health monitor
72 Topics

F5 Health Monitor Receive String as JSON
Hello,

We have to set up Health Monitor where the received string in response header is in JSON format. And therefore, I am wondering how to configure the proper string that F5 will understand:

Received String:

    {"status":"started","services":[{"name":"nae-kmip","status":"started"}]}

It seems to accept RegEx like the following:

    HTTP/1.1 200 OK|name:name-kmip,status:started

However, I am not sure if this would match. I would appreciate any advice.

Thanks,

312 Views | 0 likes | 8 Comments

Simplifying Application Health Monitoring with F5 BIG-IP
A simple agreement between BIG-IP administrators and application owners can foster smooth collaboration between teams. Application owners define their own simple or complex health monitors and agree to expose a conventional /health endpoint. When a /health endpoint responds with an HTTP 200 request, BIG-IP assumes the application is healthy based on the application owners' own criteria.

The Challenge of Health Monitoring in Modern Environments

F5 BIG-IP administrators in Network Operations (NetOps) teams often work with application teams because the BIG-IP acts as a full proxy, providing services like:

- TLS termination
- Load balancing
- Health monitoring

Health checks are crucial for effective load balancing. The BIG-IP uses them to determine where to send traffic among back-end application servers. However, health monitoring frequently causes friction between teams.

Problems with the Traditional Approach

Traditionally, BIG-IP administrators create and maintain health monitors ranging from simple ICMP pings to complex monitors that:

- Simulate user transactions
- Verify HTTP response codes
- Validate payload contents
- Track application dependencies

This leads to several issues:

- Knowledge Gap: NetOps may not fully grasp each application's intricacies.
- Change Management Overhead: Application updates require retesting monitors, causing delays.
- Production Risk: Monitors can break after application changes, incorrectly marking services as up/down.
- Team Friction: Troubleshooting failed health checks involves tedious back-and-forth between teams.

A Cloud-Native Solution

The cloud-native and microservices communities have patterns that elegantly solve these problems. One widely used pattern is the health endpoint, which adapts well to BIG-IP environments.

The /health Endpoint Convention

Cloud-native applications commonly expose dedicated health endpoints like /health, /healthy, or /ready. These return standard status codes reflecting the application's state.
The /health endpoint provides a clear contract between NetOps and application teams for BIG-IP integration.

Implementing the Contract

This approach establishes a simple agreement:

Application Team Responsibilities:

- Implement /health to return HTTP 200 when the application is ready for traffic
- Define "healthy" based on application needs (database connectivity, dependencies, etc.)
- Maintain the health check logic as the application changes

BIG-IP Team Responsibilities:

- Configure an HTTP monitor targeting the /health endpoint
- Treat 200 as "healthy", anything else as "unhealthy"

Benefits of This Approach

- Aligned Expertise: Application teams define health based on their knowledge.
- Less Friction: BIG-IP configuration stays stable as applications evolve.
- Better Reliability: Health checks reflect true application health, including dependencies.
- Easier Troubleshooting: The /health endpoint can return detailed diagnostic info, but this is ignored by the BIG-IP and used strictly for troubleshooting.

Implementation Examples

F5 BIG-IP Health Monitor Configuration

    ltm monitor http /Common/app-health-monitor {
        defaults-from /Common/http
        destination *:*
        interval 5
        recv 200
        recv-disable none
        send "GET /health HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
        time-until-up 0
        timeout 16
    }

Node.js Health Endpoint Implementation

    const express = require('express');
    const app = express();
    const port = 3000;

    app.get('/', (req, res) => {
      res.send('Application is running');
    });

    app.get('/health', async (req, res) => {
      try {
        const dbStatus = await checkDatabaseConnection();
        const serviceStatus = await checkDependentServices();
        if (dbStatus && serviceStatus) {
          return res.status(200).json({
            status: 'healthy',
            database: 'connected',
            services: 'available',
            timestamp: new Date().toISOString()
          });
        }
        res.status(503).json({
          status: 'unhealthy',
          database: dbStatus ? 'connected' : 'disconnected',
          services: serviceStatus ? 'available' : 'unavailable',
          timestamp: new Date().toISOString()
        });
      } catch (error) {
        res.status(500).json({
          status: 'error',
          message: error.message,
          timestamp: new Date().toISOString()
        });
      }
    });

    async function checkDatabaseConnection() {
      // Check real database connection
      return true;
    }

    async function checkDependentServices() {
      // Check required service connections
      return true;
    }

    app.listen(port, () => {
      console.log(`Application listening at http://localhost:${port}`);
    });

Adopting this health check pattern can greatly reduce friction between NetOps and application teams while improving reliability. The simple contract of HTTP 200 for healthy provides the needed integration while letting each team focus on their expertise.

For apps that can't implement a custom /health endpoint, BIG-IP admins can still use traditional ICMP or TCP port monitoring. However, these basic checks can't accurately reflect an app's true health and complex dependencies.

This approach fosters collaboration and leverages the specialized knowledge of both network and application teams. The result is more reliable services and smoother operations.

272 Views | 1 like | 0 Comments

HTTPS health monitor with binary values
We have security appliances behind F5 as pool members. These require probing with binary strings. We have configured a "TCP" health monitor with send/receive strings as binary values in BIG-IP syntax as mentioned in article K01524704. This TCP monitor is working as expected.

However, the new requirement is to set up mTLS between F5 and pool members. I have installed the server-side certificate and the same has been installed at the pool member servers (with the mTLS feature enabled at the pool member servers). The same TCP binary health monitor is marking the pool members down; however, it is working with the default tcp monitor (only TCP handshake to check port status).

I have tried using an HTTPS health monitor with the same binary values in send/receive strings with a server SSL profile in the monitor advanced setting, but it didn't work.

Any advice would be appreciated.

126 Views | 0 likes | 3 Comments

Load balancing based on file content
Hi All,

I've done some reading but I can't seem to find a solution to what I'm trying to achieve. I would like to set up load balancing based on the receive string from a file on a server. My setup is as follows:

- 2 servers in a pool, A & B
- Each server has a file that needs to be queried.
- If the receive string is "ok", traffic is distributed based on the round robin method.
- If the receive string from 1 of the servers is changed, load balancing is then based on the priority group setting, where server A=1 and B=5.

Unlike a health monitor, I need both servers to be able to receive traffic, but distributed based on the priority group setting for the server. Somehow this was accomplished on the A10, but I'm having a hard time trying to replicate it on the F5.

Any thoughts or suggestions on how I can achieve this? Thanks in advance for your help.

Cheers
Deena

55 Views | 0 likes | 1 Comment

Health Monitor
Hi community,

I have a puzzling health monitor that I can't get working. I can curl to the server from CLI:

    # curl server-name.domain:1936/healthz -k
    ok

But when I try to produce a health monitor via the GUI to do the same/similar, I get no valid response and the pool is marked down. This is an OpenShift server that doesn't respond to a request on 1936, so I need to craft some form of https command to mimic the above. If I point directly at https I get the following error:

    # curl https://server-name.domain/healthz -k

returns

    curl: (35) Unknown SSL protocol error in connection to server-name.domain:443

Has anyone seen similar issues when monitoring OpenShift pools and got a working solution / suggestion? I need something better than TCP-half-open monitoring.

908 Views | 0 likes | 3 Comments

WSDL Url monitor issues
Hi Friends,

I am facing some weird behaviour from F5 while using a health monitor for a wsdl url. I am using the health monitor as follows:

Send String:

    GET /app/xyz/AdminService.wsdl HTTP/1.1\r\nHost: myapp.myname.com \r\nConnection: Close\r\n\r\n

Receive String:

    HTTP/1.1 200 OK

The health monitor works fine, but the end server is loaded with so many HTTP 500 errors while F5 is performing health checks. I have verified and found that the wsdl responds back with a complete xml page, and this xml page contains a url which in turn gives an HTTP 500 error.

How can we solve this issue? Any idea?

-Jinshu

209 Views | 1 like | 0 Comments

How to create an External Monitor?? Please help
Hi,

How to create an external monitor for the below curl command? The below curl command is giving an output "200" when running manually from F5:

    curl --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:http://mybase.xyz.com/mybaseService/HealthCheck" --data "" -o /dev/null -s -w %{http_code} http://servername:8080/mybaseWS/mybaseService

Please help.

-Jinshu

295 Views | 0 likes | 1 Comment

GTM https health monitor has never worked
I'm trying to construct a health monitor in GTM 11.5.4 that looks for text on an https web page. I have never been able to get the monitor to go green so I am trying to troubleshoot it.

    gtm monitor https mhconnect_https {
        cert /Common/default.crt
        cipherlist DEFAULT:+SHA:+3DES:+kEDH
        compatibility enabled
        defaults-from https
        description "Look for specific text"
        destination *:*
        interval 30
        key /Common/default.key
        probe-timeout 5
        recv "Please sign in to begin your secure session."
        send "GET /dana-na/auth/url_default/welcome.cgi"
        timeout 120
    }

The /var/log/gtm log shows this:

    011ae0f2:1: Monitor instance /Common/mhconnect_https x.x.x.x:443 UNKNOWN_MONITOR_STATE --> DOWN from x.x.x.x (connect: server error search result false)

From the GTM in question, I can use CURL and see the text in the HTML page that the health monitor keys on:

    curl --insecure -v https://x.x.x.x/dana-na/auth/url_default/welcome.cgi

This returns many lines of text, including HTML containing the text I'm looking for.

A telnet test fails:

    [root@F5-GTM-MC-01:Active:Standalone] monitors telnet x.x.x.x 443
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    GET /dana-na/auth/url_default/welcome.cgi
    Connection closed by foreign host.
    [root@F5-GTM-MC-01:Active:Standalone] monitors

I have also tried using this as the send string, to force HTTP 1.0:

    GET /dana-na/auth/url_default/welcome.cgi HTTP/1.0\r\n

..and that doesn't work either.

If I open the IP and path in a web browser, it works fine.

I have used tcpdump to capture the traffic, and I can see the regular health monitor TCP traffic flowing, but the application data is all encrypted so that's been no help.

The "011ae0f2:1" error seems to be somewhat well documented but I've seen nothing that relates to my problem. What should I do next to troubleshoot this?

966 Views | 0 likes | 6 Comments

HTTP SOAP XML monitor help needed
Hi All,

I am attempting to implement an HTTPS health monitor that sends a SOAP POST request to an XML gateway. I have had my request sorted out through SOAP UI, which works as expected. The response I am getting in XML format indicates that the back-end service is up and running.

With some trial and error, I have converted the SOAP UI request into a send string as below:

    POST /servcie HTTP/1.1\r\nHost: applicaiton.companyname.com:8443\r\nAccept-Encoding: gzip,deflate\r\nUser-Agent: Apache-HttpClient/4.1.1 (java 1.5)\r\nContent-Type: text/xml;charset=utf-8\r\nSOAPAction: http://www.companyname.com/EnterpriseServices/Scheduling/v1.0.0/GetDemographics\r\nContent-Length: 1314\r\nConnection: Close\r\n\r\n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Header><wsse:Security soap:mustUnderstand = \"1\" xmlns:wsse = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"><wsse:UsernameToken wsu:Id = \"UsernameToken-7198221\" xmlns:wsse = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><wsse:Username xmlns:wsse = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">serviceuser</wsse:Username><wsse:Password Type = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\" xmlns:wsse = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">somepassword</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><GetDemographics xmlns=\"http://www.companyname.com/EnterpriseServices/Scheduling/v1.0.0\"><getDemographicsRequestParam><Body><ClientCode>ABC</ClientCode><ProgramCode>ABC</ProgramCode><examCode>2NE</examCode></Body></getDemographicsRequestParam></GetDemographics></soap:Body></soap:Envelope>\r\n

I see the request from the monitor and a successful response on the XML gateway appliance. As a receive string I am expecting the message status below:

    <Success>true</Success>

While the response is HTTP 200, my monitor still seems to fail with the response string match. Looking at the monitor log I see the request and response. However, the format of the response shows as a hexadecimal representation. This is weird. I have checked against some other monitors and they show response content in readable format.

    [0][16420] 2021-04-06 16:50:06.599136: ID 367 :(_recv_active_service_ping): rcvd 715 bytes: -->HTTP/1.1 200 OK\x0d\x0aServer: Apache-Coyote/1.1\x0d\x0aContent-Encoding: gzip\x0d\x0aContent-Type: text/xml;charset=utf-8\x0d\x0aContent-Length: 530\x0d\x0aDate: Tue, 06 Apr 2021 20:50:06 GMT\x0d\x0aConnection: close\x0d\x0a\x0d\x0a[escaped binary response body omitted]<-- [ tmm?=false td=true tr=false addr=::ffff:10.2.1.123:8443 srcaddr=::ffff:10.2.1.2%0:49550 ]

It almost looks like LTM is failing to interpret the response properly.

Any ideas? Has anyone seen something like this before? All help is greatly appreciated.

Thanks,
Alex

Solved | 1.8K Views | 0 likes | 4 Comments

Notifications via External Monitor
Hi,

I have an external monitor that sends a notification (email) when it fails. I don't want it failing so I just had it create a file when it fails. If that file doesn't exist, it will notify. If it does exist, it just marks it down but doesn't send the alert. The way I thought to clean it up was just to rm -f the file when the status goes back to UP. This works fine if the script is run manually, but will not work when it runs through F5.

Here are the basics of the script:

    curl -s -v -k -H "Host: ${HOST}" -k https://${NODE}${URI} 2>&1 > /dev/null | grep -i "${RECV}"
    STATUS=$?
    rm -f $PIDFILE
    if [ $STATUS -eq 0 ]
    then
        rm -f /shared/tmp/service-${NODE}
        echo "UP"
    else
        if [ ! -f /shared/tmp/service-${NODE} ]
        then
            touch /shared/tmp/service-${NODE}
            chmod 777 /shared/tmp/service-${NODE}
            curl -s -o /shared/tmp/service-${NODE}.html -H "Host: ${HOST}" -k https://${NODE}${URI}
            # EMAIL NOTIFICATION PART
        fi
    fi
    exit

Is there something that I am missing? Is there a better way?

201 Views | 0 likes | 1 Comment
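
The notify-once behaviour described in the post above, as an added example that is not the poster's script: a per-node marker file turns repeated DOWN probes into a single alert and is cleared on recovery. `STATE_DIR`, `record_probe` and `run_sequence` are hypothetical names, and the probe results fed in are constructed stand-ins for the curl/grep check.

```shell
#!/bin/sh
# Added example, not the poster's script. STATE_DIR, record_probe and
# run_sequence are hypothetical names; probe results are constructed.

STATE_DIR="${STATE_DIR:-$(mktemp -d)}"   # the post uses /shared/tmp

# record_probe NODE STATUS
#   STATUS is the exit code of the check (0 = receive string matched).
#   Prints the transition: up, recovered, down-new or down-known.
#   Only "down-new" should send a notification.
record_probe() {
    node=$1
    status=$2
    # Node addresses may contain ':' or '%'; map them to a safe file name.
    safe=$(printf '%s' "$node" | tr -c 'A-Za-z0-9._-' '_')
    marker="$STATE_DIR/service-$safe"

    if [ "$status" -eq 0 ]; then
        if [ -e "$marker" ]; then
            rm -f "$marker"
            echo recovered
        else
            echo up
        fi
        return 0
    fi

    # noclobber (set -C) makes creation fail if the marker already exists,
    # so when two probe runs overlap only one of them reports down-new.
    if ( set -C; : > "$marker" ) 2>/dev/null; then
        echo down-new
    else
        echo down-known
    fi
}

# run_sequence NODE STATUS...
#   Feeds constructed probe results through record_probe in order and
#   prints the transitions on one line.
run_sequence() {
    seq_node=$1
    shift
    out=
    for s in "$@"; do
        out="$out${out:+ }$(record_probe "$seq_node" "$s")"
    done
    echo "$out"
}

run_sequence '::ffff:10.0.0.5' 0 1 1 0 1
```

In a monitor script shaped like the one in the post, `up` and `recovered` correspond to the branch that echoes "UP", and `down-new` to the branch that sends the e-mail.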