cancel
Showing results for 
Search instead for 
Did you mean: 

Health monitor using https profile issue

f5mkuDefault
Cirrus
Cirrus

Hi Experts, I have 1 issue that until now I still cannot find a definite answer after googling for a long time.

I have an HA F5, active and standby unit. I created 1 VS and the pool health monitor uses https profile with default settings, see attached image for the health monitor settings.

 

The results where.

In active unit the pool is down, the health monitor it uses tlsv1 to communicate with the server causing a fatal error protocol version

If I define the port 443 instead of using * All Ports, the pool comes up.

 

In standby unit the pool is up. the health monitor it uses tls1.2 to communicate with the server and no issues.

This is also using * All Ports and I do not have issue with this standby unit.

 

See my tcpdump attached here as well.

 

Now I do not understand why my active unit uses tls1 while standby unit uses tls1.2.

 

I also understand the ciphers used are DEFAULT that is why the F5 tries to negotiate using tls1.

But how come in standby unit it offers tls1.2?

 

Please help to enlighten me. What is the best practice?

Any answer is very much appreciated, thank you in advance.

 

0691T000009iItdQAE.png

 

0691T000009iIu2QAE.png

2 REPLIES 2

Samir
Nacreous
Nacreous

Which BIGIP version you are running? As such not observed such behaviour in BIG-IP.

 

Gone through both wireshark image and found that one of the connection is going on x.x.x.12 and other is x.x.x.11. To narrow done issue, keep one member in pool and isolate the issue.

 

Try below options?

  • Remove the https monitor from pool , save the config and add back same monitor in pool
  • openssl s_client -connect x.x.x.x:443 -tls1_2
  • openssl s_client -connect x.x.x.x:443 -tls1

 

Hope this will help you.

f5mkuDefault
Cirrus
Cirrus

Hi Samir, this is an HA, active, standby.

Now .12 is the active unit while .11 is the standby unit.

 

We are using version 12.1.3

 

What I dont understand is why on .12 the ltm is negotiating using tls1 while in .11 is tls1.2.

In .12 the pool is down while in .11 the pool is up.

I did openssl on both using the default cipher list on the health monitor profile and the ltm by right is not supposed to use tls1 as there is no tls1 in the list.

 

  • Remove the https monitor from pool , save the config and add back same monitor in pool
  • I did this already. The only fix is to define the port 443 instead of using * All Ports.

 

I'm sorry I am not able to do this at the moment.

  •  openssl s_client -connect x.x.x.x:443 -tls1_2
  • openssl s_client -connect x.x.x.x:443 -tls1