I cannot create a https monitor for our adfs servers from the GTM. I have tried many different ciphers. Tried offering only the cipher used by my Firefox browser. Curl shows the TLS handshake soundly rejected. Packet captures and firewall logs suggest the same thing - TLS handshake a non-starter. My monitor send-string is: GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1\r\nHost: adfs.open-techs.com looking for html title. Any suggestions? [root@DNS2:Active:Standalone] tmp curl -v2 https://adfs.open-techs.com/adfs/ls/IdpInitiatedSignon.aspx About to connect() to adfs.open-techs.com port 443 (0)Trying 12.178.113.8... connectedConnected to adfs.open-techs.com (12.178.113.8) port 443 (0)successfully set certificate verify locations:CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: noneSSLv2, Client hello (1):Unknown SSL protocol error in connection to adfs.open-techs.com:443Closing connection 0 curl: (35) Unknown SSL protocol error in connection to adfs.open-techs.com:443 [root@DNS2:Active:Standalone] tmp

It seems odd that the monitor is attempting to do SSLv2. What cipher string are you using? Do you have anything in the Client Certificate field? To verify that the monitor is or isn't trying to do SSLv2, do an ssldump capture on the server side VLAN: ssldump -AdNn -i 0.0 port 443 and host [IP of pool member] This should display the SSL handshake and show what ciphers and protocols each side is trying to negotiate and where it's failing.

Thanks for your help Kevin. I just happened to dictate SSLv2 in that particular curl that I posted. I tried every curl option I could dig up. I have nothing in the client certificate field, as the site does not require a client cert. Browsers have no problem pulling up the site. output of ssldump: [root@DNS2:Active:Standalone] config ssldump -AdNn -i 0.0 port 443 and host 8.24.31.81 New TCP connection 1: 8.24.31.100(33508) <-> 8.24.31.81(443) 1 1 0.0020 (0.0020) C>S SSLv2 compatible client hello Version 3.1 cipher suites SSL2_CK_RC2 TLS_RSA_WITH_RC4_128_MD5 SSL2_CK_RC4 SSL2_CK_DES TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL2_CK_RC2_EXPORT40 TLS_RSA_EXPORT_WITH_RC4_40_MD5 SSL2_CK_RC4_EXPORT40 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA SSL2_CK_3DES TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA Unknown value 0x45 Unknown value 0x44 TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA Unknown value 0xff 1 0.0025 (0.0004) S>C TCP RST then repeats...

Just so weird that it's trying to do SSLv2. What BIG-IP version are you on? What do you have in the Cipher List field of the HTTPS monitor?

BIG-IP 11.4.1 Build 635.0 Hotfix HF2 At the moment, I have the default - DEFAULT:+SHA:+3DES:+kEDH. But I have tried many specific ciphers, including the very one that I took from a Fiddler capture of Firefox hitting the site (don't recall what it was). I asked the system admin if he could look at the logs in the adfs server, but he said that there is nothing to look at. adfs is kind of an odd bird, in that it not only serves as a proxy, but does not use IIS to serve the web page.

I set up a test pool on an LTM (11.6.0 HF4) that is on the same subnet. Here is the output: [root@OTS_WEBLTM_B:Active:Changes Pending] config ssldump -AdNn -i 0.0 port 443 and host 10.189.0.8 New TCP connection 1: 10.xxx.0.44(37668) <-> 10.xxx.0.8(443) 1 1 0.0013 (0.0013) C>SV3.1(512) Handshake ClientHello Version 3.3 random[32]= f6 04 14 2f 4d 00 c0 80 88 26 bc 3f 2b 5d e4 d0 f0 0e 8e f3 f8 ad 8d 2f 38 43 82 15 68 ce 12 09 cipher suites Unknown value 0xc030 Unknown value 0xc02c Unknown value 0xc028 Unknown value 0xc024 Unknown value 0xc032 Unknown value 0xc02e Unknown value 0xc02a Unknown value 0xc026 Unknown value 0x9d TLS_RSA_WITH_AES_256_CBC_SHA256 Unknown value 0xc02f Unknown value 0xc02b Unknown value 0xc027 Unknown value 0xc023 Unknown value 0xc031 Unknown value 0xc02d Unknown value 0xc029 Unknown value 0xc025 Unknown value 0x9c TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 Unknown value 0xc014 Unknown value 0xc00a Unknown value 0xc00f Unknown value 0xc005 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA Unknown value 0xc013 Unknown value 0xc009 Unknown value 0xc00e Unknown value 0xc004 TLS_RSA_WITH_AES_128_CBC_SHA Unknown value 0x96 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Unknown value 0xc011 Unknown value 0xc007 Unknown value 0xc00c Unknown value 0xc002 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA Unknown value 0xc012 Unknown value 0xc008 Unknown value 0xc00d Unknown value 0xc003 TLS_RSA_WITH_3DES_EDE_CBC_SHA Unknown value 0xa3 Unknown value 0x9f TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 Unknown value 0xa2 Unknown value 0x9e TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA Unknown value 0x9a Unknown value 0x99 Unknown value 0x45 Unknown value 0x44 TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA Unknown value 0xff compression methods NULL 1 0.0015 (0.0002) S>C TCP RST

monitor for adfs server (GTM)

