
Native SNI support for Health Monitoring

ErikM
Altostratus

Hi all,

Back in 2018 I was wondering why there was no native Bigd process based SNI support in Health Monitoring. It turned out that the only way to achieve this was with the help of the famous external curl script.

The other option was to change to in-TMM monitoring. And that probably for a good reason. This would require setting a database key: modify sys db bigd.tmm value enable - according to K11323537.

Has anyone tried this in-TMM option and would you please share your experiences?

I was still hoping F5 would incorporate this very useful option as native, but haven't found this in any new version yet. Or perhaps I missed it somehow? 🙂

Thanks,

Erik
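
For reference, the shape of the external curl monitor mentioned above, as an added example that is not from this thread or from F5. It assumes the usual BIG-IP external monitor convention (member IP in $1, port in $2, any stdout output marks the member up); MON_HOST, MON_URI and MON_CA are hypothetical variables set on the monitor object.

```shell
#!/bin/sh
# Added example: external monitor that sends SNI and validates the backend
# certificate. MON_HOST, MON_URI and MON_CA are hypothetical variable names
# configured on the monitor; they do not come from the thread.

# IPv4 members are assumed to arrive as IPv4-mapped IPv6 (::ffff:a.b.c.d).
# curl wants plain IPv4; a real IPv6 literal must be bracketed in --resolve
# (bracket support needs curl 7.57.0 or later).
member_addr() {
    case "$1" in
        ::ffff:*.*) printf '%s\n' "${1#::ffff:}" ;;
        *:*)        printf '[%s]\n' "$1" ;;
        *)          printf '%s\n' "$1" ;;
    esac
}

# --resolve pins the connection to the pool member while the URL keeps the
# hostname, so curl sends that name as SNI and Host header and verifies the
# certificate against it. No -k: a name or chain mismatch fails the probe.
probe() {   # args: member_ip port hostname uri ca_file
    addr=$(member_addr "$1")
    curl -fsS -o /dev/null --max-time 5 --cacert "$5" \
         --resolve "$3:$2:$addr" "https://$3:$2$4"
}

# Print only on success: output means "up", silence means "down".
if [ "$#" -ge 2 ]; then
    if probe "$1" "$2" "${MON_HOST:?}" "${MON_URI:-/}" "${MON_CA:?}" 2>/dev/null; then
        echo up
    fi
fi
```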


2 ACCEPTED SOLUTIONS

I have tried this in the past on v13.x 🙂 and it showed unexpected behaviours. The in-TMM monitoring was brought up and it caused multiple other pools to go down. Later investigation showed that it consumed huge memory as that version had a bug. So we turned it off and stuck with the external monitor.

Also to note, if one upgrades from v11 to v13, the upgrade process by default appends an SSL profile to the monitor. So you need to make sure to remove those profiles or add the right profile before turning on in-TMM monitoring.

I'm sure with the latest bug fixes, it should be stable, make sure your infra is on that version. Don't start off with production and later have a face palm 😉


Lidev
MVP

Hi ErikM,
On my part, I use in-TMM monitoring on a v14.x version to be able to use the Authenticate Name option on the Server SSL profile to perform a CN check of the backend server certificates.
No problem for the past 2 years, it's stable and does the job well 🙂


6 REPLIES

DevBabu
Cirrus

Please check out this article.

https://support.f5.com/csp/article/K65219243

Hope this helps.

Check ☑️ and thanks!

But actually the thing I'm curious to find out is what your experiences are. In our case it would mean a conversion from our installed base of HM's towards something that is very sparsely documented. And that's a real jump into deep water in a production environment. One thing that is not documented, for instance, is what kind of monitors are actually supported. And how will existing HM's converse, if even, when in-TMM is the chosen way?

Thanks,

Erik

ErikM
Altostratus

Thanks to you all for sharing your thoughts! Much appreciated!

Since we have some space left on our vCMP host I will spin up another guest in order to do some testing with this.

Again, wondering why something so mainstream as SNI is not natively supported in HM-land. Or in the case of in-TMM: not being fully documented yet. Perhaps someone from F5 could pls comment on this.

Erik



@ErikM wrote:

Or in the case of in-TMM: not being fully documented yet. Perhaps someone from F5 could pls comment on this.


I also wondered about this. I had to open a case at the time to find out that I needed to change the in-TMM-in variable for my purpose, as nothing was documented.


@JRahm: Any ideas?