24.2 Monitoring the SSL VPN Server Health

The health status of the SSL VPN server can be monitored by using the heartbeat URL. The heartbeat URL uses the DNS name of the SSL VPN server as follows:

https://<SSLVPN DNS NAME>/sslvpn/heartbeat

L4 switches require you to use the IP address rather than the DNS name. If the IP address of the SSL VPN Server is 10.10.16.50, and you have configured it for HTTPS, the heartbeat URL is:

https://10.10.16.50:8443/sslvpn/heartbeat

You must configure the L4 switch to use this heartbeat URL for its health check. If you have configured SSL on the SSL VPN servers and your L4 switch can perform an SSL L7 health check, you can use the HTTPS URL. A healthy server answers the SSL L7 health check with status 200 OK; any other status code indicates an unhealthy state.

For a Foundry* switch, the L7 health check script string should look similar to the following when the hostname is sslvpn1 and the IP address is 10.10.16.50:

healthck sslvpn1ssl tcp
  dest-ip 10.10.16.50
  port ssl
  protocol ssl
  protocol ssl url "GET /sslvpn/heartbeat HTTP/1.1\r\nHost: st160.lab.tst"
  protocol ssl status-code 200 200
  l7-check

If your switch does not support an SSL L7 health check, the HTTPS URL returns an error, usually a 404 error. Because the SSL VPN Server heartbeat URL listens on both HTTPS and HTTP, you can use an HTTP URL for switches that do not support the SSL L7 health check. For example:

http://10.10.16.50:8080/sslvpn/heartbeat

An Alteon switch does not support the L7 health check, so the string for the health check should look similar to the following:

open 8080,tcp
send GET /sslvpn/heartbeat HTTP/1.1\r\nHOST:heartbeat.lab.tst \r\n\r\n
expect HTTP/1.1 200
close
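As an added example (not part of the Access Manager documentation), the following Python probe performs the same heartbeat check from a monitoring host, using the /sslvpn/heartbeat path, the 8443 and 8080 ports and the "200 only" rule described above; the cafile parameter and the helper names are assumptions, and the 10.10.16.50 address is the one used in the text.

```python
"""Probe the SSL VPN heartbeat URL the way an L4 switch health check does.

Added example, not code from the Access Manager documentation. Only HTTP 200
counts as healthy; any other status, a timeout, a TLS failure or a refused
connection is reported as unhealthy, which is how the switch treats it.
"""
import http.client
import ssl

HEARTBEAT_PATH = "/sslvpn/heartbeat"


def classify_status(status):
    """Switch rule from the text: 200 is healthy, every other code is not."""
    return "healthy" if status == 200 else "unhealthy"


def parse_status_line(raw):
    """Read the numeric status from a raw HTTP response, as an Alteon
    'expect HTTP/1.1 200' script would. Returns None for a bad status line."""
    first = raw.split("\r\n", 1)[0]
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def probe(host, port=8443, use_tls=True, timeout=5.0, cafile=None):
    """Send GET /sslvpn/heartbeat and return (state, detail).

    cafile is an assumed parameter: a CA bundle for verifying the server
    certificate, so the monitor does not accept an impostor as healthy.
    Connection problems are folded into 'unhealthy' rather than raised.
    """
    try:
        if use_tls:
            ctx = ssl.create_default_context(cafile=cafile)  # verifies the cert
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", HEARTBEAT_PATH, headers={"Host": host})
        status = conn.getresponse().status
        conn.close()
        return classify_status(status), "HTTP %d" % status
    except (OSError, http.client.HTTPException) as exc:  # covers TLS, timeout, refused
        return "unhealthy", type(exc).__name__


if __name__ == "__main__":
    print(probe("10.10.16.50"))                          # HTTPS on 8443, as in the text
    print(probe("10.10.16.50", 8080, use_tls=False))     # HTTP fallback on 8080
```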