Https health monitor not working on ACE.

Nov 11th, 2013

Hello Guys,


Hope you are all doing well. I need some help in setting up my HTTPS health monitor for real servers.

I am configuring it on ACE appliance 4710 but the probe appears to be failing.

The VIP is listening on port 443 and 8080. The cert is not uploaded to ACE, but eventually it will be on ACE, so SSL will terminate on ACE, but not at the minute.

The user doesn't want to enable port 80 on the server, so I will need an HTTPS health probe configured. Following is my config for the HTTPS health probe, but it is failing.


probe https SSDSD-ServerAvailability-443
  interval 5
  passdetect interval 5
  ssl version all
  request method head url //ssdsd/servlet/SDLogin
  expect status 200 200


As per my knowledge, HTTPS is also an HTTP probe but encrypted. Please see the detailed output below and let me know if I am missing anything.




probe       : SSDSD-ServerAvailability-443
type        : HTTPS
state       : ACTIVE
description :
----------------------------------------------
   port      : 443          address   : 0.0.0.0
   addr type : -            interval  : 5       pass intvl  : 5
   pass count: 3            fail count: 3       recv timeout: 10
   SSL version      : All
   SSL cipher       : RSA_ANY
   http method      : HEAD
   http url         : //ssdsd/servlet/SDLogin
   conn termination : GRACEFUL
   expect offset    : 0         , open timeout     : 1
   regex cache-len  : 0
   expect regex     : -
   send data        : -
                ------------------ probe results ------------------
   associations     ip-address         port porttype probes failed passed health
   ------------ ----------------------+----+--------+------+------+------+------
   serverfarm  : SSDSD_SF
     real      : SSDSD-AL2[0]
                        192.168.225.26  443 VIP     48611  1834   46777  FAILED

   Socket state        : CLOSED
   No. Passed states   : 1         No. Failed states : 2
   No. Probes skipped  : 1         Last status code  : 302
   No. Out of Sockets  : 0         No. Internal error: 0
   Last disconnect err : Received invalid status code
   Last probe time     : Mon Nov 11 04:05:10 2013
   Last fail time      : Mon Nov 11 02:10:00 2013
   Last active time    : Fri Nov  8 09:09:31 2013

                        192.168.225.26 8080 VIP     48613  48613  0      FAILED

   Socket state        : CLOSED
   No. Passed states   : 0         No. Failed states : 1
   No. Probes skipped  : 0         Last status code  : 0
   No. Out of Sockets  : 0         No. Internal error: 0
   Last disconnect err : Connection reset by server
   Last probe time     : Mon Nov 11 04:05:14 2013
   Last fail time      : Fri Nov  8 08:34:10 2013
   Last active time    : Never

     real      : SSDSD-AL3[0]
                        192.168.225.27  443 VIP     48612  1817   46795  FAILED

   Socket state        : CLOSED
   No. Passed states   : 1         No. Failed states : 2
   No. Probes skipped  : 0         Last status code  : 302
   No. Out of Sockets  : 0         No. Internal error: 0
   Last disconnect err : Received invalid status code
   Last probe time     : Mon Nov 11 04:05:10 2013
   Last fail time      : Mon Nov 11 02:10:00 2013
   Last active time    : Fri Nov  8 09:09:31 2013

                        192.168.225.27 8080 VIP     48613  48613  0      FAILED

   Socket state        : CLOSED
   No. Passed states   : 0         No. Failed states : 1
   No. Probes skipped  : 0         Last status code  : 0
   No. Out of Sockets  : 0         No. Internal error: 0
   Last disconnect err : Connection reset by server
   Last probe time     : Mon Nov 11 04:05:12 2013
   Last fail time      : Fri Nov  8 08:34:08 2013
   Last active time    : Never

PHH104-N3-ACE-1/N3#


I am confused by the last status code, which shows 302. Any help from your side will be a lifeline for me.



Regards,


Amjad Hashim.

Fnu Kanwaljeet Singh Mon, 11/11/2013 - 04:51
User Badges: Cisco Employee

Hi Amjad,


I see the last disconnect err: "Received invalid status code", which means that ACE is not getting what is expected (code 200) for it to mark the server as passed.

Also, I see you have configured the URL "request method head url //ssdsd/servlet/SDLogin". Why are you using two slashes "//"? Can you try with only one?

Also, if you configure a probe on TCP port 443, does it pass? I see last disconnect err: "Connection reset by server" as well, and that could be due to the fact that service was there on server. Looks unlikely, since the above probes failed due to wrong status code, which means that the SSL handshake happened.

You can take a pcap on the server as well as on ACE to see what is going on. You might need to use the private key to decrypt the captures if the failure is after the SSL handshake has completed, to see what status code the server is sending. You can also use a TCP 443 based probe as a workaround till you can arrange pcaps and figure out what is wrong.


Regards,

Kanwal

Amjad Hashim Mon, 11/11/2013 - 05:48

Hi Kanwaljeet,


Thanks for your quick reply. I have changed the double slash to a single one, but to no avail.

When you said TCP port 443, do you mean HTTP on port 443? I have tried it and it is not receiving any response at all.

One more question: is the 200 response code the correct response code for an HTTPS header?



Regards,


Amjad Hashim.

Fnu Kanwaljeet Singh Mon, 11/11/2013 - 05:57
User Badges: Cisco Employee

Hi Amjad,


By TCP port probe I mean you use a TCP-based probe, not HTTP. So ACE will probe the server on TCP port 443, on which the SSL service is running on the server.

Regarding the response code, it is the HTTP response code. HTTPS, as you know, is secure HTTP. You should know whether the above configured URL will get the 200 OK response or not.

You can take a pcap on the client itself to see what is going on, or on ACE itself as well.


Regards,

Kanwal

Amjad Hashim Mon, 11/11/2013 - 07:29

Hello Kanwaljeet,

Thanks once again for your quick reply. It was some sort of redirect that the user was using to redirect clients to the login page. We were trying to monitor the same login page and were getting 302.

We changed the monitoring to a different static page in the root and the same HTTPS monitor probe started working. Thanks for your help, take care.


Regards,


Amjad Hashim.

Fnu Kanwaljeet Singh Mon, 11/11/2013 - 07:31
User Badges: Cisco Employee

Hi Amjad,


Sounds good. I could figure from the last status code 302 that there was a redirect but somehow didn't mention it.

But I am glad it is resolved and working.


Regards,

Kanwal
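
The diagnosis reached in this thread (a last status code of 302 against "expect status 200 200" means the probed URL redirects, while a status code of 0 means no HTTP response arrived at all) can be automated when triaging many probes. The following is an added example, not part of the original posts or any Cisco tooling; the names parse, diagnose and SAMPLE are hypothetical, and the sample text is constructed by trimming the output posted above.

```python
import re

# Constructed sample: trimmed from the layout of the "show probe ... detail"
# output posted in this thread (one entry per failure mode).
SAMPLE = """\
     real      : SSDSD-AL2[0]
                        192.168.225.26  443 VIP     48611  1834   46777  FAILED
   Socket state        : CLOSED
   No. Probes skipped  : 1         Last status code  : 302
   Last disconnect err : Received invalid status code
                        192.168.225.26 8080 VIP     48613  48613  0      FAILED
   Socket state        : CLOSED
   No. Probes skipped  : 0         Last status code  : 0
   Last disconnect err : Connection reset by server
"""

REAL = re.compile(r"^\s*real\s*:\s*(\S+)")
ENTRY = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+\S+\s+\d+\s+\d+\s+\d+\s+(\S+)\s*$")
CODE = re.compile(r"Last status code\s*:\s*(\d+)")
ERR = re.compile(r"Last disconnect err\s*:\s*(.+?)\s*$")

def parse(text):
    """Return one dict per (real server, port) entry in the probe results."""
    entries, real = [], None
    for line in text.splitlines():
        if m := REAL.match(line):
            real = m.group(1)
        elif m := ENTRY.match(line):
            entries.append({"real": real, "ip": m.group(1), "port": int(m.group(2)),
                            "health": m.group(3), "code": None, "err": None})
        elif entries:
            if m := CODE.search(line):
                entries[-1]["code"] = int(m.group(1))
            if m := ERR.search(line):
                entries[-1]["err"] = m.group(1)
    return entries

def diagnose(entry, expect=(200, 200)):
    """Classify a failed entry against the probe's 'expect status' range."""
    (lo, hi), code = expect, entry["code"]
    if entry["health"] != "FAILED":
        return "healthy"
    if not code:  # 0 or missing: the probe never got an HTTP status line
        return "no HTTP response on port %d (%s)" % (entry["port"], entry["err"])
    if 300 <= code <= 399 and not lo <= code <= hi:
        return "redirect: URL answers %d; probe a page that returns %d directly" % (code, lo)
    if not lo <= code <= hi:
        return "unexpected status %d, outside %d-%d" % (code, lo, hi)
    return "last status within expected range; check disconnect err (%s)" % entry["err"]
```

Running diagnose over each entry returned by parse separates the two failures seen here: the port 443 entries are redirects, and the port 8080 entries never return an HTTP status.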
