Configuring Rapid-Fail Protection

Applies To: Windows Server 2003, Windows Server 2003 with SP1

When a worker process fails, the WWW service detects the failure and takes action, such as logging the event and restarting the process. You can also configure IIS so that if a worker process fails multiple times within a specified time period, its application pool is disabled to protect other application pools that are running on the same computer. This feature, known as rapid-fail protection, keeps application pools from entering a continuous cycle of failing and restarting, which consumes system resources.

The WWW service shuts down an application pool when the number of worker process failures in that pool equals or exceeds the rapid-fail protection (RFP) limit within the RFP time interval (for example, five failures in five minutes). The WWW service detects a failure whenever:

  • A worker process does not start within the startup time limit.

  • A worker process does not shut down within the shutdown time limit.

  • A worker process shuts itself down because of a fatal error and sends the WWW service an error code.

  • A worker process fails to respond to a ping message.

  • The WWW service detects that a worker process is sending non-standard communications (the worker process may have been taken over).

Rapid-fail protection places the disabled application pool in out-of-service mode, and HTTP.sys returns a 503 error (Service Unavailable) message for requests to that portion of the namespace, including requests that have already been queued for the disabled application pool. In addition, you can configure IIS so that when an application pool is stopped automatically, a specified action occurs, such as running a debugger or notifying the administrator that the application pool has stopped.

Note

Alternatively, HTTP.sys can reset the connection instead of returning a 503 error, depending on how the LoadBalancerCapabilities property of the application pool is configured. However, if a single computer hosts multiple applications, be sure to configure load balancers or switching hardware to reroute only the traffic intended for a failed application pool. Do not route requests away from healthy application pools, which can still receive and process requests.

The rapid-fail protection feature is unavailable when IIS 6.0 is running in IIS 5.0 isolation mode. For more information about configuring rapid-fail protection, see Configuring Rapid-Fail Protection in IIS 6.0.
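
The following script is an added example, not part of the original page or of Microsoft's samples. It audits the rapid-fail protection settings of every application pool through the IIS ADSI provider and can optionally enable the feature where it is off. Apart from LoadBalancerCapabilities, the property names used are IIS 6.0 metabase properties that this page does not name; the file name and the threshold of five failures in five minutes (taken from the page's example) are assumptions.

```vbscript
' Added example: audit rapid-fail protection (RFP) on each application pool.
' Run on the IIS 6.0 server itself: cscript //nologo rfp-audit.vbs
' (rfp-audit.vbs is a hypothetical file name.)
Option Explicit

Const APPLY_FIX = False         ' set to True to enable RFP where it is off
Const MAX_CRASHES = 5           ' assumption: the page's example of five failures ...
Const INTERVAL_MINUTES = 5      ' ... within five minutes
Const POOL_STOPPED = 4          ' AppPoolState value for a stopped pool

Dim pools, pool, action
Set pools = GetObject("IIS://localhost/W3SVC/AppPools")

For Each pool In pools
    If pool.Class = "IIsApplicationPool" Then
        WScript.Echo "Pool: " & pool.Name
        WScript.Echo "  RapidFailProtection           = " & pool.RapidFailProtection
        WScript.Echo "  RapidFailProtectionMaxCrashes = " & pool.RapidFailProtectionMaxCrashes
        WScript.Echo "  RapidFailProtectionInterval   = " & pool.RapidFailProtectionInterval & " min"
        ' 1 = HTTP.sys resets the connection, 2 = HTTP.sys returns a 503 error
        WScript.Echo "  LoadBalancerCapabilities      = " & pool.LoadBalancerCapabilities

        ' Action to run when the pool is stopped automatically (debugger, notifier)
        action = "" & pool.AutoShutdownAppPoolExe
        If action = "" Then action = "(none configured)"
        WScript.Echo "  AutoShutdownAppPoolExe        = " & action

        If pool.AppPoolState = POOL_STOPPED Then
            WScript.Echo "  NOTE: pool is stopped; requests to it are refused"
        End If

        If Not pool.RapidFailProtection Then
            WScript.Echo "  WARNING: rapid-fail protection is disabled"
            If APPLY_FIX Then
                pool.RapidFailProtection = True
                pool.RapidFailProtectionMaxCrashes = MAX_CRASHES
                pool.RapidFailProtectionInterval = INTERVAL_MINUTES
                pool.SetInfo    ' write the changes to the metabase
                WScript.Echo "  FIXED: enabled with " & MAX_CRASHES & _
                             " failures in " & INTERVAL_MINUTES & " min"
            End If
        End If
    End If
Next
```

Leave APPLY_FIX set to False for a read-only audit. The settings only take effect in worker process isolation mode, because rapid-fail protection is unavailable in IIS 5.0 isolation mode.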