Forum Discussion
Native SNI support for Health Monitoring
Hi all,
Back in 2018 I was wondering why there was no native Bigd process based SNI support in Health Monitoring. It turned out that the only way to achieve this was with the help of the famous external curl script.
The other option was to change to in-TMM monitoring. And that probably for a good reason. This would require setting a database key: modify sys db bigd.tmm value enable - according to K11323537.
Has anyone tried this in-TMM option and would you please share your experiences?
I was still hoping F5 would incorporate this very useful option as native, but haven't found this in any new version yet. Or perhaps I missed it somehow?
Thanks,
Erik
I have tried this in the past on v13.x and it showed unexpected behaviours. The in-TMM monitoring was brought up and it caused multiple other pools to go down. Later investigation showed that it consumed huge memory, as the version had a bug. So we turned it off and went back to the external monitor.
Also to note, if one upgrades from v11 to v13, the upgrade process by default appends an SSL profile to the monitor. So one needs to make sure to remove those profiles or add the right profile before turning on in-TMM monitoring.
I'm sure with the latest bug fixes it should be stable; make sure your infra is on that version. Don't start off with production and later have a face palm.
Hi ErikM,
On my part, I use In-TMM monitoring on a v14.x version to be able to use the Authenticate Name option on the Server SSL profile to perform a CN check of the backend server certificates.
No problem for the past 2 years, it's stable and does the job well.
- DevBabu (Cirrus)
- ErikM (Cirrus)
Check and thanks!
But actually the thing I'm curious to find out is what your experiences are. In our case it would mean a conversion from our installed base of HMs towards something that is very sparsely documented. And that's a real jump into deep water in a production environment. One thing that is not documented, for instance, is what kind of monitors are actually supported. And how will existing HMs convert (if at all) when in-TMM is the chosen way.
Thanks,
Erik
- ErikM (Cirrus)
Thanks to you all for sharing your thoughts! Much appreciated!
Since we have some space left on our vCMP host I will spin up another guest in order to do some testing with this.
Again, wondering why something so mainstream as SNI is not natively supported in HM-land. Or in the case of in-TMM: not being fully documented yet. Perhaps someone from F5 could pls comment on this.
Erik
- thecarrionkind (Altostratus)
I've started to use in-TMM monitoring for SNI in non-production and noticed this:
- Less verbosity in logs when enabling health check monitor logs on a member of a pool.
- Before, you got a message when a response didn't match the receive string defined in an HTTP health check; now it's only up or down.
- A specific application health check goes UP when using bigd monitoring. It goes DOWN when switching to In-TMM monitoring.
So I'm not so happy about less verbosity with In-TMM monitoring.
ErikM wrote:
Or in the case of in-TMM: not being fully documented yet. Perhaps someone from F5 could pls comment on this.
I also wondered about this, I had to open a case at the time to find out that I needed to change the in-TMM-in variable for my purpose as nothing was documented.
JRahm: Any ideas?