Hi, We have server listening on port 443 behind F5, The pool members is unable to monitor the server on port 443. Kindly advice Regards, Midhun p.K

There's SOL12531 that talks about monitors a little bit, and then this article that adds a little extra information. Whenever I'm having monitor issues, I try a couple different things. 1: I try to do a curl from the F5 CLI to verify that the url I'm trying to monitor is working properly and the response is coming back as expected. 2: Turn on monitor debugging for the member and check the log that gets created. Those steps are as follows: Open the pool that is having the problem (let's call it MY_POOL)Make sure the monitor is active on the pool (let's call it MY_MONITOR)On the Members tab in the pool settings, click on one of the members (let's call it 10.0.0.1:3389) Enable the checkbox for Monitor Logging Open an SSH session (I use Putty to connect) to the device and log in to the shell.Run the command cd /var/log/monitorsRun the command ls -lLook for the file referencing your pool and member (most likely in our example it'd be something like _Common_MY_MONITOR__Common_10.0.0.1_3389.log)Run the command tail -f FILENAME (where FILENAME is the log filename)It may be visible immediately, but you should see where the monitor sends the request to the server (and you'll see the send string), and you're looking for the recv string that comes back.Take that recv string and update the monitor and see if the pool member(s) show up green again. Go back in and disable the monitor logging for that member so you don't have excessive logging filling up space. Hopefully, this will help figure it out. If your log file ever looks like it's not updating, delete the lo file and remove the monitor from the pool and re-add it. I've found that will kick it back off again. Hope this helps.

Hi midhun, in addition to Michael´s detailed answer I would also consider the server expects a request via TLS with SNI (server name indication). There is an article with description of an external monitor using openssl s_client here on DevCentral. You can validate it from CLI by using the following syntax: openssl s_client -connect : -servername -quiet Now openssl establishes a connection using TLS with SNI attribute and you can paste in a valid request followed by two Carriage Return / New Lines (aka Enter): GET / HTTP/1.1 Host: Connection: close I had to use the described solution in a customer´s SharePoint environment and just added the ability to work in route domains. It works great on v11.5.1 since a couple of months. Thanks, Stephan

One small note : I believe there is no monitor logging checkbox on http/https monitors. You may rely on your back-end web server logs to get logging...

On your Windows 2012 server, I assume you are using IIS web server. By default, authentication is set to anonymous, so monitors should work out of the box. Check the authentication setting on your web server, if it is set to something else than anonymous, you may have to adjust your monitors.

Montoring https port in windows server 2012 is not working with F5

26 Replies

InnO
Nimbostratus
Jan 28, 2015
On your Windows 2012 server, I assume you are using IIS web server. By default, authentication is set to anonymous, so monitors should work out of the box. Check the authentication setting on your web server, if it is set to something else than anonymous, you may have to adjust your monitors.
midhun_108442
Nimbostratus
Jan 28, 2015
Hi Michael/Stephan,

Thanks for ur input, But am running version 10.2 and unable to run the above commands.

No monitor Logging option and monitor directory(/var/log/monitor) exist in 10.2 version

For Openssl no option to use -Servername.

Regards, Midhun P.K
- StephanManthey
  Nacreous
  Jan 28, 2015
  Hi midhun, sorry, my unit was already updated to openssl 1.0.1j. Here is what you can try with cURL: curl -k -H "Host: " https:/// Thanks, Stephan
- StephanManthey
  Nacreous
  Feb 01, 2015
  Hi midhun, did the **curl** syntax example above work? If it does not, you probably need to update your TMOS version Thanks, Stephan
Michael_Jenkins
Cirrostratus
Jan 28, 2015
From SOL12531, there's a spot that talks about using curl to test your URL. Are you able to do that on 10.2 from the command line (SSH into the box)?

Also, what's your config look like regarding send and recv strings?
midhun_108442
Nimbostratus
Jan 28, 2015
Hi,

I found the issue now, it is related to certificate, When we disable the server certificate f5 can able to monitor https port. monitor is showing down when we configure certificate on the server. Certificate we are using in server issued by CA.

Regards, Midhun P.K
midhun_108442
Nimbostratus
Jan 29, 2015
HI,

Our Server is using sha256 certificate issued by CA , But F5 is unable to monitor the pool when we bind any Sha256 certificate on the server, Kindly advice.

Regards, Midhun P.K
midhun_108442
Nimbostratus
Feb 01, 2015
Hi,

Can anyone help me to solve this certificate issue, F5 unable to monitor the server when it use sha256 certificate.

Regards, Midhun P.K
- boneyard
  MVP
  Feb 01, 2015
  you are asking this question on several places, please make one clear question, trying to get attention like this will probably not work.
midhun_108442
Nimbostratus
Feb 01, 2015
Hi,

Sorry for asking more question and making it not clear ,below is the actual issue.

When the server is using trusted CA certificate F5 unable to monitor the server on port 443. When it using self signed certificate F5 can able to monitor the server.

regards, Midhun P.K
midhun_108442
Nimbostratus
Feb 01, 2015
Hi,

Sorry for asking more question and making it not clear ,below is the actual issue.

When the server is using trusted CA certificate F5 unable to monitor the server on port 443. When it using self signed certificate F5 can able to monitor the server.

regards, Midhun P.K
StephanManthey
Nacreous
Feb 01, 2015
Hi midhun,

would you please provide the output of the following commands to us:

openssl version curl --version tmsh show sys version | head -n 8 curl -k -v https:/// openssl s_client -connect : (now enter "GET / HTTP/1.0" & press Enter twice)

You just indicated using TMOS v11.2. (There is a couple of maintenance releases and hotfixes available for this minor release.)

Thanks, Stephan
PS: I wasn´t able to modify my previous post and replaced it.
midhun_108442
Nimbostratus
Feb 02, 2015
Hi Stephan,

Find the below output.

openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

curl --version
curl 7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5 Protocols: tftp ftp telnet dict ldap http file https ftps Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

curl -k -v https://192.168.249.21
About to connect() to 192.168.249.21 port 443
Trying 192.168.249.21... connected
Connected to 192.168.249.21 (192.168.249.21) port 443
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
SSLv2, Client hello (1): Unknown SSL protocol error in connection to 192.168.249.21:443
Closing connection 0 curl: (35) Unknown SSL protocol error in connection to 192.168.249.21:443
openssl s_client -connect 192.168.249.21:443
CONNECTED(00000003) write:errno=104
- StephanManthey
  Nacreous
  Feb 02, 2015
  Hi midhun, so obviously even the provided command line tools of your TMOS version are not able to establish an SSL connection. What is the output of "tmsh show sys version | head -n 8" or alternatively "bigpipe version", please? Are you able to establish a connection to your poolmember on SSL level (i.e. via web browser) from another system in your infrastructure? Thanks, Stephan
- Edgar_Pajuelo_1
  Nimbostratus
  Aug 19, 2015
  Hello Stephan Do you know if they fixed the problem? We have the same issue. Big-IP 11.5.1 HF3 and SSL from Thawte with SHA-256. And the HTTPS monitors fails down, then, we can not go through F5 and see the the Web pages. But directly to the Web server (without F5) works well.