HTTP probe in ACE
we have a simple layer3-4 port 80 app thta is being load balanced by ACE and created an HTTP probe that actually acts more like a TCP probe, since we took a default on just about all the attributes:
probe http WEB_SERVERS
expect status 200 200
Unfortunately, when we activated this probe, we saw the following:
probe : WEB_SERVERS
type : HTTP
state : ACTIVE
description :
port : 80 address : 0.0.0.0 addr type : -
interval : 120 pass intvl : 300 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : /
conn termination : GRACEFUL
expect offset : 0 , open timeout : 10
expect regex : -
send data : -
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
real : Planview_136.39[0]
167.238.136.39 1 1 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 302
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Wed Jul 22 15:07:20 2009
Last fail time : Wed Jul 22 15:07:21 2009
Last active time : Never
real : Planview_136.40[0]
167.238.136.40 1 1 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 302
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Wed Jul 22 15:07:20 2009
Last fail time : Wed Jul 22 15:07:21 2009
Last active time : Never
The obvious culprit here is the return code. How do we assign the correct return code here?
Thanks...
Hi,
I wouldn't just let it default. It is better to probe for a particular page if that is possible. If this is a page you create, then it offers the possibility of being able to take a server out of rotation simply by renaming the page. E.g.
probe http PROBE-iamhere
interval 30
passdetect interval 10
request method head url /serverhere.html
expect status 200 200
Alternatively, it looks like you are getting a 302 response code (a redirect) then you could just change the line in the probe to expect that.
probe http WEB_SERVERS
expect status 302 302.
HTH
Cathy
Similar Messages
-
hi,
i need to configure an http probe on ace,
the url is like /zz?/ee/rr.png
the probe is get /zz?/ee/rr.png
pb: i can type this ? ,
how can i do that ?
thanx for your answersThat's just easy. Type CRTL + v and then you can type ?. That's all.
-
We have some webserver behind our ACE that use SSL certificates that are issued by an internal CA.
Do I need to do anything special in order to probe HTTPS? Does the ACE need the internal CA to be trusted?
Thanks.
JasonHi,
If https server is working properly, only you need to do is configure https probe on ACE like below.
You do not have to anything related certificate on ACE side.
ACE-A327/context02# show running-config
Generating configuration....
probe https HTTPS
interval 15
passdetect interval 60
ssl version all
expect status 200 200
open 1
rserver host S1
ip address 10.1.142.209
inservice
serverfarm host SF
probe HTTPS
rserver S1
inservice
interface vlan 11
ip address 10.1.142.1 255.255.255.0
no shutdown
ACE-A327/context02# show probe detail
probe : HTTPS
type : HTTPS
state : ACTIVE
description :
port : 443 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
SSL version : All
SSL cipher : RSA_ANY
http method : GET
http url : /
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
regex cache-len : 0
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
serverfarm : SF
real : S1[0]
10.1.142.209 443 DEFAULT 11 0 11 SUCCES
S
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 0
No. Probes skipped : 0 Last status code : 200
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : -
Last probe time : Thu Apr 14 17:34:02 2011
Last fail time : Thu Apr 14 17:30:42 2011
Last active time : Thu Apr 14 17:30:44 2011
ACE-A327/context02#
Additionaly, you can specify cipher in client hello, also you can select ssl/tls version.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/probe.html#wp1162289
If you find this helpful, please rate this topic.
Regards,
Kim. -
Using the ACE 4710 for loadbalancing a Sharepoint site.
We currently have a HTTP probe setup to check the port 80 status of the rserver.
Is there anyway to get the HTTP probe to check a DNS entry for each of the application sites? For instance http://info vs http://site are two different web sites running on the same IP. One site could have a problem but the actual port 80 for the IP may be still alive.
