In server load balancing deployments, the system uses health checks to poll the members of the real server pool to test whether an application is available. You can also configure additional health checks to poll related servers, and you can include results for both in the health check rule. For example, you can configure an HTTP health check test and a RADIUS health check test. In a web application that requires user authentication, the web server is deemed available only if the web server and the related RADIUS server pass the health check.
In link load balancing deployments, the health check can poll either the ISP link group member itself or a “beacon” server that is deployed on the other side of the ISP link. A beacon is an IP address that must be reachable in order for the link to be deemed available. A beacon can be any IP address, such as a main office, core router, or virtual server at another data center.
If you expect a backend server to be unavailable for a long period, such as when it is undergoing hardware repair, is experiencing extended downtime, or has been removed from the server farm, you can improve the performance of the FortiADC system by setting the status of the pool member to Disabled, rather than allowing the system to continue to attempt health checks.
Table 81 describes the predefined health checks. You can get started with these or create custom objects.
Predefined | Description |
---|---|
LB_HLTHCK_HTTP | Sends a HEAD request to the server port 80. Expects the server to return an HTTP 200. |
LB_HLTHCK_HTTPS | Sends a HEAD request to the server port 443. Expects the server to return an HTTP 200. |
LB_HLTHCK_ICMP | Pings the server. |
LB_HLTHCK_TCP_ECHO | Sends a TCP echo to server port 7. Expects the server to respond with the corresponding TCP echo. |
Before you begin:
After you have configured a health check, you can select it in the SLB server pool, LLB link group, or GLB server configuration.
You can clone a predefined configuration object to help you get started with a user-defined configuration. To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.
Settings | Guidelines |
---|---|
General | |
Name | Configuration name. Valid characters are After you initially save the configuration, you cannot edit the name. |
Destination Address Type | |
Destination Address | IP address to send health check traffic to. In server load balancing deployments, if you do not specify an IP address, the real server IP address is used. You might configure an IP address for a health check if you are configuring a combination of health checks to poll related servers. In link load balancing deployments, if you do not specify an IP address, the destination IP address is the address of the gateway. You can configure an IP address if you want to test connectivity to a beacon on the other side of the gateway, or if you want to test whether service traffic is allowed to pass through the link. |
Hostname | For HTTP or HTTPS health checks, you can specify the hostname (FQDN) instead of the destination IP address. This is useful in VM environments where multiple applications have the same IP address. |
Interval | Seconds between each health check. Should be more than the timeout to prevent overlapping health checks. The default is 10. |
Timeout | Seconds to wait for a reply before assuming that the health check has failed. The default is 5. |
Up Retry | Attempts to retry the health check to confirm server availability. The default is 1. |
Down Retry | Attempts to retry the health check to see if a down server has become available. The default is 1. |
ICMP | |
No specific options | Simple ping to test connectivity. |
TCP / TCP Half Open / TCP SSL / UDP | |
Port | Listening port number of the backend server. Usually HTTP is 80, FTP is 21, DNS is 53, POP3 is 110, IMAP4 is 143, RADIUS is 1812, and SNMP is 161. |
Local Cert | For TCP SSL only. Click the down arrow and select a local SSL Health Check Client certificate from the list menu. The certificate titled "Factory" is the default certificate shipped with your FortiADC. The rest, if any, are the custom certificates that you have created. |
HTTP/HTTPS | |
Port | Listening port number of the backend server. Usually HTTP is 80. If testing an HTTP proxy server, specify the proxy port. |
Local Cert | For HTTPS only. See TCP / TCP Half Open Connection / TCP SSL / UDP above. |
HTTP CONNECT | If the real server pool members are HTTP proxy servers, specify an HTTP CONNECT option: See the FortiADC Deployment Guide for FortiCache for an example that uses this health check. |
Remote Host | If you use HTTP CONNECT to test proxy servers, specify the remote server IP address. |
Remote Port | If you use HTTP CONNECT to test proxy servers, specify the remote server port. |
Method Type | HTTP method for the test traffic: |
Send String | The request URL, such as /contact.php. |
Receive String | A string expected in return when the HTTP GET request is successful. |
Status Code | The health check sends an HTTP request to the server. Specify the HTTP status code in the server reply that indicates a successful test. Typically, you use status code 200 (OK). Other status codes indicate errors. |
Match Type | What determines a failed health check? Not applicable when using HTTP HEAD. HTTP HEAD requests test status code only. |
DNS | |
Domain Name | The FQDN, such as www.example.com, to use in the DNS A/AAAA record health check. |
Address Type | |
Host Address | IP address that matches the FQDN, indicating a successful health check. |
RADIUS / RADIUS Accounting | |
Port | Listening port number of the backend server. Usually RADIUS is 1812 and RADIUS accounting is 1813. |
Username | User name of an account on the backend server. |
Password | The corresponding password. |
Password Type | |
Secret Key | The secret set on the backend server. |
NAS IP Address | NAS IP address RADIUS attribute (if the RADIUS server requires this attribute to make a connection). |
SIP / SIP-TCP | |
SIP Request Type | Specify the SIP request type to be used for health checks: |
Status Code | The expected response code. If not set, response code 200 is expected. Specify 0 if any reply should indicate the server is available. |
SMTP | |
Port | Listening port number of the backend server. Usually SMTP is 25. |
Domain Name | The FQDN, such as www.example.com, to use in the SMTP HELO request used for health checks. If the response is OK (250), the server is considered up. If there is an error response (501) or no response at all, the server is considered down. |
POP3 | |
Port | Listening port number of the backend server. Usually POP3 is 110. |
Username | User name of an account on the backend server. |
Password | The corresponding password. |
IMAP4 | |
Port | Listening port number of the backend server. Usually IMAP4 is 143. |
Username | User name of an account on the backend server. |
Password | The corresponding password. |
Folder | Select an email mailbox to use in the health check. If the mailbox does not exist or is not accessible, the health check fails. The default is INBOX. |
FTP | |
Port | Listening port number of the backend server. Usually FTP is 21. |
User name | User name of an account on the backend server. |
Password | The corresponding password. |
File | Specify a file that exists on the backend server. Path is relative to the initial login path. If the file does not exist or is not accessible, the health check fails. |
Passive | Select this option if the backend server uses passive FTP. |
SNMP | |
Port | Listening port number of the backend server. Usually SNMP is 161 or 162. |
CPU % | Maximum normal CPU usage. If overburdened, the health check fails. |
Memory % | Maximum normal RAM usage. If overburdened, the health check fails. |
Disk % | Maximum normal disk usage. If the disk is too full, the health check fails. |
Agent type | |
Community | Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail. |
Version | SNMP v1 or v2c. |
SNMP-Custom | |
Port | Listening port number of the backend server. Usually SNMP is 161 or 162. |
Community | Must match the SNMP community string set on the backend server. If this does not match, all SNMP health checks fail. |
Version | SNMP v1 or v2c. |
OID | String specifying the OID to query. |
Value Type | Abstract syntax notation (ASN) value type: |
Compare Type | |
Counter Value | Specify the value for the evaluation. |
SSH | |
Port | Listening port number of the backend server. Usually SSH is 22. |
Username | Username for test login. |
Password | Corresponding password. |
L2 Detection | |
No specific options | Link Layer health checker. Sends ARP (IPv4) or NDP (IPv6) packets to test whether a physically connected system is available. |
In SLB deployments, a health check port configuration specifying port 0 acts as a wildcard. The port for health check traffic is imputed from the real server pool member. In LLB and GLB deployments, specifying port 0 is invalid because there is no associated configuration to impute a proper port. If your health check port configuration specifies port 0, you will not be able to use it in an LLB or GLB configuration.
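
The guidelines above contain three constraints that are easy to miss when one health check is reused across deployments: the interval should exceed the timeout, port 0 is valid only in SLB, and HTTP HEAD tests the status code only. The Python check below is an added example, not FortiADC code; the `HealthCheck` model, its field names and the finding identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HealthCheck:
    """Hypothetical model of one health check; fields mirror the settings table."""
    name: str
    type: str                             # "icmp", "tcp", "http", "https", ...
    interval: int = 10                    # seconds (documented default)
    timeout: int = 5                      # seconds (documented default)
    port: Optional[int] = None
    method: Optional[str] = None          # "head" or "get", HTTP/HTTPS only
    receive_string: Optional[str] = None
    used_in: Tuple[str, ...] = ("slb",)   # any of "slb", "llb", "glb"


def lint(check: HealthCheck) -> List[str]:
    """Return an identifier for each guideline the check violates."""
    findings = []
    # Interval should be more than the timeout, otherwise probes overlap.
    if check.interval <= check.timeout:
        findings.append("interval-not-greater-than-timeout")
    # Port 0 is a wildcard in SLB only; LLB/GLB have no member port to impute.
    if check.port == 0 and any(d in ("llb", "glb") for d in check.used_in):
        findings.append("port-0-outside-slb")
    # HEAD tests the status code only, so a receive string is never matched.
    if (check.type in ("http", "https") and check.method == "head"
            and check.receive_string):
        findings.append("receive-string-ignored-with-head")
    return findings


def lint_all(checks: List[HealthCheck]) -> Dict[str, List[str]]:
    """Map each check name to its findings, leaving out clean checks."""
    return {c.name: f for c in checks if (f := lint(c))}


# Constructed sample definitions, not exported from a real device.
SAMPLE = [
    HealthCheck("web-head", "http", port=80, method="head"),
    HealthCheck("web-slow", "http", interval=5, timeout=5, port=80,
                method="head", receive_string="OK"),
    HealthCheck("beacon-tcp", "tcp", port=0, used_in=("slb", "llb")),
    HealthCheck("wildcard-tcp", "tcp", port=0, used_in=("slb",)),
]

if __name__ == "__main__":
    print(lint_all(SAMPLE))
```

A check that silently never matches its receive string, or whose probes overlap, can report a degraded server as available, so these findings are worth reviewing before the object is attached to a pool or link group.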