08-14-2012 12:28 AM - edited 08-29-2017 05:26 AM
Health monitoring on the ACE tracks the state of a server by sending out probes. With out-of-band health monitoring, the ACE verifies the server response or checks for any network problems that can prevent a client from reaching a server. This is the default method, and in this case the ACE uses ARP and health probes to monitor the health of all real servers. Inband health monitoring, when configured, informs the ACE load balancer of connection failures on the real servers in a server farm. This method detects real-server failures much faster. When a failure-count threshold is configured and the number of these failures exceeds the threshold within the reset-time interval, the ACE immediately marks the server as failed, takes it out of service, and removes it from load balancing.
By default, no probes are configured in the ACE. With probe-based monitoring, also referred to as out-of-band (OOB) health monitoring, the ACE verifies the server response to a probe or checks for any network problems that can prevent a client from reaching a server. Based on the server response, the ACE can place the server in or out of service and can make reliable load-balancing decisions. You can also use health monitoring to detect failures for a gateway or a host in high-availability (redundant) configurations.
The ACE evaluates the health of a server by marking the probes as follows:
Passed—The server returns a valid response.
Failed—The server fails to provide a valid response to the ACE and the ACE is unable to reach a server for a specified number of retries.
With inband health monitoring, the resume-service option affects the behavior of the real server. If the state of a real server changes because of inband health monitoring, the standby ACE is not made aware of this change. Inband and out-of-band health monitoring can monitor different ports if you configure a different port for probes than the one used for traffic forwarding. You need to configure an inactivity timeout if you are configuring inband health monitoring containing a Layer 4 or Layer 7 class map.
Once the Cisco ACE is configured for load balancing, it is very simple to apply inband health monitoring to a serverfarm. See the “Basic Load Balancing Using Routed Mode on the Cisco Application Control Engine” document for an example of configuring load balancing.
Inband health monitoring is enabled within the server farm object of the configuration. For TCP connections, the inband health monitoring feature monitors connection-setup errors such as TCP RST and SYN timeout. For UDP connections, it monitors the ICMP destination unreachable messages from the server or intermediate routers.
The following configuration removes a real server from the load-balancing rotation if the number of connection failures within a 100-millisecond interval crosses 500, and brings the server back into the rotation 300 seconds after its removal. In other words, once the connection failure count crosses the configured limit (500), the server is removed from the rotation. The ACE starts sending connections to that server again after 300 seconds.
ACE-1/routed(config-cmap)# serverfarm web
ACE-1/routed(config-sfarm-host)# inband-health check remove 500 resume-service 300
Note: The ACE uses reset = 100 milliseconds as the default value. It is recommended to use the default, unless the nominal traffic to the VIP is very low (less than 100 connections per second).
Configuring inband health monitoring for UDP connections is similar to configuring it for TCP connections. When enabled, this feature monitors ICMP-related errors from servers or intermediate routers. Follow these steps:
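Why the reset interval matters on a low-traffic VIP, as an added example that is not part of the original document or of Cisco's code: a simplified model of the remove / reset / resume-service behavior described above, run with the "remove 16" threshold used later on this page for the UDP farm. The class, its field names, and the exact windowing rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Simplified model of "inband-health check remove <n> reset <ms> resume-service <s>".
# Assumptions (not confirmed by this page): the reset window opens at the first
# failure after a reset, and removal happens when the count exceeds the threshold.
@dataclass
class InbandHealth:
    threshold: int                     # remove <n>
    reset_ms: int = 100                # reset <ms>, default per the note above
    resume_s: int = 300                # resume-service <s>
    state: str = "OPERATIONAL"
    count: int = 0
    window_start: Optional[int] = None
    failed_at: Optional[int] = None

    def tick(self, now_ms):
        """Advance time; a removed server returns to rotation after resume-service."""
        if self.state == "INBAND-HM-FAILED" and now_ms - self.failed_at >= self.resume_s * 1000:
            self.state, self.count, self.window_start = "OPERATIONAL", 0, None
        return self.state

    def on_failure(self, now_ms):
        """Record one connection failure (TCP RST, SYN timeout, ICMP unreachable)."""
        if self.tick(now_ms) != "OPERATIONAL":
            return self.state          # out of rotation, nothing new to count
        if self.window_start is None or now_ms - self.window_start >= self.reset_ms:
            self.window_start, self.count = now_ms, 0   # reset interval expired
        self.count += 1
        if self.count > self.threshold:
            self.state, self.failed_at = "INBAND-HM-FAILED", now_ms
        return self.state

def first_removal(hm, failure_times_ms):
    """Return the time (ms) at which the server is removed, or None if never."""
    for t in failure_times_ms:
        if hm.on_failure(t) == "INBAND-HM-FAILED":
            return t
    return None

# Constructed input: a dead server on a quiet VIP, one failed connection every 20 ms.
FAILURES = list(range(0, 10_000, 20))

def demo():
    """Same failure stream, default reset versus an extended reset of 2000 ms."""
    default_reset = first_removal(InbandHealth(threshold=16), FAILURES)
    extended_reset = first_removal(InbandHealth(threshold=16, reset_ms=2000), FAILURES)
    return default_reset, extended_reset
```

With the default 100 ms reset the counter never gets past 5 before it is cleared, so the dead server stays in rotation; with a 2000 ms reset it is removed at the 17th failure.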
a) Create a new VIP for UDP traffic.
ACE-1/routed(config)# class-map udp-vip
ACE-1/routed(config-cmap)# match virtual-address 172.16.1.101 udp any
b) Create a new serverfarm for the UDP service. This example assumes it is a low-utilization service, which requires the sampling time to be extended.
ACE-1/routed(config)# show run serverfarm
serverfarm udp-svc
rserver lnx1
inservice
rserver lnx2
inservice
rserver lnx3
inservice
<…snip…>
ACE-1/routed(config-sfarm-host)# inband-health check remove 16 reset 2000 resume-service 300
c) Associate the UDP servers to the LB policy, then associate the VIP and LB policy to the existing service policy.
ACE-1/routed(config)# policy-map type loadbalance http first-match slb-udp
ACE-1/routed(config-pmap-lb)# class class-default
ACE-1/routed(config-pmap-lb-c)# serverfarm udp-svc
ACE-1/routed(config)# policy-map multi-match client-vips
ACE-1/routed(config-pmap)# class udp-vip
ACE-1/routed(config-pmap-c)# loadbalance policy slb-udp
ACE-1/routed(config-pmap-c)# loadbalance vip inservice
It is important to verify that the access-list on the server-side interface allows the ACE to accept the ICMP error messages from the real servers or intermediate routers. Inband health monitoring with UDP traffic will not work if the ICMP protocol is not allowed in the access-list.
ACE-1/routed# show access-list everyone
access-list:everyone, elements: 2, status: ACTIVE
remark :
access-list everyone line 8 extended permit ip any any (hitcount=55)
access-list everyone line 16 extended permit icmp any any (hitcount=20)
Use the following commands to check that inband health monitoring is working. For TCP connections:
ACE-1/routed# show serverfarm web
serverfarm : web, type: HOST
total rservers : 5
---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: lnx1
       192.168.1.11:0        8      OPERATIONAL  0          28         0
   rserver: lnx2
       192.168.1.12:0        8      OPERATIONAL  0          28         0
   rserver: lnx3
       192.168.1.13:0        8      OPERATIONAL  0          28         0
   rserver: lnx4
       192.168.1.14:0        8      INBAND-HM-FAILED 0      0          5
ACE-1/routed# show serverfarm web inband | beg lnx4
rserver : lnx4[0]
action : remove
Total Delta
-------------------------------------------------------------------------
SYN RSTs : 5 5
SYN Timeouts : 0 0
ICMP Network Unreachable : 0 0
ICMP Host Unreachable : 0 0
ICMP Port Unreachable : 0 0
ICMP Protocol Unreachable : 0 0
ICMP Source Route Failed : 0 0
For UDP connections:
ACE-1/routed(config-sfarm-host)# do show serverfarm udp-svc inband
serverfarm : udp-svc
rserver : lnx1[0]
action : remove
Total Delta
-------------------------------------------------------------------------
ICMP Network Unreachable : 6 0
serverfarm : udp-svc
rserver : lnx2[0]
action : remove
Total Delta
-------------------------------------------------------------------------
SYN Timeouts : 9 0
ICMP Host Unreachable : 5 0
serverfarm : udp-svc
rserver : lnx3[0]
action : remove
Total Delta
-------------------------------------------------------------------------
ICMP Port Unreachable : 6 0
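For monitoring or troubleshooting scripts, the "show serverfarm <name> inband" output above can be turned into per-server counters. The following is an added example, not part of the original document: the function names are hypothetical and the sample text is constructed in the same layout as the output shown above.

```python
import re

# Constructed sample in the layout of the "show serverfarm <name> inband" output above.
SAMPLE = """\
serverfarm : udp-svc
rserver : lnx1[0]
action : remove
Total Delta
-------------------------------------------------------------------------
ICMP Network Unreachable : 6 0
serverfarm : udp-svc
rserver : lnx2[0]
action : remove
Total Delta
-------------------------------------------------------------------------
SYN Timeouts : 9 0
ICMP Host Unreachable : 5 0
"""

RSERVER = re.compile(r"^\s*rserver\s*:\s*(\S+?)(?:\[\d+\])?\s*$")
COUNTER = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(\d+)\s+(\d+)\s*$")

def parse_inband(text):
    """Return {rserver: {counter name: (total, delta)}} from the CLI output."""
    servers, current = {}, None
    for line in text.splitlines():
        m = RSERVER.match(line)
        if m:
            current = servers.setdefault(m.group(1), {})
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            current[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return servers

def summarize(servers):
    """Per rserver: total TCP setup errors (SYN ...) and total ICMP errors counted."""
    return {
        name: {
            "tcp": sum(t for k, (t, _) in c.items() if k.startswith("SYN")),
            "icmp": sum(t for k, (t, _) in c.items() if k.startswith("ICMP")),
        }
        for name, c in servers.items()
    }

def farm_sees_icmp(servers):
    """False means no ICMP error was ever counted for the farm. On a UDP farm
    that is a reason to re-check the server-side access-list for ICMP."""
    return any(s["icmp"] > 0 for s in summarize(servers).values())
```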