In-band health checks are performed with each user request. Failing checks are tracked with a sliding average over the last 20 seconds, calculating the current failure rate. One single request can only impact the failure rate by a maximum of 5%. If more than 10% of the requests within that 20 seconds time window fail, Airlock Gateway marks the corresponding back-end server as "bad". If available, a spare back-end will now be brought on-line and take over traffic from the bad back-end. If no out-of-band health checks are configured, Airlock Gateway will then still send a small number of requests to a bad back-end server. If such a request still fails, it will then be diverted to a good back-end. As soon as one of those probe requests returns successfully, the back-end is set to "good" and will again be served normally. If a spare had been brought on-line previously, it will now be set to receive no further new sessions, but will still receive all traffic for its existing sessions. It is highly recommended to enable out-of-band health checks in order to avoid that any end-user requests are being sent to bad back-end servers.
Note: Connection-level errors such as connection timeouts and handshake failures will still mark back-end systems as "bad" even if "In-band Checks" are disabled.