[f-nsp] multiple service failover

David Miller syslog at d.sparks.net
Wed Jul 15 12:27:55 EDT 2009


Oliver Adam wrote:
> Do you have any traces from the time the problem occurred? The config 
> itself seems to be fine - testing this quickly at a 4G results in log 
> messages like:
>
> Dynamic Log Buffer (50 lines):
> Jul 15 16:56:34:N:L4 server 192.168.9.101 rs101 port 80 is down due to 
> healthcheck
> Jul 15 16:56:34:C:Real server rs101 track group 80 443  state changed 
> from ACTIVE to DOWN
> Jul 15 16:49:45:N:L4 server 192.168.9.101 rs101 port 80 is up
> Jul 15 16:49:45:C:Real server rs101 track group 80 443  state changed 
> from DOWN to ACTIVE

Unfortunately, the logs are gone :(

> The track group is working as expected. Is it anyhow possible that you 
> had problems with sessions which were open already at the time the 
> problem occurred? The SI is not going to cut all the sessions hard by 
> default. Have a look at "reset-on-port-fail" as an option in this area. 

Interesting.  Why would they have a default behavior that keeps 
connections tied to a port/server that's failed a health check?  But I 
digress, that doesn't appear to be the problem I had.  Upon hearing of 
the ports being split between the two servers I connected and verified 
that new connections for http went to server2 while ssl remained on 
server 1.


> On top of that I am confused because you are using healthck's. Why don't 
> you do it this way:
>
>
>> server real server1 192.168.0.60
>> source-nat access-list 1
>> port http
>> port http url "GET /status.html"
>> port http content-match Content_Match
>> port ssl
>> port ssl keepalive
>> port ssl l4-check-only
>> port 8080
>> port 9000
>> port 4443
>> hc-track-group 80 443
>
>
> No healthck needed - much shorter and simple to understand - same 
> behaviour.

I'm a rookie with the Foundry/Brocade equipment and inherited the 
configuration I posted.  There may be simpler ways to do many things.

With these bind statements:

bind http server1 8080 real-port http server2 8080 real-port http
bind ssl server1 4443 real-port ssl server2 4443 real-port ssl

is it necessary to add 8080 and 4443 to the hc-track-group?



> Please ensure you do have "server no-fast-bringup" in the config - 
> this is to ensure the health check is only successful in case 
> everything up to L7 is working.


I do have that.

> Something to look at in the future: http://community.brocade.com/adi

Looks interesting.

Thanks Oliver
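
An added example, not part of the original thread or of any Brocade tooling: a Python check over log lines in the format Oliver quotes that lists port-down events with no track-group transition to DOWN for the same server, which is the split described above (http moved, ssl stayed). The rs102 entry is constructed sample data, and matching on identical timestamps is an assumption based on the lines shown in the thread.

```python
import re

# Constructed sample in the format quoted in the thread (wrapped lines rejoined).
# The rs102 / 192.168.9.102 entry is invented for illustration.
SAMPLE_LOG = """\
Jul 15 17:10:02:N:L4 server 192.168.9.102 rs102 port 80 is down due to healthcheck
Jul 15 16:56:34:N:L4 server 192.168.9.101 rs101 port 80 is down due to healthcheck
Jul 15 16:56:34:C:Real server rs101 track group 80 443  state changed from ACTIVE to DOWN
Jul 15 16:49:45:N:L4 server 192.168.9.101 rs101 port 80 is up
Jul 15 16:49:45:C:Real server rs101 track group 80 443  state changed from DOWN to ACTIVE
"""

# "Jul 15 16:56:34:N:" -> timestamp plus a one-letter severity field
TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d):\w:"
PORT_RE = re.compile(TS + r"L4 server \S+ (\S+) port (\d+) is (up|down)")
GROUP_RE = re.compile(
    TS + r"Real server (\S+) track group ([\d ]+?) +state changed from (\w+) to (\w+)")


def untracked_port_failures(log_text):
    """Return (timestamp, server, port) for every port-down event that has no
    track-group transition to DOWN for the same server at the same timestamp."""
    group_down = {}  # (timestamp, server) -> ports in the group that went DOWN
    port_down = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            ts, server, ports, _old, new = m.groups()
            if new == "DOWN":
                group_down[(ts, server)] = {int(p) for p in ports.split()}
            continue
        m = PORT_RE.match(line)
        if m and m.group(4) == "down":
            port_down.append((m.group(1), m.group(2), int(m.group(3))))
    # Keep only failures whose port is not covered by a group DOWN event.
    return [e for e in port_down
            if e[2] not in group_down.get((e[0], e[1]), set())]


if __name__ == "__main__":
    for ts, server, port in untracked_port_failures(SAMPLE_LOG):
        print(f"{ts}: {server} port {port} down, no track-group DOWN logged")
```

A port that fails while its group is already DOWN logs no new transition, so it is listed as well and needs a manual look.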


