HTTPS monitor does not work as expected (what method does the HTTPS monitor use to check pool member health?)
Hi All,
I have a pool with two nodes, for which I am using an HTTPS monitor to check node health. The monitor marks the node down because it failed to receive the expected string "OK", but I can use curl -k https://xxx.xxx.xxx.xxx:8175/management/?action=health to get the expected string. Can anyone help me check what's wrong?
PS: F5 version (11.3.0)
ltm monitor https aw_https_monitor {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    partition Platform_Services
    recv OK
    send "GET /management/\?action=health\r\n"
    time-until-up 0
    timeout 16
}
When I do a curl, I can get the expected string "OK".
curl -vv -k
* About to connect() to x.x.x.x port 8175 (0)
* Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 8175 (0)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
* subject: C=Unknown; ST=Unknown; L=Unknown; O=localhost; OU=localhost; CN=localhost
* start date: 2009-03-27 18:42:02 GMT
* expire date: 2009-06-25 18:42:02 GMT
* common name: localhost (does not match 'x.x.x.x')
* issuer: C=Unknown; ST=Unknown; L=Unknown; O=localhost; OU=localhost; CN=localhost
* SSL certificate verify result: self signed certificate (18), continuing anyway.
GET /management/?action=health HTTP/1.1
User-Agent: curl/7.19.7 (i686-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5
Host: x.x.x.x:8175
Accept: */*
< HTTP/1.1 200 OK
< Content-Type: text/plain;charset=iso-8859-1
< Content-Length: 3
<
OK
* Connection 0 to host x.x.x.x left intact
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
I also used ssldump to read the packets. It seems the node doesn't answer the client hello. Here is the output of ssldump.
So, what method does F5 use for the HTTPS monitor, and how does the HTTPS monitor work?