Forum Discussion
HTTPS Monitor failing after upgrade to v11.4(HF3)
Hi folks.
We recently upgraded from 10.2.4(HF5) to 11.4.1(HF3) and have come across a strange problem with an HTTPS monitor. I have done some testing and can see the following:
pool member = 10.5.6.7:10443. Default HTTPS monitor = FAILS
pool member = 10.5.6.7:443. Default HTTPS monitor = WORKS
pool member = 10.5.6.7:10443. Default HTTPS_443 monitor = WORKS
pool member = 10.5.6.7:443. Default HTTPS_443 monitor = WORKS
I have checked using telnet to ensure port 10443 is open - IT IS.
When connected I tried a GET for a file I know is there (small.gif) and receive the following:
GET /small.gif
400 Bad Request
Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Hint: https://test.domain.com/
Connection closed by foreign host.
curl -v -k -L https://10.5.6.7:10443/small.gif
* About to connect() to 10.5.6.7 port 10443 (0)
* Trying 10.5.6.7... connected
* Connected to 10.5.6.7 (10.5.6.7) port 10443 (0)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* subject: C=GB; ST=Scotland; O=Company; OU=IS; CN=test.domain.com; emailAddress=test_admin@company.com
* start date: 2014-01-08 11:44:19 GMT
* expire date: 2029-01-29 11:44:19 GMT
* common name: test.domain.com (does not match '10.5.6.7')
* issuer: C=GB; ST=Scotland; L=Edinburgh; O=Company; OU=IS; CN=IS; emailAddress=test_admin@company.com
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /small.gif HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5
> Host: 10.5.6.7:10443
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 13 May 2014 13:12:35 GMT
< Server: Apache
< Last-Modified: Wed, 24 Mar 2010 08:48:39 GMT
< Accept-Ranges: bytes
< Content-Length: 826
< Connection: close
< Content-Type: image/gif
<
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
GIF89a [binary GIF body, 826 bytes, omitted]
Any help would be appreciated.
Thanks
Graham
24 Replies
- LyonsG_85618
Cirrostratus
pool member = 10.5.6.7:10443. Default HTTPS monitor = FAILS
pool member = 10.5.6.7:443. Default HTTPS monitor = WORKS
pool member = 10.5.6.7:10443. Default HTTPS_443 monitor = WORKS
pool member = 10.5.6.7:443. Default HTTPS_443 monitor = WORKS
- Cory_50405
Noctilucent
I would expect this behavior to be reverse. The default https_443 monitor shouldn't work for your 10443 pool member, but would for your 443 pool member. Vice versa with the default https monitor.
Can you post your pool configs?
- LyonsG_85618
Cirrostratus
Cory - I think the HTTPS_443 monitor "overrides" the 10443 port on the pool. Here's the pool config:
ltm pool /SOA/POOL_TEST {
    members {
        /SOA/10.5.6.7:443 {
            address 10.5.6.7
        }
        /SOA/10.5.6.7:10443 {
            address 10.5.6.7
        }
    }
    monitor min 1 of { /Common/https_443 }
}
- Cory_50405
Noctilucent
https_443 specifies a port of 443 within the monitor and should not use the port of the specified pool member, you are correct. So the behavior you are seeing appears to be backwards. Have you tried removing the monitors and re-adding them to the pool?
- LyonsG_85618
Cirrostratus
The behaviour I am seeing is that although firewall rules are there, port 10443 cannot be used by the http monitor (alias service port = *all ports). Only when overriding port 10443 (https_443 monitor where alias service port = 443) does the monitor work.
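The two things this thread turns on can be reproduced from the BIG-IP shell or any client with a short script: the monitor's alias service port decides which port is really probed ("*" on the default https monitor means the pool member's own port, so 10443; 443 on https_443 overrides it, so the "working" 10443 member was never probed on 10443 at all), and a plaintext GET to a TLS port gets Apache's 400 "speaking plain HTTP to an SSL-enabled server port" reply, which is why the telnet test in the original post proves the port is open but nothing about the monitor. The following is an added example, not code from this thread or from F5; the function names, the receive-string semantics and the two sample replies are assumptions and constructed data modelled on the responses shown above.

```python
"""Re-create a BIG-IP-style HTTPS monitor probe from an ordinary host (added example)."""
import socket
import ssl
from typing import Optional


def effective_probe_port(member_port: int, alias_service_port: str) -> int:
    """Resolve the port the monitor really connects to.

    BIG-IP convention: alias service port "*" (All Ports, the default https
    monitor) means the pool member's own port; a number (443 on the default
    https_443 monitor) overrides the member's port.
    """
    if alias_service_port == "*":
        return member_port
    return int(alias_service_port)


def check_response(raw: bytes, recv_string: bytes) -> bool:
    """Monitor semantics: UP only if the receive string occurs in the reply.
    An empty receive string means any reply at all marks the member UP."""
    if not recv_string:
        return len(raw) > 0
    return recv_string in raw


def build_request(path: str, host: str) -> bytes:
    # HTTP/1.0 so the server closes after one response and the probe can
    # read to EOF instead of parsing Content-Length.
    return (f"GET {path} HTTP/1.0\r\nHost: {host}\r\n"
            f"User-Agent: monitor-probe\r\n\r\n").encode()


def probe(ip: str, member_port: int, alias_service_port: str = "*",
          path: str = "/small.gif", recv_string: bytes = b"200 OK",
          use_tls: bool = True, verify_hostname: Optional[str] = None,
          cafile: Optional[str] = None, timeout: float = 5.0) -> bool:
    """Connect the way the monitor would and return True if the member is UP.

    With use_tls=False the GET goes out in clear text, which against a TLS
    port yields the 400 "speaking plain HTTP to an SSL-enabled server port"
    reply from the thread: the port is open, yet the check fails.
    With verify_hostname and cafile set, the certificate is validated
    (curl -k in the thread skipped that); otherwise verification is off,
    which is how a health monitor normally runs.
    """
    port = effective_probe_port(member_port, alias_service_port)
    sock = None
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
        if use_tls:
            if cafile and verify_hostname:
                ctx = ssl.create_default_context(cafile=cafile)
                sni = verify_hostname
            else:
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
                sni = verify_hostname or ip
            sock = ctx.wrap_socket(sock, server_hostname=sni)
        sock.sendall(build_request(path, f"{ip}:{port}"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
        return check_response(b"".join(chunks), recv_string)
    except (OSError, ssl.SSLError):
        # connection refused, timeout, handshake failure: all mean DOWN
        return False
    finally:
        if sock is not None:
            sock.close()


# Constructed sample replies modelled on the two the thread shows, so the
# matching logic can be exercised without a live pool member.
PLAINTEXT_TO_TLS_PORT_REPLY = (
    b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\nConnection: close\r\n\r\n"
    b"Reason: You're speaking plain HTTP to an SSL-enabled server port.\r\n")
TLS_OK_REPLY = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: image/gif\r\n"
    b"Content-Length: 826\r\nConnection: close\r\n\r\nGIF89a")


if __name__ == "__main__":
    # The four member/monitor combinations from the thread, against the
    # member address the post uses; each line shows which port is probed.
    for member_port, alias in [(10443, "*"), (443, "*"), (10443, "443"), (443, "443")]:
        state = "UP" if probe("10.5.6.7", member_port, alias) else "DOWN"
        probed = effective_probe_port(member_port, alias)
        print(f"member :{member_port:<5} alias {alias:>3} -> probes :{probed:<5} {state}")
```

Run as written it prints the four combinations from the thread with the port each one actually probes, which makes the "https_443 works on the 10443 member" result read as expected rather than backwards. Calling `probe(ip, 10443, use_tls=False)` reproduces the telnet result: a reply arrives, but it is the 400 and the receive string does not match. Passing `verify_hostname="test.domain.com"` with `cafile` pointing at the issuing CA is the equivalent of dropping `-k` from the curl command, and will fail on the certificate shown above unless that CA is trusted.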