IOS SLB HTTP Probe
Hi, I have a simple SLB setup with two servers running in directed mode and two 6509s running IOS SLB to balance between the two. The two servers are web servers and require authentication when hit, so I am just testing using an HTTP probe and searching for the 401 code. Are there any gotchas with configuring the credentials on the 6509 to log onto the webpage?
Cheers,
Brian
Can you post the following:
1. debug ip slb probe
2. debug ip slb probe conn
3. debug rtr error
4. debug rtr trace
Similar Messages
-
Hi,
I'm trying to configure a DNS probe using IOS SLB, but it's not working.
I followed the manual on how to configure a DNS probe, but it just doesn't make any sense.
When using DNS probes on an ACE, you give a hostname which the DNS server should resolve to a configured IP address, and configure an IP address, which makes sense.
On the IOS SLB, it is not the case. Two variables can be configured:
Router(config-slb-probe)# address [ip-address]
(Optional) Configures an IP address to which to send the Domain Name System (DNS) probe.
Router(config-slb-probe)# lookup [ip-address]
(Optional) Configures an IP address of a real server that a Domain Name System (DNS) server should supply in response to a domain name resolve request.
What am I missing? Could someone please clarify?
Tnx!
To verify that a probe is configured correctly, use the show ip slb probe command:
Router# show ip slb probe
It may help you for troubleshooting purposes.
For a further description of the DNS probe configuration, the following guide may help you:
http://www.cisco.com/en/US/docs/ios/12_2/12_2z/12_2za/feature/guide/slbza5.html#wp2434837
-
Hello,
we use server-load-balancing with IOS 12.1(19)E1
We have a problem if the server receives more connections following error messages REAL 192.168.197.8 (HSSAT1-LX) has changed to PROBE_FAILED and few seconds later REAL 192.168.197.8 (HSSAT1-LX) has changed to OPERATIONAL appears and so on.
We checked the servers and they work properly.
What could be the reason for probe failed?
My configuration:
ip slb probe HS-PROBE tcp
interval 5
ip slb serverfarm HSSAT1-LX
nat server
predictor leastconns
failaction purge
probe HS-PROBE
real 192.168.197.8 99
reassign 2
inservice
real 192.168.197.9 99
reassign 2
inservice
ip slb vserver HS.SAT1.DE
virtual xxx.xxx.xxx.xxx tcp www
serverfarm HSSAT1-LX
advertise active
inservice standby allvips
How does a TCP probe work? I could not find more exact information in the documents to configure probes.
Is it better to use another probe (icmp)? or without any probe?
When does it make sense to use probes?
Best regards
Stefan
Hi Stefan,
TCP probes do a complete TCP 3-way handshake and normally terminate the session. A problem which I have had sometimes: the timeout for a session to be established might be too short if the server is "heavily" loaded.
Probing on a specific method (TCP, HTTP ...) is most of the time the better solution. Imagine a web server which is properly pingable but the httpd died due to some internal error. If you probe on a per-ping basis, the load balancer will never notice this, but if you monitor TCP port 80 with a TCP probe, or better an HTTP probe, you will notice this and the server will be taken out of the serverfarm. Even better, but afaik not possible in IOS SLB, is to probe a certain page, e.g. index.html, as you then know that the httpd is up and running and pages can be displayed.
Regarding the probing issue, it might be useful to read the following link describing health monitoring with the CSM:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guide_chapter09186a00801c5899.html#1024967
Hope that helped.
Best Regards,
Joerg
-
Hi,
trying to figure out a possible solution for a 6500 and got a bit confused. According to my knowledge, IOS SLB works either in L2 (MAC) or L3/4 (NAT) to ensure load balancing. The CSM comes into the game but offers much more, extending to L4/7. Are the two solutions substitutes or complementary? Is it true that only with a CSM can you get HTTP probes to check your load-balanced server farm? What other differences do you know about these two solutions?
In the paper http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a0080094066.shtml
it is stated that "To run Cisco IOS SLB software, you must configure the mode using the show ip slb mode [csm | rp] command before any configuration. In the show ip slb mode command, the rp argument is default. You can only configure csm argument if you have the Content Switching Module (CSM)."
While in
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_configuration_example09186a008009452d.shtml
cisco states that "You cannot run Cisco IOS® SLB software on the same switch as the CSM."
Any ideas on that?
Thanks in advance
There are 2 ways to configure the CSM.
You can use the same IOS SLB command and just tell the switch that there is a CSM with the command 'ip slb mode'.
Or you can use the 'module contentswitching ' command.
If you use the first method, you can't use both a CSM and IOS SLB on the same switch.
If you use the second method, it is OK to have both IOS SLB and CSM.
IOS SLB offers an L4-7 load-balancing solution.
Just be aware that as soon as you do L7 or do some NATing, you get poor performance with IOS SLB compared to a CSM.
One advantage of IOS SLB is the capacity to do RADIUS load balancing [inspecting RADIUS packets to identify framed IP, ...]
This is why in the CMX solution we combine both IOS SLB and CSM.
IOS SLB is used to load-balance RADIUS and the CSM is used to load-balance the rest of the traffic.
Personally, I would say if you just need some VPN or firewall load balancing, IOS SLB is enough.
If you need HTTP or any other traffic, the CSM is a better choice.
Regards,
Gilles.
-
Hi Guys,
can anyone confirm or point out errors in this config that I wish to pop on our 6509. We don't have a test environment, so I need to get as much feedback as I can on this.
Thanks in advance,
James
no natpool WSB_RADIUS 10.176.57.115 10.176.57.115 netmask 255.255.255.128
no serverfarm WSB_RADIUS
no serverfarm WSB_RADIUS_NAT
no policy WSB_RADIUS_NAT
no vserver WSB_RADIUS
no probe WSB_RADIUS_AUTH udp
ip slb serverfarm WSB_RADIUS
nat server
real 10.176.57.38
faildetect numconns 8 numclients 1
inservice
real 10.176.57.39
faildetect numconns 8 numclients 1
inservice
real 10.176.57.40
faildetect numconns 8 numclients 1
inservice
real 10.176.57.41
faildetect numconns 8 numclients 1
inservice
ip slb vserver WSB_RADIUS
virtual 10.176.57.115 udp 1813 service radius
serverfarm WSB_RADIUS
idle radius request 2
inservice standby WSB
interface Vlan130
standby 130 name WSB
IOS SLB provides RADIUS load-balancing capabilities for RADIUS servers. In addition, IOS SLB can load-balance devices that proxy the RADIUS Authorization and Accounting flows in both traditional and mobile wireless networks, if desired. IOS SLB does this by correlating data flows to the same proxy that processed the RADIUS for that subscriber flow.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1833/products_feature_guide09186a00802081ce.html#wp2889077
-
Hi,
1. Is it true that ip slb probe http is not working on a 6509 without a CSM card?
2. Has someone tested how many IOS SLB client connections a 6509 with SUP1A/MSFC2 without a CSM card can support?
Thanks,
Yuti
The Cisco CSM accommodates a wide range of common IP protocols, including TCP and User Datagram Protocol (UDP). Additionally, the Cisco CSM supports higher-level protocols, including HTTP, FTP, Telnet, Real Time Streaming Protocol (RTSP), Domain Name System (DNS), and Simple Mail Transfer Protocol (SMTP).
The Cisco CSM allows full regular expression pattern matching for policies based on URLs, cookies, and HTTP header fields. The Cisco CSM supports any URL or cookie format, allowing it to load balance existing Web content without requiring URL or cookie format changes.
-
Http probe on non-standard tcp port 8021
I've configured http probe on standard port 80 with no issue. I'm now trying http probe on non-standard tcp port 8021, confirmed with packet capture to confirm that the CSM is indeed probing, status code 403 is returned but the reals are showing "probe failed". Am I missing something? Thank you in advance.
CSM v2.3(3)2
probe 8021 http
request method head
interval 2
retries 2
failed 4
port 8021
serverfarm TEST
nat server
no nat client
real 10.1.2.101
inservice
real 10.1.2.102
inservice
probe 8021
vserver TEST
virtual 10.1.2.100 tcp 8021
serverfarm TEST
replicate csrp connection
persistent rebalance
inservice
VIP and real status:
vserver type prot virtual vlan state conns
Q_MAS_8021 SLB TCP 10.1.2.100/32:8021 ALL OUTOFSERVICE 0
real server farm weight state conns/hits
10.1.2.101 TEST 8 PROBE_FAILED 0
10.1.2.102 TEST 8 PROBE_FAILED 0
You need to specify what HTTP response code you expect.
The command is :
gdufour-cat6k-2(config-slb-probe-http)#expect status ?
<0-999> expected status - minimum value in a range
The default is to expect only 200.
This is why your 403 is not accepted.
Gilles. -
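Added example (not part of the thread, and not Cisco's implementation): a small Python model of the two probe behaviours described in the replies above, a TCP probe that passes on a completed handshake and an HTTP HEAD probe that passes only when the status falls in the expected range, which defaults to 200 only. The function names, the constructed loopback test server and the 401-403 range are assumptions made for this illustration.

```python
import http.client
import http.server
import socket
import threading


class _FixedStatus(http.server.BaseHTTPRequestHandler):
    """Constructed test server: answers every HEAD with server.status."""
    def do_HEAD(self):
        self.send_response(self.server.status)
        self.end_headers()

    def log_message(self, *args):  # suppress per-request logging
        pass


def tcp_probe(host, port, timeout=2.0):
    """Pass if the TCP handshake completes, whatever the application says."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_probe(host, port, expect=(200, 200), timeout=2.0):
    """Pass only if the HEAD status lies in the inclusive range `expect`."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()
    return expect[0] <= status <= expect[1]


def run_demo(statuses=(200, 401, 403, 500)):
    # One constructed server per status; verdicts are
    # (tcp probe, http probe with default range, http probe expecting 401-403).
    verdicts = {}
    for status in statuses:
        srv = http.server.HTTPServer(("127.0.0.1", 0), _FixedStatus)
        srv.status = status
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, port = srv.server_address
        verdicts[status] = (tcp_probe(host, port),
                            http_probe(host, port),
                            http_probe(host, port, expect=(401, 403)))
        srv.shutdown()
        srv.server_close()
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

The TCP probe passes for every server, including the one returning 500, while the HTTP probe with the default range marks the 401 and 403 servers as failed until the expected range is widened.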
IOS SLB Load Balance Questions
Forgive me if this is the wrong forum but it was the closest one I found relating to my issue.
I've been trying to load balance four of our RADIUS servers using IOS SLB. The config works well and the RADIUS servers are accepting requests fine. I followed this article, which wasn't too bad to follow:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns377/c649/cdccont_0900aecd800eb95f.pdf
My two questions are:
1. Sticky Option
I understand it's used to make sure the client's accounting information
goes to the correct real server, but I'm not sure how it really works
and what's the best time to set it to.
Eg:
ip slb vserver RAD-UDP-1646
virtual 210.x.x.224 udp 1646
serverfarm RADFARM
sticky 86400 group 10
inservice
a/ The documentation says "This configuration causes the sticky database to store its entries for 86,400 seconds of inactivity". What do they mean by "inactivity" - no RADIUS packets coming through? Inactivity from the user's end?
b/ It also says "the client's IP address is added to the IOS SLB database..." - is this the client's framed IP that the ISP assigns to the customer???
c/ And what would be the optimum time to set the sticky timer to be?
2. SLB connection statistics
core1-router#sh ip slb reals
real farm name weight state conns
203.x.x.74 RADFARM 8 OPERATIONAL 0
203.x.x.78 RADFARM 8 OPERATIONAL 0
203.x.x.79 RADFARM 8 OPERATIONAL 0
203.x.x.80 RADFARM 8 OPERATIONAL 2
When you disconnect, the slb stats still show you as being connected to
the real server (and both udp ports) which isn't very accurate. There is a default "delay" time which handles TCP disconnections and after being disconnected for 10 sec, the SLB stats are updated to reflect this (I've verified this works)- but nothing about how it handles UDP disconnections??? This
would skew the stats and give us a very bad misrepresentation of the
number of current and valid connections. Is there any way to correct this?
Thanks.
Andy
Inactivity for IOS SLB means that after the specified time of inactivity, the client will be free to be load balanced to another server. As long as they remain active without an idle time, they will remain connected to the same real server. For the client's IP address which is added to the IOS SLB database, I think it is the framed IP address which the ISP assigns. The optimum time for the sticky timer will be its default value or say 60 seconds.
-
I am trying to inform myself if Cisco IOS supports Server Load Balancing (SLB) without the CSM. It appears this software has been integrated into a hardware module known as a Content Switching Module. (CSM)
Aside from cost and being a hardware module (faster) in a IOS based Catalyst 6500, Is there a functional advantage / disadvantage of using the Cisco CSM over Cisco IOS Server Load Balancing or vice versa. Any comments would be appreciated. Thanks.
Mark
IOS SLB shares the same software code base as Cisco IOS and has all the software feature sets of Cisco IOS software. IOS SLB is recommended for customers desiring complete integration of SLB technology into traditional Cisco switches and routers.
The CSM is specifically designed to meet the demands of large Internet service providers (ISPs), co-location facilities, application service providers (ASPs), and enterprise web server farms.
These links might help you gain a better understanding:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e8/iosslb8e.htm#xtocid32
http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item09186a0080092384.shtml
http://www.cisco.com/warp/customer/cc/pd/si/casi/ca6000/prodlit/ccsm_ds.htm
-
ACE Appliance HTTP Probe with "POST" query
Does the ACE support HTTP Probe with a "POST" query?
Thanks
Joe
Hi Joe,
The ACE only supports GET and HEAD.
Here is the documentation related to this:
http://www.cisco.com/en/US/customer/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/probe.html#wp1031485
Cesar R
-
Hi All,
I want to configure a new HTTP Probe. The application server was installed with the following URL: http://lta43:8011/HealthApp/health.txt
The goal is ACE can monitor this URL.
What would be the way to configure the Probe in the ACE?
Regards,
Jaime.
Hi Jaime,
The minimum configuration you would need is the following:
probe http
port 8011
request method get url /HealthApp/health.txt
expect status 200 200
As you can see, I didn't configure the hostname of the server anywhere. That's because the probe will be associated to a real server, and the IP address will be the one of the server it's checking.
There are also several other parameters you can configure on the probe, such as timers or headers to be inserted into the request, so I would recommend you have a look at the relevant chapter of the configuration guide:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/probe.html
Daniel
-
Are HTTPS probes supported in Cisco devices ?
Hello,
I am aware Cisco supports HTTP probe types. Are HTTPS (HTTP Secure) probes supported in Cisco devices too? If so, from which IOS version?
Your comments are very much appreciated.
Thanks.
Hi,
As per my understanding there is no IOS code which supports HTTPS operations. Only HTTP operations are supported as of now.
Thanks
Afroz
-
We have some web servers behind our ACE that use SSL certificates that are issued by an internal CA.
Do I need to do anything special in order to probe HTTPS? Does the ACE need the internal CA to be trusted?
Thanks.
Jason
Hi,
If the HTTPS server is working properly, the only thing you need to do is configure an HTTPS probe on the ACE like below.
You do not have to do anything related to certificates on the ACE side.
ACE-A327/context02# show running-config
Generating configuration....
probe https HTTPS
interval 15
passdetect interval 60
ssl version all
expect status 200 200
open 1
rserver host S1
ip address 10.1.142.209
inservice
serverfarm host SF
probe HTTPS
rserver S1
inservice
interface vlan 11
ip address 10.1.142.1 255.255.255.0
no shutdown
ACE-A327/context02# show probe detail
probe : HTTPS
type : HTTPS
state : ACTIVE
description :
port : 443 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
SSL version : All
SSL cipher : RSA_ANY
http method : GET
http url : /
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
regex cache-len : 0
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
serverfarm : SF
real : S1[0]
10.1.142.209 443 DEFAULT 11 0 11 SUCCESS
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 0
No. Probes skipped : 0 Last status code : 200
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : -
Last probe time : Thu Apr 14 17:34:02 2011
Last fail time : Thu Apr 14 17:30:42 2011
Last active time : Thu Apr 14 17:30:44 2011
ACE-A327/context02#
Additionally, you can specify the cipher in the client hello, and you can also select the SSL/TLS version.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/probe.html#wp1162289
If you find this helpful, please rate this topic.
Regards,
Kim.
-
Cat 6500 SupEng MSFC II IOS SLB performance
Hello,
does anyone know what the current Cat 6500 Supervisor Engine II MSFC II IOS SLB performance is? I need to know the max TCP/UDP concurrent active sessions and the max TCP/UDP setup rate.
Thanks a lot.
Best regards
Fabio Bellini
Check out the following link for the performance details:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet09186a00800887f3.html
-
Hi, this may be a silly question but is there any problem with configuring IOS SLB on a 6509 which also has a FWSM module in it and the Servers being load balanced are behind the FWSM?
The only thing to consider is that by FWSM, you most likely will be running multiple VRFs on the switch and IOS-SLB has some limitations regarding VRF.
IOS-SLB probes are sent to the global routing table (VRF default) and you will need to 'no advertise' and add static routes to null0 to the VRF for the virtual IPs.
Other than that, IOS-SLB works fine with the FWSM and VRF...