Application Delivery (ADX)

Occasional Contributor
Posts: 7
Registered: ‎09-12-2009

ServerIron health checks to external addresses

Hi,

I have recently been working on a project to provide resilient internet access via 2 separate sites with internet connectivity. I am using Bluecoat proxies and currently a simple PAC file to provide failover when the primary proxy is unavailable. These Bluecoats now need to be load-balanced rather than operating in an active-standby set-up. More worryingly, I've identified a MAJOR flaw in the plan!

Traffic from each Bluecoat passes through 2 firewalls to reach the internet. When one of these fails, failover will not be invoked as the Bluecoat does not perform any kind of health check of its interfaces, i.e. traffic will still be sent to the primary Bluecoat, which will then forward it via the default route for the network, which is a 'black hole' address....

I think I can solve both of these issues by using an existing pair of L3 ServerIrons and L7 health checks, but I'm not 100% sure that this will work. I have pre-written the following config (priorities etc. will be swapped for the 2nd SI):

server remote-name proxy1 10.10.10.100
  description proxy1
  source-nat
  port http
  port http healthck proxy1
  port http keepalive
  port http url "HEAD / HTTP/1.1\r\nHost:www.google.com"
  port http status-code 200 399
  port 443
  port 443 healthck proxy1
  port 443 keepalive
  port 443 url "HEAD / HTTP/1.1\r\nHost:www.google.com"
  port 443 status-code 200 399
!
server remote-name proxy2 10.10.10.200
  description proxy2
  source-nat
  port http
  port http healthck proxy2
  port http keepalive
  port http url "HEAD / HTTP/1.1\r\nHost:www.google.com"
  port http status-code 200 399
  port 443
  port 443 healthck proxy2
  port 443 keepalive
  port 443 url "HEAD / HTTP/1.1\r\nHost:www.google.com"
  port 443 status-code 200 399
!
server virtual bluecoat 20.20.20.1
  sym-priority 100
  sym-active
  dyn-sym-pri-factor 20
  predictor least-conn
  port http sticky
  port 443 sticky
  bind http proxy1 http proxy2 http
  bind 443 proxy1 443 proxy2 443
!
vlan 150 name bluecoat-vip-vlan by port
  tagged ethe 2/1 to 2/2 ethe 3/1 to 3/4
  router-interface ve 150
  spanning-tree 802-1w

interface ve 150
  port-name wdc-bluecoat-vip-vlan
  ip address 20.20.20.251 255.255.255.0
  ip vrrp-extended vrid 50
    backup priority 200
    advertise backup
    ip-address 20.20.20.254
    enable
  ip vrrp-extended vrid 150
    backup
    advertise backup
    ip-address 20.20.20.253
    enable



The plan would then be as follows.....

1. Update the PAC file to point all users at 20.20.20.1

2. Under normal conditions, sessions would be load-balanced between the 2 proxies.

3. In the event that the path to google is unavailable via either of the proxies, it would fail the healthcheck and be removed from the pool, therefore failing over when any device in the path fails (Proxy / FW1 / FW2).

I'm fairly sure that the load balancing config is close to correct, but is it possible to use health checks in this way? I.e. can you link the health of a remote server to its ability to reach an external URL?

I appreciate that this is a long post, so thanks for even getting this far! If someone could put me out of my misery that would be great. Obviously I would test this myself, but for various reasons I don't have the kit available in the lab and, politically, we can't make this change unless it works...

New Contributor
Posts: 3
Registered: ‎06-04-2009

Re: ServerIron health checks to external addresses

Tony,

I am not sure of the full issue here; could you please send a diagram of your design? But the short answer is that you can health check a remote URL. Please make sure that you use the command: server no-fast-bringup. This will remove flaps between the L4 health checks and the L7 health checks.

Steve

Occasional Contributor
Posts: 7
Registered: ‎09-12-2009

Re: ServerIron health checks to external addresses

Hi,

Apologies if the problem wasn't clear. I can't upload a topology diagram at the moment as the work proxy appears to block the upload.

Basically, I have 2 paths to the internet from the corporate network. At each 'exit' site the following devices sit between the users and the internet:

Foundry FESX L3 Switch  >  Bluecoat SG Proxy  >  Checkpoint Firewall  >  Cisco ASA  >  Internet

My plan was to use an existing pair of ServerIron 450s on the network to load balance the 2 proxies. I was intending to use health checks to test the 'backend' devices so that a loss of either firewall would mean that traffic would fail over to the 2nd proxy. However, I've since tested this and it won't work, as the ServerIrons do not have a route to get to external addresses and this traffic is not allowed through the firewalls.

My Plan B is as follows:

The Bluecoats are capable of performing periodic health checks, and these are displayed on an HTML page as a success or failure. If I configure these health checks to an external URL, should it be possible for the ServerIrons to search the contents of this page for 'Success' or 'Failure' and make a forwarding decision based on this?

I hope this hasn't confused the matter further.....

New Contributor
Posts: 3
Registered: ‎06-12-2009

Re: ServerIron health checks to external addresses

Hello Tony,

Based on what you are saying, I understand that you have two exit paths for the Internet through two proxies, and you wish to load balance among these two proxies using your ServerIron pair. You want to ensure that in the event of one of the paths failing, the ServerIron takes the respective proxy out of service rotation. Is this correct?

If yes, then you could use the "boolean" health checks available on ServerIron. Since your objective is to ensure that the exit path (i.e. your ultimate default gateway) is up, you could do a health check on the gateway IP address and then tie it to the health of your individual proxies. See the sample below:

healthck h1icmp icmp
  dest-ip 1.1.1.1                           <<< this is your gateway IP (Checkpoint firewall IP)

healthck proxy1int tcp
  dest-ip 10.10.10.100
  port http
  protocol http
  protocol http url "GET /default.html"     <<< health check on any local URL to ensure that the proxy itself is up

healthck proxy1final boolean
  and h1icmp proxy1int                      <<< both sub-checks must pass; the names must match the healthcks defined above
!
server real proxy1 10.10.10.100
  port http
  port http healthck proxy1final
!

Now repeat the same thing for second proxy.

The ServerIron will bring down the health of your proxy if the respective gateway is unreachable, and that way you would prevent your "black holes".

Hope this clarifies and helps.

Regards,

Deepak Kothari

Occasional Contributor
Posts: 7
Registered: ‎09-12-2009

Re: ServerIron health checks to external addresses

Hi Deepak,

Thanks for taking the time to respond. Unfortunately this won't solve my problem, as I can't allow traffic generated by the ServerIron to pass through the firewalls....

I think I need to rely on the proxies health checking external addresses. They then generate an HTML page that looks something like this...

External Services
  drtr.rating_service   sp.cwfservice.net   Functioning properly   UP

Is it possible for the ServerIrons to search this page for the text 'Functioning Properly' and, if it's not present, then remove the proxy from the pool?

Thanks again,

Tony

New Contributor
Posts: 3
Registered: ‎08-24-2009

Re: ServerIron health checks to external addresses

Tony

I've used HTTP health checks with Content Verification to achieve something similar, i.e. a match list for your text "Functioning properly".

Following Deepak's suggestion, you could just add the following to the proxy1int healthck and create a match-list m1:

protocol http content-match m1

http match-list m1
  up simple "functioning properly"
  default down

I found a reference to this "Content Verification" in the Health Checking 101 wiki here.

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: ServerIron health checks to external addresses

Patburke is correct. You should use healthcks together with a so-called match-list. An example from the top of my head would look like:

healthck test tcp
  dest-ip a.b.c.d
  port http
  protocol http
  protocol http url "GET /whatever/test.html"
  port http content-match m1
  interval 3
  l7-check

http match-list m1
  up simple "functioning properly"
  default down

server real myRealA 192.168.9.101
  port http
  port http healthck test

Dest-ip would be the proxy's IP address and "/whatever/test.html" is the page the proxy is generating depending on the health of the real server. The match-list is looking for "functioning properly" in the page coming back from the proxy.
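To see how the two pieces suggested in this thread fit together (Deepak's boolean "and" of sub-checks, and the match-list content verification from Patburke and the example above), here is an added Python emulation of that health-check logic. It is not ServerIron, Brocade or Bluecoat code; the sample status pages are constructed to mirror the page Tony quoted, the "down" wording is assumed, and whether a 'simple' match is case-sensitive on a real ServerIron is not stated in the thread, so it is left as an explicit parameter.

```python
# Added example, not from the thread or Brocade: emulates the ServerIron L7
# health-check logic discussed above so a match-list can be tested offline.

# Constructed sample pages modelled on the Bluecoat status page quoted in the
# thread; the "down" wording is assumed, not taken from a real Bluecoat.
STATUS_PAGE_UP = """<html><body><pre>
External Services
  drtr.rating_service   sp.cwfservice.net   Functioning properly   UP
</pre></body></html>"""
STATUS_PAGE_DOWN = """<html><body><pre>
External Services
  drtr.rating_service   sp.cwfservice.net   Connection failed   DOWN
</pre></body></html>"""

# Ordered rules plus a default verdict, mirroring:
#   http match-list m1
#     up simple "functioning properly"
#     default down
MATCH_LIST_M1 = {"rules": [("up", "functioning properly")], "default": "down"}

def evaluate_match_list(body, match_list, case_sensitive=False):
    """Return 'up' or 'down' for a response body.
    A 'simple' rule is treated as a plain substring match. Whether the real
    ServerIron compares case-sensitively is not stated in the thread, so it
    is an explicit parameter: the thread's pattern is lower-case while the
    quoted page says "Functioning properly"."""
    haystack = body if case_sensitive else body.lower()
    for verdict, pattern in match_list["rules"]:
        needle = pattern if case_sensitive else pattern.lower()
        if needle in haystack:
            return verdict
    return match_list["default"]  # 'default down': no match means down

def status_ok(status_code, low=200, high=399):
    """Mirror 'port http status-code 200 399' from the first post."""
    return low <= status_code <= high

def l7_check(status_code, body, match_list):
    """Combined L7 verdict: status code in range AND content-match 'up'."""
    if not status_ok(status_code):
        return "down"
    return evaluate_match_list(body, match_list)

def boolean_and(*verdicts):
    """Emulate 'healthck ... boolean' with 'and': every sub-check must be up."""
    return "up" if all(v == "up" for v in verdicts) else "down"
```

Running the same match-list with case_sensitive=True against the quoted page shows why the capitalisation of the pattern is worth checking before trusting a "down" verdict in the lab.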

Occasional Contributor
Posts: 7
Registered: ‎09-12-2009

Re: ServerIron health checks to external addresses

Hi,

Using your example, we've tried to configure the following, 'port http content-match check', under 'healthck test tcp'. However, the ServerIron which we are using won't accept the 'content-match' part of the command. The chassis we've got is a ServerIron XL running Version 07.4.00T12 (slb07400.bin) code. Do you know of another way to achieve this?

Thanks,

Super Contributor
Posts: 316
Registered: ‎05-01-2009

Re: ServerIron health checks to external addresses

This is a typo - should read: protocol http content-match...

You should mention your software release the next time. The ServerIron XL is pretty old and less flexible than current products - this is going to help ensure nobody suggests stuff based on current releases.

Occasional Contributor
Posts: 7
Registered: ‎09-12-2009

Re: ServerIron health checks to external addresses

Hi,

Thanks for your help so far; we still have a few problems though. I have attached a Visio diagram to show you our test lab setup. I've also attached the running config and the HTML page we are using. Points 1 & 2 below are really to establish failure of the remote web server from the ServerIron perspective when the web server is physically disconnected (1) and logically the web server cannot reach the internet (2).

1. When the HTTP server is up/connected, the Virtual IP on the ServerIron shows as 'Active' when issuing the 'show server bind' command. However, if we unplug the HTTP server from the test network, the ServerIron doesn't register the disconnection and still shows the Virtual IP as 'Active'. I'm sure we are just missing a couple of simple commands. (This test was performed without the 'Health test' command under the Server Remote configuration.)

2. With 'Health check test' under the Server Remote configuration and the test.html file NOT data-filled with 'functioning Properly', the Virtual IP on the ServerIron still shows as 'Active' when issuing the 'show server bind' command.

3. The Bluecoat Proxy server that we eventually require to health check is an HTTPS server. Does anyone know how we go about getting the ServerIron to log in with the correct credentials to view the page?

Any help on the above would be much appreciated.

Many Thanks
