[f-nsp] ServerIron XL hard coded ICMP limit

George B. georgeb at gmail.com
Sun Feb 20 00:00:30 EST 2011


SSL checks are *extremely* expensive and I have run ServerIrons out of CPU
doing them before.  I suggested to Brocade many years ago (back when they
were Foundry) that they not generate new RSA keys each time for health
checks.  Give an option where the same key can be re-used for healthchecks
only.  This would greatly reduce the load.  I am trying to remember how I
remedied the situation but it has been years.  I think I ended up just doing
a regular HTTP health check as that would tell me if the daemon was up and
running on the server or not.  I didn't need to verify so much that the
remote host could gen keys and the same process listened on both 80 and 443,
so I just checked 80 and assumed 443 was working too.

It has been a while, though.  Or maybe I just did a TCP check to the port to
make sure it was listening, I don't remember.  But if they had the option
not to gen new keys for each health check, it would greatly reduce load on
checks.  That suggestion is probably long down the memory hole at this
point, though.

George



On Sat, Feb 19, 2011 at 11:12 AM, Drew Weaver <drew.weaver at thenap.com> wrote:

> Howdy again,
>
> I hate replying to my own messages but I have made progress =)
>
> It seems that the pings are failing when the health checks are running.
>
> Are healthcks really resource intensive?
>
> (especially ones like this):
>
> healthck node-ssl tcp
>  dest-ip 222.222.222.222
>  port ssl
>  protocol ssl
>  protocol ssl url "GET /test/gif.gif"
>  protocol ssl use-complete
>  l7-check
>
> I noticed that with the above configuration that pings to the switch fail
> quite regularly.
>
> If I add 'interval 30' to the configuration it seems like pings only fail
> once every 30 seconds.
>
> The goal is to not have it fail at all.
>
> Anyone seen this before, know how to fix it?
>
> Thanks,
> -Drew
>
>
> From: foundry-nsp-bounces at puck.nether.net [mailto:
> foundry-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
> Sent: Thursday, February 17, 2011 11:41 AM
> To: foundry-nsp
> Subject: [f-nsp] ServerIron XL hard coded ICMP limit
>
> Does anyone know if there is a hard coded ICMP limit in a ServerIron XL for
> both packets directed at the system and passed through it?
>
> I am having the weirdest issues where ping monitoring a ServerIron XL and
> anything directly connected to the ServerIron XL gets messed up even though
> there is no real reason why on the network.
>
> It is not configured (by me) to have any sort of rate-limit.
>
> Anyone have any thoughts?
>
> -Drew