You can configure a group of Layer 4 and Layer 7 health checks as a health-check policy and associate the group with a specific application port on a real server.
Health-check policies enable you to assess the health of any application port using the health-check mechanisms for ports well-known to the ServerIron ADX. In addition, health-check policies enable you to use multiple checks with different parameters, and base a port’s health on successful completion of all or any one of the individual checks in the policy.
When you attach a health-check policy to a real server’s application port, the ServerIron ADX uses the health-check policy for periodic health checks and also for the next initial bringup of the server. When a health-check policy is attached, the ServerIron ADX no longer uses the default health check methods for initial bringup and periodic health checks.
For the ServerIron ADX to use a health-check policy, you must enable health checking (keepalive) at either the port profile level or the real server level for the server port. Otherwise, the state of the policy is FALSE and the state of the server port remains the state that it was before you attached the policy.
NOTE: Use the show healthck command to display the policy state. Use the show server real-name <name> command to show the real server port state.
If health checking for a server port is disabled at the port profile level and also at the real server level, the ServerIron ADX will continue to use the state that is based on the health check during the initial server bringup. The ServerIron ADX will not be able to update the port’s state if the state changes.
You can enable health checking at the port profile level, at the real server level, or both. Health checking must be enabled on at least one of these levels for the ServerIron ADX to use the health-check policy you attach to the port.
• An Element-action expression consists of the IP address of the server, the Layer 4 protocol (TCP or UDP), and the application port on the server. For some applications, the element-action expression can also include Layer 7 application-specific health check information.
• A Logical expression is a set of element-action expressions joined by the Boolean operators OR, AND or NOT.
An element-action expression contains the IP address, protocol (TCP or UDP), and application port number for an application on an individual real server. If the ServerIron ADX allows you to customize Layer 7 information for the application, then the element-action expression also can contain the customized Layer 7 information.
• Health check type – For application types that are well-known to the ServerIron ADX, you can specify whether you want to use the Layer 4 health check or the Layer 7 health check for the port. By default, the ServerIron ADX uses the Layer 7 health check if the port is one of the types well-known to the ServerIron ADX.
• Health check interval – By default, the ServerIron ADX performs the health checks every 5 seconds. You can change the interval to a value from 2 – 120 seconds.
• Health retries – By default, if a reply to a health check is not received, the ServerIron ADX will attempt the health check two more times before concluding that the application has failed the health check. You can change the number of retries to a value from 1 – 5 retries.
• Health check state – By default, the health check is enabled as soon as you configure it. You can disable or re-enable the health check from within the element-action expression for the check.
These commands change the CLI to the configuration level for an element-action expression, then specify the IP address of the real server and the application port on the server. Since the specified application is well-known to the ServerIron ADX, the ServerIron ADX automatically associates the default health check parameters for the port with the element-action expression. In this example, the port is HTTP (80), so the ServerIron ADX associates the default HTTP health check parameters with the element-action expression. By default, the ServerIron ADX sends a HEAD request for the default page, “1.0”.
These commands configure an element-action expression for unknown port 8080 and associate the default health check parameters for port 80 with the unknown port. To customize the Layer 7 health check parameters for a port, add the information with the protocol command, as in the following example:
The protocol command in this example changes the Layer 7 health check parameters for this HTTP port to a GET request for a page named "sales.html".
This command begins configuration of the element-action expression. The <string> parameter specifies the name for the expression and can be up to 20 characters long. The tcp | udp parameter specifies whether you are configuring an expression for a TCP application port or a UDP application port. There is no default.
• ftp – port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron ADX, the name “ftp” corresponds to port 21.)
• radius-old – the ServerIron ADX name for UDP port 1645, which is used in some older RADIUS implementations instead of port 1812
NOTE: If you enter the no port <tcp/udp-port> command to remove the port, the ServerIron ADX also removes the protocol <tcp/udp-port> command (see below) if the port is well-known to the ServerIron ADX. This is because the ServerIron ADX automatically uses the protocol that matches the well-known port. Otherwise, the ServerIron ADX does not remove the protocol. You must remove it separately.
This command specifies a port whose health-check mechanism you want to use for the port specified by the port command. You need to use this command only if the port specified by the port command is not one of the ports listed above but the port is the same type as one of the ports listed above. For example, use this command if you want to use the DNS health-check mechanism for a port other than 53.
NOTE: You must specify the port using the port command before you enter the protocol command. If the port command specified a port that is well-known to the ServerIron ADX, the ServerIron ADX automatically uses the protocol that matches the port; you do not need to specify it and cannot change it.
NOTE: If you remove the Layer 7 health check information (using a no protocol command), the application will fail the health check. If you want the ServerIron ADX to use a Layer 4 health check instead, enter the l4-check command to change the health-check type to Layer 4.
If the port is not well-known to the ServerIron ADX and you do not specify a protocol for the Layer 7 health check, but Layer 7 health checking is enabled for the port, the port will fail the health check.
See "Changing the Health-Check Type" below.
Syntax: [no] protocol http | 80 [url “[GET | HEAD] [/]<URL-page-name>” |
port http status_code <range> [<range>[<range>[<range>]]] |
content-match <matching-list-name>]
• url “[ GET | HEAD] [ /]<URL-page-name>” – This parameter specifies whether the HTTP health check performs a GET request or a HEAD request. For GET requests, you can specify the page that is requested. By default, a GET request asks for page “1.0”.
• port http status_code <range> [<range>[<range>[<range>]]] – This parameter changes the HTTP status codes that the ServerIron ADX will accept as valid responses. Each <range> specifies the low number and high number in a range of status codes. You can specify up to four ranges (total of eight values). To specify a single message code for a range, enter the code twice. For example to specify 200 only, enter the following command: port http status_code 200 200. For SLB, the default status code range is 200 – 299. If the server’s reply to the health check contains a status code within this range, the ServerIron ADX considers the HTTP application to be healthy.
• content-match <matching-list-name> – This parameter attaches a match list for an HTTP content verification health check to the real server. An HTTP content verification health check is a type of Layer 7 health check in which the ServerIron ADX examines text in an HTML file sent by a real server in response to an HTTP keepalive request. The ServerIron ADX searches the text in the HTML file for user-specified selection criteria and determines whether the HTTP port on the real server is alive based on what it finds. The selection criteria used in HTTP content verification is contained in a matching list that is attached to one or more real servers. The following is an example of the commands used to set up a matching list. For information on how to configure the match lists, see “Configuring HTTP Content Matching Lists”.
• addr_query "<name> " – This parameter specifies a domain name to be requested from the real server by the ServerIron ADX. If the server successfully responds with the IP address for the domain name, the server passes the health check. There is no default.
• zone <zone-name> – This parameter specifies a DNS zone name. The ServerIron ADX sends a Source-of-Authority (SOA) request for the zone name. If the server is authoritative for the zone and successfully responds to the SOA request, the server passes the health check. There is no default.
This command changes one of the following RADIUS health-check parameters. The health check requests values that are configured on the RADIUS server. To change more than one of these parameters, enter a separate protocol radius or protocol 1812 command for each parameter.
• username <string> – This parameter specifies an authentication username on the server.
• password <string> – This parameter specifies an authentication password on the server.
• key <string> – This parameter specifies an authentication key on the server.
When SSL health checks are used in a health check policy, by default the simple SSL health check is used: The ServerIron ADX sends the server an SSL client hello with the SSL SID set to 0; if the server responds, it passes the health check. However, if you use the protocol ssl use-complete command in a health check policy, it causes the ServerIron ADX to negotiate an SSL connection and send a GET or HEAD request to the server.
ServerIron(config)# healthck check4 tcp
ServerIron(config-hc-check4)# dest-ip 10.10.10.50
ServerIron(config-hc-check4)# port ssl
ServerIron(config-hc-check4)# protocol ssl use-complete
ServerIron(config-hc-check4)# protocol ssl url "GET /secure.htm"
ServerIron(config-hc-check4)# protocol ssl status-code 200 200
ServerIron(config-hc-check4)# protocol ssl content-match m1
ServerIron(config-hc-check4)# l7-check
ServerIron(config-hc-check4)# enable
ServerIron(config-hc-check4)# exit
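The difference between the simple and the complete SSL check is easy to miss when reviewing a configuration, so the following added example (not from the original page and not Brocade code) parses pasted element-action expressions and reports the ones that test less than a full request. The function names, the finding texts and the sample expressions check5 and check6 are constructed for illustration; only commands that appear on this page are recognized.

```python
import re

# Constructed sample input: the page's SSL expression plus two weaker variants.
SAMPLE = """\
ServerIron(config)# healthck check4 tcp
ServerIron(config-hc-check4)# dest-ip 10.10.10.50
ServerIron(config-hc-check4)# port ssl
ServerIron(config-hc-check4)# protocol ssl use-complete
ServerIron(config-hc-check4)# healthck check5 tcp
ServerIron(config-hc-check5)# dest-ip 10.10.10.51
ServerIron(config-hc-check5)# port ssl
ServerIron(config-hc-check5)# healthck check6 tcp
ServerIron(config-hc-check6)# dest-ip 10.10.10.52
ServerIron(config-hc-check6)# port http
ServerIron(config-hc-check6)# l4-check
ServerIron(config-hc-check6)# disable
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips "ServerIron(config-...)# "

def parse(text):
    """Group pasted CLI lines into {expression name: [commands]}."""
    exprs, current = {}, None
    for line in text.splitlines():
        words = PROMPT.sub("", line.strip()).split()
        if not words:
            continue
        if words[0] in ("healthck", "exit"):
            # "healthck <name> tcp|udp" opens an expression; "exit" closes it.
            current = exprs.setdefault(words[1], []) if len(words) >= 3 else None
        elif current is not None:
            current.append(" ".join(words))
    return exprs

def audit(text):
    """Return {name: [findings]} for expressions that test less than a full request."""
    findings = {}
    for name, cmds in parse(text).items():
        notes = []
        if "port ssl" in cmds and "protocol ssl use-complete" not in cmds:
            notes.append("simple SSL check: client hello only")
        if "l4-check" in cmds:
            notes.append("Layer 4 check only")
        state = [c for c in cmds if c in ("enable", "disable")]
        if state and state[-1] == "disable":  # the last enable/disable wins
            notes.append("health check disabled")
        if notes:
            findings[name] = notes
    return findings
```

Calling audit(SAMPLE) leaves check4 out of the result and flags check5 and check6.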
By default, the ServerIron ADX performs a health check every 5 seconds. If a reply is not received, the ServerIron ADX will attempt the health check two more times before concluding that the application has failed the health check. You can change the number of seconds the ServerIron ADX will wait for a reply to a health check and the number of retries.
You can specify from 2 – 120 seconds. The default is 5 seconds.
You can specify from 1 – 5 retries. The default is 3 retries.
• FTP – port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron ADX, the name “FTP” corresponds to port 21.)
• TCP – The ServerIron ADX attempts to engage in a normal three-way TCP handshake with the port on the real server:
• UDP – The ServerIron ADX sends a UDP packet with garbage (meaningless) data to the UDP port.
The command in this example configures the ServerIron ADX to use the Layer 4 health check for the application port in the element-action expression. Since the application port in this element-action expression is HTTP, the ServerIron ADX will use the Layer 4 health check for TCP.
Once you configure an element-action expression, the health check in the expression is enabled by default. To disable the health check, enter the following command at the configuration level for the element-action expression:
These commands configure a health-check policy that uses the element-action expressions "check1" and "check2". Since the AND operator is used, the real servers in both "check1" and "check2" must reply successfully for the health check to be successful. If only one of the servers replies, the health check is unsuccessful and the ServerIron ADX stops using all the server application ports in the health-check policy "httpsrvr".
The and | or | not parameter specifies a logical operator in the health-check policy. You can enter two element-action expressions along with the logical operator and, or, or not.
• If you specify and, the policy evaluates to true only if all elements (IP addresses) respond to the health check.
• If you specify or, the policy is true if at least one of the elements responds to the health check.
• If you specify not, the policy is true if none of the elements responds to the health check.
If you are configuring a Boolean UDP health-check policy on a link, define the static next-hop MAC address along with a VLAN ID for that link; otherwise, the ServerIron ADX cannot learn the next-hop-mac-address of that link. Enter commands such as the following to define a static next-hop-mac-address and a vlan-id:
If you want to use a single health-check policy to test more than two IP addresses, configure health-check policies for all the IP addresses, and use them in another health-check policy. For example, to create a health-check policy that tests four IP addresses, enter commands such as the following:
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port http
ServerIron(config-hc-check1)# healthck check2 tcp
ServerIron(config-hc-check2)# dest-ip 10.10.10.20
ServerIron(config-hc-check2)# port http
ServerIron(config-hc-check2)# healthck check3 tcp
ServerIron(config-hc-check3)# dest-ip 10.10.10.30
ServerIron(config-hc-check3)# port http
ServerIron(config-hc-check3)# healthck check4 tcp
ServerIron(config-hc-check4)# dest-ip 10.10.10.40
ServerIron(config-hc-check4)# port http
The commands above configure four element-action expressions, one for each of four servers. The following commands configure two health-check policies, each of which contains two of the element-action expressions.
In this example, the OR logical operator is used in all the policies. Thus, the "checkall" health check is successful if at least one of the four servers responds. To create more restrictive policies, you can use the AND logical operator. For example, if the AND operator is used in this configuration instead of OR, the health check is successful only if all four servers respond.
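The and, or and not semantics and the nesting of policies described above can be modeled in a few lines. This is an added example, not part of the original page and not ServerIron code: it evaluates the nested "checkall" policy against the set of servers that replied and shows how the choice of operator changes which single-server failures the policy survives. The intermediate policy names "checkA" and "checkB" and all function names are constructed.

```python
# Element-action expressions from the four-server example: name -> dest-ip.
EXPRESSIONS = {
    "check1": "10.10.10.50",
    "check2": "10.10.10.20",
    "check3": "10.10.10.30",
    "check4": "10.10.10.40",
}

def build_policies(op):
    """Nest two-operand policies so that "checkall" covers all four servers.
    "checkA" and "checkB" are constructed names for the intermediate policies."""
    return {
        "checkA": (op, "check1", "check2"),
        "checkB": (op, "check3", "check4"),
        "checkall": (op, "checkA", "checkB"),
    }

def evaluate(name, policies, responded, seen=()):
    """True if policy or expression `name` passes, given the set of IPs that replied."""
    if name in EXPRESSIONS:
        return EXPRESSIONS[name] in responded
    if name in seen or name not in policies:
        raise ValueError(f"undefined or self-referencing policy: {name}")
    op, *operands = policies[name]
    results = [evaluate(o, policies, responded, seen + (name,)) for o in operands]
    if op == "and":
        return all(results)       # every element must respond
    if op == "or":
        return any(results)       # one responding element is enough
    if op == "not":
        return not any(results)   # true only if none responds
    raise ValueError(f"unknown operator: {op}")

def survivable_single_failures(policies, top="checkall"):
    """IPs whose loss alone still leaves the top-level policy true."""
    every = set(EXPRESSIONS.values())
    return sorted(ip for ip in every if evaluate(top, policies, every - {ip}))
```

With build_policies("or") every single-server failure is survivable; with build_policies("and") none is, which matches the behavior described for the two operators.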
NOTE: The server l4-check command does not enable a policy if its element-action expressions contain the disable command. In this case, the policy remains disabled.
Copyright © 2009 Brocade Communications Systems, Inc.