MVP

WAN Health Check - Required?

Hi,

Running a mobility master environment, I came across the WAN health check service.

Is this something that should be enabled on each mobility device to check the status? Should it be set to UDP and to ping a host like, say, Google DNS (8.8.8.8) to ensure the uplink for each MD is up and able to get out to the internet, or is this not the purpose of this feature?

Thanks

Regular Contributor I

Re: WAN Health Check - Required?

Hi Scott,

The WAN health check feature is used to determine reachability/latency to the master via various WAN links (configured for redundancy).

The main purpose is to let the branch devices know if their master is reachable or not.

There are two modes to verify reachability:

1.) Using Ping probes

2.) Using UDP probes

You can check if they are configured in the running config. The default config looks more or less like the one below:

(A_RAK)#show running-config | include "ip probe"

ip probe "default"
  mode            ping
  burst-size      10
  frequency       10
!

ip probe "health-check"
  mode            udp
  burst-size      10
  frequency       10
!

The major difference between these modes is that for UDP, port 4500 is used, which is usually not blocked, while ICMP may be blocked on a network for security concerns.

You can also verify the reachability using the command "show ip health-check <probe ip>", which gives more details regarding the health of the link.

The Master's public IP is usually configured for the probe.

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.

 

 

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
MVP

Re: WAN Health Check - Required?

Great detail given on this, thank you!

We don't have a public IP set on our master; we have it going across our site-to-site VPNs. The mobility master has created tunnels on port UDP 4500; however, when I tried to set the health check probe mode to UDP, it showed 3 or 4 sites unreachable even though they were still up on the MM and locally.

Regular Contributor I

Re: WAN Health Check - Required?

Hi Scott,

What is the output of the command show ip probe? Are there new health check profiles mapped or are you using the default ones?

This can be checked using the command "show ip health-check".

What is the state of the probe IP in the previous command?

If the state is showing as down, then try issuing the command show ip health-check <ip probe ip address> for a more detailed output.


Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
MVP

Re: WAN Health Check - Required?

Hi,

Show IP probe returns

IP Probe Entries
----------------
Name          Probe Mode  Frequency(in sec)  Retries  Burst size
----          ----------  -----------------  -------  ----------
default       Ping        10                 3        5
health-check  Ping        10                 3        5
data-vpnc     Udp         10                 3        5

show ip health-check <mobility master IP> or <google dns> doesn't return anything

show ip health-check returns

IP Health-check Entries
-----------------------
Probe IP      Src Interface  Vpnc IP  State  Probe-Profile  Avg RTT(in ms)
--------      -------------  -------  -----  -------------  --------------
8.8.8.8       vlan 9                  Up     health-check   5.531
192.168.23.1                          Up     default        0.000

Regular Contributor I

Re: WAN Health Check - Required?

Hi Scott,

For the probe IP 192.168.23.1 the "default" health-check profile is used.

It is by default configured for ping probes.

I see that you have created "data-vpnc" for UDP probes.

Could you try mapping the data-vpnc profile to the probe IP 192.168.23.1?

Also, check to see if the uplink health-feature is enabled/disabled. Issue the command "show uplink" to verify this.

Check to see if the "Uplink Health-check ip" (from the previous command) is showing the expected uplink IP to which the probes are to be sent.

Issue the command "uplink health-check enable" to enable the health check in case it is disabled.


Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
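
The diagnosis in the reply above comes from joining the two posted tables: each probe IP's profile in "show ip health-check" is looked up in "show ip probe" to find the mode actually in use, and any profile mapped to no probe IP is reported. The following Python script is an added example, not part of the thread and not Aruba code; the function names cut, parse_table and audit are hypothetical, and the embedded tables are a constructed copy of the output posted in the thread.

```python
import re

# Constructed sample: the two tables as posted in the thread.
SHOW_IP_PROBE = """\
IP Probe Entries
----------------
Name          Probe Mode  Frequency(in sec)  Retries  Burst size
----          ----------  -----------------  -------  ----------
default       Ping        10                 3        5
health-check  Ping        10                 3        5
data-vpnc     Udp         10                 3        5
"""
SHOW_IP_HEALTH_CHECK = """\
IP Health-check Entries
-----------------------
Probe IP      Src Interface  Vpnc IP  State  Probe-Profile  Avg RTT(in ms)
--------      -------------  -------  -----  -------------  --------------
8.8.8.8       vlan 9                  Up     health-check   5.531
192.168.23.1                          Up     default        0.000
"""

def cut(line, starts):
    """Slice one fixed-width line at the column start offsets."""
    return [line[a:b].strip() for a, b in zip(starts, starts[1:] + [None])]

def parse_table(text):
    """Parse a fixed-width CLI table into dicts; empty cells stay empty."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        runs = list(re.finditer(r"-+", line))
        # The column ruler is the dash-only line with one run per column;
        # the single-run line under the table title is skipped.
        if i > 0 and len(runs) > 1 and not line.replace("-", "").strip():
            starts = [m.start() for m in runs]
            names = cut(lines[i - 1], starts)
            return [dict(zip(names, cut(r, starts))) for r in lines[i + 1:]]
    raise ValueError("no column ruler found")

def audit(probe_text, health_text):
    """Map each probe IP to its profile's mode; list profiles mapped to no IP."""
    modes = {r["Name"]: r["Probe Mode"] for r in parse_table(probe_text)}
    effective, used = {}, set()
    for r in parse_table(health_text):
        profile = r["Probe-Profile"]
        used.add(profile)
        effective[r["Probe IP"]] = {"profile": profile, "state": r["State"],
                                    "mode": modes.get(profile, "unknown")}
    return effective, sorted(set(modes) - used)

if __name__ == "__main__":
    effective, unmapped = audit(SHOW_IP_PROBE, SHOW_IP_HEALTH_CHECK)
    print(effective, "unmapped profiles:", unmapped)
```

On the posted output this reports 192.168.23.1 as probed with Ping through the "default" profile and "data-vpnc" as mapped to no probe IP.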