CSM HTTPS or SSL Health Probe

Similar Messages

• CSM HTTP Health Probe

  Is there any way to configure an HTTP health probe that will test a web page and fail if it takes too long for the server to respond. I have attempted to do this (see below) but the "receive" parameter doesn't seem to help. We are currently having a problem where one of the web servers for whatever reason gets really slow, while the other works fine with about the same number of users, I'd like to fail the slow when this occurrs.
  Here is my probe config:
  probe HTTP-SERVERASP http
  request method get url /server.asp
  expect status 200 299
  interval 5
  failed 30
  receive 5
  Thanks...Jeff

  Jeff,
  receive seems to be the solution for what you need.
  Did you verify how fast/slow the server is responding.
  Currently you allow 5 sec for the response to come back and 3 consecutives must fail before the server is brought down, so if your server resond 1 time fast enough, the server stays up.
  So, use a sniffer trace to verify the response time.
  Send me the trace if you want.
  Gilles.

• CSM health probe for server farm with multiple vservers

  Is there a way to specify the vserver port that a health probe monitors when multiple vservers are configured for the same serverfarm? Let's say I have a serverfarm named farm1. farm1 services two ports www and https so two vservers vserver_www and vserver_https are configured and bound to farm1. I would like to enable http health probe on farm1 with the intention of only monitoring vserver_www http port but, instead, the health probe monitors both www and https and since a http probe on https fails it takes farm1 reals and both vservers vserver_www and vserver_https out-of-service. Is there a way to configure a health probe to monitor a specific port? Or, should I create two duplicate serverfarms farm1 bound to vserver_www and farm2 bound to vserver_https and only enable http health probe on farm1? Any other ideas welcomed.

  Appreciate the feedback. I also found what I was looking for in configuration examples. To summarize I've borrowed the comment from the URL below:
  # The port for the probe is inherited from the vservers.
  # The port is necessary in this case, since the same farm
  # is serving a vserver on port 80 and one on port 23.
  # If the "port 80" parameter is removed, the HTTP probe
  # will be sent out on both ports 80 and 23, thus failing
  # on port 23 which does not serve HTTP requests.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/csm/csm_4_2/config/cfgxpls.htm

• Issue with regexes in http health probes on ACE 4710

  Folks,
  We're currently experiencing fairly bizarre behavior when attempting to set up http probes that expect a regexp.  Namely, if we specify a regexp, the probe *always* passes, regardless of status code and regardless of whether or not the message actually matches the pattern.  Doing 'no expect regexp' fixes this behavior (by which I mean that the 'expect status' rules work again). 
  We haven't noticed until now because this is the first time we've tried to set up a probe that does this.  Are we missing something?  Is this a known issue with our current firmware version?
  Sincerely,
  Patrick T. Ramsey
  # show run probe | begin HTTP-nfscheck | end regex
  Generating configuration....
  probe http HTTP-nfscheck
    description Simple HTTP probe to check nfs mount health
    port 80
    interval 15
    passdetect interval 20
    request method head url /nfs-health-check/
    open 1
    expect regex "^ureytgraeuikghfdjg$"
  # sh ver
  Cisco Application Control Software (ACSW)
  TAC support: http://www.cisco.com/tac
  Copyright (c) 1985-2009 by Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  Software
    loader:    Version 0.95.1
    system:    Version A3(2.4) [build 3.0(0)A3(2.4) adbuild_11:46:02-2009/09/27_/auto/adbu-rel2/rel_a3_2_3_throttle/REL_3_0_0_A3_2
  _4]
    system image file: (hd0,1)/c4710ace-mz.A3_2_4.bin
    Device Manager version 1.2 (0) 20090925:1550
    installed license: no feature license is installed
  Hardware
    cpu info:
      Motherboard:
          number of cpu(s): 2
      Daughtercard:
          number of cpu(s): 16
    memory info:
      total: 6226388 kB, free: 3972668 kB
      shared: 0 kB, buffers: 22020 kB, cached 0 kB
    cf info:
      filesystem: /dev/hdb2
      total: 861668 kB, used: 728656 kB, available: 89240 kB
  last boot reason:  Unknown
  configuration register:  0x1
  ldbottom kernel uptime is 325 days 3 hours 46 minute(s) 43 second(s)

