Hi, We have server listening on port 443 behind F5, The pool members is unable to monitor the server on port 443. Kindly advice Regards, Midhun p.K

There's SOL12531 that talks about monitors a little bit, and then this article that adds a little extra information. Whenever I'm having monitor issues, I try a couple different things. 1: I try to do a curl from the F5 CLI to verify that the url I'm trying to monitor is working properly and the response is coming back as expected. 2: Turn on monitor debugging for the member and check the log that gets created. Those steps are as follows: Open the pool that is having the problem (let's call it MY_POOL)Make sure the monitor is active on the pool (let's call it MY_MONITOR)On the Members tab in the pool settings, click on one of the members (let's call it 10.0.0.1:3389) Enable the checkbox for Monitor Logging Open an SSH session (I use Putty to connect) to the device and log in to the shell.Run the command cd /var/log/monitorsRun the command ls -lLook for the file referencing your pool and member (most likely in our example it'd be something like _Common_MY_MONITOR__Common_10.0.0.1_3389.log)Run the command tail -f FILENAME (where FILENAME is the log filename)It may be visible immediately, but you should see where the monitor sends the request to the server (and you'll see the send string), and you're looking for the recv string that comes back.Take that recv string and update the monitor and see if the pool member(s) show up green again. Go back in and disable the monitor logging for that member so you don't have excessive logging filling up space. Hopefully, this will help figure it out. If your log file ever looks like it's not updating, delete the lo file and remove the monitor from the pool and re-add it. I've found that will kick it back off again. Hope this helps.

Hi midhun, in addition to Michael´s detailed answer I would also consider the server expects a request via TLS with SNI (server name indication). There is an article with description of an external monitor using openssl s_client here on DevCentral. You can validate it from CLI by using the following syntax: openssl s_client -connect : -servername -quiet Now openssl establishes a connection using TLS with SNI attribute and you can paste in a valid request followed by two Carriage Return / New Lines (aka Enter): GET / HTTP/1.1 Host: Connection: close I had to use the described solution in a customer´s SharePoint environment and just added the ability to work in route domains. It works great on v11.5.1 since a couple of months. Thanks, Stephan

One small note : I believe there is no monitor logging checkbox on http/https monitors. You may rely on your back-end web server logs to get logging...

On your Windows 2012 server, I assume you are using IIS web server. By default, authentication is set to anonymous, so monitors should work out of the box. Check the authentication setting on your web server, if it is set to something else than anonymous, you may have to adjust your monitors.

Montoring https port in windows server 2012 is not working with F5

26 Replies

StephanManthey
Nacreous
Jan 28, 2015
Hi midhun,
in addition to Michael´s detailed answer I would also consider the server expects a request via TLS with SNI (server name indication).
There is an article with description of an external monitor using openssl s_client here on DevCentral.
You can validate it from CLI by using the following syntax:
openssl s_client -connect : -servername -quiet

Now openssl establishes a connection using TLS with SNI attribute and you can paste in a valid request followed by two Carriage Return / New Lines (aka Enter):

GET / HTTP/1.1 Host: Connection: close

I had to use the described solution in a customer´s SharePoint environment and just added the ability to work in route domains. It works great on v11.5.1 since a couple of months.
Thanks, Stephan
InnO
Nimbostratus
Jan 28, 2015
One small note : I believe there is no monitor logging checkbox on http/https monitors. You may rely on your back-end web server logs to get logging...
- Michael_Jenkins
  Cirrostratus
  Jan 28, 2015
  The monitor logging checkbox is found when you go to the Pool >> Members >> Click on a specific member. I'm on 11.5 and the option is there for both http and http monitors. But I agree too. Backend logging may be helpful as well.
- InnO
  Nimbostratus
  Jan 28, 2015
  Wow. Interesting ! Never noticed that check box in there :) Thanks.
F5Maniac_72324
Nimbostratus
Jan 28, 2015
One small note : I believe there is no monitor logging checkbox on http/https monitors. You may rely on your back-end web server logs to get logging...
- Michael_Jenkins
  Cirrostratus
  Jan 28, 2015
  The monitor logging checkbox is found when you go to the Pool >> Members >> Click on a specific member. I'm on 11.5 and the option is there for both http and http monitors. But I agree too. Backend logging may be helpful as well.
- F5Maniac_72324
  Nimbostratus
  Jan 28, 2015
  Wow. Interesting ! Never noticed that check box in there :) Thanks.
InnO
Nimbostratus
Jan 28, 2015
On your Windows 2012 server, I assume you are using IIS web server. By default, authentication is set to anonymous, so monitors should work out of the box. Check the authentication setting on your web server, if it is set to something else than anonymous, you may have to adjust your monitors.
midhun_108442
Nimbostratus
Jan 28, 2015
Hi Michael/Stephan,

Thanks for ur input, But am running version 10.2 and unable to run the above commands.

No monitor Logging option and monitor directory(/var/log/monitor) exist in 10.2 version

For Openssl no option to use -Servername.

Regards, Midhun P.K
- StephanManthey
  Nacreous
  Jan 28, 2015
  Hi midhun, sorry, my unit was already updated to openssl 1.0.1j. Here is what you can try with cURL: curl -k -H "Host: " https:/// Thanks, Stephan
- StephanManthey
  Nacreous
  Feb 01, 2015
  Hi midhun, did the **curl** syntax example above work? If it does not, you probably need to update your TMOS version Thanks, Stephan
Michael_Jenkins
Cirrostratus
Jan 28, 2015
From SOL12531, there's a spot that talks about using curl to test your URL. Are you able to do that on 10.2 from the command line (SSH into the box)?

Also, what's your config look like regarding send and recv strings?
midhun_108442
Nimbostratus
Jan 28, 2015
Hi,

I found the issue now, it is related to certificate, When we disable the server certificate f5 can able to monitor https port. monitor is showing down when we configure certificate on the server. Certificate we are using in server issued by CA.

Regards, Midhun P.K
midhun_108442
Nimbostratus
Jan 29, 2015
HI,

Our Server is using sha256 certificate issued by CA , But F5 is unable to monitor the pool when we bind any Sha256 certificate on the server, Kindly advice.

Regards, Midhun P.K
midhun_108442
Nimbostratus
Feb 01, 2015
Hi,

Can anyone help me to solve this certificate issue, F5 unable to monitor the server when it use sha256 certificate.

Regards, Midhun P.K
- boneyard
  MVP
  Feb 01, 2015
  you are asking this question on several places, please make one clear question, trying to get attention like this will probably not work.
midhun_108442
Nimbostratus
Feb 01, 2015
Hi,

Sorry for asking more question and making it not clear ,below is the actual issue.

When the server is using trusted CA certificate F5 unable to monitor the server on port 443. When it using self signed certificate F5 can able to monitor the server.

regards, Midhun P.K