Thanks for any information.Has anyone figure this out? I am tring to get healthchecks/probes setup in this same fashion. I have 2 servers with 1 IP but have many sites. I want to probe each side and ensure I get a 200 code. I also have to provide credentials to the site. It seems that if i open IE I can log in just fine to the site with the credentials. However there is an active x control box that is wanting to be installed. When I set this up on my ACE it seems I am getting a http 401 unauthorized error. I have done a wireshark capture while I was browsing and I see the 401 however it also reports a 200 code after that. Do you think this is a problem because of the active x control wanting to be downloaded? Or is this an issue with the first http code that is recieved by the probe, that being the 401 and then the 200? Below is my config (cleaned of course).
probe http HTTP-80-OUR.DOMAIN.COM
interval 15
passdetect interval 60
credentials
request method get url http://our.domain.com/default.aspx
expect status 200 200
header Host header-value "our.domain.com"
open 1
rserver host SERVER-A
ip address X.X.X.47
inservice
rserver host SERVER-B
ip address X.X.X.48
inservice
serverfarm host FARM-AB
predictor leastconns
probe HTTP-80-OUR.DOMAIN.COM
rserver SERVER-A
inservice
rserver SERVER-B
inservice
ACE4710# show probe HTTP-80-OUR.DOMAIN.COM detail
probe : HTTP-80-OUR.DOMAIN.COM
type : HTTP
state : ACTIVE
description :
port : 80 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : http://our.domain.com
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
serverfarm : OUR.DOMAIN.COM-10.25.4.12-L3-FARM
real : SERVER-A[0]
X.X.X.47 80 DEFAULT 414 406 8 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 2
No. Probes skipped : 0 Last status code : 401
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Wed Jun 2 17:44:18 2010
Last fail time : Wed Jun 2 13:37:04 2010
Last active time : Wed Jun 2 13:34:19 2010
real : SERVER-B[0]
X.X.X.48 80 DEFAULT 414 406 8 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 2
No. Probes skipped : 0 Last status code : 401
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Wed Jun 2 17:44:20 2010
Last fail time : Wed Jun 2 13:37:06 2010
Last active time : Wed Jun 2 13:34:21 2010 -
ACE http probe "request method type" mandatory on A3(2.6)?
Hi people,
I recently upgraded to A3(2.6) from A3(2.0) and I don't see the N/A option on the http probe "request method type".
It also has an asterisk * which means it's mandatory.
I tried to set up a new http probe for another farm I am creating and the probe shows status failed, although I can ping and telnet to the http server on port 80 from the ACE context. My probe is like that:
probe http http_probe_WWW
interval 15
passdetect interval 60
expect status 200 200
open 10
My other http probes for other farms work ok after the upgrade and they are similar.
So my question is: Do I need to set the request method type or something else causes the probe to fail?
thanks a lot.
GeorgeWhat you see is a problem with the GUI.
CSCtg78008 while creating http probe default method slected should be get as in CLI
But the request-method is not required.
So your config should work.
Do a 'show probe detail' to see the failure reason.
Get a sniffer trace as well.
Regards,
Gilles. -
ACE HTTP Probe with regex
Hi,
I'm trying to setup a HTTP probe with expected string rather then a code (config below). I do a GET for the page then a search for a string in the response however it's not working, as probe appears as failed.
I've tested the connection to the server by using telneting and then looking at the page displayed to make sure the string I want to match is in the response.
probe http HTTP-PROBE
port 43050
interval 30
passdetect interval 30
passdetect count 1
request method get url /action=help
open 43050
expect regex action=help
Q. Is there anything wrong with this configuration and what I'm trying to achive?
Thanks,
PriteshUse "expect status" under probe config. expect regex doesnt work if expect status is not configured.
expect regex work flawlessly with static pages. It doesnt work all the time with dynamic pages.
Specially if "content-length" header is missing from Server response.
Hope it helps
Syed Iftekhar Ahmed -
ACE 4710 http probe get url question
I am trying to create a http probe using the request method get url command. My url contains a question mark and the ACE will not accept the url as is and it strips out the question mark character. Is there a way to make the ace accept a url containg a question mark?
probe http HTTP_PROBE
port 9040
interval 10
faildetect 5
passdetect interval 60
expect status 200 200
open 1
The url I am trying to enter is /psp/epprod/?cmd=login
When I enter it the ACE does as shown below
(config-probe-http)# request method get url /psp/epprod/?
<LINE>
ACE-APP-02/vc_peoplesoft(config-probe-http)# request method get url /psp/epprod/cmd=login
It strips out the ? character.Hi Nicholas,
To enter a question mark you need to type ctrl+v prior to entering the ?
