health monitor
71 Topics

HTTP SOAP XML monitor help needed
Hi All,

I am attempting to implement an HTTPS health monitor that sends a SOAP POST request to an XML gateway. I have had my request sorted out through SOAP UI, which works as expected. The response I am getting in XML format indicates that the back-end service is up and running. With some trial and error, I have converted the SOAP UI request into a send string as below:

POST /servcie HTTP/1.1\r\nHost: applicaiton.companyname.com:8443\r\nAccept-Encoding: gzip,deflate\r\nUser-Agent: Apache-HttpClient/4.1.1 (java 1.5)\r\nContent-Type: text/xml;charset=utf-8\r\nSOAPAction: http://www.companyname.com/EnterpriseServices/Scheduling/v1.0.0/GetDemographics\r\nContent-Length: 1314\r\nConnection: Close\r\n\r\n<soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Header><wsse:Security soap:mustUnderstand = \"1\" xmlns:wsse = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\"><wsse:UsernameToken wsu:Id = \"UsernameToken-7198221\" xmlns:wsse = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\" xmlns:wsu = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\"><wsse:Username xmlns:wsse = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">serviceuser</wsse:Username><wsse:Password Type = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\" xmlns:wsse = \"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">somepassword</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><GetDemographics xmlns=\"http://www.companyname.com/EnterpriseServices/Scheduling/v1.0.0\"><getDemographicsRequestParam><Body><ClientCode>ABC</ClientCode><ProgramCode>ABC</ProgramCode><examCode>2NE</examCode></Body></getDemographicsRequestParam></GetDemographics></soap:Body></soap:Envelope>\r\n

I see the request from the monitor and a successful response on the XML gateway appliance. As a receive string I am expecting the message status below:

<Success>true</Success>

While the response is HTTP 200, my monitor still seems to fail with response string match. Looking at the monitor log I see the request and response. However, the format of the response shows as a hexadecimal representation. This is weird. I have checked against some other monitors and they show response content in readable format.

[0][16420] 2021-04-06 16:50:06.599136: ID 367 :(_recv_active_service_ping): rcvd 715 bytes: -->HTTP/1.1 200 OK\x0d\x0aServer: Apache-Coyote/1.1\x0d\x0aContent-Encoding: gzip\x0d\x0aContent-Type: text/xml;charset=utf-8\x0d\x0aContent-Length: 530\x0d\x0aDate: Tue, 06 Apr 2021 20:50:06 GMT\x0d\x0aConnection: close\x0d\x0a\x0d\x0a\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x00\xad\x95\xc9n\xdb0\x10\x86_e\xa0K\x93CL;\xe9\xa10h\x05\x8d\xb7\x04\xb0\x03#\x02\xd2^Yr"\x11\x15I\x81\x8bl\xbf})\xc7n\xed\x14i \xd57\x91\xd4\xf7\xcfp8\x0b\xbd\xdd\xa8\x12j\xb4N\x1a=J\x06\xbd~\x02\xa8\xb9\x11R\xe7\xa3$\xf8\x97\xab/\xc9mJ\x9da\xd5p\xaak,M\x85\x10\x11\xed\x86\xcd\xde()\xbc\xaf\x86\x848^\xa0b\xae\x17\x8f\x9a\xfd\x9e\xb19i>\x08\xee!\x92\xec\xb1\x8d\x93\xbf\xa9\xf5z\xdd[\xdf\xec~\xbe\xee\xf7\x07\xe4\xfbr\x91\xed\x84\xae\xa4v\x9ei\x8e\x7f(\xf11\x95\xec\x1d\xbd3b\x9b\xd29\xfa\x09*\x93[V\x15\x92\xbb't\x95\xd1n\xef\xfd\x89\xd8\xca\x1a\x85\xdeJ\xde\xe3F\x91\xa9\xf6h++\x1dfhk\xc9\xd1\x91F^\x842\xc6\x84\xd41D1H\xef\xca\xa7\xf4\x1e\x99@\x9b\xd2%:\xc7r\xcc<\xf3\xc1\xa54\x0b<J\xb9\xd4\xdb\x80\x94\x1cV\x94\xbc\xf9\x8d\x1c\xf0\xd7K\x1c\x9b8Y\xa5\xf4\x91)Lg\xd2:\x0f\x17sY\xa3\xbe\x84f\x8b\x92\xdd\x01}fe@ Q\xf1\x84\xfa[b)\x85(\xb1\x1b\xbb`\x8d\xf5\x19S\xb2\xdcv4?6\xaabz\xdb\x0d\xce\xbcE\xf4\xf0U\x08\x1b\xc3\x08\x0b\xa9\x11\x06gQ\xb9>\x8b\xca\xcdYT>\xb7\x0f\xaa\xf4\xdb\x0e\xa6\x99G\x12\x8b\xa1\x96\xb1\xf2Z\xe3+\x13K\xb6\x84\xb1\x11]\x92 ho\xdb\xbb<UL\x96\x87`\xb5\xa6\xbf\x19\xfb\x93L\xd8\x16V\x85\xd1\xed\x9d>\xc5a\xba\xf1\xa8\x9b6\xdaZ\xe8>\xb6\x1f\xb8\x98\xc6\x12\x8e\x1d\xe6\xb2\xa373\xb6\xe9HN\xe2\xb3\x83y\x81;i}\xd1>k\x0c\x97\xf1\xd93\xe4\xc1\xc6\xac\x83\xc7\xa0~\xa0m\xdf\x85\x8c/\xd0~r\xb0dR\xa0\xee\xd6\x0e\xe6&N2\xadP{x\x98\xfc\x1f\x0d\x0f\xce\x85\xf8\x1c\xd055\xc7\xc6\xda\xddL\x88\xb7\xe1\x08\x0b\xa6\xf3\x10\xfb\xfc\x07:\xc7\xabf\x1a\xbcN\x01\xf2\xee\xb0\xf9\xc7\xc9\xd1($'\xf3;\xfd\x05,\xa4\x8a2\xf5\x07\x00\x00<-- [ tmm?=false td=true tr=false addr=::ffff:10.2.1.123:8443 srcaddr=::ffff:10.2.1.2%0:49550 ]

