hello we're running 11.4.1 647 and trying to monitor the pool servers with https monitor https monitor configured as bellow: GET /login HTTP/1.1\r\nHost: my.website.com\r\nConnection: close\r\n\r\n when troubleshooting this issue from cli: [root@Cust-F5:Active:Standalone] config openssl s_client -connect 172.26.133.213:443 -state CONNECTED(00000003) SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:error in SSLv2/v3 read server hello A write:errno=104

yeah i did that but still not working

Paste your https monitor settings. Use command list /ltm monitor https monitor_name all-properties

This article explains the problem in details. Probably bigd is using TLS1.0, while the server is expecting TLS1.1 or TLS1.2. Just take a tcpdump, and check what error you get via bigd. tcpdump solution: https://support.f5.com/csp/article/K411

https monitor not working

11 Replies

Raja_M
Nimbostratus
May 22, 2018
give recive string as 200 OK
Abed_AL-R
Cirrostratus
May 22, 2018
yeah i did that but still not working
Anoop
Nimbostratus
May 22, 2018
Paste your https monitor settings. Use command list /ltm monitor https monitor_name all-properties

Abed_AL-R

Cirrostratus

May 22, 2018

root@(Suppliers-F5)(cfg-sync Standalone)(Active)(/Common)(tmos) list /ltm monitor https Cust_GET_Monitor all-properties
ltm monitor https Cust_GET_Monitor {
app-service none
cert none
cipherlist DEFAULT:+SHA:+3DES:+kEDH:-kRSA
compatibility enabled
defaults-from https
description none
destination *:*
interval 15
key none
manual-resume disabled
partition Common
password none
recv "200 OK"
recv-disable none
reverse disabled
send "GET /login HTTP/1.1\\r\\nHost: cust.website.com\\r\\nConnection: close\\r\\n\\r\\n"
time-until-up 0
timeout 30
transparent disabled
up-interval 0
username none
}

Leonardo_Souza
Cirrocumulus
May 22, 2018
This article explains the problem in details.

Probably bigd is using TLS1.0, while the server is expecting TLS1.1 or TLS1.2.

Just take a tcpdump, and check what error you get via bigd.

tcpdump solution:

https://support.f5.com/csp/article/K411
Anoop
Nimbostratus
May 23, 2018
So it is clearly SSL/TLS version mismatch issue. Can you run a tcpdump with below syntax tcpdump -vvv -s0 -nni 0.0:nnn host internal static self ip or host pool member ip address -w /var/tmp/
/bin/hostname
_`date +%Y-%m-%d--%H%m%S`.pcap.

Same time do enable SSL debug to confirm the same. Troubleshooting SSL/TLS handshake failures : https://support.f5.com/csp/article/K15292enable
Abed_AL-R
Cirrostratus
May 23, 2018
JG
Cumulonimbus
May 23, 2018
You cannot modify the TLS/SSL protocol version. The HTTPS monitor will choose the highest level TLS/SSL protoco
, according to K16526: Configuring the SSL cipher strength for a custom HTTPS health monitor.

It is more likely that your back-end server does not accept higher versions of SSL/TLS protocol. You can check the supported version of that server by running the following on BIG-IP:

openssl s_client -tls1 -connect x.x.x.x:443

You can also use other flags when checking:
-ssl2, -ssl3, -tls1, -tls1_1, -tls1_2, -no_ssl2, -no_ssl3, -no_tls1, -no_tls1_1, -no_tls1_2
to find out exactly what is supported there.
Anoop
Nimbostratus
May 23, 2018
Looks like you meet symptoms mentioned in https://support.f5.com/csp/article/K16646. Check /var/log/ltm to see any messages like below.

err bigd[13958]: 01060111:3: Open SSL error - error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure. err bigd[13958]: 01060111:3: Open SSL error - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number.

notice mcpd[7842]: 01070638:5: Pool /Common/ member /Common/ monitor status down. [ /Common/https: down ] [ was up for 0hr:0min:21sec ]
Abed_AL-R
Cirrostratus
May 23, 2018
no i don't have such those logs , i don't think this article related to our issue