Mailing List Archive

configuring port groups for health checks
I've checked the archives briefly, and I've been staring at the docs for
a while, but it's Friday and my brain is frazzled. I'm hoping someone
can take pity on me and answer this -

Can I configure a real server to mark all ports as failed if any one of
them fails? I've been looking at the port groups, but those seem to be
more for sticky..

(Specifically, the code we are running on one of our old XL's doesn't
allow us to do in depth health checks on port 443, I want it to fail
that port if the content-matching on port 80 fails. I'll upgrade if I
have to, but it will affect many customers, and I'd rather avoid it)

Thanks in advance,
Matt
configuring port groups for health checks [ In reply to ]
As is usually the case, posting to the list causes a flash of insight.

Can I define an external health check (per server, I suppose) that does
the layer 7 content matching, and then apply it to port ssl?

Will this cause it to mark port 443 as failed if the healthcheck fails
on port 80?

i.e,

healthck rs1-http tcp
 dest-ip 10.0.1.11
 port http
 proto http url "GET /healthcheck.asp"
 proto http status-code 200 200
 proto http content-match health1

healthck rs2-http tcp
 dest-ip 10.0.1.12
 port http
 proto http url "GET /healthcheck.asp"
 proto http status-code 200 200
 proto http content-match health1

server real rs1 10.0.1.11
 port http
 port http healthck rs1-http
 port ssl
 port ssl healthck rs1-http

server real rs2 10.0.1.12
 port http
 port http healthck rs2-http
 port ssl
 port ssl healthck rs2-http

server virtual vs1 10.0.1.10
 port http
 port ssl
 bind http rs1 http rs2 http
 bind ssl rs1 ssl rs2 ssl

http match-list health1
 default down
 up simple everythingsaok

On Fri, 2005-08-19 at 19:21, Matt Stockdale wrote:
> I've checked the archives briefly, and I've been staring at the docs for
> a while, but it's Friday and my brain is frazzled. I'm hoping someone
> can take pity on me and answer this -
>
> Can I configure a real server to mark all ports as failed if any one of
> them fails? I've been looking at the port groups, but those seem to be
> more for sticky..
>
> (Specifically, the code we are running on one of our old XL's doesn't
> allow us to do in depth health checks on port 443, I want it to fail
> that port if the content-matching on port 80 fails. I'll upgrade if I
> have to, but it will affect many customers, and I'd rather avoid it)
>
> Thanks in advance,
> Matt
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
configuring port groups for health checks [ In reply to ]
(I've tried posting this a couple times but got bounced so forgive any
duplicates)

Here's an example config (with comments):

#first, create a http match list to check a page for a certain string
that shows server is connected to database#

http match-list m1
 default down
 up simple "Good"

#Then create your healthcheck for the primary port that will bring the
others down in a failure#

healthck policy1 tcp
 dest-ip 10.10.10.1
 port http
 protocol http
 protocol http url "GET /test.htm"
 protocol http content-match m1
 l7-check

#now create a second healthcheck to check the secondary port that will
be brought down when the first one fails#

healthck policy2 tcp
 dest-ip 10.10.10.1
 port 443
 l7-check

#create a boolean for the two ports#

healthck policy3 boolean
 and policy1 policy2

#And now your server config#

server real rs1 10.10.10.1
 port http
 port http keepalive
 port http url "GET /test.htm"
 port http content-match m1
 port 443
 port 443 keepalive
 port 443 healthck policy3
!

Here is a sample config for a Windows Media streaming server, that will
check a web page served on port 8080, and then fail http, mms and rtsp
if the page doesn't return the string "OK"

http match-list streamglobal
 default down
 up simple "OK"
!
healthck stream03policy8080 tcp
 dest-ip 10.10.10.2
 port 8080
 protocol http
 protocol http url "GET /servercheck.aspx"
 protocol http content-match streamglobal
 l7-check
!
healthck stream03policyhttp tcp
 dest-ip 10.10.10.2
 port http
 l4-check
!
healthck stream03policyrtsp tcp
 dest-ip 10.10.10.2
 port rtsp
 l4-check
!
healthck stream03policymms tcp
 dest-ip 10.10.10.2
 port mms
 l4-check
!
healthck stream03httppolicy boolean
 and stream03policy8080 stream03policyhttp
!
healthck stream03rtsppolicy boolean
 and stream03policy8080 stream03policyrtsp
!
healthck stream03mmspolicy boolean
 and stream03policy8080 stream03policymms
!
server real stream03 10.10.10.2
 port default disable
 weight 1 0
 port 8080
 port 8080 keepalive
 port 8080 url "GET /servercheck.aspx"
 port 8080 content-match streamglobal
 port http
 port http keepalive
 port http healthck stream03httppolicy
 port rtsp
 port rtsp keepalive
 port rtsp healthck stream03rtsppolicy
 port mms
 port mms keepalive
 port mms healthck stream03mmspolicy
!




> -----Original Message-----
> From: foundry-nsp-bounces at puck.nether.net
> [mailto:foundry-nsp-bounces at puck.nether.net] On Behalf Of
> Matt Stockdale
> Sent: Friday, August 19, 2005 4:30 PM
> To: foundry-nsp at puck.nether.net
> Subject: Re: [f-nsp] configuring port groups for health checks
>
> As is usually the case, posting to the list causes a flash of insight.
>
> Can I define an external health check (per server, I suppose)
> that does the layer 7 content matching, and then apply it to port ssl?
>
> Will this cause it to mark port 443 as failed if the
> healthcheck fails on port 80?
>
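
Added example, not part of the original posts and not Foundry code: a Python emulation of the policy1 / policy2 / policy3 logic from the config above, run against a constructed local backend. It assumes substring matching for "up simple", a required 200 status (as in the earlier "status-code 200 200" line) and a plain TCP connect for the secondary port. It shows the case the thread is about: the TCP check keeps passing while the page content says the application is broken.

```python
import http.client
import http.server
import socket
import threading

M1 = [("up", "Good")]  # http match-list m1: default down / up simple "Good"

def match_list(body, rules, default="down"):
    """First matching 'simple' substring rule wins; otherwise the default state."""
    for state, needle in rules:
        if needle in body:
            return state
    return default

def l7_check(host, port, path, rules, timeout=2.0):
    """policy1-style probe: HTTP GET, require 200 and a match-list verdict of up."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1")
        return resp.status == 200 and match_list(body, rules) == "up"
    except (OSError, http.client.HTTPException):
        return False  # refused, timed out or malformed reply: treat as down
    finally:
        conn.close()

def l4_check(host, port, timeout=2.0):
    """policy2-style probe: the port is up if a TCP connection can be opened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run_demo():
    """Probe a constructed local backend while its page is healthy, then broken."""
    page = {"body": b"Good"}

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(page["body"])

        def log_message(self, *args):  # keep the demo quiet
            pass

    web = http.server.HTTPServer(("127.0.0.1", 0), Handler)  # stands in for port http
    threading.Thread(target=web.serve_forever, daemon=True).start()
    ssl_port = socket.socket()                                # stands in for port 443
    ssl_port.bind(("127.0.0.1", 0))
    ssl_port.listen(5)

    results = {}
    for label, body in (("healthy", b"Good"), ("db_down", b"DB connection failed")):
        page["body"] = body
        p1 = l7_check("127.0.0.1", web.server_port, "/test.htm", M1)
        p2 = l4_check("127.0.0.1", ssl_port.getsockname()[1])
        # healthck policy3 boolean / and policy1 policy2
        results[label] = {"policy1": p1, "policy2": p2, "policy3": p1 and p2}
    web.shutdown()
    web.server_close()
    ssl_port.close()
    return results

if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(label, verdict)
```
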
configuring port groups for health checks [ In reply to ]
Sweet - thanks.

Question - in policy1 you're applying content-match m1 to port http, but
you also do so in the real server. Does it need to be duplicated? Could
I just do port http healthck policy1 on it?

On Fri, 2005-08-19 at 19:49, Dan Norton wrote:
> Here's an example config (with comments):
configuring port groups for health checks [ In reply to ]
The first example is direct from Foundry support. The second is our
version of it.

It does need to be duplicated according to them.


> -----Original Message-----
> From: foundry-nsp-bounces at puck.nether.net
> [mailto:foundry-nsp-bounces at puck.nether.net] On Behalf Of
> Matt Stockdale
> Sent: Friday, August 19, 2005 5:03 PM
> To: Dan Norton
> Cc: foundry-nsp at puck.nether.net
> Subject: Re: [f-nsp] configuring port groups for health checks
>
> Sweet - thanks.
>
> Question - in policy1 you're applying content-match m1 to port
> http, but you also do so in the real server. Does it need to
> be duplicated? Could I just do port http healthck policy1 on it?
configuring port groups for health checks [ In reply to ]
We have accomplished this using Track groups in the past. Group port 80 as
the primary and 443 as the grouped service. If port 80 should fail its
healthcheck, all the rest of the ports that are in the same group will also
be taken out of service. Yes it is more for sticky but it does exactly
what you want in a fairly easy to configure fashion.

"

track

You can configure the SI to send all client requests for a specific set of
TCP/UDP ports to the same real server as a "primary" TCP/UDP port grouped
with the other ports. You can group a primary TCP/UDP port with up to four
additional TCP/UDP ports. After the SI sends a client request for the
primary port to a real server, subsequent requests from the client for
ports grouped with the primary port go to the same real server. See
"TCP/UDP Application Groups"
<http://www.foundrynet.com/services/documentation/sichassis/slb.html#wp105437>
for an example of application grouping.

Note that if any service port is down for a real server, any track ports on
that real server are not considered for load balancing.
"

http://www.foundrynet.com/services/documentation/sichassis/slb.html#wp105437

That link is for chassis but the config should be the same on the
stackables. Give it a shot.

-Brent

configuring port groups for health checks [ In reply to ]
We've been using the "track-group" command on the stackables for years
without any issues. Here's a sample config...


server no-fast-bringup
server sticky-age 30
server tcp-age 2

server port 80
 tcp

server port 443
 session-sync
 tcp
!
server real web1-0.net1 x.x.x.x
 port ssl
 port ssl keepalive
 port http
 port http keepalive
 port http url "HEAD /HealthCheck.html"
!
server real web1-0.net2 x.x.x.x
 port ssl
 port ssl keepalive
 port http
 port http keepalive
 port http url "HEAD /HealthCheck.html"
!
server real web2-0.net1 x.x.x.x
 port http
 port http keepalive
 port http url "HEAD /HealthCheck.html"
 port ssl
 port ssl keepalive
!
server real web2-0.net2 x.x.x.x
 port http
 port http keepalive
 port http url "HEAD /HealthCheck.html"
 port ssl
 port ssl keepalive
!
server virtual webvip1 z.z.z.z
 sym-priority 10
 predictor round-robin
 port ssl sticky
 port ssl dsr
 port http sticky
 port http dsr
 track-group http 443
 bind ssl web1-0.net1 ssl web1-0.net2 ssl web2-0.net1 ssl web2-0.net2 ssl
 bind http web1-0.net1 http web1-0.net2 http web2-0.net1 http web2-0.net2 http




-----Original Message-----
From: foundry-nsp-bounces@puck.nether.net
[mailto:foundry-nsp-bounces at puck.nether.net] On Behalf Of Brent Van
Dussen
Sent: Saturday, August 20, 2005 10:50 AM
To: Matt Stockdale; foundry-nsp at puck.nether.net
Subject: Re: [f-nsp] configuring port groups for health checks

We have accomplished this using Track groups in the past. Group port 80
as the primary and 443 as the grouped service. If port 80 should fail
its healthcheck, all the rest of the ports that are in the same group
will also be taken out of service. Yes it is more for sticky but it
does exactly what you want in a fairly easy to configure fashion.