It almost looks like LTM is failing to interpret the response properly. Any ideas? Has anyone seen something like this before? All help is greatly appreciated.

Thanks, Alex

Solved | 1.7K Views | 0 likes | 4 Comments

HTTP Health Monitor in LTM
Hi Folks,

We have the following requirement to configure an HTTP health monitor and this is what we need to implement.

Type  Send                                               Receive
HTTP  GET /Sample/healthchecksimple HTTP/1.1             200|OK
HTTP  GET /Sample123/servlet/fcs/ping HTTP/1.1           200|System Current Time
HTTP  GET /sample456/test-alive HTTP/1.1                 200|OK
HTTP  GET /Sample789/manager?query=monitoring HTTP/1.1   302
HTTP  GET /Sample459/monitoring/healthcheck HTTP/1.1     200|OK
HTTP  GET /Sample324/servlet/fcs/ping HTTP/1.1           200|System Current Time
HTTP  GET /Sample438/monitoring/healthcheck HTTP/1.1     200|OK
HTTP  GET /healthcheck HTTP/1.1                          200|OK

We would like to know if this is the correct syntax for the Send and Receive strings or if we need to modify it. We need to associate this with a pool.

1.4K Views | 0 likes | 12 Comments

Configure a monitor/irule to check a webpage health only after login using a test credentials
I am looking for help to configure a monitor/irule to login to a web page with credentials then check the service up/down when the login is successful. It would be really appreciated if someone could be able to share/help me with coding/programming to achieve this. I have gone through some F5 articles but did not find a better solution.

Solved | 1.4K Views | 1 like | 2 Comments

Health Monitor issue
Hi,

I am facing a weird issue. We renewed our SSL certificate and our health monitor uses this renewed certificate. Post renewal, our pool member went down. For Tshooting, I enabled monitor logging and the weird part is LTM was not showing any logs in the /var/log/monitor path. So I tried to debug manually by telnetting to the server port and issued the GET string commands, but as soon as I paste it, the CLI closes the connection (not sure why??)

E.g.: String in health monitor:

GET /keepAlive.html\r\n HTTP/1.1\r\nHost: \r\nConnection: close\r\n\r\n

In CLI:

1)
[Active F5] # telnet 10.177.222.35 15000
Trying 10.177.222.35...
Connected to 10.177.222.35.
Escape character is '^]'.
GET /keepAlive.html HTTP/1.1 (As soon as I put this line, immediately connection closes)
Host:
Connection closed by foreign host

2) I tried another method, through openssl:

openssl s_client -connect 10.177.222.35:15000
GET /keepAlive.html HTTP/1.1
Host:
Connection: Close

I get a 400 bad request.

3) Tried curl:

curl -vk https://10.177.222.35:15000/keepAlive.html

Now I get a 403.

So kinda confused, if I am doing anything wrong. I am more interested in the first one, why the connection closes as soon as I paste it.

