Forum Discussion
Question about healthchecks
Hello,
We're publishing a quite old server behind an XC load balancer, and to make it work I had to lower "TLS Security Level" to Medium under Origin Pool > TLS.
This works fine, however, without healthchecks. If I enable a simple healthcheck, for example:
Host Header Value = my.hostname
Path = /
I start getting "503 Service Unavailable" errors.
I checked the web server logs on the server and there are no hits, so I suspect the healthcheck uses newer TLS protocols/ciphers, therefore, it fails (as it used to fail when TLS Security Level was set by default to High).
Can TLS protocols/ciphers used by the healthchecks be configured?
And second question, are there any logs that could be enabled for healthchecks?
Thank you.
3 Replies
The XC health checks use the same ciphers that your client traffic uses, so if the client traffic can connect to the test web page without an issue, it is not that. You can stop the health checks and try to connect to the test web page with a browser or Postman through the Virtual server.
Also make sure the correct hostname is configured, and under the health checks maybe stop or enable HTTP/2.
See the links below as well
https://my.f5.com/manage/s/article/K000147503
https://my.f5.com/manage/s/article/K000156742
A quick post on how F5 XC Health Checks are different from BIG-IP | DevCentral
- Teddy_Brewski
Thank you Nikoolayy1
If I disable the healthcheck I can access the web page without any issues.
My case is exactly how it's described in K000156742:
Answer/Recommended Actions
- [Origin Pools][Origin Servers] : IP address
- [Health Check Parameters][Health Check HTTP Request Parameters][Specify Host Header]: Host Header Value (e.g., bbb.example.com)
- Actual Host header in HTTP request : bbb.example.com
Behavior:
If you wish the Host header to contain a specific hostname, you must manually provide it in the "Specify Host Header" setting when your origin is configured with an IP address. This allows requests to pass the proper Host value to your backend.
The origin server is the IP. If I define the healthcheck and specify the hostname (publicly resolvable FQDN), I can't access the web page anymore -- the error is "503 Service Unavailable". I do not see any connection attempts in the web server logs of the backend server.
I don't see any option to configure the HTTP health check's TLS settings (though I could swear it was previously an option). It could be worth exploring meeting in the middle and leveraging instead a TCP health check? You can drop in custom send/receive payloads to do more introspection than a simple connection check (but even that is better than no checking at all).