Forum Discussion
genseek_32178
Nimbostratus
Apr 17, 2012
Monitor showing Down
I have 2 DIPs configured with monitors on port 80 working fine.
But the same monitor on port 443 for the same DIPs is showing as Inactive, Down.
Any ideas..would help here.
genseek
44 Replies
- genseek_32178
Nimbostratus
is the curl command supported on LTM with version 10.2.1?
- nitass
Employee
1. Do you see the HTTPS web service logging anything for the requests? - Did not see this but from F5 using tcpdump i can see response coming on port 443 from both the DIPs
it is health monitor traffic, isn't it? it is not tcp reset, is it?

2. The monitor status for https for the 2 DIPs shows as Inactive, Down. - Is it necessary that DIPs gateway should be F5 for monitor to work?
if pool member is able to return health monitor traffic to bigip, it is fine.

3. There is no receive string configured on the monitor? - Is the receive string mandatory to be defined?
it is not mandatory.

4. Can you use " openssl s_client -connect 1.1.1.1:443" - you mean execute this cmd from the F5 prompt ?
yes

and for sending request, are you suggesting i use only, " GET /HeartBeat/Heartbeat.htm" and NOT the part "HTTP/1.0\r\n\r\n" ?
you have to put HTTP/1.0 but \r\n\r\n is just hitting enter twice.
openssl s_client -connect 1.1.1.1:443
GET /HeartBeat/Heartbeat.htm HTTP/1.0

is the curl command supported on LTM with version 10.2.1?
yes

by the way, can you also show us the https_default_mn health monitor configuration?
- genseek_32178
Nimbostratus
Thanks for the response, nitass. Please see my replies below.
1. It is the response from the pool member and the F5 self IP on the same pool member vlan. I used the below tcpdump cmd to get it
tcpdump -nni 0.0 -X -s0 host 10.41.0.77 and port 80 and host 10.41.0.50
Is there any other way to check and verify health monitor traffic?
2. Not sure if pool member is able to return traffic. But I am able to telnet on port 443 from F5 to the pool member. Gwy on the pool member is the upstream router IP.
3. What is the command to display the https_default_mn health monitor configuration?
4. One more piece of information - I have another 2 pool members in a different pool having the same monitor configured for port 443 and the monitor is working fine.
Could this be a pool member server side issue? If yes, is there a way to check and verify it?
- nitass
Employee
Is there any other way to check and verify health monitor traffic?
generally, if it is non-floating selfip, it could be health monitor traffic.

3. What is the command to display the https_default_mn health monitor configuration?
b monitor https_default_mn list

Could this be a pool member server side issue? If yes, is there a way to check and verify it?
i think it had better do more troubleshooting e.g. openssl s_client, curl, etc.
- genseek_32178
Nimbostratus
b monitor https_default_mn list
monitor https_default_mn {
defaults from https
recv "200 OK"
send "GET /smoketest/test.htm HTTP/1.0\r\n\r\n"
}
- genseek_32178
Nimbostratus
nitass,
Looks like there is a mismatch of "Send string" between the default monitor and the below
Port 443 - Not Working Monitor
DeviceA b monitor https_443_pqr_mn list
monitor https_443_pqr_mn {
defaults from https_default_mn
send "GET /HeartBeat/Heartbeat.html HTTP/1.0\r\n\r\n"
Could this be the issue?
- nitass
Employee
Looks like there is a mismatch of "Send string" between the default monitor and the below
Port 443 - Not Working Monitor
but the same send string in http monitor is working, isn't it?
- genseek_32178
Nimbostratus
hmm..looks like ..Yes..let me check again..
Meanwhile I executed the openssl cmd and the output is as below
openssl s_client -connect 10.11.70.77:443
CONNECTED(00000005)
depth=3 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=2 /CN=Microsoft Internet Authority
verify return:1
depth=1 /DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
verify return:1
depth=0 /C=US/ST=WA/L=Redmond/O=Microsoft/OU=RXP Security/CN=rxpsws
verify return:1
---
Certificate chain
0 s:/C=US/ST=WA/L=Redmond/O=Microsoft/OU=RXP Security/CN=rxpsws
i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
i:/CN=Microsoft Internet Authority
2 s:/CN=Microsoft Internet Authority
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
GET /HeartBeat/Heartbeat.htm HTTP/1.0
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Apr 2012 00:33:40 GMT
Connection: close
Content-Length: 315
Not Found
Not FoundHTTP Error 404. The requested resource is not found.
read:errno=0
- genseek_32178
Nimbostratus
For the 2nd pool member, openssl gives the following output, getting HTTP/1.1 404 Not Found. What does this mean?
openssl s_client -connect 10.11.70.78:443
CONNECTED(00000005)
depth=3 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=2 /CN=Microsoft Internet Authority
verify return:1
depth=1 /DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
verify return:1
depth=0 /C=US/ST=WA/L=Redmond/O=Microsoft/OU=RXP Security/CN=rxpsws
verify return:1
---
Certificate chain
0 s:/C=US/ST=WA/L=Redmond/O=Microsoft/OU=RXP Security/CN=rxpsws
i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
i:/CN=Microsoft Internet Authority
2 s:/CN=Microsoft Internet Authority
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
GET /HeartBeat/Hearbeat.htm HTTP/1.0
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Apr 2012 00:46:20 GMT
Connection: close
Content-Length: 315
Not Found
Not FoundHTTP Error 404. The requested resource is not found.
read:errno=0
- nitass
Employee
For the 2nd pool member, openssl gives the following output, getting HTTP/1.1 404 Not Found. What does this mean?
it means request object (e.g. /HeartBeat/Hearbeat.htm, /HeartBeat/Hearbeat.html) is not in the server.
can you try "404 Not Found" as receive string in the https_443_pqr_mn monitor? i understand currently the https_443_pqr_mn monitor inherits receive string from the https_default_mn monitor which is "200 OK".
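The inheritance described in the reply above can be checked mechanically. This is an added example, not code from the thread or from F5: it parses the two monitor definitions posted earlier, resolves `defaults from`, and tests the effective receive string against a response. The function names, the plain-substring matching and the sample responses are assumptions made for illustration.

```python
import re

# Monitor definitions as posted in the thread (`b monitor <name> list` output).
# The closing brace of https_443_pqr_mn is added; the post does not show it.
CONFIG = r'''
monitor https_default_mn {
   defaults from https
   recv "200 OK"
   send "GET /smoketest/test.htm HTTP/1.0\r\n\r\n"
}
monitor https_443_pqr_mn {
   defaults from https_default_mn
   send "GET /HeartBeat/Heartbeat.html HTTP/1.0\r\n\r\n"
}
'''
# Constructed responses, modelled on the status line seen in the openssl output.
RESPONSE_404 = "HTTP/1.1 404 Not Found\r\nConnection: close\r\n\r\n"
RESPONSE_200 = "HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nalive"

def parse_monitors(text):
    """Map each monitor name to the settings set locally in its own block."""
    monitors = {}
    for name, body in re.findall(r'monitor\s+(\S+)\s*\{(.*?)\}', text, re.S):
        entry = {"parent": None}
        for line in body.strip().splitlines():
            m = re.match(r'defaults from (\S+)', line.strip())
            if m:
                entry["parent"] = m.group(1)
            m = re.match(r'(send|recv)\s+"(.*)"$', line.strip())
            if m:
                entry[m.group(1)] = m.group(2)
        monitors[name] = entry
    return monitors

def effective(monitors, name):
    """Walk the 'defaults from' chain; a child's settings override its parent's."""
    chain = []
    while name in monitors and monitors[name] not in chain:  # built-ins like "https" end it
        chain.append(monitors[name])
        name = monitors[name]["parent"]
    merged = {}
    for entry in reversed(chain):
        merged.update({k: v for k, v in entry.items() if k != "parent"})
    return merged

def member_up(monitors, name, response):
    """Simplification: recv is a plain substring test; no recv means any reply passes."""
    recv = effective(monitors, name).get("recv")
    return recv is None or recv in response
```

Calling `effective(parse_monitors(CONFIG), "https_443_pqr_mn")` shows the overridden send string paired with the inherited `200 OK` receive string, which is why a 404 reply leaves the member marked down.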