You enter the control key then lowercase v, then your question mark.
HTH
Pablo -
Hi,
We would like to see the hash value calculated by the ACE when the HTTP probe hash command configured.
This is possible on CSS via the "sh service" command. We have tried to get it from sh rserver , sh probe XXX detail sh serverfarm XXX det but we do not get it.
Is this possible to get it on the ACE as we do on the CSS?
We need this to manually configure it via the hash <value> command because if the ACE probe is reseted for any reason, the probe http hash will be re-calculated based on the first http response of the server and we can not predict that the server will give the expected web page at this time.
A // question is: on what the md5 value is calculated? HTTP header + payload or only http object payload? We have calculated the md5 hash value by ourselves but the probe is still failing whatever the http portion used for the calculation is.
Many thanks for your help.
Regards/ludovic.probe http MD5-HTTP
interval 15
passdetect interval 15
request method get url /index.html
expect status 200 200
hash 2441DA7F68A265F8CFB4426B6897CE33
And here is how I computed the hash on the server itself [linux machine]
md5sum /var/www/HTML/index.html
2441da7f68a265f8cfb4426b6897ce33 /var/www/HTML/index.html
[root@linux-1 tftpboot]#
The probe is UP
switch/Admin# sho probe MD5-HTTP detail
probe : MD5-HTTP
type : HTTP
state : ACTIVE
description :
port : 80 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 15 pass count : 3
fail count: 3 recv timeout: 10
http method : GET
http url : /index.html
Hash-value : 2441da7f68a265f8cfb4426b6897ce33
conn termination : GRACEFUL
expect offset : 0 , open timeout : 10
expect regex : -
send data : -
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : linux1
real : linux1[0]
192.168.30.27 13 4 9 SUCCESS
md5sum is a standard tool.
Nothing fancy about it.
Gilles. -
ACE Module - HTTP Probe failure
Hi,
I have configured the http probe with expect status 200 202, but the probe fails despite availability of the port on rserver.
I tried head/get method to see the return code, and it came back with HTTP1.1/302. How can I configure an http probe to understand HTTP 302 code as success return.
Thanks.I changed the expect status value as below
probe http TEST-HTTP
interval 30
passdetect interval 10
request method head
expect status 302 302
The probe is still failing with the log message
Apr 20 2009 12:04:35 : %ACE-3-251010: Health probe failed for server 192.168.1.10 on port 80, received invalid status code
On 'show probe detail' it shows the last status code as 400 which means Bad Request
--------------------- probe results --------------------
probe association probed-address probes failed passed health
------------------- ---------------+----------+----------+----------+-------
serverfarm : TEST-APP
real : TEST-SERVER1[80]
192.168.1.10 27 27 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 400
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Mon Apr 20 12:05:33 2009
Last fail time : Mon Apr 20 12:00:53 2009
Last active time : Never
The http page is showing perfectly on the web browser. Also, using the http head/get tool, I can see that 302 is returned.
What could be the problem.
Regards. -
Team,
Below is a snapshot of the HTTP Probe that I currently have confgured:
probe http http-probe
interval 10
passdetect interval 3
request method head
expect status 200 200
My question is, what if one of my reservers has a bad URL but the subsystem in IIS is responding with a 200 status? How do I protect myself from this situation and have the ACE module take this rserver out of rotation?
Thank you,
John...For example instead of root url you can probe a specific url pointing to the app like
probe http http-probe
interval 10
passdetect interval 3
request method head
request method get url /testpage.html
expect status 200 200
Where tespage.html is the app specific page.
There could also be situations where requirement would be to keep track of the backend server along with the front end/Web server and mark the Web server down if a backend server (like application /database server is down).
This can be achieved by if APP can be tweaked by developers such that it make calls to backend servers (like DB server) and populate a page with some value from the database. In http probe you can look for that value and if that value doesnt exist then you can mark the server down.
for e.g in following example if ACE will mark the server down if it gets 200 ok but doesnt get "DBISUP" in response
probe http http-probe
interval 10
passdetect interval 3
request method head
request method get url /checkdbpage.html
expect status 200 200
expect regex DBISUP
HTH
Syed Iftekhar Ahmed -
ACE HTTP Probe Question (HTTP Version)
Hello, I am wondering what HTTP version ACE uses when sending HTTP/HTTPS probes to a web server. I am currently running A2(3.3) if that has any bearing. TIA
Hi,
The default get request method is HTTP/1.1 when the ACE is sending the probe and i dont
think there is a way to change this default behavior.
