Tabish_Mirza_12
Feb 19, 2014

default https health monitor showing down

We have webseal servers running the 443 service. We created a pool with two members (webseal servers) on port 443. We have attached the default https health monitor but the pool shows down. We can telnet to the pool members on port 443 without any issue. I suspect it can be a send string issue.

Please advise

 

4 Replies

  • As Jonathan said, a capture is probably your best troubleshooting tool here. Because this is SSL traffic though, you'll likely need SSLDUMP.

    ssldump -k [path to server's private key] -AdNn -i 0.0 port 443 [additional filters]
    

    You need a local copy of the web server's private key to be able to decrypt the data. The [additional filters] section is optional and would allow you to specify additional options to focus the capture (ex. "and host x.x.x.x and host x.x.x.x").

    Another great tool you can use is cURL. This is a command line web browser that you can use directly from the F5 shell:

    curl -k -v https://x.x.x.x
    

    where -k tells it to ignore SSL errors, -v is verbose output, and https://x.x.x.x is the address of the web server. If you can get this request to work, then you could basically take everything that curl produces in the request, replace line feeds with "\r\n" characters, and put that in your HTTPS monitor (followed by "\r\n\r\n"). If it's by chance an SSL-related issue, the SSLDUMP should show you that.

  • Hamish

    Does webseal do HTTP/0.9 requests? (Been a while, but IIRC it requires a minimum of HTTP/1.0).

     

    Create a new HTTPS monitor that does HTTP/1.0 and try that.

     

    H

     

  • To closely approximate the cURL request, you might do something like this:

    GET / HTTP/1.1\r\nHost: 172.168.120.22\r\nAccept: */*\r\n\r\n
    

    And then your receive string could be anything that you want to see in the response. I'd start with no receive string just to make sure your request is being well received. Then if it works, you could use, at a minimum, "200".
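The conversion the replies describe (take the request lines from `curl -v`, join them with "\r\n", end with "\r\n\r\n") as an added example that is not part of any reply in the thread. The sample curl output is constructed, the function names are hypothetical, and dropping the User-Agent header is a choice made here so the result matches the send string in the last reply.

```python
import re

# Constructed sample of `curl -k -v` output (not captured from a real server).
SAMPLE_CURL_VERBOSE = """\
* Connected to 172.168.120.22 (172.168.120.22) port 443
> GET / HTTP/1.1
> Host: 172.168.120.22
> User-Agent: curl/7.19.7
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
"""


def request_lines(verbose_output):
    """Return the request line and headers of the first request curl sent."""
    lines = []
    for raw in verbose_output.splitlines():
        if not raw.startswith(">"):
            continue  # skip '*' info lines and '<' response lines
        text = raw[1:].strip()
        if not text:
            break  # bare '>' is the blank line that ends the first request
        lines.append(text)
    return lines


def to_send_string(lines, drop=("user-agent",)):
    """Join request lines with literal \\r\\n and end with a blank line."""
    # Refuse anything that is not an explicit HTTP/1.0 or HTTP/1.1 request,
    # since a versionless "GET /" is the HTTP/0.9 form questioned in the thread.
    if not lines or not re.match(r"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        raise ValueError("first line is not an HTTP/1.x request line")
    kept = [lines[0]]
    for header in lines[1:]:
        name = header.split(":", 1)[0].lower()
        if name not in drop:
            kept.append(header)
    # Each line ends with \r\n; one more \r\n closes the header block,
    # so the monitor string ends in \r\n\r\n.
    return "".join(line + r"\r\n" for line in kept) + r"\r\n"


if __name__ == "__main__":
    print(to_send_string(request_lines(SAMPLE_CURL_VERBOSE)))
```

The printed value is what goes into the monitor's send string field; the backslash sequences are literal text there, not real line breaks.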