Ken_B_50116
Apr 10, 2017

GTM https health monitor has never worked

I'm trying to construct a health monitor in GTM 11.5.4 that looks for text on an https web page. I have never been able to get the monitor to go green so I am trying to troubleshoot it.

gtm monitor https mhconnect_https {
    cert /Common/default.crt
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from https
    description "Look for specific text"
    destination *:*
    interval 30
    key /Common/default.key
    probe-timeout 5
    recv "Please sign in to begin your secure session."
    send "GET /dana-na/auth/url_default/welcome.cgi"
    timeout 120
}

The /var/log/gtm log shows this:

011ae0f2:1: Monitor instance /Common/mhconnect_https x.x.x.x:443 UNKNOWN_MONITOR_STATE --> DOWN from x.x.x.x (connect: server error search result false)

From the GTM in question, I can use CURL and see the text in the HTML page that the health monitor keys on:

curl --insecure -v https://x.x.x.x/dana-na/auth/url_default/welcome.cgi

This returns many lines of text, including HTML containing the text I'm looking for.

A telnet test fails:

[root@F5-GTM-MC-01:Active:Standalone] monitors  telnet x.x.x.x 443
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
GET /dana-na/auth/url_default/welcome.cgi
Connection closed by foreign host.
[root@F5-GTM-MC-01:Active:Standalone] monitors 

I have also tried using this as the send string, to force HTTP 1.0:

GET /dana-na/auth/url_default/welcome.cgi HTTP/1.0\r\n

...and that doesn't work either. If I open the IP and path in a web browser, it works fine.

I have used tcpdump to capture the traffic, and I can see the regular health monitor TCP traffic flowing, but the application data is all encrypted so that's been no help. The "011ae0f2:1" error seems to be somewhat well documented but I've seen nothing that relates to my problem.

What should I do next to troubleshoot this?

  • GTM delegates monitoring where possible. If the server is a BIGIP, it will defer to the monitoring provided by the LTM. When the server is not, it will delegate its monitoring to a BIGIP in the same data center. When GTM is initially set up, big3d software is installed on all BIGIPs. GTM sends out requests to that software, which then monitors non-BIGIP servers on its behalf. If this is not available, then finally GTM will do the monitoring itself.

    So testing from your GTM may not actually reflect where the monitor is actually coming from. It is likely delegated to an LTM in the data center which does not have access to the server. You need to run your curl from those devices and make sure they can reach the server.

     

    • Ken_B_50116

      The server x.x.x.x being tested is not located on LTM; it's a remote access appliance. Anyhow, all of my LTMs successfully pass the curl test:

      curl --insecure -v https://x.x.x.x/dana-na/auth/url_default/welcome.cgi

    • Ken_B_50116

      I have also been unable to get the basic CURL-based external monitor to give a green/up status, although that's really a separate can of worms.

       

    • Kevin_Davies_40

      Your send string is missing important parts, namely \r\n; see the links below from Kevin.K.

       

  • Kevin_K_51432
    Historic F5 Account

    One place to start troubleshooting is to remove the configured recv string. If that doesn't work, it might be helpful to review the following:

    Proper request formatting:
    https://support.f5.com/csp/article/K13397

    Additional background on responses:
    https://support.f5.com/csp/article/K13622

    Enable debug logging:
    https://support.f5.com/csp/article/K13768

    Lastly, I've always recommended to let the LTM monitor the servers and report status to GTM via bigip monitor (if possible).

     

    • Kevin_K_51432
      Historic F5 Account

      I also forgot to mention, checking the 200 status using the -D option:

       

      curl --insecure -D file
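
An added example, not part of any post in this thread and not F5 code: a Python check that inspects a monitor send string for the problems raised above (missing `\r\n`, no terminating empty line) and repeats the request over TLS, which the plain-text telnet test to port 443 cannot do. The function names, the escape handling and the literal substring match for the recv text are assumptions; certificate checks are disabled only to mirror `curl --insecure`.

```python
import socket
import ssl

def decode_send_string(send):
    """Expand literal \\r and \\n escapes (assumed monitor syntax) to wire bytes."""
    return send.replace("\\r", "\r").replace("\\n", "\n").encode("ascii")

def diagnose(send):
    """List reasons an HTTP server may not answer this request as written."""
    raw = decode_send_string(send)
    lines = raw.split(b"\r\n")
    words = lines[0].split()
    versioned = len(words) == 3 and words[2].startswith(b"HTTP/")
    problems = []
    if not versioned:
        problems.append("no HTTP version: HTTP/0.9-style request")
    elif not raw.endswith(b"\r\n\r\n"):
        problems.append("headers not terminated by an empty line")
    if versioned and words[2] == b"HTTP/1.1" and not any(
            h.lower().startswith(b"host:") for h in lines[1:]):
        problems.append("HTTP/1.1 without a Host header")
    return problems

def recv_matches(response, recv):
    """Literal substring search for the recv text (assumption: no regex)."""
    return recv.encode("utf-8") in response

def probe(host, send, recv, port=443, timeout=5.0):
    """Send the request over TLS; return (matched, first 200 bytes of reply)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # mirrors curl --insecure from the thread:
    ctx.verify_mode = ssl.CERT_NONE  # diagnostics only, the peer is not verified
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp) as tls:
            tls.sendall(decode_send_string(send))
            try:
                while data := tls.recv(4096):
                    chunks.append(data)
            except OSError:
                pass  # timeout or abrupt close: judge what was received
    response = b"".join(chunks)
    return recv_matches(response, recv), response[:200]

if __name__ == "__main__":
    path = "/dana-na/auth/url_default/welcome.cgi"
    for s in (f"GET {path}", f"GET {path} HTTP/1.0\\r\\n",
              f"GET {path} HTTP/1.0\\r\\n\\r\\n"):
        print(repr(s), "->", diagnose(s) or "well-formed")
```

Running the file prints the diagnosis for both send strings quoted in the thread plus a fully terminated HTTP/1.0 request; `probe()` is meant to be called from the device that actually performs the monitoring.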