John_M__Brights
Sep 07, 2015

Health check fails on HTTPS, even though port is open

I am basically using the F5 as a proxy for an HTTPS service, but when I use the built-in https health check to monitor the pool, it fails. The port is definitely open, as it responds to direct browser requests as well as telnet to port 443, but the F5 pool shows down, rendering the service inoperable.

 

If I change the health check to TCP, it immediately responds and the VS works fine, but changing back to https again drops the service.

 

Any thoughts on the best way to find why the https HC is failing, or even ways to monitor the traffic?

 

  • Hi!

    What happens if you login to the cli and run this command?

    curl -vvv -k https://[ip]:[port]
    

    /Patrik

  • You can also try running this command to see if there's a problem with the handshake and to see which ciphers are accepted.

    echo "Q" | openssl s_client -connect www.site.com:443
    

    Perhaps your server SSL profile has an incompatible accepted ciphers string? Or perhaps the web service uses a client certificate?

    You can test the default cipher by running this command (this cipher string is the default from 11.5.0-11.5.3):

    echo "Q" | openssl s_client -connect www.site.com:443 -cipher '!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4'
    

    You can find the default ciphers here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html

    /Patrik

  • JG

    The default HTTP/HTTPS monitors use HTTP/0.9, which may not be supported by your backend server.


    Create a separate HTTPS monitor with the minimum of the following:

    Request string:

    "GET / HTTP/1.0\r\n\r\n"

    Receive string:

    "200 OK"

    (supposing your server returns this code for this URL.)
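
The checks suggested in this thread can be combined into one probe that reports which stage fails: TCP connect, TLS handshake, or the receive-string match. This is an added example, not part of any post above and not F5's monitor code; the function names, the 8192-byte read limit and the timeout are assumptions.

```python
import socket
import ssl
import sys

def matches(response: bytes, recv: str) -> bool:
    """Receive-string check: the string must appear somewhere in the response."""
    return recv.encode() in response

def probe(host, port, send="GET / HTTP/1.0\r\n\r\n", recv="200 OK",
          ciphers=None, timeout=5.0):
    """Return (stage, detail): 'tcp', 'tls' or 'http' names the failing stage, 'up' is a pass."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp", str(exc))          # a plain TCP monitor would fail too
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # diagnostic only, same effect as curl -k
        ctx.verify_mode = ssl.CERT_NONE
        if ciphers:
            ctx.set_ciphers(ciphers)      # e.g. the cipher string quoted in the thread
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return ("tls", str(exc))          # port is open but the handshake failed
    data = b""
    with tls:
        try:
            tls.sendall(send.encode())
            while len(data) < 8192:       # assumed limit; the status line is enough
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass                          # judge whatever arrived before the error
    first_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
    return ("up" if matches(data, recv) else "http", first_line)

if __name__ == "__main__" and len(sys.argv) == 3:
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A result of `tls` with the TCP monitor passing points at the cipher or client-certificate questions raised above; a result of `http` shows the status line the server actually returned for the request string.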