02-14-2011 01:02 PM
We're just starting with the ADX platform, my last SLB work was with TCS and webcaches a few years ago, so I'm pretty green at the L7 configs. The first service I'm working on setting up has 2 secure web pages, one on port 443, the other on 8443. I've got health checks working just fine for 443 (if a 200 code isn't returned, it takes the real server out of the rotation), but the same process doesn't work for 8443 because the "protocol" commands don't work inside a healthck section for an undefined port number. You can't use the TCP unknown port checking with SSL either:

SSH@dcl-slb1(config-port-8443)#tcp keepalive protocol ssl
Error - Does not support protocol 443 for unknown port keepalive

server port 8443
 tcp
server virtual shib-test-idp 192.168.13.16
 port ssl sticky
 bind ssl shib-test1 ssl shib-test2 ssl
 bind 8443 shib-test1 8443 shib-test2 8443
02-14-2011 01:31 PM
As the ADX sees all unknown ports as UDP by default, you need to create a port profile.
Configuring a port profile
For an application port not known to the ServerIron ADX, the ServerIron ADX assumes that it is a UDP port. In addition, the ServerIron ADX does not perform keepalive health checks for it. You can configure a port profile for the port and specify whether the port is TCP or UDP and also set keepalive health check parameters for the port.
Even for ports known to the ServerIron ADX, you must configure a profile for the port to globally configure the port’s parameters and configure the keepalive health check. After you add the port by indicating whether it is a TCP or UDP port, the ServerIron ADX automatically enables the keepalive health check for the port.
Enabling or disabling a keepalive health check does not affect the health check the ServerIron ADX sends when you bind a real server to a virtual server using the application port. The keepalive health check state also does not affect the health checks the ServerIron ADX sends if the server’s response time slows.
The keepalive interval and retry values for each type of TCP/UDP health check are global parameters. For example, if you change the number of retries for the HTTP health check (TCP port 80), the change applies to all instances of port 80 on all the real servers configured on the ServerIron ADX.
Adding a port and specifying its type
By adding a port, you also automatically enable periodic Layer 4 (and Layer 7, if applicable) keepalive health checks for the port. If you do not specify the port type (TCP or UDP), the ServerIron ADX assumes the port type is UDP.
To add a port and specify that it is a TCP port, enter commands such as the following.
ServerIron(config)# server port 8080
ServerIron(config-port-8080)# tcp
Syntax: server port <port-number>
Syntax: [ tcp | udp ]
Changing a port’s keepalive parameters
To change a port’s keepalive state, enter a command such as the following.
ServerIron(config-port-8080)# tcp keepalive disable
To change a port’s keepalive interval and retries, enter a command such as the following.
ServerIron(config-port-80)# tcp keepalive 15 5
Syntax: tcp | udp keepalive <interval-in-seconds> <retries>
You can specify from 2 – 120 seconds for the <interval-in-seconds> variable. You can specify from 1 – 5 for the <retries> variable.
02-14-2011 01:47 PM
I have that in the config snippet I posted ("server port 8443 <cr> tcp"). I can make it TCP, but I can't make it SSL. I don't see anything in what you quoted that addresses defining a port protocol of SSL for the unknown port. Did I miss that part?
02-14-2011 02:23 PM
Sorry, missed that. This should do what you are after.

ServerIron(config)# server port-policy p1
ServerIron(config-port-policy-p1)# port 8443
ServerIron(config-port-policy-p1)# protocol ssl
ServerIron(config-port-policy-p1)# retries 5
ServerIron(config)# server real r1 10.10.1.101
ServerIron(config-rs-r1)# port 1234 use-port-policy p1
ServerIron(config-rs-r1)# port 1234 keepalive

In Example 1, port 1234 on real server r1 will be marked as up if the Layer 7 health check on port 8443 on the server with the IP address 10.10.1.101 passes.
02-16-2011 08:41 AM
I'm still waiting on the server side folks to test it. I got the config in place yesterday, but haven't heard back yet if it is working as they want.
I'll let you know for sure when I hear from them.
02-21-2011 10:19 AM
It's kind of working. Here's the note I got back from the service admins:

Alright, did a little more testing on port 8443 and found a problem.
It's not a conclusive test, but I can still hit /idp/profile/Status on port
8443 just like on port 443 to test basic functionality. In reality, Apache
passes both ports 443 and 8443 to the same exact spot in Tomcat. So, they
should work identically. I won't get into why we have to have both ports set
At any rate, if I stop one of the Tomcat instances, say on shib-test2, but
leave Apache running, going directly to /idp/whatever on either 443 or 8443
directly on shib-test2 will give me the "503 service temporarily
unavailable" as you would expect. This should be enough to tell the load
balancer to ignore this server because it's down
That's how it works for 443, but not for 8443. Right now, with Apache
running on shib-test1 and 2, but the service only running on shib-test1, 443
works perfectly. 8443 gives me a 503 error for every other refresh of the
shib-test-idp URL. If I stop Apache, everything's fine on both 443 and 8443;
it always goes to shib-test1.

So if Apache is down, it does what it should, but checking for a 200 response doesn't seem to work.
Here is what I actually configured:
The port-policy wouldn't take a "use complete" line. Is there a similar command for port-policy? That seems to be what's missing.
thanks for the help so far!
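As an added illustration (not part of the thread, and not ServerIron code), the following Python script reproduces outside the load balancer what the service admins describe: a Layer 4 keepalive only tests that the port accepts a TCP connection, so a backend where Apache is listening but Tomcat is stopped still looks healthy, while a Layer 7 check that demands a 200 from /idp/profile/Status correctly fails on the 503. The in-process "Apache up, Tomcat down" backend, the loopback addresses and the accepted status codes are constructed for the demo; the probe functions can also be pointed at the real hosts over TLS on 8443 to see what the ADX should be seeing.

```python
"""Layer 4 vs Layer 7 health probe, reproducing the 503-but-still-in-rotation case.

Added example for the thread above; not ServerIron/ADX code. The backend
started by demo() is a stand-in for "Apache up, Tomcat stopped".
"""
import http.server
import socket
import ssl
import threading

STATUS_PATH = "/idp/profile/Status"   # path the service admins probe


def l4_check(host, port, timeout=3.0):
    """Layer 4 keepalive: does the port accept a TCP connection?
    Says nothing about the application behind it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_status_code(status_line):
    """'HTTP/1.1 503 Service Temporarily Unavailable' -> 503."""
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status_line)
    return int(parts[1])


def l7_check(host, port, path=STATUS_PATH, use_tls=True, timeout=3.0,
             ok_codes=(200,)):
    """Layer 7 check: GET `path`, pass only if the status code is in ok_codes.
    Returns (healthy, status_code_or_None)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if use_tls:
            # Health probe only: certificate validation is deliberately off
            # (assumption: the probe is not acting as a real client).
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            req = ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n"
                   % (path, host))
            sock.sendall(req.encode("ascii"))
            line = sock.makefile("rb").readline().decode("latin-1").strip()
        code = parse_status_code(line)
        return code in ok_codes, code
    except (OSError, ValueError):
        return False, None


class _Backend(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for Apache: answers 200 when the app is up,
    503 Service Temporarily Unavailable when Tomcat is stopped."""
    app_up = True

    def do_GET(self):
        if self.app_up:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(503, "Service Temporarily Unavailable")
            self.end_headers()

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_backend(app_up):
    handler = type("Backend", (_Backend,), {"app_up": app_up})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo(app_up=False):
    """Run both probes against a local backend; plain HTTP for the demo."""
    srv = start_backend(app_up)
    port = srv.server_address[1]
    try:
        return {"l4": l4_check("127.0.0.1", port),
                "l7": l7_check("127.0.0.1", port, use_tls=False)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # Apache up, Tomcat stopped: L4 says healthy, L7 says 503.
    print(demo(app_up=False))
    print(demo(app_up=True))
```

With the application stopped, `demo()` returns `l4: True` and `l7: (False, 503)`, which is exactly why a port-policy that only does a TCP/SSL keepalive keeps shib-test2 in rotation: only the Layer 7 status-code check sees the 503.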
02-21-2011 03:12 PM
I think they are just missing calling the healthck. See in bold below.
02-22-2011 07:52 AM
Those healthcks aren't being called. They're left over from when I tried to build an 8443 healthcheck that looked like the one for SSL. They wouldn't let me specify a protocol 8443, and they won't take the l7 command without a protocol:

Healthck Error: Cannot recognize protocol 8443