15 Replies

Kevin_Stewart
Employee
Jul 24, 2015
I can't cURL from my mac either (browser works), and it appears to be failing on the initiation of SSL, long before an HTTP user-agent can come into play. I have to assume your server is requiring some TLS extension that cURL isn't sending. Time to test with openssl...
OTS02
Cirrus
Jul 24, 2015
Good ole Qualsys ssl Labs shows that the server-ciphers (in preferred order) are 0xc028, 0xc027, 0xc014, 0xc013, 0x9f, & 0x9e.

Every one of these is unknown by the f5s. How lucky am I?
Kevin_Stewart
Employee
Jul 27, 2015
Okay, so finally figured it out. 😉

To start, the ciphers 0xc028, 0xc027, 0xc014, 0xc013, 0x9f, and 0x9e all equate to:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

respectively, and are all definitely supported by the BIG-IP. The definitions for these ciphers can be found here:

http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

You can verify the tmm native ciphers from your BIG-IP command line:

tmm --clientciphers NATIVE

and for openssl:

openssl ciphers |sed 's/:/\'$'\n/g'

In any case, the issue isn't one of cipher support, though your ADFS server is pretty darn restrictive in that regard. The issue is that the server requires SNI (server name indication) - a TLS extension that embeds the target hostname in the ClientHello message. It doesn't look like the built-in HTTPS monitor supports SNI, so you'd need to use an external scripted monitor. cURL would be an obvious choice here:

curl -k https://adfs.open-techs.com/adfs/ls/idpinitiatedsignon.aspx

But (this version of) curl will only send the SNI value if you use the hostname as the URL, versus the IP and port that you'd typically use in a server pool. So I had to drop back to openssl s_client. Here's an external monitor script that should do the job:

!/bin/bash pidfile="/var/run/$MONITOR_NAME.$1..$2.pid" if [ -f $pidfile ] then kill -9 -`cat $pidfile` > /dev/null 2>&1 fi echo "$$" > $pidfile node_ip=`echo $1 |sed 's/::ffff://'` node_port=$2 getscript () { echo 'GET /adfs/ls/idpinitiatedsignon.aspx HTTP/1.1' echo 'Host: adfs.open-techs.com' echo '' while sleep 0; do echo 'quit\n' done } docurl () { IFS=$'\n' arr=($(getscript | openssl s_client -connect ${node_ip}:${node_port} -cipher 'ECDHE-RSA-AES256-SHA' -servername 'adfs.open-techs.com' 2>/dev/nul |grep -E '200 OK')) unset IFS } docurl echo ${arr[0]} if [ -n "${arr[0]}" ] then Remove the pidfile before the script echoes anything to stdout and is killed by bigd rm -f $pidfile echo "up" fi Remove the pidfile before the script ends rm -f $pidfile

Notice in the openssl script I'm forcing a cipher string (ECDHE-RSA-AES256-SHA), sending the SNI with the -servername option, and then grepping for '200 OK' which then gets dumped into the array variable ${arr[0]}. If '200 OK' doesn't appear in the response, then the script sends nothing back to the monitor, otherwise it sends "up". You can obviously change what you're looking for in that grep statement.
OTS02
Cirrus
Jul 27, 2015
You rock Kevin - Thank you! I've never had to use an external monitor, so I have some learning to do, but I'm confident that your script will work.

The adfs servers were created using the standard "role" which I guess is some sort of Microsoft template. Anyway, since it seems that adfs is not going away anytime soon, could you maybe suggest that f5 incorporate SNI into built-in HTTPS monitors?
OTS02
Cirrus
Aug 19, 2015
Finally learned how to create an external monitor, using your script. Yes - it works! Thanks.

Forum Discussion

monitor for adfs server (GTM)

15 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Unblock Request WAF

F5OS login with admin/root failed via console

TLS handshake failure from BIG-IP to backend – Fatal Alert: Decode Error (Server SSL)

Share what you learned on DevCentral in 2025

Failing over Virtual F5 VE to DR location using Zerto

Related Content

F5 DNS/GTM External Monitor(EAV) with SNI support and response code check

GTM health Monitoring and Probe

Using a BIG-IP EAV external monitor to monitor HTTP/2 h2c servers

F5 MCP(Model Context Protocol) Server

GTM health monitor connection refuesd

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS