CSM HTTPS or SSL Health Probe
We are currently using TCP probe for HTTPS webServer health checking. Is there a HTTPS or SSL probe available on CSM to send a url to detect if the HTTPS Apache WebServer is up or not?
Many Thx, Q.Xie
You can download the TCL script file from the same location as the CSM software.
In this TCL file you should find the following scripts
[root@linux-1 cisco]# cat /tftpboot/c6slb-apc.4-2-1.tcl | grep -i "name ="
#!name = CHECKPORT_STD_SCRIPT
#!name = ECHO_PROBE_SCRIPT
#!name = FINGER_PROBE_SCRIPT
#!name = FTP_PROBE_SCRIPT
#!name = HTTPCONTENT_PROBE
#!name = HTTPHEADER_PROBE
#!name = HTTPPROXY_PROBE
#!name = HTTP_PROBE_SCRIPT
#!name = IMAP_PROBE
#!name = LDAP_PROBE
#!name = MAIL_PROBE
#!name = POP3_PROBE
#!name = PROBENOTICE_PROBE
#!name = RTSP_PROBE
#!name = SSL_PROBE_SCRIPT
#!name = TFTP_PROBE
There is an SSL_PROBE_SCRIPT that will verify that the SSL server responds to a client SSL HELLO message.
It does not verify if you can send an HTTP request.
It only sends a HELLO as a client and waits for the server HELLO.
With the SSLM for the CSM, there might be a way to achieve HTTPS probe.
I never tried it, but the solution I see would be to create an HTTP probe on the CSM and direct to the SSLM which will do the encryption and forward it to the server.
Regards,
Gilles
Similar Messages
-
Is there any way to configure an HTTP health probe that will test a web page and fail if it takes too long for the server to respond? I have attempted to do this (see below) but the "receive" parameter doesn't seem to help. We are currently having a problem where one of the web servers for whatever reason gets really slow, while the other works fine with about the same number of users. I'd like to fail the slow one when this occurs.
Here is my probe config:
probe HTTP-SERVERASP http
request method get url /server.asp
expect status 200 299
interval 5
failed 30
receive 5
Thanks...Jeff
Jeff,
receive seems to be the solution for what you need.
Did you verify how fast/slow the server is responding?
Currently you allow 5 sec for the response to come back and 3 consecutive probes must fail before the server is brought down, so if your server responds 1 time fast enough, the server stays up.
So, use a sniffer trace to verify the response time.
Send me the trace if you want.
Gilles. -
CSM health probe for server farm with multiple vservers
Is there a way to specify the vserver port that a health probe monitors when multiple vservers are configured for the same serverfarm? Let's say I have a serverfarm named farm1. farm1 services two ports www and https so two vservers vserver_www and vserver_https are configured and bound to farm1. I would like to enable http health probe on farm1 with the intention of only monitoring vserver_www http port but, instead, the health probe monitors both www and https and since a http probe on https fails it takes farm1 reals and both vservers vserver_www and vserver_https out-of-service. Is there a way to configure a health probe to monitor a specific port? Or, should I create two duplicate serverfarms farm1 bound to vserver_www and farm2 bound to vserver_https and only enable http health probe on farm1? Any other ideas welcomed.
Appreciate the feedback. I also found what I was looking for in configuration examples. To summarize I've borrowed the comment from the URL below:
# The port for the probe is inherited from the vservers.
# The port is necessary in this case, since the same farm
# is serving a vserver on port 80 and one on port 23.
# If the "port 80" parameter is removed, the HTTP probe
# will be sent out on both ports 80 and 23, thus failing
# on port 23 which does not serve HTTP requests.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/csm/csm_4_2/config/cfgxpls.htm -
Issue with regexes in http health probes on ACE 4710
Folks,
We're currently experiencing fairly bizarre behavior when attempting to set up http probes that expect a regexp. Namely, if we specify a regexp, the probe *always* passes, regardless of status code and regardless of whether or not the message actually matches the pattern. Doing 'no expect regexp' fixes this behavior (by which I mean that the 'expect status' rules work again).
We haven't noticed until now because this is the first time we've tried to set up a probe that does this. Are we missing something? Is this a known issue with our current firmware version?
Sincerely,
Patrick T. Ramsey
# show run probe | begin HTTP-nfscheck | end regex
Generating configuration....
probe http HTTP-nfscheck
description Simple HTTP probe to check nfs mount health
port 80
interval 15
passdetect interval 20
request method head url /nfs-health-check/
open 1
expect regex "^ureytgraeuikghfdjg$"
# sh ver
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2009 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95.1
system: Version A3(2.4) [build 3.0(0)A3(2.4) adbuild_11:46:02-2009/09/27_/auto/adbu-rel2/rel_a3_2_3_throttle/REL_3_0_0_A3_2_4]
system image file: (hd0,1)/c4710ace-mz.A3_2_4.bin
Device Manager version 1.2 (0) 20090925:1550
installed license: no feature license is installed
Hardware
cpu info:
Motherboard:
number of cpu(s): 2
Daughtercard:
number of cpu(s): 16
memory info:
total: 6226388 kB, free: 3972668 kB
shared: 0 kB, buffers: 22020 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 861668 kB, used: 728656 kB, available: 89240 kB
last boot reason: Unknown
configuration register: 0x1
ldbottom kernel uptime is 325 days 3 hours 46 minute(s) 43 second(s)
I also went through a similar issue in which we need to probe the real server PESERVER01 and if the real server replies with the keyword "PE Server" in the HTTP content then the probe should be passed successful.
In my case the real server was listening on port 32776 for HTTP service so we configured the serverfarm as below,
serverfarm host SF-TEST-32776
description SF-TEST-32776
failaction purge
probe PE-SERVER-STRING
rserver PESERVER01 32776
inservice
And the TCP probe as below,
probe tcp PE-SERVER-STRING
port 32776
send-data GET /IOR/ping HTTP/1.1 <<== command should not be in inverted commas
expect regex "PE Server"
The above probe worked really well and when we checked the probe status it was marking as success. I also tried changing the regex from "PE Server" to "Vishal12345" and it was failing as expected because there was no such keyword in the HTTP content.
==================================================================================
T2-LB02# sh probe PE-SERVER-STRING
probe : PE-SERVER-STRING
type : TCP
state : ACTIVE
port : 32776 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
serverfarm : SF-TEST-32776
real : PESERVER01[32776]
10.10.10.1 32776 PROBE 105 0 105 SUCCESS
==================================================================================
I was struggling with this issue for a long time. Even raised a couple of Cisco TAC cases with no luck. The most important thing here is to identify the exact command to be sent to the real server, like GET /IOR/ping HTTP/1.1 that we used here.
To collect this command I did a packet capture on one of the client machines and then tried to open the URL from the real server which can return the string "PE Server". Then I analyzed the captures in Wireshark and checked the HTTP data with the Follow TCP Stream option, in which I saw the below data, which gives the command to be sent in the probe as well as the string we should expect.
==================================================================================
GET /IOR/ping HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.9.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
Host: 10.144.70.85:32776
Accept: */*
HTTP/1.0 200 OK
Content-type: text/html
Ping
PE Server
WRVFKO11 [Win32 Server Production (3 silos) (Oracle Blob 512 MB) -- {dap451.007.028 dap451.004.002 pe451.003.010x pui451.003.010 pui451.001.004} Mar 9 2012 15:07:53 en ]
===================================================================================
Please try this and see if it helps you.
Thanks,
Vishal Babrekar -
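A sketch of the check discussed in the two threads above (failing a server whose reply is too slow, and the `send-data` / `expect regex` TCP probe), as an added example that is not code from the posts or from Cisco. The names `tcp_probe`, `start_test_server` and `MAX_BYTES`, the `Host` header value and the local test server are assumptions made for illustration; the single deadline for the whole reply is this sketch's choice, not a statement of how the CSM or ACE `receive` timer works.

```python
import re
import socket
import threading
import time

# Constructed sample data based on the capture quoted in the post above.
REQUEST = b"GET /IOR/ping HTTP/1.1\r\nHost: 127.0.0.1\r\nAccept: */*\r\n\r\n"
SAMPLE_RESPONSE = b"HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\nPing\nPE Server\n"
MAX_BYTES = 65536  # assumption: cap on how much of the reply is buffered


def tcp_probe(host, port, send_data, expect_regex, recv_timeout=10.0, open_timeout=1.0):
    """Connect, send send_data, pass only if expect_regex (bytes) appears in time."""
    pattern = re.compile(expect_regex)
    try:
        with socket.create_connection((host, port), timeout=open_timeout) as sock:
            sock.sendall(send_data)
            deadline = time.monotonic() + recv_timeout  # one budget for the whole reply
            buf = b""
            while len(buf) < MAX_BYTES:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return False, "receive timeout"
                sock.settimeout(remaining)
                try:
                    chunk = sock.recv(4096)
                except socket.timeout:
                    return False, "receive timeout"
                if not chunk:  # server closed without the expected content
                    break
                buf += chunk
                if pattern.search(buf):
                    return True, "regex matched"
            return False, "regex not found"
    except OSError:
        return False, "connect failed"


def start_test_server(delay=0.0):
    """Constructed stand-in for a real server; replies after `delay` seconds."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)
                time.sleep(delay)
                try:
                    conn.sendall(SAMPLE_RESPONSE)
                except OSError:
                    pass  # the probe already gave up and closed

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    fast = start_test_server()
    slow = start_test_server(delay=1.0)
    print(tcp_probe(*fast, REQUEST, rb"PE Server"))
    print(tcp_probe(*fast, REQUEST, rb"Vishal12345"))
    print(tcp_probe(*slow, REQUEST, rb"PE Server", recv_timeout=0.3))
```

A slow but otherwise healthy server fails this check only when the receive budget is shorter than its response time, which is why measuring the real response time first matters when choosing the timeout.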
ACE http health probes - best practice for interval and passdetect interval?
Hi,
Is there a recommended standard for http health probes in terms of interval and passdetect interval timings, i.e. should the passdetect interval always be less than the interval or vice versa? Can a http probe be 'mis-configured', i.e. return a 'false positive' by configuring an interval timeout that's 'incompatible' with the device it's polling?
I have a http probe for a serverfarm consisting of two Apache http servers and get intermittent 'server reply timeout' probe failures. I'm keen to ensure that the configuration of the probe isn't at fault so I can be confident that a failed probe indicates a problem with the server and not my configuration.
The probe is currently configured as below:-
probe http http-apache
interval 30
passdetect interval 15
passdetect count 6
request method get url /cs/images/ACE.html
expect status 200 304
Any advice on the subject would be gratefully received.
thanks
Matthew
Hi Gilles,
Thanks for the advice. In another discussion (found here https://supportforums.cisco.com/message/462397#462397) a poster has stated that:-
"(The) "Probe interval" should always be less than (open+receive) timeout value. Default open & receive timeouts are 10 seconds."
Are you able to advise on whether the above is correct and if so, why? I currently have an interval value of 30 that obviously goes against the advice above (which I've interpreted to mean that if you leave the open & receive timeouts at their default settings your probe interval should be less than 20 seconds?).
thanks
Matthew -
CSM 4.2(5): Reoccurring failed health probes
Hi all
I've finally started to investigate an issue I have with our CSM setup. Several times a day I get the below syslog message from the 6500
10:49:11: %CSM_SLB-6-RSERVERSTATE: Module 4 server state changed: SLB-NETMGT: TCP health probe failed for server
Then a few seconds later
10:49:41: %CSM_SLB-6-RSERVERSTATE: Module 4 server state changed: SLB-NETMGT: TCP health probe re-activated server
I never seem to catch the event in action and can never verify if the real server is indeed failed or if this is only a probe timeout. I have both layer 2 and layer 3 server farms in operation and this problem occurs on all of my server farms a few times a day.
No pattern and I have no other indications of any problems. I have most of the probes set on 1 repeat and 30sec timeout. Increase the probe timeouts perhaps?
Regards
Fredrik
Those error messages are related to probing the CSM does when determining server health. For a TCP probe, this means that the CSM either gets a TCP RST from the server or it does not see a SYN-ACK coming from the server.
-
Can anyone tell me what IP address health probes are sourced from on the CSM? I've got a simple ICMP health probe setup but I'm trying to figure out what the source of those probes will be.
Is it the Vlan IP or maybe the VIP or possibly the router interface IP?
Thanks,
Bob
this is the vlan ip.
Gilles. -
We have a CSM blade in a 6509, IOS 12.2(18)SXF7, CSM software version 4.2(7);
We'd like to create a serverfarm, where servers are checked for several ports and only considered as working when all probes succeed.
Although Cisco docs state that there should be a possibility to associate multiple probes with a serverfarm, I haven't managed to do so.
Here's what I've tried:
probe PING icmp
interval 5
failed 10
receive 4
probe TCP-1234 tcp
interval 10
retries 2
failed 25
port 1234
real PROBE-TEST-R
address 1.2.3.4
serverfarm PROBE-TEST-SF
real name PROBE-TEST-R
health probe PING
health probe TCP-1234
but when trying to add the second probe, I get:
% You must first disassociate from probe PING.
Any ideas, how multiple probes could be implemented?
Configure them as probe under the serverfarm..not health probe.
serverfarm PROBE-TEST-SF
probe PING
probe TCP-1234
Gilles. -
I have a (2) 6509's, each with a CSM and SSLM. One CSM is active and both SSLM's are active. I load balance encrypted requests to the SSLM's.
The SSLM decrypts the incoming HTTPS requests and sends the request back to the CSM using HTTP (clear text). The CSM serverfarm then load balances the session to one of the web servers. Because the web server responds back in clear text, I have implemented a health probe to monitor the web page for a specific string of characters within the serverfarm. If a web page displays the page incorrectly, the probe fails for that server.
Now I have a new requirement, where I must re-encrypt the traffic (backend encryption) and send the requests to the server encrypted (HTTPS).
My questions are:
1. Can I implement health probes on the SSLM?
2. Can I implement an effective health probe from the CSM so that I can still poll for a string of characters?
Thank you.
SSLM should only be probed with ICMP
-
Configuring Health Probe for Server Farm
If I have a server farm with real servers listening on port 8888 and I apply an HTTP-type health probe with no port number specified, will the ACE know to probe the servers at 8888 or will it try to probe port 80?
Hi,
Yes it should inherit the port from the real servers defined in the serverfarm. This gives you the flexibility to associate same probe with different serverfarms probing different servers on different ports. This is probe port inheritance feature which is there in ACE.
Regards,
Kanwal -
I have an RDP server farm that lost a disk. The RDP service was still running but users were unable to log in. I'd like to create a health probe that does maybe a combination of TCP probe for port 3389 and something that can determine if the drive that stores user profiles is available.
I cannot add any new service (http or ftp) to the server.
Can anyone think of another way to do this? Is there any way I can check SNMP mibs on the windows server or maybe WMI through TCL?
Thanks.
Can you drop me a mail offline ([email protected]) and I can share what I have. Matthew
-
Hey again.
I have been looking into the CSM return code checking feature as suggested by this forum. This is a little closer to what I am looking for but I have question about what happens when there is a failure.
If a 500 code for HTTP is seen three times, for example, and the server is removed from the farm, is the original request from the client tried on the next server? Or is a reset sent back to the client, or the original code, and the client must try again.
I am trying to understand if the client will notice if the CSM noticed X number of a particular error and removed the server from the farm.
Thanks for any help!
/ahuffer/
I think you are mixing two things up (Inband health monitoring & HTTP return code checking).
The "Inband health monitoring" feature checks for both RSTs from a server and the failure of the server to respond to a SYN. If a SYN ACK response to a SYN is not received,the TCP portion of the code will perform several retries of a SYN before timing it out.
It is configured as follows
CSM(config-module-csm)# serverfarm xyz
CSM(config-slb-sfarm)# health retries 10 failed 50
(Retries are the number of abnormal end sessions that the CSM will tolerate before removing a real server from service. The failed time is the number of seconds that the CSM waits before reattempting a connection to a real server that was removed from service by inband health checking.)
"HTTP Return Code checking" is the CSM feature that can be configured to take a server out of use in response to receiving specific return codes.
When HTTP return code checking is configured, the CSM monitors HTTP responses from all balanced HTTP connections and logs the occurrence of the return code for each real server. The CSM stores return code counts. When a threshold for a return code is reached, the CSM may send syslog messages or remove the server from service.
Unlike "Inband Health monitoring", "Http Return code checking" feature has a small (estimated in 10-15%) impact on CPS setup rate, since it requires parsing L5 information in the server-to-client direction.
If the server is taken out of service, Client's request will be loadbalanced among available servers.
Syed -
Error in scenario "FILE to HTTP(with SSL)" - HTTP client code 110 reason.
Hi friends,
Our scenario is as follows:
We are trying to send XML file from our SAP-XI to external tool "COMMunix XC" (a multi-protocol EDI platform tool).
We have configured " FILE TO HTTP(with SSL)" scenario (trying to connect HTTPS/port)
1. We have created RFC destination of type G and refered the same RFC in Communication channel (Adapter type: HTTP)
2. We have sent the SSL Server certificate to the other party and ensured that they have imported it at their end.
3. We have included the certificates from other party in our SAP XI STRUST under SSL Client (Standard) node.
4. We have tried " CONNECTION TEST " in the RFC destination created in type G (in STEP 1) and it shows the GREEN TICK at bottom, no other message nor any error message
When we trigger the communication we receive the error: HTTP client code 110 reason in SXMB_MONI.
Please let us know if we have missed out some step.
What does the error message indicate?
Regards,
Rehan
Hi Rehan,
I see that the PROCTIMEOUT was already at a very high value.
Does this occur for messages of a particularly large size? If yes, you could increase the parameter
icm/HTTP/max_request_size_KB = 2097152
This would need to be done in the sender/receiver system as well as XI.
Otherwise you could try reproducing the issue and checking the dev_icm log in the work directory, or go to SMICM -> Goto -> Display trace file
check for errors like NIECONN_REFUSED or "no service for protocol HTTPS" which can often be related to this type of issue.
Kind regards,
Sarah -
Http client------ XI (via HTTP with SSL),
hi forum,
we have a http client that sends a http request to XI, by using sap/xi/adapter_plain
service, i mean plain http adapter
but for security reasons i need HTTPS communication,
can u tell me how to enable HTTPS (HTTP with SSL) communication in the same scenario,
http client------>XI (via HTTP with SSL)
hi sudeep,
u need to create a comm ch of adapter type http n set the security level there.
refer this for help:
http://help.sap.com/saphelp_nw04/helpdata/en/14/80243b4a66ae0ce10000000a11402f/frameset.htm
[reward if helpful]
regards,
latika. -
ACE failing server out using TCP health probe
We have a mix of ACE20s and ACE30s currently and I am seeing the ACE in both HW platforms failing out our servers sporadically after a successful TCP handshake. Here is the configuration:
probe tcp TCP-25
port 25
interval 25
faildetect 2
passdetect interval 90
open 10
When I do a show probe TCP-25 detail I see the default recv timeout is 10.
I captured a trace between the ACE and the server. When the health probes pass I see a good 3 way TCP handshake, then 50ms later the server sends a SMTP 220 then ace from ace, fin ack from ace and graceful TCP termination occurs. When the probe fails I see a successful TCP handshake but the ACE sends FIN ACK 47ms after it sends ACK for the TCP connection. Server then sends ACK and ACE sends RST.
Shouldn't ACE wait 10 seconds in this example for server to respond after TCP handshake?
TAC/Martin Nash was very helpful in explaining this. The TCP 3 way handshake was successful, but the ACE sent a FIN ACK as expected, but after the server sent an ACK the server did not send a FIN ACK so the ACE marked it down. The health check not only requires a 3 way handshake, but a clean teardown of the TCP session.