Forum Discussion
SSL monitor fails after hotfix
We have two F5 LTMs in a Sync-Failover pair. They're load balancing some critical production services. They are automatically sync'ed. I've just applied Hotfix 6.0.442 to the standby.
After the reboot, one of our services failed. The service that failed is a web (Apache/Tomcat). The health monitor for the service pool uses an https get to check the content of a web page. I've enabled monitor logging and the log shows
(_recv_active_service_ping): read failed [ addr=::ffff:xxx.xxx.xxx.xxx:443 srcaddr=::ffff:xxx.xxx.xxx.xxx%0:56209 ] 2015-12-08 17:17:03.843802: ID 560 :(_recv_active_service_ping): Response did not match recv regex yet [ addr=::ffff:xxx.xxx.xxx.xxx:443 srcaddr=::ffff:xxx.xxx.xxx.xxx%0:56209 ].
Trying to get the url from the command line using curl also fails with a certificate error so I'm assuming that this is causing the problem although this was working before the application of the hotfix.
So, I've got a couple of questions:
- The primary has not had the hotfix applied - would applying this to the standby cause anything to change on the primary?
- Has anyone experienced issues with SSL certificates and health monitors?
- Is there anything in the hotfix that could cause this?
I'm now a bit nervous about applying the hotfix to the primary and considering rolling back the secondary.
6 Replies
- Brad_Parker
Cirrus
Check your http and https monitors. There's a bug where when upgrading to 11.6.0 HF6 all the backslashes get escaped with another backslash in the http/s monitors which causes monitors to fail. You'll see stuff like \\r\\n when you're expecting it to be \r\n. Just remove the extra backslashes and you should be good to go.
- Martin_Sharratt
Nimbostratus
Thanks Brad, that's fixed the problem. I'm still a little concerned about how this happened though. The standby is at HF6 but the primary is still at HF3. Should upgrading one of a pair cause the configuration to be changed? If so, is there a way to stop this happening?
- Brad_Parker
Cirrus
As soon as your standby syncs with the primary after rebooting those affected monitors will be updated on the primary as well. I would recommend turning off auto sync before you update the other device if it is on. After you reboot it do an overwrite config back to fix the broken monitors.
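A pre-sync check for the symptom described in this thread, as an added example that is not part of the original posts: it scans http/https monitor stanzas for doubled backslashes in their send and recv strings. The stanza layout, monitor names and hostnames in the sample are constructed assumptions.

```python
import re

# Constructed sample in bigip.conf style (assumed layout, not from the thread).
SAMPLE_CONF = r'''
ltm monitor https /Common/app_https {
    defaults-from /Common/https
    recv "HTTP/1\\.1 200"
    send "GET /status HTTP/1.1\\r\\nHost: app.example.com\\r\\nConnection: close\\r\\n\\r\\n"
}
ltm monitor http /Common/web_http {
    defaults-from /Common/http
    recv "Server is up"
    send "GET /health HTTP/1.1\r\nHost: web.example.com\r\n\r\n"
}
'''

# One http/https monitor stanza: header line, body, closing brace in column 0.
MONITOR_RE = re.compile(r'^ltm monitor https? (\S+) \{(.*?)^\}', re.S | re.M)
# A quoted send or recv attribute on a single indented line.
ATTR_RE = re.compile(r'^[ \t]+(send|recv)[ \t]+"(.*)"[ \t]*$', re.M)
# Two consecutive literal backslashes. A recv regex that intentionally
# matches a literal backslash is flagged too, so review each hit by hand.
DOUBLED_RE = re.compile(r'\\\\')


def find_doubled_escapes(conf_text):
    """Return (monitor, attribute, count) for each send/recv string
    that contains doubled backslashes."""
    findings = []
    for stanza in MONITOR_RE.finditer(conf_text):
        name, body = stanza.group(1), stanza.group(2)
        for attr in ATTR_RE.finditer(body):
            count = len(DOUBLED_RE.findall(attr.group(2)))
            if count:
                findings.append((name, attr.group(1), count))
    return findings


if __name__ == "__main__":
    for name, attr, count in find_doubled_escapes(SAMPLE_CONF):
        print(f"{name}: {attr} has {count} doubled backslash(es)")
```

Running it against a saved copy of the configuration before re-enabling sync lists the monitors that need their strings corrected.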