Forum Discussion
Health check fails on HTTPS, even though port is open
I am basically using the F5 as a proxy for an HTTPS service, but when I use the built-in https health check to monitor the pool, it fails. The port is definitely open, as it responds to direct browser requests as well as telnet to port 443, but the F5 pool shows down, rendering the service inoperable.
If I change the health check to TCP, it immediately responds and the VS works fine, but changing back to https again drops the service.
Any thoughts on the best way to find why the https HC is failing, or even ways to monitor the traffic?
Hi!
What happens if you log in to the CLI and run this command?
curl -vvv -k https://[ip]:[port]
/Patrik
You can also try running this command to see if there's a problem with the handshake and to see which ciphers are accepted.
echo "Q" | openssl s_client -connect www.site.com:443
Perhaps your server SSL profile has an incompatible accepted ciphers string? Or perhaps the web service uses a client certificate?
You can test the default cipher by running this command (this cipher string is the default from 11.5.0-11.5.3):
echo "Q" | openssl s_client -connect www.site.com:443 -cipher '!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4'
You can find the default ciphers here: https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13171.html
/Patrik
- JG
Cumulonimbus
The default HTTP/HTTPS monitors use HTTP/0.9, which may not be supported by your backend server.
Create a separate HTTPS monitor with the minimum of the following:
Request string:
"GET / HTTP/1.0\r\n\r\n"
Receive string:
"200 OK"
(supposing your server returns this code for this URL.)
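The two diagnoses raised in this thread (a failing TLS handshake, or a backend that rejects the HTTP/0.9-style request) can be told apart by replaying the monitor's send and receive strings by hand. The following is an added example, not part of any post above and not F5 code; the `probe` helper, its stage names and the sample replies are assumptions made for illustration.

```python
import socket
import ssl
import sys

HTTP09_SEND = b"GET /\r\n"               # HTTP/0.9-style request: no version, no headers
HTTP10_SEND = b"GET / HTTP/1.0\r\n\r\n"  # request string suggested in the thread
RECV_STRING = b"200 OK"                  # receive string suggested in the thread
# Constructed sample replies, used only to exercise the matching logic offline.
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
SAMPLE_BAD = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

def matches(response: bytes, recv: bytes = RECV_STRING) -> bool:
    """Monitor-style check: the receive string must appear in the reply."""
    return recv in response

def status_line(response: bytes) -> str:
    """First line of the reply, to show why a match failed."""
    return response.split(b"\r\n", 1)[0].decode("latin-1", "replace")

def probe(host, port, send, recv=RECV_STRING, timeout=5.0):
    """Return (stage, detail); stage is 'tcp', 'tls', 'http' or 'up'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)           # port closed or filtered
    # Certificate checks are disabled, like the curl -k test in the thread.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as exc:               # ssl.SSLError is a subclass of OSError
        sock.close()
        return "tls", str(exc)           # cipher/protocol mismatch, client cert, ...
    data = b""
    with tls:
        try:
            tls.sendall(send)
            while len(data) < 8192:      # bounded read; the match is near the start
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass                         # abrupt close or timeout: judge what arrived
    stage = "up" if matches(data, recv) else "http"
    return stage, status_line(data) or "empty reply"

if __name__ == "__main__" and len(sys.argv) == 3:
    for send in (HTTP09_SEND, HTTP10_SEND):
        print(repr(send), probe(sys.argv[1], int(sys.argv[2]), send))
```

Run it with the pool member's address and port as arguments: a `tls` result points at the handshake, while `http` for the first request and `up` for the second points at the request string.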