Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2249
Views
0
Helpful
5
Replies

Https health monitor not working on ACE.

Amjad Hashim
Level 1
Level 1

‎11-11-2013 04:08 AM

Hello Guys,

Hope you are all doing well, i need some help in setting up my https health monitor for real servers.

I am configuring it on ACE appliance 4710 but the probe appears failing.

The VIP is listening on port 443 and 8080, the cert is not uploaded to ACE but eventually it will be on ACE so SSL will terminate on ACE but not at the minute.

The user don't want to enable port 80 on server so will need https health probe configuring. Following is my config for https health probe but it is failing.

probe https SSDSD-ServerAvailability-443

  interval 5

  passdetect interval 5

  ssl version all

  request method head url //ssdsd/servlet/SDLogin

  expect status 200 200

As per my knowledge https is also an http probe but encrypted. Please see the detailed output below and let me know if i am missing anything.

probe       : SSDSD-ServerAvailability-443

type        : HTTPS

state       : ACTIVE

description :

----------------------------------------------

   port      : 443          address   : 0.0.0.0

   addr type : -            interval  : 5       pass intvl  : 5   

   pass count: 3            fail count: 3       recv timeout: 10  

   SSL version      : All

   SSL cipher       : RSA_ANY

   http method      : HEAD

   http url         : //ssdsd/servlet/SDLogin

   conn termination : GRACEFUL 

   expect offset    : 0         , open timeout     : 1        

   regex cache-len  : 0        

   expect regex     : -

   send data        : -

                ------------------ probe results ------------------

   associations     ip-address         port porttype probes failed passed health

   ------------ ----------------------+----+--------+------+------+------+------

   serverfarm  : SSDSD_SF

     real      : SSDSD-AL2[0]

                        192.168.225.26  443 VIP     48611  1834   46777  FAILED

   Socket state        : CLOSED

   No. Passed states   : 1         No. Failed states : 2

   No. Probes skipped  : 1         Last status code  : 302

   No. Out of Sockets  : 0         No. Internal error: 0

   Last disconnect err : Received invalid status code

   Last probe time     : Mon Nov 11 04:05:10 2013

   Last fail time      : Mon Nov 11 02:10:00 2013

   Last active time    : Fri Nov  8 09:09:31 2013

                        192.168.225.26 8080 VIP     48613  48613  0      FAILED

   Socket state        : CLOSED

   No. Passed states   : 0         No. Failed states : 1

   No. Probes skipped  : 0         Last status code  : 0

   No. Out of Sockets  : 0         No. Internal error: 0

   Last disconnect err : Connection reset by server

   Last probe time     : Mon Nov 11 04:05:14 2013

   Last fail time      : Fri Nov  8 08:34:10 2013

   Last active time    : Never

     real      : SSDSD-AL3[0]

                        192.168.225.27  443 VIP     48612  1817   46795  FAILED

   Socket state        : CLOSED

   No. Passed states   : 1         No. Failed states : 2

   No. Probes skipped  : 0         Last status code  : 302

   No. Out of Sockets  : 0         No. Internal error: 0

   Last disconnect err : Received invalid status code

   Last probe time     : Mon Nov 11 04:05:10 2013

   Last fail time      : Mon Nov 11 02:10:00 2013

   Last active time    : Fri Nov  8 09:09:31 2013

                        192.168.225.27 8080 VIP     48613  48613  0      FAILED

   Socket state        : CLOSED

   No. Passed states   : 0         No. Failed states : 1

   No. Probes skipped  : 0         Last status code  : 0

   No. Out of Sockets  : 0         No. Internal error: 0

   Last disconnect err : Connection reset by server

   Last probe time     : Mon Nov 11 04:05:12 2013

   Last fail time      : Fri Nov  8 08:34:08 2013

   Last active time    : Never

PHH104-N3-ACE-1/N3#

I am confused with the last status code which shows 302 any help from your side will be a life line for me.

Regards,

Amjad Hashim.

Labels:
0 Helpful
5 Replies 5

Kanwaljeet Singh
Cisco Employee
Cisco Employee

‎11-11-2013 04:51 AM

Hi Amjad,

I see the last disconnect err: "Received invalid status code" which means that ACE is not getting what is  expected (code 200) for it to mark the server as passed.

Also, i see you have configured url "request method head url //ssdsd/servlet/SDLogin", why are you using two slashes "//", can you try with only one?

Also, if you configure probe on TCP PORT 443 does  it pass? I see last disconnect err: connection reset by server as well and that could be due to the fact that service was there on  server. Looks unlikely since above probes failed due to wrong status code which means that SSL handshake happened.

You can take a pcap on server as well as ACE to see what is going on. You might need to use private key to decrypt the captures if the failure is after SSL handshake has completed to see what status code server is sending. You can also use TCP 443 based probe as workaround till you can arrange pcaps and figure out what is wrong.

Regards,

Kanwal

0 Helpful

Amjad Hashim
Level 1
Level 1
In response to Kanwaljeet Singh

‎11-11-2013 05:48 AM

Hi Kanwaljeet,

Thanks for your quick reply, i have changed the double slash to single but of no vain .

When you said tcp port 443 do you mean http on port 443?? I have tried and it is not receiving any response at all.

One more question 200 response code is it the correct response code for https header??

Regards,

Amjad Hashim.

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to Amjad Hashim

‎11-11-2013 05:57 AM

Hi Amjad,

By TCP PORT porbe i mean you use TCP based probe not http. So ACE will probe the server on TCP PORT 443 on which SSL service is running on server.

Regarding the response code, it is HTTP response code. HTTPS as you know secure HTTP. You should know if the above configured URL will get the 200 response OK or not.

You can take a pcap on client itself to see what is going on or on ACE itself as well.

Regards,

Kanwal

0 Helpful

Amjad Hashim
Level 1
Level 1
In response to Kanwaljeet Singh

‎11-11-2013 07:29 AM

Hello Kanwaljeet,

Thanks once again for your quick reply, it was somesort of redirect that user was using to redirect clients to login page. We were trying to monitor the same login page and were getting 302.

We changed the monitoring to a different static page in root and same https monitor probe started working. Thanks for your help, take care.

Regards,

Amjad Hashim.

0 Helpful

Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to Amjad Hashim

‎11-11-2013 07:31 AM

Hi Amjad,

Sounds good. I could figure from last status code 302 that there was a redirect but somehow didn't mention it.

But i am glad it is resolved and working.

Regards,

Kanwal

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents