Application Delivery (ADX)

Occasional Contributor
Posts: 7
Registered: 05-20-2010

how do I health check an https page on an unusual port?

We're just starting with the ADX platform, my last SLB work was with TCS and webcaches a few years ago, so I'm pretty green at the L7 configs.   The first service I'm working on setting up has 2 secure web pages, one on port 443, the other on 8443.  I've got health checks working just fine for 443 (If a 200 code isn't returned, it takes the real server out of the rotation), but the same process doesn't work for 8443 because the "protocol" commands don't work inside a healthck section for an undefined port number.  You can't use the TCP unknown port checking with SSL either:

SSH@dcl-slb1(config-port-8443)#tcp keepalive protocol ssl

Error - Does not support protocol 443 for unknown port keepalive

I've included the relevant config bits below. Any ideas how to check for a 200 code on an SSL webserver listening on port 8443, anyone?
thanks,
-debbie

server port 8443
tcp
context Shiboleth
healthck shibtest1 tcp
  dest-ip 192.168.37.181
  port ssl
  protocol ssl
  protocol ssl url "GET /idp/profile/Status"
  protocol ssl status-code 200 200
  protocol ssl use-complete
  l7-check
healthck shibtest2 tcp
  dest-ip 192.168.37.182
  port ssl
  protocol ssl
  protocol ssl url "GET /idp/profile/Status"
  protocol ssl status-code 200 200
  protocol ssl use-complete
  l7-check
healthck shibtest8443-1 tcp
  dest-ip 192.168.37.181
  port 8443
healthck shibtest8443-2 tcp
  dest-ip 192.168.37.182
  port 8443
!
server real shib-test1 192.168.37.181
port ssl
port ssl healthck shibtest1
port ssl keepalive
port 8443
port 8443 healthck shibtest8443-1
port 8443 keepalive
!
server real shib-test2 192.168.37.182
port ssl
port ssl healthck shibtest2
port ssl keepalive
port 8443
port 8443 healthck shibtest8443-2
port 8443 keepalive

server virtual shib-test-idp 192.168.13.16
sym-priority 100
sym-active
predictor round-robin
port ssl sticky
port 8443
bind ssl shib-test1 ssl shib-test2 ssl
bind 8443 shib-test1 8443 shib-test2 8443

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: how do I health check an https page on an unusual port?

Hi fligor,

     As the ADX sees all unknown ports as UDP by default, you need to create a port profile.

Configuring a port profile

For an application port not known to the ServerIron ADX, the ServerIron ADX assumes that it is a UDP port. In addition, the ServerIron ADX does not perform keepalive health checks for it. You can configure a port profile for the port and specify whether the port is TCP or UDP and also set keepalive health check parameters for the port.

Even for ports known to the ServerIron ADX, you must configure a profile for the port to globally configure the port’s parameters and configure the keepalive health check. After you add the port by indicating whether it is a TCP or UDP port, the ServerIron ADX automatically enables the keepalive health check for the port.

NOTE

Enabling or disabling a keepalive health check does not affect the health check the ServerIron ADX sends when you bind a real server to a virtual server using the application port. The keepalive health check state also does not affect the health checks the ServerIron ADX sends if the server’s response time slows.

The keepalive interval and retry values for each type of TCP/UDP health check are global parameters. For example, if you change the number of retries for the HTTP health check (TCP port 80), the change applies to all instances of port 80 on all the real servers configured on the ServerIron ADX.

Adding a port and specifying its type

By adding a port, you also automatically enable periodic Layer 4 (and Layer 7, if applicable) keepalive health checks for the port. If you do not specify the port type (TCP or UDP), the ServerIron ADX assumes the port type is UDP.

To add a port and specify that it is a TCP port, enter commands such as the following.

ServerIron(config)# server port 8080
ServerIron(config-port-8080)# tcp

Syntax: server port <TCP/UDP-portnum>

Syntax: [ tcp | udp ]

Changing a port’s keepalive parameters

To change a port’s keepalive state, enter a command such as the following.

ServerIron(config-port-8080)# tcp keepalive disable

To change a port’s keepalive interval and retries, enter a command such as the following.

ServerIron(config-port-80)# tcp keepalive 15 5

Syntax: tcp | udp keepalive <interval-in-seconds> <retries>

You can specify from 2 – 120 seconds for the <interval-in-seconds> variable. You can specify from 1 – 5 for the <retries> variable.

Occasional Contributor
Posts: 7
Registered: 05-20-2010

Re: how do I health check an https page on an unusual port?

I have that in the config snippet I posted ("server port 8443 <cr> tcp"). I can make it TCP, but I can't make it SSL. I don't see anything in what you quoted that addresses defining a port protocol of SSL for the unknown port. Did I miss that part?

thanks,

-debbie

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: how do I health check an https page on an unusual port?

Sorry, missed that. This should do what you are after.

Example 1:

ServerIron(config)# server port-policy p1
ServerIron(config-port-policy-p1)# port 8443
ServerIron(config-port-policy-name)# protocol ssl
ServerIron(config-port-policy-name)# retries 5
ServerIron(config-port-policy-name)# exit
ServerIron(config)# server real r1 10.10.1.101
ServerIron(config-rs-r1)# port 1234 use-port-policy p1
ServerIron(config-rs-r1)# port 1234 keepalive

In Example 1, Port 1234 on Real Server 1 will be marked as up if the Layer 7 health check on Port 8443 on the server with the IP address of 10.10.1.101 passes.

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: how do I health check an https page on an unusual port?

Hi fligor,

     Did this solve your issue?

Thanks

Michael.

Occasional Contributor
Posts: 7
Registered: 05-20-2010

Re: how do I health check an https page on an unusual port?

I'm still waiting on the server side folks to test it.  I got the config in place yesterday, but haven't heard back yet if it is working as they want.

I'll let you know for sure when I hear from them.

-debbie

Occasional Contributor
Posts: 7
Registered: 05-20-2010

Re: how do I health check an https page on an unusual port?

It's kind of working. Here's the note I got back from the service admins:

Alright, did a little more testing on port 8443 and found a problem.

It's not a conclusive test, but I can still hit /idp/profile/Status on port
8443 just like on port 443 to test basic functionality. In reality, Apache
passes both ports 443 and 8443 to the same exact spot in Tomcat. So, they
should work identically. I won't get into why we have to have both ports set
up here.

At any rate, if I stop one of the Tomcat instances, say on shib-test2, but
leave Apache running, going directly to /idp/whatever on either 443 or 8443
directly on shib-test2 will give me the "503 service temporarily
unavailable" as you would expect. This should be enough to tell the load
balancer to ignore this server because it's down.

That's how it works for 443, but not for 8443. Right now, with Apache
running on shib-test1 and 2, but the service only running on shib-test1, 443
works perfectly. 8443 gives me a 503 error for every other refresh of the
shib-test-idp URL. If I stop Apache, everything's fine on both 443 and 8443;
it always goes to shib-test1.

So if Apache is down, it does what it should, but checking for a 200 response doesn't seem to work.

Here is what I actually configured:

slb1:

server port 8443
tcp
!
context default
!
context Shiboleth
healthck shibtest1 tcp
  dest-ip 192.168.37.181
  port ssl
  protocol ssl
  protocol ssl url "GET /idp/profile/Status"
  protocol ssl status-code 200 200
  protocol ssl use-complete                                      
  l7-check
healthck shibtest2 tcp
  dest-ip 192.168.37.182
  port ssl
  protocol ssl
  protocol ssl url "GET /idp/profile/Status"
  protocol ssl status-code 200 200
  protocol ssl use-complete
  l7-check
healthck shibtest8443-1 tcp
  dest-ip 192.168.37.181
  port 8443
healthck shibtest8443-2 tcp
  dest-ip 192.168.37.182
  port 8443
server port-policy shib-8443
  port 8443
  protocol ssl                                                   
  protocol ssl url "GET /idp/profile/Status"
  protocol ssl status-code 200 200
!
server real shib-test1 192.168.37.181
port ssl
port ssl healthck shibtest1
port ssl keepalive
port 8443
port 8443 use-port-policy shib-8443
port 8443 keepalive
!
server real shib-test2 192.168.37.182
port ssl
port ssl healthck shibtest2
port ssl keepalive
port 8443
port 8443 use-port-policy shib-8443
port 8443 keepalive
!
!
server virtual shib-test-idp 192.168.13.16
sym-priority 100                                                
sym-active
predictor round-robin
port ssl sticky
port 8443
bind ssl shib-test1 ssl shib-test2 ssl
bind 8443 shib-test1 8443 shib-test2 8443
!

The port-policy wouldn't take a "use-complete" line. Is there a similar command for port-policy? That seems to be what's missing.

thanks for the help so far!

-debbie
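The admin's note above describes exactly the case a Layer 4 check cannot catch: Apache still accepts the TLS connection on 8443 while Tomcat is down, so the port looks open but the page answers 503. The script below is an added example, not from this thread or from Brocade, that performs from another host the same Layer 7 check the ADX `protocol ssl url ... status-code 200 200` configuration is meant to perform: a TLS connection to the real server's port, a GET of /idp/profile/Status, and a pass only when the parsed status code lies in the accepted range. Anything that is not a parseable HTTP status (connection refused, TLS failure, empty or garbage response) counts as down. The sample responses are constructed, and the host/port/path values are whatever you pass on the command line; `verify_tls=False` is an assumption for checks made by IP against internal certificates and should stay at the default `True` otherwise.

```python
import socket
import ssl
import sys

# Constructed sample responses for the two states the thread describes:
# Tomcat up behind Apache (200) and Apache up but Tomcat stopped (503).
SAMPLE_UP = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nok"
SAMPLE_DOWN = (b"HTTP/1.1 503 Service Temporarily Unavailable\r\n"
               b"Content-Type: text/html\r\n\r\n<html>unavailable</html>")


def build_request(path: str, host: str) -> bytes:
    """Minimal HTTP/1.0 GET, mirroring the ADX 'protocol ssl url "GET <path>"' check."""
    return (f"GET {path} HTTP/1.0\r\n"
            f"Host: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_status_code(response: bytes):
    """Return the HTTP status code from a raw response, or None when the
    response is empty, truncated or not HTTP at all (treated as a failed check)."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def response_passes(response: bytes, low: int = 200, high: int = 200) -> bool:
    """Equivalent of 'protocol ssl status-code <low> <high>': pass only when a
    status code was parsed and it lies inside the accepted range."""
    code = parse_status_code(response)
    return code is not None and low <= code <= high


def https_l7_check(host: str, port: int, path: str, low: int = 200, high: int = 200,
                   timeout: float = 5.0, verify_tls: bool = True) -> bool:
    """Connect with TLS to host:port, send the GET and judge the status code.
    Any socket, TLS or parsing failure is reported as the server being down."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Assumption: the check targets a real server by IP with an internal
        # certificate, so hostname/chain verification is switched off here only.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(build_request(path, host))
                received = b""
                while len(received) < 65536:   # status line comes first; cap the body read
                    data = tls.recv(4096)
                    if not data:
                        break
                    received += data
                return response_passes(received, low, high)
    except (OSError, ssl.SSLError):
        return False


if __name__ == "__main__":
    # Usage: python l7check.py <host> <port> <path> [--no-verify]
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    verify = "--no-verify" not in sys.argv[4:]
    up = https_l7_check(host, port, path, verify_tls=verify)
    print(f"{host}:{port}{path} -> {'UP' if up else 'DOWN'}")
    sys.exit(0 if up else 1)
```

Run it once against each real server on 443 and on 8443 while Tomcat is stopped on one of them: if the script reports DOWN for 8443 on that server but the ADX keeps sending it traffic, the load balancer is only checking the TCP connect, not the status code.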

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: how do I health check an https page on an unusual port?

Hi,

     I think they are just missing calling the healthck. See in bold below.

slb1:

server port 8443
tcp
!
context default
!
context Shiboleth
healthck shibtest1 tcp
  dest-ip 192.168.37.181
  port ssl
  protocol ssl
  protocol ssl url "GET /idp/profile/Status"
  protocol ssl status-code 200 200
  protocol ssl use-complete                                     
  l7-check
healthck shibtest2 tcp
  dest-ip 192.168.37.182
  port ssl
  protocol ssl
  protocol ssl url "GET /idp/profile/Status"
  protocol ssl status-code 200 200
  protocol ssl use-complete
  l7-check
healthck shibtest8443-1 tcp
  dest-ip 192.168.37.181
  port 8443
  l7-check
healthck shibtest8443-2 tcp
  dest-ip 192.168.37.182
  port 8443
  l7-check
server port-policy shib-8443
  port 8443
  protocol ssl                                                  
  protocol ssl url "GET /idp/profile/Status"
  protocol ssl status-code 200 200
!
server real shib-test1 192.168.37.181
port ssl
port ssl healthck shibtest1
port ssl keepalive
port 8443
port 8443 use-port-policy shib-8443
port 8443 keepalive
!
server real shib-test2 192.168.37.182
port ssl
port ssl healthck shibtest2
port ssl keepalive
port 8443
port 8443 use-port-policy shib-8443
port 8443 keepalive
!
!
server virtual shib-test-idp 192.168.13.16
sym-priority 100                                               
sym-active
predictor round-robin
port ssl sticky
port 8443
bind ssl shib-test1 ssl shib-test2 ssl
bind 8443 shib-test1 8443 shib-test2 8443
!

Occasional Contributor
Posts: 7
Registered: 05-20-2010

Re: how do I health check an https page on an unusual port?

Those healthcks aren't being called. They're left over from when I tried to build an 8443 healthcheck that looked like the one for SSL. They wouldn't let me specify a protocol 8443, and they won't take the l7 command without a protocol:

SSH@dcl-slb1(config)#healthck shibtest8443-1
SSH@dcl-slb1(config-hc-shibtest8443-1)#l7-check
Healthck Error: Need to specify protocol for unknown port l7-check
SSH@dcl-slb1(config-hc-shibtest8443-1)#protocol 8443
Healthck Error: Cannot recognize protocol 8443
SSH@dcl-slb1(config-hc-shibtest8443-1)#

Will this work (defined as a check to see if port 8443 returns a 200), or will it check port 443 for a 200 and, if that's up, call 8443 up (which isn't good enough for our application)?

healthck shibtest8443-1 tcp
  dest-ip 192.17.37.181
  port 8443
  protocol ssl
  protocol ssl url "GET /idp/profile/Status"
  protocol ssl status-code 200 200
  protocol ssl use-complete
  l7-check

-debbie

Occasional Contributor
Posts: 7
Registered: 05-20-2010

Re: how do I health check an https page on an unusual port?

Just wondering if anyone knew whether or not my example above would work. We're kind of stuck on this at the moment.

-debbie
