Forum Discussion
Open SSL error on ltm logs since v11 upgrade
Hello,
We upgraded our viprion 4802 from 10.2.4 to 11.2.1. Since this upgrade, we see ltm logs concerning Open SSL error every 5 seconds:
Sep 13 04:02:14 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure
Sep 13 04:02:14 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:14 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:14 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:16 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:17 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:17 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:17 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:18 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:19 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure
Sep 13 04:02:19 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:19 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:19 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:21 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:22 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:22 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:22 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Sep 13 04:02:23 slot1/A-EB2-BIGIP-DMZ-BCK err bigd[10121]: 01060111:3: Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Did anyone ever face this problem?
Regards,
Hassan Hireche
13 Replies
Usually related to using the wrong SSL version or sending normal http traffic instead of https.
Is it clear to you which virtual server causes this? Does it work normally for you?
Has all config been checked? Nothing new been added? Every 5 seconds might indicate a monitor which causes this.
- StephanManthey
Nacreous
I saw this problem related to monitoring with an HTTPS monitor.
The pool member accepted the 3-way handshake, but rejected the CLIENT HELLO coming from the bigd.
We removed the HTTPS monitor for the relevant pool members.
- Hassan_Hireche1
Nimbostratus
Thank you for your answers. We suspected a monitor problem, but we have more than 1200 pools, so it is very difficult to know which ones are generating this kind of log. Is there a way to activate debug on these logs? Thank you for your help.
- Cory_50405
Noctilucent
You could set SSL logging to debug and see if that gives you more information, but don't leave it in debug mode for very long. Turn it on only for as long as you need to gather information on the problem and then set it back to its default.
To turn on debug logging: tmsh modify sys db log.ssl.level value "Debug"
To set it back to the default: tmsh modify sys db log.ssl.level value "Error"
- For me that doesn't help at all; it doesn't point out the monitor causing the issue.
- Hassan_Hireche1
Nimbostratus
Indeed, it doesn't offer more information about the pool causing the error.
- StephanManthey
Nacreous
In our case the pool members were just marked down by the monitor as they did not enter the SSL handshake. So parsing the list of all pool members for their status answered the question for us.
In case this is an intermittent problem, watching /var/log/ltm should reveal suspect pool members.
Finally a specific tcpdump proved the assumption.
Btw, 1,200 pools is really a lot. If each of these has, e.g., 2 pool members to be monitored with https, I would also be a bit concerned about the scalability of the BIG-IP's monitoring capacity. Are you using a very short monitoring interval?
- StephanManthey
Nacreous
Hi Hassan,
The tmsh 'one-line' option is very helpful in case you want to grep.
Let's sort out your https-based monitors first:
tmsh list ltm monitor one-line | grep https | awk '{print $4}'
Now you can look for all pool members configured on port 80|http in state down with one of your suspect monitors:
tmsh list ltm pool one-line | grep -E ':(80|http) .*session monitor-enabled state down.*(your_monitor_here)' | awk '{print $3}'
Good luck,
Stephan
- StephanManthey
Nacreous
Putting it into a script should make life easier:
#!/bin/bash
# Collect the names of all monitors whose one-line listing mentions https
i=0
for line in `tmsh list ltm monitor one-line | grep https | awk '{print $4}'`
do
  arr[$i]=$line
  i=`expr $i + 1`
done
# For each of those monitors, print the pools with a down member on port 80/http
for i in "${arr[@]}"
do
  tmsh list ltm pool one-line | grep -E ":(80|http) .*session monitor-enabled state down.*${i}" | awk '{print $3}'
done
- StephanManthey
Nacreous
Or a bit shorter:
#!/bin/bash
# Same search without the intermediate array
for line in `tmsh list ltm monitor one-line | grep https | awk '{print $4}'`
do
  tmsh list ltm pool one-line | grep -E ":(80|http) .*session monitor-enabled state down.*${line}" | awk '{print $3}'
done
- Daniel_Tavernie
Cirrostratus
I have written a fairly comprehensive script that should root out these troubled pool members. I have included it in the DevCentral CodeShare in hopes that it can help others out. Let me know if you have any issues with the script.
Clean Up Monitor Error: "SSL23_GET_SERVER_HELLO:unknown protocol" https://devcentral.f5.com/wiki/TMSH.Clean-Up-Monitor-Error-SSL23-GET-SERVER-HELLO-unknown-protocol.ashx
- ldesfosses
Cirrus
I've seen multiple solutions that require running multiple tmsh commands on the running BigIP.
I've made a (dirty) script that parses the bigip.conf and returns a CSV list of nodes on port 80 with an https monitor. The only downside is that all the monitors doing https checks must have the word "https" in them.
#!/usr/bin/sh
nbl=0 ;
runningPool=""
runningIRule=""
runningVS=""
runningNode=""
# Walk bigip.conf line by line, tracking the pool currently being read
while IFS= read -r bigipconf
do
  if [[ $bigipconf == ltm\ pool\ \/Common\/* ]]
  then
    runningPool=$(echo $bigipconf | awk '{print $3}' | awk -F '/' '{print $3}')
    echo $runningPool
    poolNode=""
  fi
  if [[ $runningPool != "" ]]
  then
    # Accumulate members of this pool that listen on port 80
    if [[ $bigipconf == *\/Common\/*\:80* ]]
    then
      runningNode=$(echo $bigipconf | awk -F '/' '{print $3 }' | awk '{ print $1 }')
      poolNode=$(echo "$poolNode;$runningNode")
    fi
    # On the pool's monitor line, report the pool if the monitor name contains https
    if [[ $bigipconf == *monitor* ]]
    then
      monitor=$(echo $bigipconf | awk -F '/' '{ print $3 }')
      if [[ $monitor == *https* ]]
      then
        echo -e "$runningPool;$monitor;$poolNode" | grep ':'
      fi
    fi
  fi
  # A virtual server stanza ends the pool section
  if [[ $bigipconf == ltm\ virtual\ \/Common\/* ]]
  then
    runningPool=""
  fi
done < input/bigip.conf
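As a worked example added here (not code from this thread or from F5), a Python version of Stephan's tmsh one-line search that picks monitors by their type rather than by their name, so it avoids the "https must be in the name" limitation of the bigip.conf parser, and that honours a member-level monitor overriding the pool's. The tmsh one-line output it parses is a constructed sample whose format is assumed; check it against your own `tmsh list ltm pool one-line` output before relying on it.

```python
import re

# Constructed sample output approximating `tmsh list ltm monitor one-line` and
# `tmsh list ltm pool one-line`; an assumed format, not captured from a real BIG-IP.
MONITORS = """\
ltm monitor https /Common/https { defaults-from none destination *:* interval 5 timeout 16 }
ltm monitor https /Common/app_secure_check { defaults-from /Common/https interval 5 timeout 16 }
ltm monitor http /Common/http { defaults-from none destination *:* interval 5 timeout 16 }
"""
POOLS = """\
ltm pool /Common/web_pool { members { /Common/10.1.1.10:80 { address 10.1.1.10 session monitor-enabled state down } /Common/10.1.1.11:http { address 10.1.1.11 session monitor-enabled state down } } monitor /Common/app_secure_check }
ltm pool /Common/api_pool { members { /Common/10.1.2.10:443 { address 10.1.2.10 session monitor-enabled state up } } monitor /Common/https }
ltm pool /Common/mixed_pool { members { /Common/10.1.3.10:80 { address 10.1.3.10 monitor /Common/https session monitor-enabled state down } } monitor /Common/http }
"""
POOL_RE = re.compile(r"^ltm pool (\S+) \{(.*)\}\s*$")
MEMBER_RE = re.compile(r"(/\S+):(\S+) \{([^{}]*)\}")   # node:port { attrs }
MONITOR_REF_RE = re.compile(r"\bmonitor (\S+)")        # 'monitor-enabled' has no trailing space, so it is skipped

def https_monitors(monitor_text):
    """Names of monitors whose type (3rd token) is https, whatever they are called."""
    rows = (line.split() for line in monitor_text.splitlines())
    return {p[3] for p in rows if len(p) > 3 and p[:3] == ["ltm", "monitor", "https"]}

def _split_members(body):
    """Inside of the balanced 'members { ... }' block, plus the rest of the pool body."""
    start = body.find("members {")
    if start < 0:
        return "", body
    depth = 0
    for i in range(start + len("members "), len(body)):
        depth += {"{": 1, "}": -1}.get(body[i], 0)
        if depth == 0:
            break
    return body[start + len("members {"):i], body[:start] + body[i + 1:]

def suspect_members(pool_text, https_names, ports=("80", "http")):
    """(pool, member, monitor) for down members on a plaintext port checked by an https monitor."""
    hits = []
    for line in pool_text.splitlines():
        m = POOL_RE.match(line)
        if not m:
            continue
        members, rest = _split_members(m.group(2))
        pool_mon = MONITOR_REF_RE.search(rest)
        for node, port, attrs in MEMBER_RE.findall(members):
            ref = MONITOR_REF_RE.search(attrs) or pool_mon   # a member-level monitor overrides the pool's
            if ref and port in ports and ref.group(1) in https_names and "state down" in attrs:
                hits.append((m.group(1), f"{node}:{port}", ref.group(1)))
    return hits
```

On a real device, feed the two functions the output of `tmsh list ltm monitor one-line` and `tmsh list ltm pool one-line` instead of the constants; the result is the same pool;monitor;member shape the bigip.conf parser emits.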