Forum Discussion

Pradeep_more_10
Aug 09, 2012

How HTTPS health monitor works in f5 loadbalancer

Hi,

I want to know how the HTTPS health monitor works in the F5 load balancer on a non-standard port (e.g. 7005).

Can you please explain with an example?

Regards

Pradeep
  • It is marking the node as down, so I need to know how it works, e.g. first the SSL handshake, then HTTP, etc.

    How does it establish the connection with the server? By telnet IP:port?

    The setup is like this:

    vip ip:7002 -- back servers:7002

    One I am having which is working:

    vip ip:443 -- back server:443

    I applied the HTTPS health monitor:

    name https_7002
    type https
    interval 5
    Up Interval disable
    Time Until Up 0
    Timeout 16
    Manual Resume no
    Send String GET /alive.html\r\n
    Receive String OK
    Receive Disable String
    Cipher List DEFAULT:+SHA:+3DES:+kEDH
    User Name
    Password
    Compatibility enable
    Client Certificate
    Client Key
    Reverse no
    Transparent no
    Alias Address *All Addresses
    Alias Service Port *All Ports

  • "so need to know how it works ...eg 1st ssl handshake ..then http... etc" It is just normal HTTPS, i.e. 3-way handshake, SSL handshake and then HTTP request/response.

    "how it establish connection with server...by telnet IP:port ..?" You can use the "openssl s_client" command to test, similar to the telnet command for HTTP.

    e.g.

    Testing HTTPS with openssl
    http://blog.yimingliu.com/2008/02/04/testing-https-with-openssl/

    Also, tcpdump/ssldump would be helpful to see what is going on.
  • In the 3-way handshake, SSL handshake...

    Does it require a certificate on the F5 device?

    As the certificate is installed on the server.

    Or does the health monitor take the certificate from somewhere?

    Or does it not require one?

    As it is HTTPS, how does encryption and decryption between the F5 and the server happen?

    As the monitor is like this in the URL from the browser:

    https://host.domain.com:7002/alive.html

    As of now I have read access, so I am not able to see logs, tcpdump/ssldump.
  • There are 2 certificates in the SSL handshake. One is on the server, which is always presented to the client, and the other one is on the client, which is sent to the server only when the server requests it, i.e. client certificate authentication.

    If the server does client certificate authentication, you have to import the client certificate and key to the BIG-IP and set them in the HTTPS monitor. Otherwise, the certificate and key are not needed.

    "as of now i have read access..so not able to see logs ..tcpdump/ssldump....." For the log, you may try to enable bigd debug.

    Troubleshooting LTM Monitors by Aaron
    https://devcentral.f5.com/wiki/AdvDesignConfig.TroubleshootingLtmMonitors.ashx

    About tcpdump/ssldump, the steps should look like this. And you know the private key is necessary to decrypt the packets.

    1/ remove https monitor from pool
    2/ start tcpdump
    tcpdump -i 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x and host y.y.y.y and port 7002
    3/ assign https monitor to pool
    4/ wait until pool member is marked down
    5/ stop tcpdump

    To decrypt the packets, you may try Wireshark.

    e.g.
    How to decrypt SSL and TLS traffic using Wireshark
    http://support.citrix.com/article/CTX116557/

    Hope this helps.
  • Hi Nitass,

    The issue is solved by just changing

    Send String GET /alive.html\r\n

    to

    Send String GET /alive.html\n\n

    as I actually don't know how the HTTPS monitor works.
    While doing some R&D we found this...

    Can you explain what this will do, step by step? That will be helpful for the future.

    Regards
    pradeep
  • "can u explane what will this do ? with step by step...that will be helpful for further.." I do not know either. Anyway, if you can compare the packet captures between the two monitors, I think you should be able to see what was wrong.
  • To create an HTTP 1.0 compliant request using the send string, you should use \r\n's to terminate lines and two \r\n's to terminate the GET request:

    GET /alive.html\r\n\r\n

    The application you're monitoring was probably responding with a 400 error with the single \n terminator you were using:

    http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

    400 Bad Request
    The request cannot be fulfilled due to bad syntax.

    Aaron
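As an added illustration of what the thread describes (this is not code from the thread or from F5), the script below mimics the HTTPS monitor's sequence on a port such as 7002: TCP connect, TLS handshake, send the Send String, read the reply, and look for the Receive String. It also shows why the original Send String ending in a single \r\n never completes the request while \n\n or \r\n\r\n does. The function names, and the choice not to verify the server certificate (mirroring a monitor with no client certificate or CA configured), are assumptions of this example.

```python
import socket
import ssl


def decode_send_string(raw: str) -> bytes:
    """Turn the Send String as typed in the monitor GUI (literal \\r, \\n)
    into the bytes the monitor would put on the wire."""
    return raw.replace("\\r", "\r").replace("\\n", "\n").encode("ascii")


def request_is_terminated(payload: bytes) -> bool:
    """A request is complete only after a blank line. The standard terminator
    is CRLF CRLF; most servers also accept a bare LF LF. A single line ending
    leaves the server waiting for more headers until the monitor times out."""
    return payload.endswith(b"\r\n\r\n") or payload.endswith(b"\n\n")


def receive_string_matches(response: bytes, recv_string: str) -> bool:
    """Same test the monitor applies: the Receive String must appear
    somewhere in the response (status line, headers or body)."""
    return recv_string.encode("ascii") in response


def https_probe(host: str, port: int, send_string: str, recv_string: str,
                timeout: float = 16.0) -> bool:
    """TCP connect, TLS handshake, send request, read, match.
    Assumption: like a monitor with no client certificate or CA configured,
    this example does not verify the server certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    payload = decode_send_string(send_string)
    response = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw_sock:
            with ctx.wrap_socket(raw_sock, server_hostname=host) as tls:
                tls.sendall(payload)
                while True:
                    chunk = tls.recv(4096)   # timeout here => member marked down
                    if not chunk:
                        break
                    response += chunk
                    if receive_string_matches(response, recv_string):
                        return True
    except OSError:
        return False
    return receive_string_matches(response, recv_string)


if __name__ == "__main__":
    for s in (r"GET /alive.html\r\n", r"GET /alive.html\n\n", r"GET /alive.html\r\n\r\n"):
        print(repr(s), "terminated:", request_is_terminated(decode_send_string(s)))
```

Running it against a pool member (for example `https_probe("host.domain.com", 7002, r"GET /alive.html\r\n\r\n", "OK")`) returns True when the response contains the Receive String within the timeout, which is the condition under which the monitor keeps the member up.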