it to the server.
Regards,
Gilles
Maybe you are looking for
-
My iTunes won't open after last update.
My iTunes won't open after last update. Can anybody help me?
-
Recently my 5th gen video stop pushing sound through the headphone jack. i thought it just might be a problem with that but i put it on my ihome and it still did nothing. the screen works and it says its playing. even when i hook it up to my computer
-
Using SAP BEx to create query error
After query creation in excel, shown 'No Applicable Data Found'. Who can help to solve this problem. Thanks in advance.
-
Installing iTunes on Faculty/Staff XP computers
As preparation for joining iTunesU, we will be needing to install iTunes on our faculty/staff computers. We're running Windows XP and users do not have administrator privileges. We do not want to have to install the software on the computers individu
-
Seeking a DVR Recommendation that I can use with FCP 5!!
I am looking to purchase a DVR, not a Tivo!! I was looking for someone who is currently using a DVR, that has Firewire out, that they are using in FCP to edit content to send to DVD. I am open to any any all suggestions!! As always thanks in advance