
Forum Discussion

F5_Digger_13600
Apr 23, 2018
Solved

Multiple external health monitors do not work except one. Any alternative?

I need some help from a DevCentral F5 expert regarding external monitors. In our organization, I created a bash script file, which will be associated with 4 different external monitors. Basically t...
  • F5_Digger_13600
    Apr 30, 2018

    The issue has been resolved and I am sharing the solution for the people who may need multiple external monitors using SSH connection within their script.

    Configuration and Environment

    - BIG-IP version: 12.1.3.3

    - Use multiple External monitors

    - Script (external script file) includes an SSH connection to the backend pool member on TCP port 22

    Issues identified and their solutions

    - Issue 1: Redirecting logging data to a file for troubleshooting purposes doesn't work well.

    Solution: Use the logger command to send logging data to /var/log/ltm (Credit to Jie. Thanks Jie)

    echo "`date` ${node_ip}: Script started" | logger -p local0.debug
    

    - Issue 2: From the second SSH connection used in any external health monitor onward, it doesn't use the client SSH cipher configuration under /config/ssh/ssh_config.

    Ciphers aes128-cbc,aes256-cbc,aes256-ctr,aes128-ctr,aes192-ctr
    

    Instead it starts using only ciphers aes128-cbc,aes256-cbc, whereas the pool members (backend servers) require aes128-ctr,aes192-ctr,aes256-ctr. Because of this, the SSH connection fails and the ssh command returns 255, which indicates an SSH connection failure. Refer to the Wireshark capture above.

    Solution: Specify the SSH ciphers explicitly within the ssh command

    RET_STATUS=`ssh -c aes128-ctr,aes192-ctr,aes256-ctr ${un}@${node_ip} -t "bash -l -c 'exit'" 2>/dev/null`
    

    Thank you.
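
An external monitor along the lines described in this thread, as an added example that is not the poster's script: it pins the CTR ciphers on the ssh command line, logs through logger, and separates ssh exit status 255 from other failures. The names MON_USER, SSH_BIN and probe, the BatchMode and ConnectTimeout settings, and the BIG-IP conventions that the member address arrives as $1 in ::ffff: form and that stdout output marks the member up are assumptions not stated in the post.

```sh
#!/bin/sh
# Added example, not the poster's script. MON_USER, SSH_BIN and probe() are
# hypothetical names; the cipher list and logger priority come from the post.
CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr"
SSH_BIN="${SSH_BIN:-ssh}"        # overridable so the logic can be exercised offline

log() {
    # Log to syslog only; stdout is reserved for the monitor's "up" signal.
    if command -v logger >/dev/null 2>&1; then
        logger -p local0.debug "ssh_monitor: $*" 2>/dev/null || true
    fi
}

# probe <user> <member-ip>: prints "up" only when the SSH login succeeds and
# returns the ssh exit status.
probe() {
    node_ip=${2#::ffff:}         # assumed: BIG-IP passes IPv4 members as ::ffff:a.b.c.d
    # Ciphers are pinned with -c so the result does not depend on which
    # ssh_config the monitor process happens to read. BatchMode stops a
    # password prompt from hanging the monitor.
    "$SSH_BIN" -c "$CIPHERS" -o BatchMode=yes -o ConnectTimeout=5 \
        "$1@$node_ip" "bash -l -c 'exit'" >/dev/null 2>&1 && rc=0 || rc=$?
    case $rc in
        0)   log "$node_ip: ssh login ok"; echo "up" ;;
        255) log "$node_ip: ssh itself failed (rc=255); check cipher negotiation" ;;
        *)   log "$node_ip: remote command exited with $rc" ;;
    esac
    return "$rc"
}

# Entry point when BIG-IP runs the script with the member address as $1.
if [ -n "${1:-}" ]; then
    probe "${MON_USER:-monitor}" "$1" || true
fi
```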