Forum Discussion
CirrostratusHTTPS Monitor not working as expected
I have created an HTTPS monitor as follows:
GET /idauth/isAlive.jsp\r\n
The receive string is set as:
ALIVE
There are 2 servers and when i curl them i get the following:
First Server
curl -k https://server1.domain.com:8443/idauth/isAlive.jsp
OpenAM
Server is DOWN
Second server:
curl -k https://server2.domain.com:8443/idauth/isAlive.jsp
OpenAM
Server is ALIVE:
However. Both servers are being flagged as unavailable.
If I change the receive string to DOWN - both servers are flagged as available.
I have changed curl to verbose to check for separate words showing ALIVE/DOWN but this doesnt show anything:
curl -k -v https://server2.domain.com:8443/idauth/isAlive.jsp
* About to connect() to server2.domain.com port 8443 (0)
* Trying 172.31.151.143... connected
* Connected to server2.domain.com (172.31.151.143) port 8443 (0)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
* subject: C=GB; ST=Scotland; O=STANDARD LIFE; OU=IS; CN=server2.domain.com
* start date: 2014-11-11 21:48:09 GMT
* expire date: 2028-07-20 21:48:09 GMT
* common name: server2.domain.com (matched)
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
GET /idauth/isAlive.jsp HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5
Host: server2.domain.com:8443
Accept: */*
HTTP/1.1 200 OK
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 GMT
Set-Cookie: JSESSIONID=A847EA20D06FC26A9B944B9CB5CC397E; Path=/idauth/; Secure; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 115
Date: Fri, 06 Feb 2015 13:17:35 GMT
Server: Anonymous
html>
head>
OpenAM
/head>
body>
h1>Server is ALIVE:
* Connection 0 to host server2.domain.com left intact
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
Has anyone seen anything like this?
27 Replies
LyonsG, unless I am missing something, I don't see an "Alive" string from the first server. The monitor should mark this down as expected.
Can you also try running this monitor separately on each pool member instead of at the pool level?
LyonsG_85618Nikhil. Thats correct 1 server is ALIVE and the other is DOWN. The problem is they are both either marked up or diown when it shoudl be only 1 or the other.- >>>Can you also try running this monitor separately on each pool member instead of at the pool level? What are results?
- LyonsG_85618monitor on each pool member returns same results
Amit_KarnikNimbostratus
-
When you use curl -k, the server certificate is being accepted. Make sure the monitor will also accept the server certificate if the certificate is signed by an Internal CA for example.
-
Check if your server responds to specific "Host:" header or "User-Agent:" header. Try setting both these headers to what curl sets.
Best.
-
shaggy_121467Cumulonimbus
have you tried the curl tests with the node IP address instead of the hostname? curl will automatically set the host header to the hostname entered in curl, which technically makes the curl test different than the f5's send string.
you could also use:
to open an SSL connection from the f5 to the pool member, and then paste your send string. the more data points, the better.openssl s_client -connect member-ip:port- LyonsG_85618curl testing results are now more consistent - but still not getting appropriate results from monitor. tcpdump being done!
shaggyhave you tried the curl tests with the node IP address instead of the hostname? curl will automatically set the host header to the hostname entered in curl, which technically makes the curl test different than the f5's send string.
you could also use:
to open an SSL connection from the f5 to the pool member, and then paste your send string. the more data points, the better.openssl s_client -connect member-ip:port- LyonsG_85618curl testing results are now more consistent - but still not getting appropriate results from monitor. tcpdump being done!
- LyonsG_85618
[admin@bigip:Active:Changes Pending] ~ curl -k https://172.31.151.143:8443/idauth/isAlive.jsp
OpenAM Server is ALIVE:[admin@bigip:Active:Changes Pending] ~ curl -k https://172.31.251.141:8443/idauth/isAlive.jsp
OpenAM Server is DOWNMonitor looks for ALIVE and both servers get flagged as available.
Change monitor to DOWN and both servers get flagged as unavailable.