  I also went through a similar issue in which we need to probe the real server PESERVER01 and if the real server replies with the keyword "PE Server" in the HTTP content then the probe should be passed successful.
  In my case the real server was listening on port 32776 for HTTP service so we configured the serverfarm as below,
  serverfarm host SF-TEST-32776
    description SF-TEST-32776
    failaction purge
    probe PE-SERVER-STRING
    rserver PESERVER01 32776
      inservice
  And the TCP probe as below,
  probe tcp PE-SERVER-STRING
    port 32776
    send-data GET /IOR/ping HTTP/1.1      <<== command should not be in inverted  commas
    expect regex "PE Server"
  The above probe worked really well and when we checked the probe status it was marking as success. I also tried changing the regex from "PE Server" to "Vishal12345" and it was failing as expected because there was no such keyword in the HTTP content.
  ==================================================================================
  T2-LB02# sh probe PE-SERVER-STRING
  probe       : PE-SERVER-STRING
  type        : TCP
  state       : ACTIVE
     port      : 32776   address     : 0.0.0.0         addr type  : -
     interval  : 15      pass intvl  : 60              pass count : 3
     fail count: 3       recv timeout: 10
                  ------------------ probe results ------------------
     associations ip-address      port  porttype probes   failed   passed   health
     ------------ ---------------+-----+--------+--------+--------+--------+------
     serverfarm  : SF-TEST-32776
       real      : PESERVER01[32776]
                  10.10.10.1    32776 PROBE    105      0        105      SUCCESS
  ==================================================================================
  I was struggling with this issue from long time. Even raised couple of Cisco TAC cases with no luck. The most important thing here is to identify the exact command to be send to real server like GET /IOR/ping HTTP/1.1 that we used here.
  To collect this command I did packet capture on one of the client machine and then tried to open the URL from real server which can return the string "PE Server". Then analyzed the captures in Wireshark and checked the HTTP data with follow the TCP stream option in which I seen the below data, which gives the command to be send in probe as well as the string we should expect.
  ==================================================================================
  GET /IOR/ping HTTP/1.1
  User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.9.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
  Host: 10.144.70.85:32776
  Accept: */*
  HTTP/1.0 200 OK
  Content-type: text/html
  Ping
  PE Server
  WRVFKO11 [Win32 Server Production (3 silos) (Oracle Blob 512 MB) -- {dap451.007.028 dap451.004.002 pe451.003.010x pui451.003.010  pui451.001.004} Mar  9 2012 15:07:53 en ]
  ===================================================================================
  Please try this and see if it helps you.
  Thanks,
  Vishal Babrekar

• ACE http health probes - best practice for interval and passdetect interval?

  Hi,
  Is there a recommended standard for http health probes in terms of interval and passdetect interval timings, i.e. should the passdetect interval always be less than the interval or visa versa? Can a http probe be 'mis-configured', i.e. return a 'false positive' by configuring an interval timeout thats 'incompatible' with the device it's polling?
  I have a http probe for a serverfarm consisting of two Apache http servers and get intermittent 'server reply timeout' probe failures. I'm keen to ensure that the configuration of the probe isn't at fault so I can be confident that a failed probe indicates a problem with the server and not my configuration.
  The probe is currently configured as below:-
  probe http http-apache
    interval 30
    passdetect interval 15
    passdetect count 6
    request method get url /cs/images/ACE.html
    expect status 200 304
  Any advice on the subject woud be gratefully received.
  thanks
  Matthew

  Hi Gilles,
  Thanks for the advice. In another dicussion (found here https://supportforums.cisco.com/message/462397#462397) a poster has stated that:-
  "(The) "Probe interval" should always be less then (open+recieve) timeout  value. Default open & receive timeouts are 10 seconds."
  Are you able to advise on whether the above is correct and if so, why? I currently have an interval value of 30 that obviously goes against the advice above (which I've interpretted to mean that if you leave the open & receive timeouts at their default settings your probe interval should be less than 20 seconds?).
  thanks
  Matthew

• CSM 4.2(5): Reoccuring failed health probes

  Hi all
  I've finally started to investigate an issue I have with our CSM setup. Several times a day I get the below syslog message from the 6500
  10:49:11: %CSM_SLB-6-RSERVERSTATE: Module 4 server state changed: SLB-NETMGT: TCP health probe failed for server
  Then a few seconds later
  10:49:41: %CSM_SLB-6-RSERVERSTATE: Module 4 server state changed: SLB-NETMGT: TCP health probe re-activated server
  I never seems to catch the event in action and can never verify if the real server is indeed failed or if this is only a probe timeout. I have both layer 2 and layer 3 server farms in operation and this problem occurs on all of my server farms a few times a day.
  No pattern and I have no other indications of any problems. I have most of the probes set on 1 repeat and 30sec timeout. Increase the probe timeouts perhaps?
  Regards
  Fredrik

  Those error messages are related to probing the CSM does when determining server health. For a TCP probe, this means that the CSM either gets a TCP RST from the server or it does not see a SYN-ACK coming from the server.

• CSM Health Probe source IP

  Can anyone tell me what IP address health probes are sourced from on the CSM? I've got a simple ICMP health probe setup but I'm trying to figure out what the source of those probes will be.
  Is it the Vlan IP or maybe the VIP or possibily the router interface IP?
  Thanks,
  Bob

  this is the vlan ip.
  Gilles.

• Multiple health probes on CSM

  We have a CSM blade in a 6509, IOS 12.2(18)SXF7, CSM softvare version 4.2(7);
  We'd like to create a serverfarm, where servers are checked for several ports and only considered as working when all probes succeed.
  Although Cisco docs state that there should be a possibility to associate multiple probes with a serverfarm, I haven't managed to do so.
  Here's what I've tried:
  probe PING icmp
  interval 5
  failed 10
  receive 4
  probe TCP-1234 tcp
  interval 10
  retries 2
  failed 25
  port 1234
  real PROBE-TEST-R
  address 1.2.3.4
  serverfarm PROBE-TEST-SF
  real name PROBE-TEST-R
    health probe PING
    health probe TCP-1234
  but when trying to add the second probe, I get:
  % You must first disassociate from probe PING.
  Any ideas, how multiple probes could be implemented?

  Configure them as probe under the serverfarm..not health probe.
  serverfarm PROBE-TEST-SF
     probe PING
    probe  TCP-1234
  Gilles.

• SSLM Health Probe?

  I have a (2) 6509's, each with a CSM and SSLM. One CSM is active and both SSLM's are active. I load balance encrypted requests to the SSLM's.
  The SSLM decrypts the incoming HTTPS requests and sends the request back to the CSM using HTTP (clear text). The CSM serverfarm then load balances the session to one of the web servers. Because the web server responds back in clear text, I have implemented a health probe to monitor the web page for a specific string of characters within the serverfarm. If a web page displays the page incorrectly, the probe fails for that server.
  Now I have a new requirement, where I must re-encrypt the traffic (backend encryption) and send the requests to the server encrypted (HTTPS).
  My question are:
  1. Can I implement health probes on the SSLM?
  2. Can I implement an effective health probe from the CSM so that I can still poll for a string of characters?
  Thank you.

  SSLM should only be probed with ICMP

• Configuring Health Probe for Server Farm

  If I have a server farm with real servers listening on port 8888 and I apply an HTTP-type health probe with no port number specified, will the ACE know to probe the servers at 8888 or will it try to probe port 80?

  Hi,
  Yes it should inherit the port from the real servers defined in the serverfarm. This gives you the flexibility to associate same probe with different serverfarms probing different servers on different ports. This is probe port inheritance feature which is there in ACE.
  Regards,
  Kanwal

• Health probe for RDP farm

  I have an RDP server farm that lost a disk. The RDP service was still running but users were unable to log in. I'd like to create a health probe that does maybe a combination of TCP probe for port 3389 and something that can determine if the drive that stores user profiles is available.
  I cannot add any new service (http or ftp) to the server.
  Can anyone think of another way to do this? Is there any way I can check SNMP mibs on the windows server or maybe WMI through TCL?
  Thanks.

  Can you drop me a mail offline ([email protected]) and I can share what I have. Matthew

• CSM HTTP return code checking

  Hey again.
  I have been looking into the CSM return code checking feature as suggested by this forum. This is a little closer to what I am looking for but I have question about what happens when there is a failure.
  If a 500 code for HTTP is seen three times, for example, and the server is removed from the farm, is the original request from the client tried on the next server? Or is a reset sent back to the client, or the original code, and the client must try again.
  I am trying to understand if the client will notice if the CSM noticed X number of a particular error and removed the server from the farm.
  Thanks for any help!
  /ahuffer/

