Montoring https port in windows server 2012 is not working with F5

There's SOL12531 that talks about monitors a little bit, and then this article that adds a little extra information.

Whenever I'm having monitor issues, I try a couple different things.

1:

curl

2:

• Open the pool that is having the problem (let's call it MY_POOL)
• Make sure the monitor is active on the pool (let's call it MY_MONITOR)
• On the

  Members

  tab in the pool settings, click on one of the members (let's call it 10.0.0.1:3389)
• Enable the checkbox for

  Monitor Logging

  • Open an SSH session (I use Putty to connect) to the device and log in to the shell.
  • Run the command

    cd /var/log/monitors

  • Run the command

    ls -l

  • Look for the file referencing your pool and member (most likely in our example it'd be something like

    _Common_MY_MONITOR__Common_10.0.0.1_3389.log

    )
  • Run the command

    tail -f FILENAME

    (where FILENAME is the log filename)
  • It may be visible immediately, but you should see where the monitor sends the request to the server (and you'll see the

    send

    string), and you're looking for the

    recv

    string that comes back.
  • Take that

    recv

    string and update the monitor and see if the pool member(s) show up green again.
• Go back in and disable the monitor logging for that member so you don't have excessive logging filling up space.

Hopefully, this will help figure it out. If your log file ever looks like it's not updating, delete the lo file and remove the monitor from the pool and re-add it. I've found that will kick it back off again.

Hope this helps.

Hi midhun,

openssl s_client -connect : -servername  -quiet  

Now openssl establishes a connection using TLS with SNI attribute and you can paste in a valid request followed by two Carriage Return / New Lines (aka Enter):

GET / HTTP/1.1
Host: 
Connection: close
  

I had to use the described solution in a customer´s SharePoint environment and just added the ability to work in route domains. It works great on v11.5.1 since a couple of months.

One small note : I believe there is no monitor logging checkbox on http/https monitors. You may rely on your back-end web server logs to get logging...

One small note : I believe there is no monitor logging checkbox on http/https monitors. You may rely on your back-end web server logs to get logging...

On your Windows 2012 server, I assume you are using IIS web server. By default, authentication is set to anonymous, so monitors should work out of the box. Check the authentication setting on your web server, if it is set to something else than anonymous, you may have to adjust your monitors.

Hi Michael/Stephan,

Thanks for ur input, But am running version 10.2 and unable to run the above commands.

No monitor Logging option and monitor directory(/var/log/monitor) exist in 10.2 version

For Openssl no option to use -Servername.

Regards, Midhun P.K

From SOL12531, there's a spot that talks about using curl to test your URL. Are you able to do that on 10.2 from the command line (SSH into the box)?

Also, what's your config look like regarding send and recv strings?

Hi,

I found the issue now, it is related to certificate, When we disable the server certificate f5 can able to monitor https port. monitor is showing down when we configure certificate on the server. Certificate we are using in server issued by CA.

Regards, Midhun P.K

HI,

Our Server is using sha256 certificate issued by CA , But F5 is unable to monitor the pool when we bind any Sha256 certificate on the server, Kindly advice.

Regards, Midhun P.K

Hi,

Can anyone help me to solve this certificate issue, F5 unable to monitor the server when it use sha256 certificate.

Regards, Midhun P.K