Forum Discussion
ADFS 3.0 Monitor not working
Hi All,
I have been tussling with this for a couple of days now. I have followed the links http://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf and https://devcentral.f5.com/articles/big-ip-and-adfs-part-5-working-with-adfs-30-and-sni with no success. I have uploaded the script and set the variables, but I still get the monitor down. When I browse directly to the server I am able to get to the sign-in page, so I know at least the ADFS configuration is correct. Below is the script I am using:
```bash
#!/bin/sh
# These arguments are supplied automatically for all external monitors:
#   $1 = IP (nnn.nnn.nnn.nnn notation)
#   $2 = port (decimal, host byte order)
#
# This script expects the following Name/Value pairs:
#   SNI  = the host name of the SNI-enabled site
#   URI  = the URI to request
#   RECV = the expected response
#
# Remove the IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=$(echo "${1}" | sed 's/::ffff://')

# [[ ... =~ ... ]] is a bash construct (on BIG-IP, /bin/sh is bash)
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    # node is v4
    NODE=${NODE}
else
    # node is v6: bracket it so curl --resolve can parse host:port:address
    NODE=[${NODE}]
fi
PORT=${2}

PIDFILE="/var/run/$(basename "${0}").sni_monitor_${SNI}_${PORT}_${NODE}_sni.pid"

# Kill the last instance of this monitor if it is still running (hung), then record the current pid
if [ -f "$PIDFILE" ]; then
    echo "EAV exceeded runtime needed to kill ${SNI}:${PORT}:${NODE}" | logger -p local0.error
    kill -9 "$(cat "$PIDFILE")" > /dev/null 2>&1
fi
echo "$$" > "$PIDFILE"

# --resolve pins ${SNI}:${PORT} to the pool member address, so the request goes to the
# node being monitored while the TLS handshake still carries ${SNI} in the SNI extension.
# "2>&1 > /dev/null" feeds curl's verbose output (stderr, which carries the
# "< HTTP/1.1 200 OK" status line) to grep and discards the response body.
curl-apd -k -v --resolve "${SNI}:${PORT}:${NODE}" "https://${SNI}${URI}" 2>&1 > /dev/null | grep -i "${RECV}"
STATUS=$?
rm -f "$PIDFILE"

if [ $STATUS -eq 0 ]; then
    echo "UP"
fi
exit
```
The variables are: SNI = sso.mysite.com, URI = adfs/ls/idpinitiatedsignon.htm, RECV = HTTP/1.1 200
Please assist if you can.
Thanks!
- mikeshimkus_111 (Historic F5 Account)
Hi, the iApp and deployment guide were updated to correct a syntax error in the monitor script:
https://devcentral.f5.com/wiki/iApp.Microsoft-Active-Directory-Federation-Services-iApp.ashx
Your curl command should be:
```bash
curl-apd -k -v --resolve $HOST:$PORT:$NODE https://$HOST$URI | grep -i "${RECV}" 2>&1 > /dev/null
```
- Joseph_Johnson_Nimbostratus
So I redeployed from the newest iApp, 1.0.0rc3, and I'm still getting the nodes marked as down. Are there any other configurations that you need me to show here?
- Joseph_Johnson_Nimbostratus
One other thing to note: I am using a hosts file on my local PC to test SSO since it is not in production. Is there a chance the F5 is using a DNS server when doing checks for the SSO URI in the health monitor? The current ADFS in place is 2.0; the new config which I am testing is 3.0.
- mikeshimkus_111 (Historic F5 Account)
A good first troubleshooting step is to run the monitor's curl command from the BIG-IP command line and see what response you are getting from the server, for example:
```bash
curl-apd -k -v --resolve sso.mysite.com:443:192.168.1.100 https://sso.mysite.com/adfs/ls/idpinitiatedsignon.htm
```
AFAIK, the curl --resolve option bypasses the box's DNS and local hosts file. You could try adding a host entry to BIG-IP, just in case.
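As an added example (not code from the thread or from F5's deployment guide), the following script performs the same SNI-aware check with the standard curl binary's --resolve option rather than BIG-IP's curl-apd, so it can be run from any Linux host to compare against what the BIG-IP sees. The host name sso.example.com, the address 192.0.2.10 and the captured verbose transcript are constructed for illustration. The response-matching step is split out so it can be exercised on a captured curl -v transcript without a live ADFS server, and the comment on the redirection order is the first thing to check when a monitor that should match a status line never does.

```shell
#!/bin/sh
# Added example, not part of the original thread or the F5 iApp.
# SNI-aware HTTPS health check modelled on a BIG-IP external monitor:
# prints "UP" on a match and nothing otherwise.

# Evaluate a captured "curl -v" transcript (read from stdin) against the
# expected pattern, e.g. "HTTP/1.1 200". Exit 0 and print UP on a match.
evaluate_response() {
    recv="$1"
    if grep -i -- "$recv" >/dev/null; then
        echo "UP"
        return 0
    fi
    return 1
}

# Run the live probe against one pool member.
#   host  = name the client uses (goes into SNI and the Host header)
#   node  = pool member IP to test; --resolve pins host:port to it, so
#           neither DNS nor /etc/hosts is consulted for the connection
# Redirection order matters: "2>&1 >/dev/null" sends curl's verbose output
# (stderr, where the "< HTTP/1.1 200 OK" status line appears) down the pipe
# and discards the body (stdout). Writing ">/dev/null 2>&1" instead would
# discard the headers too, and the pattern could never match.
sni_probe() {
    host="$1"; port="$2"; node="$3"; uri="$4"; recv="$5"
    curl -k -s -v --max-time 5 \
         --resolve "${host}:${port}:${node}" \
         "https://${host}${uri}" 2>&1 >/dev/null | evaluate_response "$recv"
}

# Constructed sample of what "curl -v" writes to stderr for a healthy
# ADFS sign-on page (illustrative values, not captured from a real server).
SAMPLE_VERBOSE='* Connected to sso.example.com (192.0.2.10) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate: sso.example.com
> GET /adfs/ls/idpinitiatedsignon.htm HTTP/1.1
> Host: sso.example.com
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8'

# Offline check of the matching logic on the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_VERBOSE" | evaluate_response "$1"
}

result=$(check_sample 'HTTP/1.1 200')
echo "offline check against constructed sample: ${result:-DOWN}"
# Live use (needs network reachability to the node being tested):
#   sni_probe sso.example.com 443 192.0.2.10 /adfs/ls/idpinitiatedsignon.htm 'HTTP/1.1 200'
```

Running the live probe from the BIG-IP shell, or from any host that can reach the pool member, shows exactly which status line the ADFS server returns for the pinned host name; if it is a 302 or a 4xx rather than 200, the monitor's RECV string is what needs adjusting, not the script.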
- Joseph_Johnson_Nimbostratus
Looks like the problem could be with the curl command. When I run it, I get "-bash: curl-apd: command not found". Sorry, I'm a little bit new to Linux commands; do I have to install it first?
- mikeshimkus_111 (Historic F5 Account)
Which version of BIG-IP are you running?
- Joseph_Johnson_Nimbostratus
BIG-IP 11.3.0 Build 3144.0 Hotfix HF8
- mikeshimkus_111 (Historic F5 Account)
Unfortunately, curl-apd is required to do the SNI monitor, and is only available in BIG-IP v11.4.1 and later. This is documented in the deployment guide in the versions table. The iApp is incorrect in that it should either only support those later versions, or it should not offer ADFS 3.0 support for earlier versions. In this case, you will need either to upgrade BIG-IP to 11.4.1 or to use a TCP monitor. We'll get that corrected in the next release. Sorry for the inconvenience.
- Joseph_Johnson_Nimbostratus
I ended up using a TCP monitor so we can go ahead and finish up the SSO configuration; I will be upgrading the F5s to version 11.6 in the immediate future. Thanks for your help!
- Richie_T__24511 (Nimbostratus)
I am on 11.3 and attempting to load balance ADFS 3.0. Obviously, I wasn't having luck with the SNI monitor, so I configured a TCP monitor until we can upgrade to >11.4.1. I am still having issues, however. My nodes will appear online for a period of time and everything seems fine. Then they will go offline for a while, then back online again. Does anyone have any suggestions? Thanks