11-11-2013 04:08 AM
Hello Guys,
Hope you are all doing well. I need some help in setting up my HTTPS health monitor for real servers.
I am configuring it on ACE appliance 4710 but the probe appears failing.
The VIP is listening on port 443 and 8080, the cert is not uploaded to ACE but eventually it will be on ACE so SSL will terminate on ACE but not at the minute.
The user doesn't want to enable port 80 on the server, so will need an HTTPS health probe configuring. Following is my config for the HTTPS health probe, but it is failing.
probe https SSDSD-ServerAvailability-443
interval 5
passdetect interval 5
ssl version all
request method head url //ssdsd/servlet/SDLogin
expect status 200 200
As per my knowledge, HTTPS is also an HTTP probe but encrypted. Please see the detailed output below and let me know if I am missing anything.
probe : SSDSD-ServerAvailability-443
type : HTTPS
state : ACTIVE
description :
----------------------------------------------
port : 443 address : 0.0.0.0
addr type : - interval : 5 pass intvl : 5
pass count: 3 fail count: 3 recv timeout: 10
SSL version : All
SSL cipher : RSA_ANY
http method : HEAD
http url : //ssdsd/servlet/SDLogin
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
regex cache-len : 0
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
serverfarm : SSDSD_SF
real : SSDSD-AL2[0]
192.168.225.26 443 VIP 48611 1834 46777 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 2
No. Probes skipped : 1 Last status code : 302
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Mon Nov 11 04:05:10 2013
Last fail time : Mon Nov 11 02:10:00 2013
Last active time : Fri Nov 8 09:09:31 2013
192.168.225.26 8080 VIP 48613 48613 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Connection reset by server
Last probe time : Mon Nov 11 04:05:14 2013
Last fail time : Fri Nov 8 08:34:10 2013
Last active time : Never
real : SSDSD-AL3[0]
192.168.225.27 443 VIP 48612 1817 46795 FAILED
Socket state : CLOSED
No. Passed states : 1 No. Failed states : 2
No. Probes skipped : 0 Last status code : 302
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Received invalid status code
Last probe time : Mon Nov 11 04:05:10 2013
Last fail time : Mon Nov 11 02:10:00 2013
Last active time : Fri Nov 8 09:09:31 2013
192.168.225.27 8080 VIP 48613 48613 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Connection reset by server
Last probe time : Mon Nov 11 04:05:12 2013
Last fail time : Fri Nov 8 08:34:08 2013
Last active time : Never
PHH104-N3-ACE-1/N3#
I am confused by the last status code, which shows 302. Any help from your side will be a lifeline for me.
Regards,
Amjad Hashim.
11-11-2013 04:51 AM
Hi Amjad,
I see the last disconnect err: "Received invalid status code" which means that ACE is not getting what is expected (code 200) for it to mark the server as passed.
Also, I see you have configured the URL "request method head url //ssdsd/servlet/SDLogin". Why are you using two slashes "//"? Can you try with only one?
Also, if you configure a probe on TCP port 443, does it pass? I see last disconnect err: connection reset by server as well, and that could be due to the fact that service was there on server. Looks unlikely, since the above probes failed due to a wrong status code, which means that the SSL handshake happened.
You can take a pcap on server as well as ACE to see what is going on. You might need to use private key to decrypt the captures if the failure is after SSL handshake has completed to see what status code server is sending. You can also use TCP 443 based probe as workaround till you can arrange pcaps and figure out what is wrong.
Regards,
Kanwal
11-11-2013 05:48 AM
Hi Kanwaljeet,
Thanks for your quick reply. I have changed the double slash to a single one, but in vain.
When you said TCP port 443, do you mean HTTP on port 443? I have tried and it is not receiving any response at all.
One more question: is 200 the correct response code for an HTTPS header?
Regards,
Amjad Hashim.
11-11-2013 05:57 AM
Hi Amjad,
By TCP port probe I mean you use a TCP-based probe, not HTTP. So ACE will probe the server on TCP port 443, on which the SSL service is running on the server.
Regarding the response code, it is the HTTP response code. HTTPS, as you know, is secure HTTP. You should know if the above configured URL will get the 200 OK response or not.
You can take a pcap on client itself to see what is going on or on ACE itself as well.
Regards,
Kanwal
11-11-2013 07:29 AM
Hello Kanwaljeet,
Thanks once again for your quick reply. It was some sort of redirect that the user was using to redirect clients to the login page. We were trying to monitor the same login page and were getting 302.
We changed the monitoring to a different static page in root and same https monitor probe started working. Thanks for your help, take care.
Regards,
Amjad Hashim.
11-11-2013 07:31 AM
Hi Amjad,
Sounds good. I could figure from last status code 302 that there was a redirect but somehow didn't mention it.
But I am glad it is resolved and working.
Regards,
Kanwal
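An added example, not part of the original thread or of any Cisco tooling: a small Python check that sends the same kind of HEAD request the probe sends, without following redirects, and judges the status against an expected range the way "expect status 200 200" does. The function names, the verify switch and the plain-HTTP mode are assumptions made for this example.

```python
import http.client
import ssl
import sys

def in_expected(status, ranges=((200, 200),)):
    """True if status is inside any (min, max) pair, like 'expect status 200 200'."""
    return any(lo <= status <= hi for lo, hi in ranges)

def probe(host, port, path, ranges=((200, 200),), use_tls=True,
          verify=True, timeout=10):
    """Send one HEAD request, do NOT follow redirects, judge against ranges."""
    if use_tls:
        ctx = ssl.create_default_context()
        if not verify:
            # Only for real servers with self-signed certs on a trusted segment.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                           context=ctx)
    else:
        # Plain HTTP exists only so the logic can be exercised without a cert.
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        status, location = resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException) as exc:
        # Refused or reset connections and TLS failures: no HTTP status at
        # all, reported as 0 as in the "Last status code : 0" entries above.
        return {"passed": False, "status": 0, "location": None,
                "error": str(exc)}
    finally:
        conn.close()
    return {"passed": in_expected(status, ranges), "status": status,
            "location": location, "error": None}

if __name__ == "__main__":
    # Usage: script.py <host> <port> <path>; verification is disabled here
    # on the assumption that the real server presents a self-signed cert.
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(probe(host, port, path, verify=False))
```

A URL that answers with a redirect comes back as passed=False together with its Location header, which is the situation the thread resolved by probing a static page instead.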