Regards,
Siva -
Hi,
This is the current probe that I am using:
probe http http-probe
interval 3
passdetect interval 3
passdetect count 3
request method head
expect status 200 200
Someone told me that I should be using a more sophisticated web page to probe. If you agree with that statement, could someone please provide a sample config?
Thank you...Hi,
I'm not sure what your colleague meant by more sophisticated. When I've set up an HTTP probe I've asked that the server management team set up a simple static page on the server that can be tested. So in my probe I'd specify something like:
request method head url /serverhere.html
This enables the team to take a server out of service by renaming the page (e.g. to servernothere.html) without having to ask me to modify the ACE configuration. The server can then be tested without real users having access and brought back in when they're happy.
HTH
Cathy -
ACE Appliance HTTP Probe with "POST" query
Does the ACE support HTTP Probe with a "POST" query?
Thanks
JoeHi Joe,
The ACE only supports GET and HEAD
Here is the documentation related to this:
http://www.cisco.com/en/US/customer/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/probe.html#wp1031485
Cesar R -
Cisco ACE Mod 30 - HTTPS probes are failing after hardware replacement.
We recently had a hardware failure on ACE Mod30. The replacement went in relatively painless (except for having to import about 100 SSL Certificates and Private Keys).
However, on the new ACE, the HTTPS probes are failing for all contexts using them. We can work around this by using TCP-443 probe, but the customer prefers that we actually request a logon page to ensure that the application is running properly.
Here are the probe stats for one context (THIS ONE IS ACTIVE)
BRTDCSCRTR2/INTRA-DEV-TST# sho stats probe type https
+------------------------------------------+
+----------- Probe statistics -------------+
+------------------------------------------+
----- https probe ----
Total probes sent : 52422 Total send failures : 0
Total probes passed : 0 Total probes failed : 52422
Total connect errors : 0 Total conns refused : 0
Total RST received : 0 Total open timeouts : 52422
Total receive timeout : 0 Total active sockets : 0
Here are the probe stats for one context (THIS ONE IS HOT_STANDBY)
BRTDCSCRTR2/INTRA-PROD# sho stats probe type https
+------------------------------------------+
+----------- Probe statistics -------------+
+------------------------------------------+
----- https probe ----
Total probes sent : 69398 Total send failures : 0
Total probes passed : 0 Total probes failed : 69398
Total connect errors : 0 Total conns refused : 0
Total RST received : 0 Total open timeouts : 69398
Total receive timeout : 0 Total active sockets : 0
Everything else appears to be working properly, except for the HTTPS probes.Hi,
For HTTS Probes to be successful, you don't need to have SSL Certs/Private keys on ACE, unless servers are doing client authentication. When ACE sends HTTS Probes to servers, it acts as a client.
Here are few things that can be tried:
- Test HTTS probe with only one server. Reload the server to clear any SSL cache on it.
- check SSL probe detail to verify the error code received
- Take captures between ACE and that server to find at what stage of the probe packet exchange flow is failing.
Here is a good link to troubleshoot HTTPS probe issues:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Troubleshooting_ACE_Health_Monitoring#Troubleshooting_an_HTTPS_Probe_Error
Regards,
Hasham -
Issue with regexes in http health probes on ACE 4710
Folks,
We're currently experiencing fairly bizarre behavior when attempting to set up http probes that expect a regexp. Namely, if we specify a regexp, the probe *always* passes, regardless of status code and regardless of whether or not the message actually matches the pattern. Doing 'no expect regexp' fixes this behavior (by which I mean that the 'expect status' rules work again).
We haven't noticed until now because this is the first time we've tried to set up a probe that does this. Are we missing something? Is this a known issue with our current firmware version?
