ServerIron ADX Server Load Balancing Guide
Release 12.0.00
June 15, 2009


Boolean Health-Check Policies
You can configure a group of Layer 4 and Layer 7 health checks as a health-check policy and associate the group with a specific application port on a real server.[1] Health-check policies enable you to assess the health of any application port using the health-check mechanisms for ports well-known to the ServerIron ADX. In addition, health-check policies enable you to use multiple checks with different parameters, and base a port’s health on successful completion of all or any one of the individual checks in the policy.
Depending on the conditions you specify when you configure a health-check policy, the ServerIron ADX will bring the application port on a server down in one of the following cases:
Any one of the servers fails its health check (individual health checks combined using AND condition) – In this case, all servers in the policy must pass their health checks. Otherwise, the ServerIron ADX considers all of the servers to have failed the health checks and brings down the application on all servers that are checked by the policy.
All of the servers fail their health checks (individual health checks combined using OR condition) – In this case, an application port remains up as long as at least one of the servers checked by the policy passes its health check.
For finer control, you can combine OR and AND conditions.
Health-Check State
When you attach a health-check policy to a real server’s application port, the ServerIron ADX uses the health-check policy for periodic health checks and also for the next initial bringup of the server. When a health-check policy is attached, the ServerIron ADX no longer uses the default health check methods for initial bringup and periodic health checks.
For the ServerIron ADX to use a health-check policy, you must enable health checking (keepalive) at either the port profile level or the real server level for the server port. Otherwise, the state of the policy is FALSE and the state of the server port remains the state that it was before you attached the policy.
NOTE: Use the show healthck command to display the policy state. Use the show server real-name <name> command to show the real server port state.
If health checking for a server port is disabled at the port profile level and also at the real server level, the ServerIron ADX will continue to use the state that is based on the health check during the initial server bringup. The ServerIron ADX will not be able to update the port’s state if the state changes.
To enable health checking at the port profile level, enter commands such as the following:
ServerIron(config)# server port 80
ServerIron(config-port-80)# tcp keepalive enable
The commands enable health checking for TCP port 80.
For a UDP port, enter commands such as the following:
ServerIron(config)# server port 53
ServerIron(config-port-53)# udp keepalive enable
To enable health checking at the real server level, enter commands such as the following:
ServerIron(config)# server real-name R1 10.10.10.10
ServerIron(config-rs-R1)# port 80 keepalive
You can enable health checking at the port profile level, at the real server level, or both. Health checking must be enabled on at least one of these levels for the ServerIron ADX to use the health-check policy you attach to the port.
Health-Check Policy
Health-check policies consist of element-action expressions and logical expressions.
An Element-action expression consists of the IP address of the server, the Layer 4 protocol (TCP or UDP), and the application port on the server. For some applications, the element-action expression can also include Layer 7 application-specific health check information.
A Logical expression is a set of element-action expressions joined by the Boolean operators OR, AND or NOT.
To configure a health-check policy that is successful only if the ServerIron ADX receives a successful reply from all servers and application ports in the policy, use the operator AND.
You can use the same element-action expressions in multiple logical expressions if desired. You can configure up to 254 health-check policies.
To use a health-check policy:
1.
2.
3.
NOTE: A health-check policy does not take effect (begin sending health check packets) until you attach the policy to an application port on a real server.
Configuring Element-Action Expressions
An element-action expression contains the IP address, protocol (TCP or UDP), and application port number for an application on an individual real server. If the ServerIron ADX allows you to customize Layer 7 information for the application, then the element-action expression also can contain the customized Layer 7 information.
You also can change the following parameters for an application port when configuring an element-action expression:
Health check type – For application types that are well-known to the ServerIron ADX, you can specify whether you want to use the Layer 4 health check or the Layer 7 health check for the port. By default, the ServerIron ADX uses the Layer 7 health check if the port is one of the types well-known to the ServerIron ADX.
Health check interval – By default, the ServerIron ADX performs the health checks every 5 seconds. You can change the interval to a value from 2 – 120 seconds.
Health retries – By default, if a reply to a health check is not received, the ServerIron ADX will attempt the health check two more times before concluding that the application has failed the health check. You can change the number of retries to a value from 1 – 5 retries.
Health check state – By default, the health check is enabled as soon as you configure it. You can disable or re-enable the health check from within the element-action expression for the check.
Specifying the IP Address and Application Port Parameters
To configure an element-action expression, enter commands such as the following. The commands in this example specify the IP address of the real server and the application port on the server.
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port http
These commands change the CLI to the configuration level for an element-action expression, then specify the IP address of the real server and the application port on the server. Since the specified application is well-known to the ServerIron ADX, the ServerIron ADX automatically associates the default health check parameters for the port with the element-action expression. In this example, the port is HTTP (80), so the ServerIron ADX associates the default HTTP health check parameters with the element-action expression. By default, the ServerIron ADX sends a HEAD request for the default page, “1.0”.
NOTE: You must specify the destination IP address before you can specify other health check parameters. The software creates the health check policy only after you specify the destination IP address. If you try to specify another parameter before the destination IP address, the CLI displays an error message such as the following: Error - check1: Health-check element is undefined.
NOTE: If you do not specify the application port, the ServerIron ADX will list the status of the health check as FALSE (failed).
To configure an element-action expression for a port number that is not well-known to the ServerIron ADX, enter commands such as the following:
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port 8080
ServerIron(config-hc-check1)# protocol http
These commands configure an element-action expression for unknown port 8080 and associate the default health check parameters for port 80 with the unknown port. To customize the Layer 7 health check parameters for a port, add the information with the protocol command, as in the following example:
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port 8080
ServerIron(config-hc-check1)# protocol http url "GET/sales.html"
The protocol command in this example changes the Layer 7 health check parameters for this HTTP port to a GET request for a page named "sales.html".
Syntax: [no] healthck <string> tcp | udp
This command begins configuration of the element-action expression. The <string> parameter specifies the name for the expression and can be up to 20 characters long. The tcp | udp parameter specifies whether you are configuring an expression for a TCP application port or a UDP application port. There is no default.
Syntax: [no] dest-ip <ip-addr>
This command specifies the IP address of the real server.
Syntax: [no] port <tcp/udp-port>
This command specifies the application port number.
NOTE: If you do not specify the server IP address and the application port, the ServerIron ADX will list the status of the health check as FALSE (failed).
You can specify any valid number, or one of the following port names well-known to the ServerIron ADX:
dns – port 53
ftp – port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron ADX, the name “ftp” corresponds to port 21.)
http – port 80
imap4 – port 143
ldap – port 389
nntp – port 119
ntp – port 123
pop2 – port 109
pop3 – port 110
radius – port 1812
radius-old – the ServerIron ADX name for UDP port 1645, which is used in some older RADIUS implementations instead of port 1812
smtp – port 25
snmp – port 161
ssl – port 443
telnet – port 23
tftp – port 69
NOTE: If you enter the no port <tcp/udp-port> command to remove the port, the ServerIron ADX also removes the protocol <tcp/udp-port> command (see below) if the port is well-known to the ServerIron ADX. This is because the ServerIron ADX automatically uses the protocol that matches the well-known port. Otherwise, the ServerIron ADX does not remove the protocol. You must remove it separately.
Syntax: [no] protocol <tcp/udp-port>
This command specifies a port whose health-check mechanism you want to use for the port specified by the port command. You need to use this command only if the port specified by the port command is not one of the ports listed above but the port is the same type as one of the ports listed above. For example, use this command if you want to use the DNS health-check mechanism for a port other than 53.
NOTE: You must specify the port using the port command before you enter the protocol command. If the port command specified a port that is well-known to the ServerIron ADX, the ServerIron ADX automatically uses the protocol that matches the port; you do not need to specify it and cannot change it.
NOTE: If you remove the Layer 7 health check information (using a no protocol command), the application will fail the health check. If you want the ServerIron ADX to use a Layer 4 health check instead, enter the l4-check command to change the health-check type to Layer 4.

If the port is not well-known to the ServerIron ADX and you do not specify a protocol for the Layer 7 health check, but Layer 7 health checking is enabled for the port, the port will fail the health check.

See "Changing the Health-Check Type" below.
For some ports, you also can customize the Layer 7 information sent with the health check. Here is the syntax.
Syntax: [no] protocol http | 80
[url "[GET | HEAD] [/]<URL-page-name>" |
port http status_code <range> [<range>[<range>[<range>]]] |
content-match <matching-list-name>]
This command changes one of the following HTTP health-check parameters. To change more than one of these parameters, enter a separate protocol http or protocol 80 command for each parameter.
url "[GET | HEAD] [/]<URL-page-name>" – This parameter specifies whether the HTTP health check performs a GET request or a HEAD request. For GET requests, you can specify the page that is requested. By default, a GET request asks for page “1.0”.
port http status_code <range> [<range>[<range>[<range>]]] – This parameter changes the HTTP status codes that the ServerIron ADX will accept as valid responses. Each <range> specifies the low number and high number in a range of status codes. You can specify up to four ranges (total of eight values). To specify a single message code for a range, enter the code twice. For example to specify 200 only, enter the following command: port http status_code 200 200. For SLB, the default status code range is 200 – 299. If the server’s reply to the health check contains a status code within this range, the ServerIron ADX considers the HTTP application to be healthy.
content-match <matching-list-name> – This parameter attaches a match list for an HTTP content verification health check to the real server. An HTTP content verification health check is a type of Layer 7 health check in which the ServerIron ADX examines text in an HTML file sent by a real server in response to an HTTP keepalive request. The ServerIron ADX searches the text in the HTML file for user-specified selection criteria and determines whether the HTTP port on the real server is alive based on what it finds. The selection criteria used in HTTP content verification is contained in a matching list that is attached to one or more real servers. The following is an example of the commands used to set up a matching list. For information on how to configure the match lists, see “Configuring HTTP Content Matching Lists”.
Syntax: [no] protocol dns | 53 [addr_query "<name>" | zone <zone-name>]
This command changes one of the following DNS health-check parameters. To change more than one of these parameters, enter a separate protocol dns or protocol 53 command for each parameter.
addr_query "<name>" – This parameter specifies a domain name to be requested from the real server by the ServerIron ADX. If the server successfully responds with the IP address for the domain name, the server passes the health check. There is no default.
zone <zone-name> – This parameter specifies a DNS zone name. The ServerIron ADX sends a Source-of-Authority (SOA) request for the zone name. If the server is authoritative for the zone and successfully responds to the SOA request, the server passes the health check. There is no default.
NOTE: If you do not configure one of these parameters, the DNS port will fail the health check.
Syntax: [no] protocol radius | 1812 [username <string>] | [password <string>] | [key <string>]
This command changes one of the following RADIUS health-check parameters. The health check requests values that are configured on the RADIUS server. To change more than one of these parameters, enter a separate protocol radius or protocol 1812 command for each parameter.
username <string> – This parameter specifies an authentication username on the server.
password <string> – This parameter specifies an authentication password on the server.
key <string> – This parameter specifies an authentication key on the server.
Syntax: [no] protocol ldap | 389 [<num>]
This command changes the LDAP version. The health check sent by the ServerIron ADX differs depending on the version. You can specify 2 or 3. The default is 3.
Using SSL Health Checks in a Health Check Policy
When SSL health checks are used in a health check policy, by default the simple SSL health check is used: The ServerIron ADX sends the server an SSL client hello with the SSL SID set to 0; if the server responds, it passes the health check. However, if you use the protocol ssl use-complete command in a health check policy, it causes the ServerIron ADX to negotiate an SSL connection and send a GET or HEAD request to the server.
For example, the following commands create a health check policy to test IP address 10.10.10.50, using SSL health checks.
ServerIron(config)# healthck check4 tcp
ServerIron(config-hc-check4)# dest-ip 10.10.10.50
ServerIron(config-hc-check4)# port ssl
ServerIron(config-hc-check4)# protocol ssl use-complete
ServerIron(config-hc-check4)# protocol ssl url "GET /secure.htm"
ServerIron(config-hc-check4)# protocol ssl status-code 200 200
ServerIron(config-hc-check4)# protocol ssl content-match m1
ServerIron(config-hc-check4)# l7-check
ServerIron(config-hc-check4)# enable
ServerIron(config-hc-check4)# exit
Syntax: [no] protocol ssl use-complete
Changing the Health-Check Interval and Retries
By default, the ServerIron ADX performs a health check every 5 seconds. If a reply is not received, the ServerIron ADX will attempt the health check two more times before concluding that the application has failed the health check. You can change the number of seconds the ServerIron ADX will wait for a reply to a health check and the number of retries.
NOTE: The number of retries is the total number of attempts the ServerIron ADX will make. Thus, if you use the default interval and retries values, the ServerIron ADX will send up to three health-check packets, at 5-second intervals. If a server does not respond within 15 seconds of the time the ServerIron ADX sent the first health-check packet, the server fails the health check and the ServerIron ADX concludes that the server is not available.
To change the interval for a health check, enter a command such as the following at the configuration level for the element-action expression that contains the health check:
ServerIron(config-hc-check1)# interval 30
Syntax: [no] interval <secs>
You can specify from 2 – 120 seconds. The default is 5 seconds.
To change the number of retries for a health check, enter a command such as the following at the configuration level for the element-action expression that contains the health check:
ServerIron(config-hc-check1)# retries 4
Syntax: [no] retries <num>
You can specify from 1 – 5 retries. The default is 3 retries.
NOTE: You also can globally change the interval and retries for an application port by editing its port profile. See “Configuring a Port Profile”.
Changing the Health-Check Type
For TCP application ports, you can change the health-check type between Layer 4 and Layer 7. By default, the ServerIron ADX performs a Layer 7 health check in the following cases:
FTP – port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron ADX, the name “FTP” corresponds to port 21.)
HTTP – port 80
IMAP4 – port 143
LDAP – port 389
MMS – port 1755
NNTP – port 119
PNM – port 7070
POP3 – port 110
RTSP – port 554
SMTP – port 25
SSL – port 443
TELNET – port 23
The port is not well-known to the ServerIron ADX but you used the protocol command to specify the protocol of one of the well-known ports. By specifying the protocol, you configure the ServerIron ADX to use the protocol’s Layer 7 health-check method for the port.
If the TCP port is not one of the ports above or you did not specify a Layer 7 health-check method (using the protocol command), the ServerIron ADX uses the Layer 4 health check for TCP.
NOTE: Changing the health-check type for UDP application ports has no effect. If the application port is RADIUS (1812) or DNS (53) or uses the health-check method of one of these ports, the ServerIron ADX uses a Layer 7 health check. Otherwise, the ServerIron ADX uses the Layer 4 health check for UDP.
The Layer 7 health-check methods differ depending on the application:
TCP – The ServerIron ADX attempts to engage in a normal three-way TCP handshake with the port on the real server:
UDP – The ServerIron ADX sends a UDP packet with garbage (meaningless) data to the UDP port.
If the server does not respond at all, the ServerIron ADX assumes that the port is alive and received the garbage data. Since UDP is a connectionless protocol, the ServerIron ADX and other clients do not expect replies to data sent to a UDP port. Thus, lack of a response is a good outcome.
ServerIron(config-hc-check1)# l4-check
The command in this example configures the ServerIron ADX to use the Layer 4 health check for the application port in the element-action expression. Since the application port in this element-action expression is HTTP, the ServerIron ADX will use the Layer 4 health check for TCP.
Syntax: [no] l4-check | l7-check
Changing the Health-Check State
Once you configure an element-action expression, the health check in the expression is enabled by default. To disable the health check, enter the following command at the configuration level for the element-action expression:
ServerIron(config-hc-check1)# disable
Syntax: [no] disable | enable
NOTE: Health checking (keepalive) also must be enabled on the port profile level or the real server level. Otherwise, the health-check policy is used during initial bringup of the server but is not used for periodic health checks after the server is brought up.
NOTE: If the health check for an application on a server is disabled, the ServerIron ADX assumes that the server and application are healthy and continues to send client requests to the server.
NOTE: If you change the health-check state from within the element-action expression, this state overrides the health-check state configured in the port profile for the application port or in the real server configuration.
NOTE: You can globally enable or disable all health-check policies. See “Globally Disabling All Health-Check Policies”.
Configuring a Health-Check Policy
A health-check policy consists of one or more element-action expressions. When a logical expression contains multiple element-action expressions, the policy also contains the logical operator AND or OR or NOT.
You can use a health-check policy as an element-action expression in another policy.
To configure a health-check policy, enter commands such as the following:
ServerIron(config)# healthck "httpsrvr" boolean
ServerIron(config-hc-httpsrvr)# and "check1" "check2"
These commands configure a health-check policy that uses the element-action expressions "check1" and "check2". Since the AND operator is used, the real servers in both "check1" and "check2" must reply successfully for the health check to be successful. If only one of the servers replies, the health check is unsuccessful and the ServerIron ADX stops using all the server application ports in the health-check policy "httpsrvr".
Syntax: [no] healthck "<policy-name>" boolean
Syntax: and | or "<element-name>" "<element-name>"
The <policy-name> parameter specifies the name of the health-check policy. The name can be up to 20 characters long. The name cannot contain blanks.
The and | or | not parameter specifies a logical operator in the health-check policy. You can enter two element-action expressions along with the logical operator and, or, or not.
If you specify and, the policy evaluates to true only if all elements (IP addresses) respond to the health check.
If you specify or, the policy is true if at least one of the elements responds to the health check.
If you specify not, the policy is true if none of the elements responds to the health check.
If you are configuring a boolean UDP health check policy for a link, define the static next-hop MAC address along with a VLAN ID for that link; otherwise, the ServerIron ADX cannot learn the next-hop-mac-address of that link. Enter commands such as the following to define a static next-hop-mac-address and a vlan-id:
ServerIron(config-link-link3)# next-hop-mac-address 00e0.5208.dd8e vlan-id 40
The address 00e0.5208.dd8e is the MAC address of Link3's access router interface. The ServerIron ADX interface that is used to connect to Link3's access router is in VLAN 40.
Syntax: next-hop-mac-address <mac-address> vlan-id <vlan#>
Using a Nested Health-Check Policy
If you want to use a single health-check policy to test more than two IP addresses, configure health-check policies for all the IP addresses, and use them in another health-check policy. For example, to create a health-check policy that tests four IP addresses, enter commands such as the following:
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port http
ServerIron(config-hc-check1)# healthck check2 tcp
ServerIron(config-hc-check2)# dest-ip 10.10.10.20
ServerIron(config-hc-check2)# port http
ServerIron(config-hc-check2)# healthck check3 tcp
ServerIron(config-hc-check3)# dest-ip 10.10.10.30
ServerIron(config-hc-check3)# port http
ServerIron(config-hc-check3)# healthck check4 tcp
ServerIron(config-hc-check4)# dest-ip 10.10.10.40
ServerIron(config-hc-check4)# port http
The commands above configure four element-action expressions, one for each of four servers. The following commands configure two health-check policies, each of which contains two of the element-action expressions.
ServerIron(config-hc-check4)# healthck nested1 boolean
ServerIron(config-hc-nested1)# or check1 check2
ServerIron(config-hc-nested1)# healthck nested2 boolean
ServerIron(config-hc-nested2)# or check3 check4
The following command creates a health-check policy that contains the two policies configured above. The result is a single health-check policy for all four IP servers.
ServerIron(config-hc-nested2)# healthck checkall boolean
ServerIron(config-hc-checkall)# or nested1 nested2
In this example, the OR logical operator is used in all the policies. Thus, the "checkall" health check is successful if at least one of the four servers responds. To create more restrictive policies, you can use the AND logical operator. For example, if the AND operator is used in this configuration instead of OR, the health check is successful only if all four servers respond.
You also can combine policies that use AND with policies that use OR in nested health-check policies.
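The following added example (not Brocade or ServerIron ADX code) is a simplified offline model of nested policies that uses only the rules stated on this page: AND/OR/NOT evaluation, a disabled check reporting TRUE, and a check without dest-ip or port reporting FALSE. The function names, the sample configuration (the nested example above with check4 disabled and AND at the top level) and the reply table are constructed for illustration.

```python
import re

# Constructed sample: the page's nested example, with check4 disabled and
# an AND at the top level (assumptions made for this illustration).
SAMPLE = """\
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port http
ServerIron(config-hc-check1)# healthck check2 tcp
ServerIron(config-hc-check2)# dest-ip 10.10.10.20
ServerIron(config-hc-check2)# port http
ServerIron(config-hc-check2)# healthck check3 tcp
ServerIron(config-hc-check3)# dest-ip 10.10.10.30
ServerIron(config-hc-check3)# port http
ServerIron(config-hc-check3)# healthck check4 tcp
ServerIron(config-hc-check4)# dest-ip 10.10.10.40
ServerIron(config-hc-check4)# port http
ServerIron(config-hc-check4)# disable
ServerIron(config-hc-check4)# healthck nested1 boolean
ServerIron(config-hc-nested1)# or check1 check2
ServerIron(config-hc-nested1)# healthck nested2 boolean
ServerIron(config-hc-nested2)# or check3 check4
ServerIron(config-hc-nested2)# healthck checkall boolean
ServerIron(config-hc-checkall)# and nested1 nested2
"""
# Constructed probe results: only 10.10.10.50 answers its health check.
REPLIES = {"10.10.10.50": True, "10.10.10.20": False,
           "10.10.10.30": False, "10.10.10.40": False}

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips the CLI prompt


def parse(config_text):
    """Return {name: entry} for each 'healthck <name> tcp|udp|boolean' block."""
    entries, cur = {}, None
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw.strip()).replace('"', "").split()
        if len(words) == 3 and words[0] == "healthck":
            cur = entries[words[1]] = {"kind": words[2], "dest_ip": None,
                                       "port": None, "enabled": True,
                                       "op": None, "members": []}
        elif cur is None or not words:
            continue
        elif words[0] in ("dest-ip", "port") and len(words) == 2:
            cur[words[0].replace("-", "_")] = words[1]
        elif words[0] in ("disable", "enable"):
            cur["enabled"] = words[0] == "enable"
        elif words[0] in ("and", "or", "not") and cur["kind"] == "boolean":
            cur["op"], cur["members"] = words[0], words[1:]
    return entries


def evaluate(entries, name, replies, seen=()):
    """State of an element or policy; replies maps dest-ip -> replied (bool)."""
    e = entries.get(name)
    if e is None or name in seen:
        return False          # assumption: undefined or circular reference fails
    if e["kind"] != "boolean":
        if not e["enabled"]:
            return True       # page NOTE: a disabled check is always TRUE
        if e["dest_ip"] is None or e["port"] is None:
            return False      # page NOTE: missing dest-ip or port is FALSE
        return replies.get(e["dest_ip"], False)
    states = [evaluate(entries, m, replies, seen + (name,)) for m in e["members"]]
    if e["op"] == "not":
        return not any(states)   # true if none of the elements responds
    return bool(states) and (all(states) if e["op"] == "and" else any(states))


def audit(entries):
    """List (name, finding) pairs that make a policy state misleading."""
    findings = []
    for name, e in entries.items():
        if e["kind"] == "boolean":
            findings += [(name, "undefined member " + m)
                         for m in e["members"] if m not in entries]
        elif not e["enabled"]:
            findings.append((name, "disabled: reported TRUE without probing"))
        elif e["dest_ip"] is None or e["port"] is None:
            findings.append((name, "no dest-ip or port: always FALSE"))
    return findings


if __name__ == "__main__":
    cfg = parse(SAMPLE)
    print("checkall:", evaluate(cfg, "checkall", REPLIES), audit(cfg))
```

With the constructed replies, checkall evaluates to TRUE even though neither 10.10.10.30 nor 10.10.10.40 answered, because the disabled check4 satisfies the OR in nested2; the audit output points at that element.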
Attaching a Health-Check Policy to an Application Port on a Server
After you configure logical expressions, you can attach them to application ports on real servers. The ServerIron ADX does not begin sending health-check packets until you attach the policy to a real server port.
To attach a health-check policy to an application port on a server, enter commands such as the following:
ServerIron(config)# server real-name R1 10.10.10.50
ServerIron(config-rs-R1)# port 80 healthck "check1"
This command configures the ServerIron ADX to base the health of application port 80 on real server R1 on the results of the check1 health-check policy.
Globally Disabling All Health-Check Policies
You can easily disable all the health-check policies configured on the ServerIron ADX. To do so, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# no server l4-check
NOTE: This command also disables the TCP and UDP Layer 4 health checks for all applications that are not associated with a health-check policy.
Syntax: [no] server l4-check
To re-enable the health-check policies, enter the following command:
ServerIron(config)# server l4-check
NOTE: The server l4-check command does not enable a policy if its element-action expressions contain the disable command. In this case, the policy remains disabled.
Displaying Health Check Policies and Their Status
To display a list of the configured health-check policies and their current status, enter the following command:
Syntax: show healthck
 
TRUE – The most recent health check performed using this policy was successful. The ServerIron ADX received a valid reply to the health check.
FALSE – The most recent health check performed using this policy was unsuccessful.
N/B – The health check is not bound to any VIP and thus is not in use.
N/A (Not Attached) – The policy is not attached to a real server.
NOTE: If the policy is disabled, the value is always TRUE. This is because the ServerIron ADX assumes a server is healthy unless its health check is enabled and the server has not responded appropriately to the health check.
YES – The policy is enabled.
NO – The policy is disabled.
na (not applicable) – This field does not apply to the policy. This value indicates that the policy is not attached to a real server.
The element-action expression or policy type. For Layer 3 health checks, this information consists of ICMP and the IP address tested by the health check.
tcp – An element-action expression for a TCP application port.
udp – An element-action expression for a UDP application port.
and – A policy containing element-action expressions joined by AND.
or – A policy containing element-action expressions joined by OR.
Note: If the value is " - ", the protocol has not been specified and the port is not well-known to the ServerIron ADX.
l4-chk – Layer 4 TCP or UDP health check.
l7-chk – Layer 7 application-specific health check.
Displaying Health Check Policy Statistics
To display health-check policy statistics, enter the following command:
ServerIron(config)# show healthck statistics
Ping Statistics:
Sent: 1524 Received: 1524
Invalid Replies: 0 Dropped Replies: 0
 
Syntax: show healthck statistics
Note: Since the ServerIron ADX retries a health check if a reply is not received, a higher sent count than receive count does not necessarily indicate a problem.
The number of replies that were received that had an invalid ID. The ServerIron ADX is sometimes able to resolve an invalid ID. If the ServerIron ADX cannot resolve the invalid ID, the device drops the reply and increments the Dropped Replies counter.
Clearing Health Check Policy Statistics
To clear health-check policy statistics, enter the following command:
ServerIron(config)# clear healthck statistics
Syntax: clear healthck statistics

[1] Real servers include those added using the server real-name command and those added using the server remote-name command. Generally, both types of servers are referred to as real servers. An application port is a port that uses the TCP or UDP protocol. You associate health-check policies with TCP or UDP ports on the real servers (not with physical ports on the servers).


Copyright © 2009 Brocade Communications Systems, Inc.