Content status

jenssri
Level 1

I have a content rule on a CSS 11501 running version 07.40.1.03 that has two services assigned to it. If both of these services are down the content rule still shows as alive on the css. What I would like the ability to do is to either use snmp to monitor a content rule for being down or be able to create an rmon event to generate a trap as I have not been able to find a useful OID for a content rule status.

So a twofold question.

First off, should the content rule show as down (or dead) when all of the services that are attached to it are down? If so what might I be missing?

Secondly (if there is a method to show the rule as being down), is there an OID that will show a status change for a content rule?

Copy of one of my two services, the other being the same except for on a different address.

service testhearcimportservice591
  ip address 172.25.6.33
  keepalive frequency 20
  keepalive retryperiod 20
  keepalive method get
  keepalive type http
  active

Copy of the content rule

content testarcimportservice
  vip address 172.16.5.211
  add service testhearcimportservice591
  add service testhearcimportservice592
  protocol tcp
  port 80
  url "/*"
  balance leastconn
  advanced-balance sticky-srcip-dstport
  active

Any assistance in this matter is greatly appreciated.

7 Replies

Zach Seils
Level 7

L5 content rules (which you have configured) stay active regardless of the status of the underlying services. This is done because the tcp session must be spoofed and the first http 'get' received to determine if there is a match against the rule.

With L3/4 content rules, the rule will go down if all of the services are unavailable. In that case, you can obtain the content rule status from the apCntStatus variable in the cntExt.mib.

~Zach

jenssri
Level 1

I have changed my content rule to the following which I believe changes this to no longer being a L5 rule.

content testarcimportservice
  vip address 172.16.5.211
  add service testhearcimportservice591
  add service testhearcimportservice592
  balance leastconn
  active

Still, when the services are both down, the content rule shows as being alive. Is this content rule moved into an L5 due to the keepalive type which I have? The problem is if I change keepalive to icmp or tcp and the web service goes down, the server will still do either an icmp reply or a three-way handshake, so this is why I am doing the keepalive the way I am. Any suggestions?

The keepalive type should not affect this. Can you post the output from:

show rule owner_name rule_name

as well as the WebNS version you are running?

Thanks,

Zach

Here is the info you are looking for. The show rule was done while both services (web services stopped) were in a down state. WebNS version is 07.40.1.03

Name: testarcimportservice Owner: GBHEtest
State: Active Type: HTTP
Balance: Round Robin Failover: N/A
Persistence: Enabled Param-Bypass: Disabled
Session Redundancy: Disabled
IP Redundancy: Not Redundant
L3: 172.16.5.211
L4: Any/Any
Url:
Redirect: ""
TCP RST client if service unreachable: Disabled
Rule Services & Weights:
1: testhearcimportservice591-Down, S-1
2: testhearcimportservice592-Down, S-1

After doing some testing in the lab, I found that the service state actually does *not* change when all of the underlying services are down. However, with L3/4 rules, the CSS will not accept incoming connections on that content rule -- it will simply drop the packets.

~Zach

So from what it seems like, there is no way to create an alert for the content rule as there is no method of determining internal to the CSS that the content rule is down. Kind of what I was beginning to think. Any thoughts in regards to something else that I can use internal to the CSS to determine that a content rule is no longer accepting connections in order to generate an alert? Trying to avoid having to use an external service to monitor the VIP address.

A couple of things come to mind:

1. You can monitor the status of the individual services (which I assume you would want to do anyway).

2. You can monitor how many connections are rejected by the content rule because no services were available. The object in the cntext.mib is called 'apCntRejNoServices'. This is a count, so you would need to generate an alert if the delta between two (2) samples was >0.

~Zach
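The delta check described in the reply above, as an added example that is not part of the original thread: it compares two polls of apCntRejNoServices per content rule and reports rules whose counter advanced. It assumes the object is a 32-bit SNMP counter and that some SNMP poller supplies the values together with sysUpTime; the sample values and the rule name otherrule are constructed.

```python
"""Delta alerting on apCntRejNoServices between two polls (added example)."""
from dataclasses import dataclass

COUNTER32_MOD = 2 ** 32  # assumption: the counter is a 32-bit SNMP counter


@dataclass(frozen=True)
class Sample:
    sys_uptime: int  # sysUpTime (TimeTicks) read in the same poll
    rejects: dict    # (owner, rule) -> apCntRejNoServices value


def counter_delta(prev, curr, restarted):
    """Rejected connections between two polls of one counter."""
    if restarted:
        return curr                      # counter started again from zero
    if curr >= prev:
        return curr - prev
    return curr + COUNTER32_MOD - prev   # counter wrapped past 2^32 - 1


def rules_rejecting(prev, curr):
    """Return {(owner, rule): delta} for every rule whose delta is > 0."""
    # A lower sysUpTime than last poll is treated as a device restart.
    # sysUpTime itself wraps after roughly 497 days, which this would
    # also read as a restart.
    restarted = curr.sys_uptime < prev.sys_uptime
    alerts = {}
    for key, value in curr.rejects.items():
        if key not in prev.rejects:
            continue  # rule added since the last poll: no baseline yet
        delta = counter_delta(prev.rejects[key], value, restarted)
        if delta > 0:
            alerts[key] = delta
    return alerts


# Constructed sample polls; "otherrule" is a hypothetical second rule.
RULE = ("GBHEtest", "testarcimportservice")
OTHER = ("GBHEtest", "otherrule")
POLL1 = Sample(1_000_000, {RULE: 4_294_967_290, OTHER: 12})
POLL2 = Sample(1_002_000, {RULE: 5, OTHER: 12})  # RULE wrapped
POLL3 = Sample(500, {RULE: 0, OTHER: 3})         # device restarted

if __name__ == "__main__":
    for before, after in ((POLL1, POLL2), (POLL2, POLL3)):
        for (owner, rule), n in rules_rejecting(before, after).items():
            print(f"ALERT {owner}/{rule}: {n} connections rejected, no services")
```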
