triage

January 29, 2010

SaaS network diagnostics

Posted by: Eric Siegel

And while I'm on a SaaS chain-of-thought, one final discussion for the day: diagnostics.

What will you do when users at a branch office or out in the field call and complain about SaaS performance? Your operations center needs a structured checklist to follow to quickly manage the incident and isolate it to the responsible party -- a process known as "triage." (See, for example, the Burton Group report "A Framework for Network Incident Management.")

Here's where your SLA key performance indicators, or service level indicators (SLIs) can be useful. Your SaaS provider should be giving you on-line access to their performance as seen by users in their server room, and that's clearly the first checkpoint for the operations staff. If that's in trouble, well, the problem is easy to locate. But if that's OK, then the next step is to look at your service level indicators at your branch offices, especially the branch office that's reporting trouble. If that indicator is in trouble (and that indicator may be a full SaaS web page download time, or it may be only the TCP round-trip time and DNS lookup time for the SaaS provider), then, if you have a solid SLA, you should be able to send that evidence to the SaaS provider and insist on their opening a trouble ticket. It's not really your job to diagnose the problems between your branch office and the SaaS server room; it's the SaaS provider's job. And they probably have more leverage with their Internet service provider (ISP) than you do; they can even demand better peering with the ISP that your branch office is using.

Of course, it may turn out that it's your ISP having internal problems. In that case, you and the SaaS provider may need to explore new ways of connecting to the SaaS server site, through better peering at a point that doesn't encounter the congestion within your ISP, by a direct link to your major offices outside of the Internet, or by your moving to a different ISP for your own access (the threat of doing that might inspire your ISP to upgrade its systems).

Or it may be that it's your user who is having problems with his own browser or with the branch office's internal network; you'll know that because your service level indicators won't see any problems. In that case, it's an incident to be handled by your service desk; there's no need to file a trouble ticket with the SaaS provider. (And your relationship and credibility with your SaaS provider will improve when you're not filing minor reports that turn out to be inside your own system!)

Posted by at 09:33 PM in cloud, Eric Siegel, incident management, triage | | Comments (0) | TrackBack (0)

|

July 31, 2009

Building Applications for the WAN

Posted by: Eric Siegel

Our final session at Catalyst this year was a joint presentation between Network and Telecom Strategies and Richard Watson of Burton Group's Application Platform Strategies group. We talked about how programmers and network engineers can work together to improve application performance and problem diagnosis.

This session was based on the NTS report "Designing Applications for the WAN," which will be updated next week -- so go read it when the update comes out (it's out now!), but there are a two points that came out in the session that I think were rather surprising to us network folks and that should be emphasized here.

First, the applications developers are now using frameworks to enable them to develop applications more quickly. Those application frameworks completely hide ("abstract") the network. For example, an application developer will ask a "method" for a "data object." The developer doesn't even realize that the network is involved, or that there may be some SQL queries used by that method to create the data object. That's why when you have a crisis, and you put Wireshark or a Sniffer on the communications link and show the resulting trace to the developer, he or she has no idea what the heck is going on. I'll say it again: the developer didn't even realize an SQL query was generated by the method request, and has no idea whatsoever what that stuff in the query string, trapped by the trace, really means.

No wonder there's frustration and wasted time in diagnosis! The time has arrived for the network organization, the operations group, and the development organization to cooperate and purchase a diagnostic tool that will trace individual transactions through the production system for diagnosis. (An example is Quest Software's PerformaSure; there are others.) The programmers will understand what they're seeing, the network staff won't need to run around doing Wireshark or Sniffer traces for days on end, and the problem will be handled much more quickly.

And, as the second point, realize that performance is poor because of the "abstraction" of the network layer. The application framework has a lot of parameters that set timeouts, window sizes, buffer sizes, compression, whether to disable the Nagle Algorithm, etc. The programmers understand none of this, so they use the defaults. But the defaults aren't usually set by the vendor to ensure optimum performance; they're set to create the fewest trouble calls to the vendor regardless of the network characteristics. That may not be the optimum setting for your particular situation, and that's why the people who install and set up the framework should talk to the network staff to jointly decide how to set the networking parameters for the networks that the framework will be running over. That'll help quite a bit in creating good performance.

Posted by at 12:30 PM in burtongroupcatalyst09, Catalyst09, Eric Siegel, networks, performance management, performance tuning, system management, triage | | Comments (0) | TrackBack (0)

|

January 06, 2009

Network and Systems Management: VMess

Posted by: Eric Siegel

OK, now I'm worrying about how we're going to manage VMs without losing our minds.