  I think you are mixing two things up(Inband health monitoring & HTTP return code checking).
  The "Inband health monitoring" feature checks for both RSTs from a server and the failure of the server to respond to a SYN. If a SYN ACK response to a SYN is not received,the TCP portion of the code will perform several retries of a SYN before timing it out.
  It is configured as follows
  CSM(config-module-csm)# serverfarm xyz
  CSM(config-slb-sfarm)# health retries 10 failed 50
  (Retries are the number of abnormal end sessions that the CSM will tolerate before removing a real server from service. The failed time is the number of seconds that the CSM waits before reattempting a connection to a real server that was removed from service by inband health checking.)
  "HTTP Return Code checking" is the CSM feature that can be configured to take a server out of use in response to receiving specific return codes.
  When HTTP return code checking is configured, the CSM monitors HTTP responses from all balanced HTTP connections and logs the occurrence of the return code for each real server. The CSM stores return code counts. When a threshold for a return code is reached, the CSM may send syslog messages or remove the server from service.
  Unlike "Inband Health monitoring", "Http Return code checking" feature has a small (estimated in 10-15%) impact on CPS setup rate, since it requires parsing L5 information in the server-to-client direction.
  If the server is taken out of service, Client's request will be loadbalanced among available servers.
  Syed
  Syed

• Error in scenario "FILE to HTTP(with SSL)" - HTTP client code 110 reason.

  Hi friends,
  Our scenario is as follows:
  We are trying to send XML file from our SAP-XI to external tool "COMMunix XC" (a multi-protocol EDI platform tool).
  We have configured " FILE TO HTTP(with SSL)" scenario (trying to connect HTTPS/port)
  1. We have created RFC destination of type G and refered the same RFC in Communication channel (Adapter type: HTTP)
  2. We have send the SSL Server certificate to other party and ensure that they have imported at thier end.
  3. We have included the certificates from other party in our SAP XI STRUST under SSL Client (Standard) node.
  4. We have tried " CONNECTION TEST " in the RFC destination created in type G (in STEP 1) and it shows the GREEN TICK at bottom, no other message nor any error message
  When we trigger the communication we recieve the error: HTTP client code 110 reason in SXMB_MONI.
  Please let us know if we have missed out some step.
  What does error message indicate,
  Regards,
  Rehan

  Hi Rehan,
  I see that the PROCTIMEOUT was already at a very high value.
  Does this occur for messages of a particularly large size?  If yes, you could increase the parameter
     icm/HTTP/max_request_size_KB = 2097152
  This would need to be done in the sender/receiver system as well as XI.
  Otherwise you could try reproducing the issue and checking the dev_icm log in the work directory, or go to SMICM -> Goto -> Display trace file
  check for errors like NIECONN_REFUSED or "no service for protocol HTTPS" which can often be related to this type of issue.
  Kind regards,
  Sarah

• Http client------ XI  (via HTTP with SSL),

  hi forum,
  we have a http client that sends a http erquest to XI, by using sap/xi/adapter_plain
  service,  i mean plain http adapter
  but for scurity reasons i need HTTPS communication,
  can u tell me how to enable HTTPS (HTTP with SSL) communiaction in the same scenario,
  http client------>XI  (via HTTP with SSL)

  hi sudeep,
  u need to create a comm ch of adapter type http n set the security level there.
  refer this for help:
  http://help.sap.com/saphelp_nw04/helpdata/en/14/80243b4a66ae0ce10000000a11402f/frameset.htm
  [reward if helpful]
  regards,
  latika.

• ACE failing server out using TCP health probe

  We have a mix of ACE20s and ACE30s currently and I am seeing the ACE in both HW platforms failing out our servers sporadically after a sucessful TCP handshake.  Here is the configuration:
  probe tcp TCP-25
     port 25
     interval 25
     faildetect 2
     passdetect interval 90
     open 10
  When I do a show probe TCP-25 detail I see the default recv timeout is 10.
  I captured a trace between the ACE and the server.  When the health probes pass I see a good 3 way TCP handshake, then 50ms later the server sends a SMTP 220 then ace from ace, fin ack from ace and graceful TCP termination occurs.  When the probe fails I see a sucessful TCP handshake but the ACE sends FIN ACK 47ms after it sends ACK for the TCP connection.  Server then sends ACK and ACE sends RST.
  Shouldn't ACE wait 10 seconds in this example for server to respond after TCP handshake?

  TAC/Martin Nash was very helpful in explaining this.  The TCP 3 way handshake was sucessful, but the ACE sent a FIN ACK as expected, but after the server sent an ACK the server did not send a FIN ACK so the ACE marked it down.  The health check not only requires a 3 way handshake, but a clean teardown of the TCP session.