VMWARE VIEW health monitor SG/Connection broker mapping
We have F5 Big IP 3600 LTM running version 11.1 HF2.
The F5 currently is acting as a front-end for the VMWare security servers which do the authentication. Let’s say 2 physical servers per VIP. A client connects to the VIP (and a security server) and then the security server authenticates the client and pushes them to a Connection Broker (also 2 of them) with a 1:1 mapping of a security server interacts only with its assigned connection broker.
So the problem we’re having is that the node in F5 is still marked up (box and services are responding) even when its paired connection broker is down. Would it be possible to configure a health monitor on the F5 to monitor a node other than the ones that it’s assigned to use in the load balancing pool?
Quick mock-up of our setup…
(there’s 3 VIPs for each IP… tcp/443, udp/4172 and tcp/4172)
VIP: 10.2.1.101
VS: view.example.com_sslvpn_tcp_443
VMView_sslvpn_pool
Nodes
172.26.15.20:0
172.26.15.31:0
Health Monitors
tcp/443
tcp/4172
udp/4172
172.26.15.20 is “paired” with connection broker 10.26.15.20
likewise for .31
- mendoza_60364 (Historic F5 Account)
Testing the View Servers
echo -en "GET /view/ HTTP/1.1\r\nHost: example.server.com\r\nConnection: Close\r\n\r\n" | nc 10.133.84.120 80
HTTP/1.1 200 OK
cache-control: no-cache
Content-Length: 1268
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=16692AA68187DB39E1D5B69F3CBFCD6E; Path=/
Content-Type: text/html;charset=UTF-8
pragma: no-cache
Connection: close
Vary: Accept-Encoding
CONNECTED(00000003)
depth=0 /O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
i:/O=VMware, Inc./OU=VMware View default certifcate/CN=view5-con1.view5.tc.f5net.com
---
HTTP/1.1 200 OK
cache-control: no-cache
Content-Length: 1268
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=36941E985BCD22421591BD52FA6CA0BC; Path=/; Secure;HttpOnly
Content-Type: text/html;charset=UTF-8
pragma: no-cache
- Paul_Pindell (Employee)
In VMware View 5.1 the receive string for the HTTPS Monitor needs to be updated to "VMware.*View Portal" (without the quote marks). This string will work for versions 4.6-5.1.
We had to add the regex .* between VMware and View because the version 5.1 success page title changed to VMwareView Portal.
This receive string will test to make sure that both the security server and the paired connection server are both up and functioning. If either of them is not functioning then the monitor will fail.
Paul
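An added example, not part of the original replies: a small offline check of the receive string against constructed responses, showing why the `.*` is needed for the 5.1 title and when the match fails. The earlier page title, the failure page and the 5,120-byte inspection window are assumptions made for the illustration.

```python
import re

RECV = r"VMware.*View Portal"      # receive string given in the reply above
LITERAL = r"VMware View Portal"    # assumed pre-5.1 style string, for comparison only
SCAN_LIMIT = 5120                  # assumption: the monitor inspects only the first 5,120 bytes


def response(status: str, title: str, padding: int = 0) -> bytes:
    """Build a constructed HTTP response whose HTML <title> is `title`."""
    body = "<html><head>" + " " * padding + f"<title>{title}</title></head><body></body></html>"
    head = (f"HTTP/1.1 {status}\r\nContent-Type: text/html;charset=UTF-8\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return (head + body).encode("latin-1")


def is_up(raw: bytes, recv: str = RECV) -> bool:
    """Mark the member up only if the receive string occurs in the inspected window."""
    window = raw[:SCAN_LIMIT].decode("latin-1")
    return re.search(recv, window) is not None


# Constructed samples (not captured traffic).
SAMPLES = {
    "5.1 portal": response("200 OK", "VMwareView Portal"),        # title quoted in the reply
    "older portal": response("200 OK", "VMware View Portal"),     # assumed earlier title
    "broker down": response("503 Service Unavailable", "Error"),  # assumed failure page
    "title past window": response("200 OK", "VMwareView Portal", padding=6000),
}


def compare() -> dict:
    """Return {sample: (regex_result, literal_result)} for both receive strings."""
    return {name: (is_up(raw, RECV), is_up(raw, LITERAL)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (regex_ok, literal_ok) in compare().items():
        print(f"{name:18} regex={'up' if regex_ok else 'down'} "
              f"literal={'up' if literal_ok else 'down'}")
```

The last sample shows a failure mode worth checking on a real deployment: if the matched text sits beyond the inspected window, the member is marked down even though the page is healthy.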