You see, I've been hearing great stories about how there are going to be huge racks of servers containing zillions of VMs: virtual servers, virtual switches, virtual routers, virtual firewalls, virtual performance optimization appliances, virtual everything! And the system will instantly adapt to changing workloads, spawning new, fully-configured servers with their complete environment, along with switches, routers, whatever.

And if a newly-spawned virtual server is too many virtual-router hops away from closely-coupled applications or processes, well, then, that new virtual server will be automatically re-provisioned and re-configured closer to where it should be for minimum latency!

Yes, the entire mass of virtual whatevers is going to be in constant, thrilling motion! Everything is going to be moving around, minute by minute! Total efficiency in hardware utilization! Minimum transport latency! Automation! I just can't wait! It's going to be just totally wonderful!

Until it breaks.

And when it does break (and it will), I don't want to be the miserable technician trying to figure out where everything was when that transaction failed, trying to track down precisely what subtle interaction of data flow, firewall, optimization device, VLAN, switch... you get the picture... was the source of the difficulty.

It'll be like yelling "STOP!" six hours too late at a frenzied set of hyperactive squirrels loaded on caffeine and springing among the trees while chattering at each other. Now, where were they six hours ago, when the problem occurred? All the actors in the drama will have melted into thin air. I'll bet the guilty one won't even be there any more; he appeared, messed something up, and then vanished into the virtual fabric, leaving just the rack behind.

What will the vendors give us? Probably only the assurance that the virtual servers and switches and routers will have virtual MIBs, just like the real ones. But I know where the real ones are, and I can put my hand on them and monitor them. What happens if a virtual switch appears, switches a gigabyte or two, and then vanishes -- poof! -- inside of a minute? Where did it go? What did it do while it was alive? We'll be MIB-less in the fabric, without any vision.

I can already see a rule I'd like to impose on this mess, which will tie in with the "triage-based incident management" discussed in my post "Network and Systems Management: Over the Edge." It's this:

"Just because a production group can create a maze of unmeasured real and virtual servers, network components, and interconnections that change from one minute to the next is no reason it should. Edsger Dijkstra wrote a famous letter to the editor titled 'GO TO Considered Harmful' (Communications of the ACM, August 1968) in which he made the case for more program structure and less intertwined process flow. The same applies to IT infrastructure." [This is from my new Burton Group paper, "Using Network Management Platforms for Triage-Based Incident Management."]

I'll bet we network folks are going to be stuck in the middle of this VMess, and a miserable place it will be. We'd better start figuring out how we're going to handle it when incidents occur. And I think that triage orientation, with clearly-defined diagnostic domains and rules to ensure that the virtual servers providing a service are all grouped within the same domain, where we can evaluate them as a group with active measurement techniques, is a good place to start.

Posted by at 12:14 AM in data center network, Eric Siegel, governance, incident management, network management, performance management, performance monitoring, Server OS, SOA, system management, triage, virtualization | | Comments (1) | TrackBack (0)

|

January 05, 2009

Cisco the Computer Company, Act II

Posted by: Eric Siegel

Yes! Cisco is indeed becoming a computer company, as I originally blogged a year ago in "Cisco the Computer Company." (Go look at it!) A little while ago (sorry, late blog entry), I went to the annual Cisco analyst's conference, and it was full of further progress towards making the network into the backplane for a distributed multi-server computer system -- in effect, they're re-creating the Tandem Computers (HP) Integrity NonStop backplane in a heterogeneous server environment.

Just look at what they're doing or planning to do:

  • Lossless, extremely-low-latency transport ("lossless Ethernet" and cut-through switching, similar to NonStop's ServerNet low-latency inter-processor buses with "wormhole" switching)
  • Positive identification of network users and of individual transactions, along with accurate timestamps. (Great for system audit and diagnosis in a message-based distributed server system)
  • Standard API for talking to the network, asking for specific services and learning the identities, locations, and more about other network users.

With a secure, reliable "backplane" of the Cisco network, other manufacturers' servers and appliances could create a mesh of message-based services. And Cisco would provide the common, platform-independent transport API, integrating them all into one high-performance, secure fabric and, at the same time, handling data compression, transport performance optimization, and the measurement and diagnostic taps and tools needed to trace the performance of individual transactions or other interactions through the production system.

The big question, of course, is how this integrates with OS efforts from the computer system vendors, such as VMware and Microsoft, and with transaction monitors. Where is the line between the reliable, secure, "deliver the message exactly once" transport, and the higher-level OS functions? I'm very interested to see how this evolves!

Posted by at 11:11 PM in Cisco, data center network, Eric Siegel, incident management, Server OS, SOA, system management, triage | | Comments (0) | TrackBack (0)

|

December 13, 2008

Network and Systems Management: Over the Edge!

