Forum Discussion
HTTPS Load balancing
Hi,
I am trying to load balance Citrix Access Gateway through the F5. My F5 is in single-arm mode. I have created the pool, node and virtual server. I can ping the VS and telnet to port 443, but I am not able to see the hit counts on the pool and I am unable to open the page. On the Cisco CSS, Citrix load balancing is working fine; I didn't do anything special in the CSS, but the same settings are not working in the F5. Clients are able to open the secure page through the old VIP of the Cisco CSS.
My nodes are showing down; I am monitoring them with the default https_443 monitor. Do I need to do something related to the certificate? The certificate is installed on the Citrix. What else do I need:
- to make the node up in F5 through the monitor.
- a successful HTTPS web page for the client through the F5 load balancer VIP.
Please assist.
ltm node CITRIX_ACCESS_GW_1 {
    address 192.168.210.152
    description HO_CITRIX_ACCESS_GW
    monitor /Common/https_443
    partition abc_PRODUCTION
    session monitor-enabled
    state down
}
ltm node CITRIX_ACCESS_GW_2 {
    address 192.168.210.153
    description HO_CITIX_ACCESS_GW-2
    monitor /Common/https_443
    partition abc_PRODUCTION
    session monitor-enabled
    state down
}
ltm node CITRIX_ACCESS_GW_3 {
    address 192.168.10.73
    description "DR CITRIX ACCESS GATEWAY"
    monitor /Common/https_443
    partition abc_PRODUCTION
    session monitor-enabled
    state down
}
ltm virtual VS_CITRIX_GW {
    destination 192.168.210.208:https
    ip-protocol tcp
    mask 255.255.255.255
    partition abc_PRODUCTION
    persist {
        ENOC_PROD_STICKY {
            default yes
        }
    }
    pool PL_CITRIX_ACCESS_GW
    profiles {
        /Common/tcp { }
    }
    snat automap
    vlans {
        abc_PRODUCTION_VLAN_210
    }
    vlans-enabled
}
18 Replies
- afedden_1985
Cirrus
A few questions: are you terminating the SSL on the F5 or passing it back to the servers in the pool? The config looks like you're just load balancing the 443 traffic directly to the servers. To verify the SSL service is up on the servers, try to telnet to each server on port 443. It should connect, and this will make sure they are running the HTTPS service. If it will not connect, your servers may not be running the SSL service. If the telnet does connect, it may be the monitor configuration.
- Wasim_Hassan_13
Nimbostratus
Hi,
I am passing SSL back to the server pool; I am not terminating the SSL on the F5.
Yes, I am able to telnet to the pool servers from the network on port 443. All the servers are up and in production and serving the clients through the Cisco CSS.
I am sure something is wrong with the monitor and with the F5 configuration for the load balancing.
- Peter_Z
Cirrus
Hello, you have assigned the https_443 monitor to the ltm nodes. Note that the node is just the server address (IP address) and has no service assigned to it. You need to assign the https monitor to a POOL MEMBER (either to the pool itself, with 'inherit from pool' set for all pool members, or to each member separately, which is less manageable). You can assign no monitor or a simple ping monitor to the NODE. Note that the NODE is a parent object of the pool member. If you set an improper monitor on it and it goes down, it will bring ALL POOL MEMBERS using that node's address to the DOWN state, even if they receive a response to the pool member health check.
- afedden_1985
Cirrus
Can you post your monitor for us to see?
- Wasim_Hassan_13
Nimbostratus
ltm monitor http HTTP_MONITOR {
    defaults-from /Common/http
    destination *:http
    interval 5
    partition ENOC_PRODUCTION
    send "GET /\\r\\n"
    time-until-up 0
    timeout 16
}
ltm monitor tcp Discoverer0 {
    defaults-from /Common/tcp
    destination *:interwise
    interval 5
    partition ENOC_PRODUCTION
    time-until-up 0
    timeout 16
}
- Wasim_Hassan_13
Nimbostratus
ltm pool PL_CITRIX_ACCESS_GW {
    load-balancing-mode least-connections-member
    members {
        CITRIX_ACCESS_GW_1:https {
            address 192.168.210.152
            session monitor-enabled
            state down
        }
        CITRIX_ACCESS_GW_2:https {
            address 192.168.210.153
            session monitor-enabled
            state down
        }
        CITRIX_ACCESS_GW_3:https {
            address 192.168.10.73
            session monitor-enabled
            state down
        }
    }
    monitor /Common/https_443
    partition ENOC_PRODUCTION
}
- Wasim_Hassan_13
Nimbostratus
Hi,
For the node, if I make ping the monitor, the node shows up, but my objective is to monitor the HTTPS service on the node so that in case of an HTTPS service failure, F5 marks it down. As per your suggestion I made the ICMP monitor for the node and HTTPS for the POOL, but the POOL is still showing down, though I can telnet from a client machine to the VIP successfully.
telnet 192.168.210.208 443 and ping are also working fine from the client machine. Does this have anything to do with the certificate or an SSL profile?
- Peter_Z
Cirrus
Then the monitor is not working or the response is not coming back. Try telnet to 443 from the BIG-IP to the pool member directly, not from a user machine. If it works, then the default https_443 monitor needs to be adjusted.
- Peter_Z
Cirrus
For the SSL profiles: if you don't intend to terminate SSL on the F5, you don't have to configure SSL profiles.
- Wasim_Hassan_13
Nimbostratus
From the command line I am typing this:
[admin@ENOCDC_F501:Active] ~ telnet 192.168.210.152 443
Trying 192.168.210.152...
telnet: connect to address 192.168.210.152: Connection refused
- afedden_1985
Cirrus
I see you're using an HTTP monitor for HTTPS servers! And you do not have a URI listed for the page to health check, or a host name if the servers need one.
ltm monitor https HTTPS-EXPECT-200 {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from https
    destination :
    interval 15
    recv 200
    send "GET /something/ToCheck.aspx HTTP/1.1\r\nHost: healthcheck.yourcompany.com \r\nConnection: Close\r\n\r\n"
    time-until-up 10
    timeout 46
}
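To make visible what the monitor above actually does against a pool member, here is an added Python model of the BIG-IP https monitor check (an example written for this thread, not F5 code or anything posted by the participants): TLS connect without certificate validation, send the configured string, and judge the reply by the recv string. The host name is a placeholder, and the recv string is modelled as a plain substring match, which is a simplification of the monitor's pattern matching.

```python
"""Offline-testable model of the BIG-IP https monitor check discussed in the thread."""
import socket
import ssl

# Send strings as they appear in tmsh.  SEND_OLD is the thread's original
# probe: no HTTP version and a single CRLF, so the request is not terminated
# and a server may wait for more headers until the monitor times out.
# SEND_NEW is the corrected HTTP/1.1 request; the Host value is a placeholder.
SEND_OLD = "GET /\r\n"
SEND_NEW = ("GET / HTTP/1.1\r\n"
            "Host: citrix-gw.example.invalid\r\n"
            "Connection: Close\r\n\r\n")


def response_matches(recv: str, response: bytes) -> bool:
    """Mirror the monitor's recv semantics: no bytes back means down; a blank
    recv accepts any response; otherwise the recv text must appear in the
    reply (modelled here as a substring match, a simplification)."""
    if not response:
        return False
    if recv == "":
        return True
    return recv in response.decode("latin-1")


def probe(host: str, port: int, send: str, recv: str, timeout: float = 5.0) -> bool:
    """Run one health check the way the https monitor does and return up/down.
    Certificate validation is disabled, as in the default https monitor."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(send.encode())
                while True:               # read until the server closes
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
    except (OSError, ssl.SSLError):
        return False                      # refused, timeout or handshake failure
    return response_matches(recv, b"".join(chunks))


if __name__ == "__main__":
    # Pool member address from the thread; run this from the BIG-IP itself,
    # since that is where the monitor traffic originates.
    print("up" if probe("192.168.210.152", 443, SEND_NEW, "200") else "down")
```

Running it from a self-IP of the BIG-IP reproduces the monitor's view; a "Connection refused" there, as in the telnet output posted earlier, means the server side is rejecting the BIG-IP's source, not that the monitor string is wrong.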
- Wasim_Hassan_13
Nimbostratus
I changed the monitor as mentioned below and the NODE and POOL came up: GET /\r\n\r\n. I was also using an HTTP profile, which I removed as well. But now I am sometimes able to connect to the servers and sometimes not. The issue is intermittent. Please let me know what could be the issue. Some clients are able to connect and sometimes they are not.
- Wasim_Hassan_13
Nimbostratus
I need assistance on this issue. Please help me out.
- Call F5 support or your F5 partner; that is what they are there for. Can you find any logic in when it works and when it doesn't? Is it the same clients that never work? If you remove all but one node, does it always work then?
- Wasim_Hassan_13
Nimbostratus
I tried different combinations, making one, two or three nodes active, but always the same behaviour: sometimes it will work and sometimes a working client will not be able to connect, but I can see the hits coming in on the three nodes.
I would go back to the config with one node and then try to find out when the client doesn't connect. You could do some basic tcpdump on the BIG-IP to check if the request is received and where the reset (probably) comes from.