Sincerely,
Patrick T. Ramsey
# show run probe | begin HTTP-nfscheck | end regex
Generating configuration....
probe http HTTP-nfscheck
description Simple HTTP probe to check nfs mount health
port 80
interval 15
passdetect interval 20
request method head url /nfs-health-check/
open 1
expect regex "^ureytgraeuikghfdjg$"
# sh ver
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2009 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95.1
system: Version A3(2.4) [build 3.0(0)A3(2.4) adbuild_11:46:02-2009/09/27_/auto/adbu-rel2/rel_a3_2_3_throttle/REL_3_0_0_A3_2
_4]
system image file: (hd0,1)/c4710ace-mz.A3_2_4.bin
Device Manager version 1.2 (0) 20090925:1550
installed license: no feature license is installed
Hardware
cpu info:
Motherboard:
number of cpu(s): 2
Daughtercard:
number of cpu(s): 16
memory info:
total: 6226388 kB, free: 3972668 kB
shared: 0 kB, buffers: 22020 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 861668 kB, used: 728656 kB, available: 89240 kB
last boot reason: Unknown
configuration register: 0x1
ldbottom kernel uptime is 325 days 3 hours 46 minute(s) 43 second(s)I also went through a similar issue in which we need to probe the real server PESERVER01 and if the real server replies with the keyword "PE Server" in the HTTP content then the probe should be passed successful.
In my case the real server was listening on port 32776 for HTTP service so we configured the serverfarm as below,
serverfarm host SF-TEST-32776
description SF-TEST-32776
failaction purge
probe PE-SERVER-STRING
rserver PESERVER01 32776
inservice
And the TCP probe as below,
probe tcp PE-SERVER-STRING
port 32776
send-data GET /IOR/ping HTTP/1.1 <<== command should not be in inverted commas
expect regex "PE Server"
The above probe worked really well and when we checked the probe status it was marking as success. I also tried changing the regex from "PE Server" to "Vishal12345" and it was failing as expected because there was no such keyword in the HTTP content.
==================================================================================
T2-LB02# sh probe PE-SERVER-STRING
probe : PE-SERVER-STRING
type : TCP
state : ACTIVE
port : 32776 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
serverfarm : SF-TEST-32776
real : PESERVER01[32776]
10.10.10.1 32776 PROBE 105 0 105 SUCCESS
==================================================================================
I was struggling with this issue from long time. Even raised couple of Cisco TAC cases with no luck. The most important thing here is to identify the exact command to be send to real server like GET /IOR/ping HTTP/1.1 that we used here.
To collect this command I did packet capture on one of the client machine and then tried to open the URL from real server which can return the string "PE Server". Then analyzed the captures in Wireshark and checked the HTTP data with follow the TCP stream option in which I seen the below data, which gives the command to be send in probe as well as the string we should expect.
==================================================================================
GET /IOR/ping HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.12.9.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
Host: 10.144.70.85:32776
Accept: */*
HTTP/1.0 200 OK
Content-type: text/html
Ping
PE Server
WRVFKO11 [Win32 Server Production (3 silos) (Oracle Blob 512 MB) -- {dap451.007.028 dap451.004.002 pe451.003.010x pui451.003.010 pui451.001.004} Mar 9 2012 15:07:53 en ]
===================================================================================
Please try this and see if it helps you.
Thanks,
Vishal Babrekar
Maybe you are looking for
-
HT4235 having a problem syncing my new ipod
having a problem syncing up my new ipod, any suggestions?
-
Migration problem in Mavericks
In Mavericks, Migration Assistant not recognize my Time Machine disk. Time Machine is OK, see the disk, but Migration Assistant not.
-
Hi, The pdf file that I am converting has multiple pages but the conversion only exports the 1st page into excel. How do i get the product to include all pages on multiple sheets?
-
How do I connect to an OCE 300 plotwave?
I downloaded the OCPW3005.ppd diver. It shows up with a grey icon featuring the word exec in bright green. My computer does not have an application to open this appropriately. I was told by the OCE tech that when adding the printer, and choosing t
-
I can't install my itunes. why is that?
when i'm half through my installing the itunes on my laptop, a pop-up appears that says: Error writing to file:C:\Program files(x86)\iTunes\iTunes Resources\nl.proj\DevicePrefsRentalItem.itxib. Verify you have access to that directory." What should i