Showing results for 
Search instead for 
Did you mean: 

Inband Health Monitoring on Cisco ACE




Health monitoring on the ACE tracks the state of a server by sending out probes. In case of out-of-band health monitoring, the ACE verifies the server response or checks for any network problems that can prevent a client from reaching a server. This is the default method and in this case ACE uses ARP and health probes to monitor the health of all real servers. When you configure the inband health monitoring feature, it informs the ACE load balancer of connection failures on the real servers in a server farm. This method is much faster in determining the failure of real servers. When failure-count threshold is configured and the number of these failures exceeds the threshold within the reset-time interval, the ACE immediately marks the server as failed, takes it out of service, and removes it from load balancing.


Health Monitoring

By default, no probes are configured in the ACE. Also referred to as out-of-band (OOB) health monitoring, the ACE verifies the server response to a probe or checks for any network problems that can prevent a client from reaching a server. Based on the server response, the ACE can place the server in or out of service and can make reliable load-balancing decisions. You can also use health monitoring to detect failures for a gateway or a host in high-availability (redundant) configurations.

The ACE evaluates the health of a server by marking the probes as follows:

Passed—The server returns a valid response.
Failed—The server fails to provide a valid response to the ACE and the ACE is unable to reach a server for a specified number of retries.


Requirements and Considerations

In case of inband health monitoring the resume-service option affects behavior of real server. In case the state of a real server changes because of inband health monitoring the standby ACE is not made aware of this change. The inband health monitoring and out of band health monitoring can monitor different ports if you configure different port for probes than what is used for traffic forwarding. You need to configure a inactiivty timeout if you are configuring inband health monitoring containing a layer 4 or layer 7 class map.



Once the Cisco ACE is configured for load balancing it is very simple to apply in-band health monitoring to a serverfarm.  See the “Basic Load Balancing Using Routed Mode on the Cisco Application Control Engine” document for an example of configuring load balancing.


Inband health monitoring is enabled within the server farm object of the configuration. For TCP connections, inband health monitoring feature monitors connection setup related errors such as TCP RST and SYN timeout. For UDP connections, it monitors the ICMP destination unreachable messages from the server or intermediate routers.


The following configuration will remove a real server from the load-balancing rotation if the number of connection failures in 100 milliseconds interval crosses 500 and again bring the server back to the rotation after 300 sec of it’s removal. In other words, once the connection failure threshold crosses the configured limit (500), the server is removed from the rotation. ACE again starts sending connections to that server after 300 sec.


ACE-1/routed(config-cmap)# serverfarm web

ACE-1/routed(config-sfarm-host)# inband-health check remove 500 resume-service 300


Note: ACE uses reset= 100 milliseconds as the default value. It is recommended to use the default, unless the nominal traffic to the VIP is very low (less than 100 connections per second).


Configuring inband health monitoring for UDP connection is similar to that of TCP connection. When enabled, this feature monitors ICMP related errors from servers or intermediate routers. Follow the steps:


a) Create a new VIP for UDP traffic.


ACE-1/routed(config)# class-map udp-vip

ACE-1/routed(config-cmap)# match virtual-address udp any


b) Make a new serverfarm for the UDP service, and assume it is a low utilization service, requiring the sampling time to be extended.


ACE-1/routed(config)# show run serverfarm


serverfarm udp-svc

  rserver lnx1


  rserver lnx2


  rserver lnx3




ACE-1/routed(config-sfarm-host)# inband-health check remove 16 reset 2000 resume-service 300


c) Associate the UDP servers to the LB policy, then associate the VIP and LB policy to the existing service policy.


ACE-1/routed(config)# policy-map type loadbalance http first-match slb udp

ACE-1/routed(config-pmap-lb)# class class-default

ACE-1/routed(config-pmap-lb-c)# serverfarm upd-svc


ACE-1/routed(config)# policy-map multi-match client-vips

ACE-1/routed(config-pmap)# class udp-vip

ACE-1/routed(config-pmap-c)# loadbalance policy slb-udp

ACE-1/routed(config-pmap-c)# loadbalance vip inservice


It is important to verify the access-list on the server side interface, allowing the ACE to accept the ICMP error messages from the real servers or intermediate routers. Inband health monitoring with UDP traffic will not work if the ICMP protocol is not allowed in access-list.


ACE-1/routed# show access-list everyone

access-list:everyone, elements: 2, status: ACTIVE

  remark :

access-list everyone line 8 extended permit ip any any (hitcount=55)

access-list everyone line 16 extended permit icmp any any (hitcount=20)



Use following commands to check if inband health monitoring is working fine. For TCP connections:


ACE-1/routed# show serverfarm web


serverfarm     : web, type: HOST

total rservers : 5



       real                  weight state        current    total      failures


   rserver: lnx1        8      OPERATIONAL      0          28         0

   rserver: lnx2        8      OPERATIONAL      0          28         0

   rserver: lnx3        8      OPERATIONAL      0          28         0

   rserver: lnx4        8      INBAND-HM-FAILED 0          0         5


ACE-1/routed# show serverfarm web inband | beg lnx4

rserver    : lnx4[0]

action    : remove

                                        Total                   Delta


    SYN RSTs                         : 5                5

    SYN Timeouts                     : 0                0

    ICMP Network Unreachable         : 0                0

    ICMP Host Unreachable            : 0                0

    ICMP Port Unreachable            : 0                0

    ICMP Protocol Unreachable        : 0                0

    ICMP Source Route Failed         : 0                0


For UDP connections:


ACE-1/routed(config-sfarm-host)# do show serverfarm udp-svc inband


serverfarm : udp-svc

rserver    : lnx1[0]

action    : remove

                                        Total                   Delta


    ICMP Network Unreachable         : 6                0


serverfarm : udp-svc

rserver    : lnx2[0]

action    : remove

                                        Total                   Delta


    SYN Timeouts                     : 9                0

    ICMP Host Unreachable            : 5                0


serverfarm : udp-svc

rserver    : lnx3[0]

action    : remove

                                        Total                   Delta


    ICMP Port Unreachable            : 6                0


Related Information

Configuring Health Monitoring on Cisco ACE

Configure URL Load balancing on Cisco ACE

Content for Community-Ad