- shaggyplease run curl again with the -vv flags (-kvv)
- LyonsG_85618
[admin@bigip:Active:Changes Pending] ~ curl -k -vv https://172.31.251.141:8443/idauth/isAlive.jsp
* About to connect() to 172.31.251.141 port 8443 (0) * Trying 172.31.251.141... connected * Connected to 172.31.251.141 (172.31.251.141) port 8443 (0) * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using AES128-SHA * Server certificate: * subject: C=GB; ST=Scotland; O=company; OU=IS; CN=slglvmfi.internal.standardlife.com * start date: 2014-11-12 11:42:01 GMT * expire date: 2028-07-21 11:42:01 GMT * common name: slglvmfi (does not match '172.31.251.141') * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. > GET /idauth/isAlive.jsp HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5 > Host: 172.31.251.141:8443 > Accept: */* > < HTTP/1.1 401 Unauthorized < Cache-Control: private < Expires: Thu, 01 Jan 1970 01:00:00 GMT < Set-Cookie: JSESSIONID=0785483496A1B74384AB4DA3E287A91F; Path=/idauth/; Secure; HttpOnly < Content-Type: text/html;charset=ISO-8859-1 < Content-Length: 112 < Date: Mon, 09 Feb 2015 16:05:12 GMT < Server: Anonymous < OpenAM Server is DOWN * Connection 0 to host 172.31.251.141 left intact * Closing connection 0 * SSLv3, TLS alert, Client hello (1): - LyonsG_85618
[admin@bigip:Active:Changes Pending] ~ curl -k -vv https://172.31.151.143:8443/idauth/isAlive.jsp
* About to connect() to 172.31.151.143 port 8443 (0) * Trying 172.31.151.143... connected * Connected to 172.31.151.143 (172.31.151.143) port 8443 (0) * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using AES128-SHA * Server certificate: * subject: C=GB; ST=Scotland; O=; OU=IS; CN=slglvmfk * start date: 2014-11-11 21:48:09 GMT * expire date: 2028-07-20 21:48:09 GMT * common name: slglvmfk (does not match '172.31.151.143') * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. > GET /idauth/isAlive.jsp HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5 > Host: 172.31.151.143:8443 > Accept: */* > < HTTP/1.1 200 OK < Cache-Control: private < Expires: Thu, 01 Jan 1970 01:00:00 GMT < Set-Cookie: JSESSIONID=2EB50E91CD9C6DAB9298DF12C3FA6EE8; Path=/idauth/; Secure; HttpOnly < Content-Type: text/html;charset=ISO-8859-1 < Content-Length: 115 < Date: Mon, 09 Feb 2015 16:08:37 GMT < Server: Anonymous < OpenAM Server is ALIVE: * Connection 0 to host 172.31.151.143 left intact * Closing connection 0 * SSLv3, TLS alert, Client hello (1): - LyonsG_85618
Also - I am on version 11.4.1 so cannot enable monitor debugging via GUI
- shaggy_121467
this is definitely a strange issue. i don't see anything wrong in your configuration so far. next steps are definitely a packet trace and a support case (if you haven't opened one yet).
can you also post the pool configuration (tmsh list ltm pool (pool-name))?
- LyonsG_85618list ltm pool POOL_SYST_IDAUTH_INTERNAL_LIVE_HTTPS ltm pool POOL_SYST_IDAUTH_INTERNAL_LIVE_HTTPS { load-balancing-mode predictive-member members { slglvmfi:pcsync-https { address 172.31.251.141 session monitor-enabled state up } slglvmfk:pcsync-https { address 172.31.151.143 session monitor-enabled state up } } monitor MONITOR_SYST_IDAUTH_INTERNAL_LIVE_HTTPS partition FEDERATION }
- shaggy
this is definitely a strange issue. i don't see anything wrong in your configuration so far. next steps are definitely a packet trace and a support case (if you haven't opened one yet).
can you also post the pool configuration (tmsh list ltm pool (pool-name))?
- LyonsG_85618list ltm pool POOL_SYST_IDAUTH_INTERNAL_LIVE_HTTPS ltm pool POOL_SYST_IDAUTH_INTERNAL_LIVE_HTTPS { load-balancing-mode predictive-member members { slglvmfi:pcsync-https { address 172.31.251.141 session monitor-enabled state up } slglvmfk:pcsync-https { address 172.31.151.143 session monitor-enabled state up } } monitor MONITOR_SYST_IDAUTH_INTERNAL_LIVE_HTTPS partition FEDERATION }