Posted by: Eric Siegel

This is the first of what will be a series of discussions on management of complex networks and systems, a problem that's confronting us all. Before I became an analyst, I spent years in freezing server rooms in the middle of crises, listening to lots of threats ("If you don't fix it fast we're going to ...") and gobbling lots of free pizza.

And those were the "good old days"; now, things are worse. Everything is more real-time; networks, appliances, servers, and distributed applications are more intertwined; network and data flow topologies are out of control; nothing is stable; it's almost impossible to reproduce the production system in a test environment. And yet we're expected to detect incidents and repair them as soon as they occur, if not sooner.

It's a nightmare. We have to get a solid grip on how to manage this mess, or we're all doomed to even more stress and stale pizza and late nights.

So let's see if we can come up with a scheme that makes our lives easier without being too expensive or impossible to implement.

I'd like to start by discussing triage-based incident management, which I've been working on and writing about for a few years now. It seems, at least to me, to be a decent alternative to the classical strategy of spending staggering amounts of money on system monitoring solutions that measure everything that's easily measured (and for which the vendor can bill licensing fees!), then hoping that an expensive "expert system" will somehow sort through that overwhelming flood of data to understand what is going on and assist the operations staff.

Triage-based incident management is based on rapid incident classification, and the basic idea is to find out where the problems are and which group is responsible for them—and then to turn the incident over to the responsible group, with sufficient credible evidence to quash any attempts at finger-pointing. The first goal is to determine the seriousness of the incident; the second is to decide which specialist group should handle it.

Incident classification is based on measuring the service delivered across the boundaries of clearly-defined subsystems, such as DNS, queries to back-end databases, transport across network backbones, and transit time through firewalls and load balancer subsystems. It looks primarily at services delivered, not at individual element measurements such as CPU time and queue length.

For incident classification to work well, clear demarcation points need to be identified at the boundaries between responsibility domains, and there should be easily-understood, credible, real-time measurements of the services being delivered across those boundaries. For example, the service desk can instantly see that DNS response time has suddenly jumped to 30 seconds, or that transit time across a critical VLAN has tripled (or the VLAN has vanished entirely!). They'll then know that they have to call the DNS people or the people responsible for the VLAN. They won't know why the service is failing, but they will be able to prove, in a few seconds, that there really are problems and they'll know the appropriate group to handle the issue.

In actual use, the service desk uses end-to-end performance metrics, such as total transaction response time or VoIP voice quality, to detect incidents, then uses other service measurements to instantly sort the incident into one of three groups:

  • A well-known incident with a standard fix (e.g., reboot the server that runs some packaged software that hangs occasionally and that seems to restart without any further problems)
  • A new incident that clearly is being caused by problems in a single "responsibility domain" (e.g., a DNS problem is slowing down all transactions, or a slow identity database response is slowing all new logons, so it's obvious which responsible organization gets the trouble ticket)
  • A new incident that doesn't clearly fall into a responsibility domain (e.g., some subtle interaction among system elements is causing a confusing set of symptoms; diagnostic procedures should be started and higher-level diagnosticians should be notified)

Within each responsibility domain there can be additional, lower level "diagnostic domains" with the same types of clearly-defined demarcation boundaries and measurements to assist in rapid isolation of the incident to a particular subsystem.

In effect, all this is just what I call "pre-planning your next meltdown." After all, what do we do when we're confronted with a major crisis in the server room (after the obligatory freakout and power-cycling of every box we can find, of course)? We typically start putting in measurements or trying to find existing measurements to isolate the problem to a subsystem. Although we usually don't know what the performance is like when the thing is working, we can guess that response time is not some insanely-long value.

What we're doing with triage-based incident management is just pre-designing the measurements we'll use to diagnose system problems, but we're doing it early, so we can get the benefit of a baseline when the thing actually fails, and we don't have to do it while listening to threats from top management.

Well, that's a start. I'm going to keep writing on this topic, and I'd love to see your comments. What are YOU doing to manage the mess?  Does triage-based incident management seem reasonable?

(Burton Group subscribers, see: "A Framework for Network Incident Management" and the 2007 Catalyst conference presentation "Pre-Plan Your Next Network Meltdown" for much longer discussions of these ideas.)

Posted by at 02:08 PM in Eric Siegel, incident management, KPI, network management, networks, performance management, performance measurement, performance monitoring, system management, triage | | Comments (1) | TrackBack (0)

|

  • Burton Group Free Resources Stay Connected Stay Connected Stay Connected Stay Connected

Categories


Read more Burton Group blogs

Archives

More...

About

Blog powered by TypePad