Forum Discussion

Manu_Nair's avatar
Manu_Nair
Icon for Cirrus rankCirrus
Mar 21, 2022

Health Monitor issue

Hi, 

I am facing a weird issue. We renewed our SSL certificate and our health monitor uses this renewed certificate. Post renewal , our pool member went down.  For Tshooting, i enabled monitor logging and the weird part is LTM was not showing any logs in the /var/log/monitor path.  So i tried to debug manually by telnetting to the server port and issued the GET string commands, but as soon i paste it, the cli closes the connection (not sure why??)

Eg:

String in health montior : GET /keepAlive.html\r\n HTTP/1.1\r\nHost: \r\nConnection: close\r\n\r\n 

in CLI: 

1) [Active F5] # telnet 10.177.222.35 15000
Trying 10.177.222.35...
Connected to 10.177.222.35.
Escape character is '^]'.
GET /keepAlive.html HTTP/1.1 (As soon as i put this line, immediately connection closes)
Host: Connection closed by foreign host

 

2) I tired another method, through openssl

openssl s_client -connect 10.177.222.35:15000
GET /keepAlive.html HTTP/1.1
Host:
Connection: Close

I get a 400 bad request.

 

3) Tried curl  : curl -vk https://10.177.222.35:15000/keepAlive.html, now i get a 403

So kinda confused, if i am doing anything wrong. I more interested in the first one why the connection closes as soon as i paste it. 

 

Note : Reverted to old certificate and the Pool came up. And after this only the montior logging started to work. Now even after the pool member is up, i tried the above methods, and i still get the same results.  

We are checking internally on the certificate, why this is happening, as its the same cert , just the validity is extended . But i am concerned about the montior tshoot steps i did. 

 

 

application delivery
health monitor

4 Replies

Sort By
  • SamCo's avatar
    SamCo
    Icon for Cirrus rankCirrus
    Mar 21, 2022

    Hello,

    As the only thing that change with your monitor is the client authentication certificate, my advice is to focus on the SSL Layer, both on your side and on the server side, but mainly focus on the certificate authentication configuration of the server. If the new certificate is issued by a new AC, it could be important to check if the server is trusting it.

    Regarding your test, all of them have some miss :

    1\ Telnet can only be used to test plain text http, not https so the reset is expected if the server is expecting ssl.

    2\ The http 400 is probably here because the request in not well formed. Anyhow, you do not replicate the bigip monitor because there is no client certificate in your request,

    3\ Same as below, but the payload seems fine. Anyhow, you do not replicate the bigip monitor because there is no client certificate in your request,

     

    For curl, the synthax to used a client cert is :

    $ curl --cert client.crt --key client.key --cacert ca.crt

     Cheers,

    Sam

    • Manu_Nair's avatar
      Manu_Nair
      Icon for Cirrus rankCirrus
      Mar 21, 2022

      Hi Samco, 

      Thanks for the reply!!.  The certificate CA is the same and all the Cert Parameters is also the same.  But not sure why it did not work which we are investigating. 

      I Understood , that telnet will not work due to https but do we need to specifically mention the certificate and key for the other two methods.??. Cos i am getting http 400 series error, which means SSL is passed right and i assume something else causing this. 

       

       

      • SamCo's avatar
        SamCo
        Icon for Cirrus rankCirrus
        Mar 21, 2022

        Yes, the HTTP 400 and 403 response mean you managed to established the SSL/TLS connection. But it does not mean the certificate check is ok for the server, it could establish the connection then inspect the certificate (IIS can make this from my experience).

        Anyhow, if your health monitor need the client certificate to work, it mean you need it to replicate it with curl.

        good luck,

        Cheers,

        Sam