Forum Discussion
Http and https monitors not working
I have configured the monitors below and used them in the pools mentioned below, but the pools do not come up. When I configure a gateway_icmp monitor, the pools come up.
Currently the monitors work from the ACE load balancers. The config for monitors on ACE is as below.
probe https pre-idp
    interval 10
    faildetect 2
    passdetect interval 45
    passdetect count 2
    request method get url /FIM/Info/InfoService
    expect status 200 200
probe http http80
    interval 12
    passdetect interval 45
    request method get url /ldprobe.html
    expect status 200 200
=============================================================================================
MONITORS
ltm monitor http http_http80 {
    defaults-from /Common/http
    description http_http80
    destination *:http
    interval 12
    ip-dscp 0
    partition ilm-int-acc
    recv 200
    send "GET /ldprobe.html"
    time-until-up 0
    timeout 10
}
ltm monitor https https_pre-idp {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    description https_pre-idp
    destination *:https
    interval 10
    ip-dscp 0
    partition ilm-int-acc
    recv 200
    send "GET /FIM/Info/InfoService"
    time-until-up 0
    timeout 10
}
=============================================================================================
=============================================================================================
POOLS
ltm pool pre-holvi {
    description pre-holvi
    load-balancing-mode predictive-node
    members {
        IPREPRX3_10.129.50.135:any {
            address 10.129.50.135
            session monitor-enabled
            state down
        }
        IPREPRX4_10.129.50.147:any {
            address 10.129.50.147
            session monitor-enabled
            state down
        }
    }
    monitor http_http80
    partition ilm-int-acc
}
ltm pool pre-idp {
    description pre-idp
    load-balancing-mode predictive-node
    members {
        IPREPRX3_10.129.50.140:any {
            address 10.129.50.140
            session monitor-enabled
            state down
        }
        IPREPRX4_10.129.50.143:any {
            address 10.129.50.143
            session monitor-enabled
            state down
        }
    }
    monitor https_pre-idp
    partition ilm-int-acc
}
ltm pool pre-sp {
    description pre-sp
    load-balancing-mode predictive-node
    members {
        IPREPRX3_10.129.50.139:any {
            address 10.129.50.139
            session monitor-enabled
            state down
        }
        IPREPRX4_10.129.50.142:any {
            address 10.129.50.142
            session monitor-enabled
            state down
        }
    }
    monitor https_pre-idp
    partition ilm-int-acc
}
=============================================================================================
25 Replies
- IheartF5_45022
Nacreous
I don't suppose there's any network or host-based (like iptables) firewall in between the LTM and the pool members?
Try running tcpdump to see what's going on;-
tcpdump -i 0.0:nnn -s 0 -vv -XXX host 10.129.50.142 and port 80
Paste the results here if you like.
- yogesh_gaikwad_
Nimbostratus
Hi
- yogesh_gaikwad_
Nimbostratus
I am getting the below output when I run the command tcpdump -i 0.0:nnn -s 0 -vv -XXX host 10.129.50.142 and port 443
- yogesh_gaikwad_
Nimbostratus
I am not able to paste the output
- IheartF5_45022
Nacreous
OK try less info, and also would help if I gave you correct IP :-)
tcpdump -i 0.0 -s 70 -X host 10.129.50.135 and port 80
You only need to do 12s (max) at a time to see a complete monitor. Try to stop it after 12s and paste the output.
- yogesh_gaikwad_
Nimbostratus
I am unable to paste the output here, also this site is not giving an option to upload an image
- Mark_van_D
Cirrostratus
What if you tried adding in the \r\n\r\n into the monitor?
ltm monitor http http_http80 {
    defaults-from /Common/http
    description http_http80
    destination *:http
    interval 12
    ip-dscp 0
    partition ilm-int-acc
    recv 200
    send "GET /ldprobe.html\r\n\r\n"
    time-until-up 0
    timeout 10
}
ltm monitor https https_pre-idp {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    description https_pre-idp
    destination *:https
    interval 10
    ip-dscp 0
    partition ilm-int-acc
    recv 200
    send "GET /FIM/Info/InfoService\r\n\r\n"
    time-until-up 0
    timeout 10
}
- IheartF5_45022
Nacreous
Don't append HTTP/1.1 BTW. Do keep Mark's suggestion of \r\n\r\n at the end.
Then let's go back to basics. Try this from the command line and paste output;
curl -0 -v http://10.129.50.135/ldprobe.html
- yogesh_gaikwad_
Nimbostratus
    * About to connect() to 10.129.50.135 port 80 (0)
    * Trying 10.129.50.135... connected
    * Connected to 10.129.50.135 (10.129.50.135) port 80 (0)
    > GET /ldprobe.html HTTP/1.0
    > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1j zlib/1.2.3 libidn/0.6.5
    > Host: 10.129.50.135
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    < connection: close
    < content-length: 0
    < content-type: text/html
    < date: Fri, 09 Oct 2015 10:30:28 GMT
    < last-modified: Mon, 23 Sep 2013 09:40:19 GMT
    < p3p: CP="NON CUR OTPi OUR NOR UNI"
    < server: WebSEAL/6.1.1.13 (Build 141126)
    < Set-Cookie: PD-H-SESSION-ID=4_0_QYgqmmNGLUB6bgCZv+uZMM+WfHoX+7RKmMxz06g4NiyLGiU3; Path=/
    <
    * Closing connection 0
- Mark_van_D
Cirrostratus
Hi Yogesh,
Did you have any luck with trying to post the tcpdump results? You should be able to add it as a picture if you post in answers rather than comments.
Mark
- yogesh_gaikwad_
Nimbostratus
Finally I managed to insert the image :)
- IheartF5_45022
Nacreous
I'm sorry Yogesh - we should have taken more traffic - 70b wasn't enough. Get a binary cap file and email me the hc.cap;-
tcpdump -i 0.0:nnn -s 0 -w /var/tmp/hc.cap host 10.129.50.135 and port 80
and/or read this article https://devcentral.f5.com/wiki/AdvDesignConfig.TroubleshootingLtmMonitors.ashx and try enabling debug on bigd.
- yogesh_gaikwad_
Nimbostratus
I have got the hc.cap file, how do I email it to you?
- yogesh_gaikwad_
Nimbostratus
Also, it has captured 77 packets, is that enough?
- IheartF5_45022
Nacreous
Should be fine - look on my profile for email address, or else check your messages - I messaged you.
- IheartF5_45022
Nacreous
So the server isn't responding to the GET - it ACKs and then sends a FIN, however the curl works, as we saw above. Can you try to make your monitor more like the curl ie;-
Send String "GET /ldprobe.html HTTP/1.0\r\nHost: 10.129.50.135\r\n\r\n"
Does that make a difference?
- yogesh_gaikwad_
Nimbostratus
Hey Joanna that worked!! :) Also, I tried to edit the send string to "GET /ldprobe.html HTTP/1.0\r\n\r\n" and this worked too. Thank you so much
- IheartF5_45022
Nacreous
No worries. I feel ashamed I didn't get it earlier :-) - it's just that version numbers are not always mandatory (although they usually are if the server only supports 1.1).
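The fix in this thread came down to the shape of the monitor's request line. The following is an added example, not part of the thread or of any F5 tool: a small checker that classifies send strings like the ones quoted above, and goes one step further by also flagging an HTTP/1.1 request with no Host header. The function names and finding codes are made up for illustration, and it assumes the literal `\r\n` escapes in the config stand for CR LF.

```python
import re

# Send strings quoted in this thread, plus one constructed HTTP/1.1 case.
SAMPLES = [
    r"GET /ldprobe.html",
    r"GET /ldprobe.html\r\n\r\n",
    r"GET /ldprobe.html HTTP/1.0\r\n\r\n",
    r"GET /ldprobe.html HTTP/1.0\r\nHost: 10.129.50.135\r\n\r\n",
    r"GET /ldprobe.html HTTP/1.1\r\n\r\n",  # constructed, not from the thread
]

MESSAGES = {
    "bad-request-line": "request line is not 'METHOD target [HTTP/x.y]'",
    "no-version": "no HTTP version: this is an HTTP/0.9 simple request, whose "
                  "reply per RFC 1945 has no status line for 'recv 200' to match",
    "no-blank-line": "versioned request is not ended by CRLF CRLF",
    "no-host": "HTTP/1.1 request without a Host header",
}

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+(?: HTTP/(\d\.\d))?$")


def decode(send):
    """Assumption: literal \\r and \\n in the config stand for CR and LF."""
    return send.replace("\\r", "\r").replace("\\n", "\n")


def lint_send_string(send):
    """Return finding codes for one monitor send string ([] means none)."""
    head, blank, _ = decode(send).partition("\r\n\r\n")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return ["bad-request-line"]
    version = match.group(1)
    if version is None:
        return ["no-version"]  # header checks do not apply to HTTP/0.9
    findings = []
    if not blank:
        findings.append("no-blank-line")
    names = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    if version == "1.1" and "host" not in names:
        findings.append("no-host")
    return findings


if __name__ == "__main__":
    for s in SAMPLES:
        codes = lint_send_string(s)
        print(s, "->", codes or "ok")
        for c in codes:
            print("   ", MESSAGES[c])
```
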