BIG-IP DNS SNI monitoring
We are trying to get a SNI monitor to work on a BIG-IP DNS to a generic host. Using the external ADFS monitors the checks fail. When running a CURL to the destination servers we receive Unknown SSL protocol error in connection while a openssl test returns the cert and the CN we are grepping for but the moniotr still fails. We have tried with the standard ADFS external monitor provided by F5 along with the amended version for TLS1.1 and above. Also tried another custom one from Devcentral. Can anyone provide any pointers in how we could get this to work? Monitor 1: !/bin/sh These arguments supplied automatically for all external monitors: $1 = IP (nnn.nnn.nnn.nnn notation) $2 = port (decimal, host byte order) This script expects the following Name/Value pairs: HOST = the host name of the SNI-enabled site URI = the URI to request RECV = the expected response Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format) NODE= echo ${1} | sed 's/::ffff://' if [[ $NODE =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then NODE=${NODE} else NODE=[${NODE}] fi PORT=${2} PIDFILE="/var/run/ basename ${0} .sni_monitor_${HOST}_${PORT}_${NODE}.pid" if [ -f $PIDFILE ] then echo "EAV exceeded runtime needed to kill ${HOST}:${PORT}:${NODE}" | logger -p local0.error kill -9 cat $PIDFILE > /dev/null 2>&1 fi echo "$$" > $PIDFILE (echo -e "GET $URI HTTP/1.1\r\nHost: $HOST\r\nConnection: Close\r\n\r\n"; sleep 2) | openssl s_client -cipher 'ECDHE-RSA-AES256-SHA' -servername '$HOST' STATUS=$? rm -f $PIDFILE if [ $STATUS -eq 0 ] then echo "UP" fi exit Monitor 2 !/bin/sh These arguments supplied automatically for all external monitors: $1 = IP (nnn.nnn.nnn.nnn notation) $2 = port (decimal, host byte order) This script expects the following Name/Value pairs: HOST = the host name of the SNI-enabled site URI = the URI to request RECV = the expected response Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format) NODE= echo ${1} | sed 's/::ffff://' if [[ $NODE =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then NODE=${NODE} else NODE=[${NODE}] fi PORT=${2} PIDFILE="/var/run/ basename ${0} .sni_monitor_${HOST}_${PORT}_${NODE}.pid" if [ -f $PIDFILE ] then echo "EAV exceeded runtime needed to kill ${HOST}:${PORT}:${NODE}" | logger -p local0.error kill -9 cat $PIDFILE > /dev/null 2>&1 fi echo "$$" > $PIDFILE curl-apd -k -i --resolve $HOST:$PORT:$NODE https://$HOST$URI | grep -i "${RECV}" > /dev/null 2>&1 STATUS=$? rm -f $PIDFILE if [ $STATUS -eq 0 ] then echo "UP" fi exit Monitor 3 !/bin/bash pidfile="/var/run/$MONITOR_NAME.$1..$2.pid" if [ -f $pidfile ] then kill -9 - cat $pidfile > /dev/null 2>&1 fi echo "$$" > $pidfile node_ip= echo $1 |sed 's/::ffff://' node_port=$2 getscript () { echo 'GET / HTTP/1.1' echo 'Host: ..*.com' echo '' while sleep 0; do echo 'quit\n' done } docurl () { IFS=$'\n' arr=($(getscript | openssl s_client -connect ...:443 -servername ...com 2>/dev/nul |grep -E CN=...com)) unset IFS } docurl echo ${arr[0]} if [ -n "${arr[0]}" ] then Remove the pidfile before the script echoes anything to stdout and is killed by bigd rm -f $pidfile echo "up" fi Remove the pidfile before the script ends rm -f $pidfile
LTM - Setting dependancy between monitors
Not sure if this is even possible but here is the scenario: I have a pool of IIS servers configured as members of two sets of pools based on TCP ports configured in IIS. (I was told that you need to create a separate VS per port you want to load balance). So... per the web devs, port 10000 is for responding to TCP traffic (restful web calls, etc.). Port 10001 is responding to http requests. Virtual Server 1 (TCP port 10000) Virtual Server 2 (TCP port 10001) Pool 10000 (has Servers 1-3/port 10000 as members) Pool 10001 (has Servers 1-3/port 10001 as members) I have an http monitor which is working correctly which monitors pool 10001 for successful get responses and works as expected. Disable web service on Server1, the Pool 10001 shows Server1 as down. My problem is that Pool 10000 shows Server 1 as still being up as its just using the standard icmp monitor, thus traffic is still being passed to that server. Is it possible to set a dependency on the icmp monitor to the http monitor associated with pool 10001? So if the web server is down on a server, no traffic is sent to that server regardless if its still responding to ping? If it's not responding to ping, then obviously the web monitor would be down as well. Sorry, really new to LTM concepts so still learning this awesome system. Thanks, George
tmsh test-monitor : external executable not found
Hi, I'm trying to use the "test-monitor" function in tmsh but every time I use it I get the same answer: root@(lb07067)(cfg-sync In Sync)(Active)(/Common)(tmos) test-monitor http address 10.221.62.23 port 8180 can't run 'http' monitor manually: external executable not found (http) Even on the basic http default monitor. Any clue ? Thanks
Monitoring Individual Application Tiers
We have a web application which consists of two web servers: webserverA and webserverB. The web servers are in a pool which is assigned to a VS. Each web server is tied to its own application server and its own processing server. The web server communicates to the application server over tcp/8825 and the processing server over tcp/8925. I have been requested to mark the web server down if either the application or processing servers are down. The application and processing servers cannot be load balanced according to the third party developers. VS >> webserverA and webserverB webserverA >> appserverA and procserverA webserverB >> appserverB and procserverB Can and should this monitoring reside on the F5? My inital thought is to setup a monitoring service on each of the two web servers which would shut down the HTTP service in the event the APP or processing servers were down. The F5 would no longer send traffic to the web server once the HTTP service was down. Any help would be appreciated.
