Forum Discussion

Cirrus

Mar 21, 2022

Health Monitor issue

Hi, I am facing a weird issue. We renewed our SSL certificate and our health monitor uses this renewed certificate. Post renewal , our pool member went down. For Tshooting, i enabled monitor loggi...

application delivery

health monitor

SamCo

Cirrus

Mar 21, 2022

Hello,

As the only thing that change with your monitor is the client authentication certificate, my advice is to focus on the SSL Layer, both on your side and on the server side, but mainly focus on the certificate authentication configuration of the server. If the new certificate is issued by a new AC, it could be important to check if the server is trusting it.

Regarding your test, all of them have some miss :

1\ Telnet can only be used to test plain text http, not https so the reset is expected if the server is expecting ssl.

2\ The http 400 is probably here because the request in not well formed. Anyhow, you do not replicate the bigip monitor because there is no client certificate in your request,

3\ Same as below, but the payload seems fine. Anyhow, you do not replicate the bigip monitor because there is no client certificate in your request,

For curl, the synthax to used a client cert is :

$ curl --cert client.crt --key client.key --cacert ca.crt

Cheers,

Sam

Manu_Nair
Cirrus
Mar 21, 2022
Hi Samco,
Thanks for the reply!!. The certificate CA is the same and all the Cert Parameters is also the same. But not sure why it did not work which we are investigating.
I Understood , that telnet will not work due to https but do we need to specifically mention the certificate and key for the other two methods.??. Cos i am getting http 400 series error, which means SSL is passed right and i assume something else causing this.
- SamCo
  Cirrus
  Mar 21, 2022
  Yes, the HTTP 400 and 403 response mean you managed to established the SSL/TLS connection. But it does not mean the certificate check is ok for the server, it could establish the connection then inspect the certificate (IIS can make this from my experience).
  Anyhow, if your health monitor need the client certificate to work, it mean you need it to replicate it with curl.
  good luck,
  Cheers,
  Sam
  - Manu_Nair
    Cirrus
    Mar 21, 2022
    Thanks. I will replicate this with curl and see whats the outcome.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Health Monitor issue

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

iRule based RADIUS Health Monitor Builder

F5 health 443 monitor issue with Atlassian Conluence

Mgmt monitor issue

Losing Requests because of health monitoring

Synthetic Monitoring helps you detect application issues before your users do

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS