Forum Discussion

Thong_196816
Jul 28, 2015

use port 443 for VIP and pool members

Hi,

I need help; I'm not sure why the port 443 I created is not working.

I created a VIP on 443 and pool members on 443; the health status shows Failed, e.g. 10.1.20.70:443. However, the VIP and pool member using HTTP port 80 are OK. Below are the settings configured:

  1. No client and server SSL profiles applied to the virtual server
  2. No HTTP profiles applied to the virtual server

However, I found that the VIP and pool member previously created for port 443 are accessible and their health status shows green, but not the recently created VIP on 443.

I checked that port 443 is already open; I'm not sure if the node web server needs to be configured for SSL access?

 

9 Replies

  • I tried using the option for a custom monitor for TCP, ICMP and HTTPS... all show red.
  • What happens if you remove the health monitor? Does traffic flow?

    Can you ping this server IP from the BIG-IP? If so, can you access the application (via cURL) from the BIG-IP?

    curl -k https://[IP of server]
    
  • curl -k https://[IP of server]

    --->> curl: (35) Unknown ssl protocol error in connection to 10.1.20.60:443

    Please help..

  • That last SSL protocol error seems serious. Let's focus on the port 80 web server instance first then. If you cURL the HTTP IP do you get a page response?

    curl http://[IP of server]

    And if that works, can you access it from behind a port 80 HTTP VIP? 443 VIP -> 443 server

  • BUT, when I unplug the standby unit's cable, I am unable to access the active unit using port 443, and can access port 80.

    Very curious. So you're saying that if you disconnect the standby unit you can no longer access the 443 VIP? Do you have multiple traffic groups enabled? And if so are you sure that the 443 VIP is alive on the active unit (vs. the standby unit)? When you disconnect the active unit, do you see a failover event in logs or any indication that the VIPs are being enabled on the standby unit?

  • Inline.

    2. Do you have multiple traffic groups enabled?
    >> Can you explain a bit, or give an example please?

    What BIG-IP version is this? In 11.x you have the concept of traffic groups that allow you to bind different services into different service groupings that can move between HA devices.

    3. And if so are you sure that the 443 VIP is alive on the active unit (vs. the standby unit)?
    >> Yes, the 445 VIP is alive on both units. In addition, I found the node connectivity (health monitor status) goes up and down very frequently.

    That may be a tell-tale indication of the problem. I'd start troubleshooting this health monitor.

    4. When you disconnect the active unit, do you see a failover event in logs or any indication that the VIPs are being enabled on the standby unit?
    >> There was no failover. I can still access the 443/80 VIPs when I disconnect the LAN cable for the active unit. This is the additional 3rd VIP created on the F5 unit... (in active-standby mode).

    A failover event will get logged, and you'll see an active unit go to standby in the GUI (and a standby unit go active). Do you not see these things when you disconnect the active unit? It could be that what you think is the standby unit is actually the active unit, or perhaps that your HA is misconfigured and both devices are active.

  • Inline again.

    3.) That may be a tell-tale indication of the problem. I'd start troubleshooting this health monitor.
    >> I can see the nodes become red or green within seconds... not sure if this causes the issue. Are there correct tcpdump parameters I can use to collect this?

    Generally speaking, there are a few places to look. The LTM log (/var/log/ltm) should report health monitor outages. You can also tcpdump on the internal network of the BIG-IP where the servers are and simply watch the monitor traffic. It may be that the server isn't responding exactly as you'd expect it, or that the monitor is misconfigured.

    4.) A failover event will get logged, and you'll see an active unit go to standby in the GUI (and a standby unit go active). Do you not see these things when you disconnect the active unit? It could be that what you think is the standby unit is actually the active unit, or perhaps that your HA is misconfigured and both devices are active.
    >> No, I do not see the active device become standby when I unplug the LAN cable, e.g. the LAN cable connected to interfaces 1.3 and 1.4 on the F5 active unit. Could this be due to the web server teaming, which connects directly to both F5 units, not working properly?

    HA status has nothing to do with how the web servers are connected to the BIG-IPs. It has to do with how the BIG-IPs are connected to each other and how HA is configured. If you don't see a state change when you do something that should force a failover, then there's something wrong with the HA configuration, or perhaps your HA config isn't listening for the event that you think should be causing a failover.

  • 3.) Can I know what tcpdump command you would use, or a Wireshark command for this? Weird that port 443 cannot be accessed...

    Always tricky, but if you have access to the server's private key you can use ssldump to decrypt that monitor traffic.

    https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html?sr=47312878

    Can I know where I can get a pair of virtual F5s for lab testing?

    You can download an evaluation version of VE directly from the website, contact an F5 sales representative and request an evaluation license, or purchase the $98 lab version.

    4.) I'm going to go through the HA config again... Note: both units have no trunk or LACP configured... there are more than 3 VIPs in use on the F5.

    That would be my recommendation.
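The advice in this thread is to look at /var/log/ltm for monitor outages and to tcpdump the monitor traffic on the server-side network, and the follow-up asks which tcpdump command to use. The script below is an added example, not code from the thread or from F5: it counts monitor up/down transitions per pool member so a flapping member stands out, and builds the tcpdump filter that isolates the BIG-IP's probes to one member. The log lines are constructed in the format mcpd writes (message IDs 01070638 for down and 01070727 for up); the self IP 10.1.20.1 and the VLAN name "internal" are assumptions and should be replaced with the values from your own configuration.

```shell
#!/bin/sh
# Added example (not from the thread): find flapping pool members in LTM log output
# and build a tcpdump filter for the health-monitor probes to one member.

# Constructed sample of /var/log/ltm monitor messages; on a real unit run
# flap_report /var/log/ltm instead of writing the sample to a temp file.
SAMPLE_LTM_LOG='Jul 28 10:15:02 bigip1 notice mcpd[5768]: 01070638:5: Pool /Common/pool_443 member /Common/10.1.20.70:443 monitor status down. [ /Common/https: down ]
Jul 28 10:15:12 bigip1 notice mcpd[5768]: 01070727:5: Pool /Common/pool_443 member /Common/10.1.20.70:443 monitor status up. [ /Common/https: up ]
Jul 28 10:15:22 bigip1 notice mcpd[5768]: 01070638:5: Pool /Common/pool_443 member /Common/10.1.20.70:443 monitor status down. [ /Common/https: down ]
Jul 28 10:15:32 bigip1 notice mcpd[5768]: 01070727:5: Pool /Common/pool_443 member /Common/10.1.20.70:443 monitor status up. [ /Common/https: up ]
Jul 28 10:16:02 bigip1 notice mcpd[5768]: 01070638:5: Pool /Common/pool_80 member /Common/10.1.20.70:80 monitor status down. [ /Common/http: down ]
Jul 28 10:20:00 bigip1 notice mcpd[5768]: 01070727:5: Pool /Common/pool_80 member /Common/10.1.20.70:80 monitor status up. [ /Common/http: up ]'

# flap_report FILE : print "<transitions> <member>" per member, most transitions first.
# A member that changes state every few seconds is the one to investigate.
flap_report() {
    grep -o 'member [^ ]* monitor status [a-z]*' "$1" \
      | awk '{ n[$2]++ } END { for (m in n) print n[m], m }' \
      | sort -rn
}

# flap_count FILE MEMBER : number of up/down transitions logged for one member.
flap_count() {
    grep -c "member $2 monitor status" "$1"
}

# monitor_capture_filter SELFIP MEMBER_IP PORT : tcpdump filter that keeps only
# traffic between the non-floating self IP the monitor sources from and one member.
monitor_capture_filter() {
    printf 'host %s and host %s and port %s' "$1" "$2" "$3"
}

# Usage on the sample data (self IP and VLAN name are assumed values).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LTM_LOG" > "$tmp"
flap_report "$tmp"
echo "tcpdump -ni internal -s0 -w /var/tmp/monitor.pcap '$(monitor_capture_filter 10.1.20.1 10.1.20.70 443)'"
rm -f "$tmp"
```

In the sample, 10.1.20.70:443 logs four transitions in thirty seconds while 10.1.20.70:80 logs two in four minutes, which is the pattern described in the thread. The printed tcpdump line writes a pcap of just the probe conversation so you can see whether the server answers the TLS handshake at all; if it does, and you hold the server's key, that capture is what ssldump would decrypt.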