Note: Reverted to the old certificate and the pool came up. And only after this the monitor logging started to work. Now even after the pool member is up, I tried the above methods, and I still get the same results. We are checking internally on the certificate, why this is happening, as it's the same cert, just the validity is extended. But I am concerned about the monitor tshoot steps I did.

1.2K Views | 0 likes | 4 Comments

F5 is not marking the pool member status as DOWN
Hi All,

When the service on the member node 10.179.16.19 is DOWN, the F5 monitor is not marking the pool member status as offline. When the server team changes the receive string code to 503 from 200 from the server end, the pool member is not marked as DOWN. We then tested it and decided to change the monitor string to "200 OK" from 200 on the F5, and it then worked correctly. Meaning when the server team now changed the string to 503, the monitor on the F5 marked the pool member down. So what is the issue here? What is the difference between the strings 200 and 200 OK?

ltm pool gw-internet-test_POOL {
    description gw-internet-test
    members {
        10.179.16.19%6:https {
            address 10.179.16.19%6
            session user-disabled--------------> Manually disabled
            state user-down
        }
        10.179.18.12%6:https {
            address 10.179.18.12%6
            session monitor-enabled
            state up
        }
    }
    monitor gw-internet-test_Monitor
    partition CORP
}

ltm monitor https gw-internet-test_Monitor {
    adaptive disabled
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    partition CACF
    recv 200 >>>>>>>>>>>>>>>>>>>>>>>> When we changed the string to "200 OK" , it worked
    recv-disable none
    send "GET /test/admin/login.jsp HTTP/1.1\r\nHost:gw-internet-test.corp.com"
    time-until-up 0
    timeout 16
}

Solved | 1.2K Views | 0 likes | 4 Comments

GTM (DNS) Monitoring of LTM Virtual Servers with LTM Virtual Server IPs are NAT via Firewall
I'd like to share my experience of a specific scenario in deploying GTM and LTM and open it up to the community if we could find a better way to do this than what I've come up with. My company recently purchased some F5 LTMs and GTMs and there were a couple of design requirements / constraints that we had to follow.

Scenario & Network Design Requirements:

- All Self-IPs and Virtual Servers on the F5 LTM must use private IP addresses and must not use public IP addresses
- For applications that are served via F5 LTM Virtual Servers which need to be accessed over the internet, the public IP will be NAT-ed from an internet facing firewall to the private IP that is configured on the F5 LTM virtual server
- GTM will need to be able to monitor the status of Virtual Servers on the LTM using iQuery but when GTM responds to public DNS queries, GTM must return the public IP.

As you can see, we already have a problem here because the Virtual Server Discovery will populate the LTM Server Object on the GTM with all the Virtual Servers on the LTM but they're all configured with private IPs. You cannot link these virtual servers to Wide IP Pools and onwards to Wide IPs because then GTM will return private IPs when it receives DNS queries.

The solution that I came up with was to do this:

1. Establish iQuery between the LTM and GTM and also enable Virtual Server Discovery
2. Manually create Server objects of product Generic Host for each Virtual Server that needs to be reached over the internet, use the public IP that has been allocated by the Network Team which will be NAT-ed at the Firewall (eg. 1.1.1.1), do not apply any Health monitors, do not fill in the "Translation" field
3. Manually create Virtual Server objects under the Server object created in 2 above, use the public IP that has been allocated by the Network Team which will be NAT-ed at the Firewall (eg. 1.1.1.1), switch the "Configuration" drop down menu to "Advanced", apply a simple gateway_icmp monitor, in the Dependency List - search for the actual virtual server which will accept the traffic (eg. 10.1.1.1), this virtual server would have been discovered earlier in 1 by Virtual Server Discovery.

This means the diagram now becomes like this:

When we do 3 above, what happens is that the GTM will ping the public NAT-ed IP of the Virtual Server (1.1.1.1), the firewall will NAT the IP to the private IP (10.1.1.1), the ping will reach the LTM Virtual Server and if the ping is successful, the object will be green on the GTM. This alone is not enough however as on the LTM, a "Standard" type virtual server will still respond to pings even if all the pool members are unavailable and the virtual server is also unavailable (this is where I think Virtual Server status as updated via iQuery is superior to a normal monitor), so to solve this problem I used the Dependency List option below the Health Monitor section and I chose the corresponding Virtual Server that was discovered by the Virtual Server Discovery (VS1 10.1.1.1). This way, should all the pool members become unavailable on the LTM, the LTM will update the status of the virtual server to the GTM via iQuery and the GTM will make the 1.1.1.1 Virtual Server object unavailable even if the pings are still successful.

So my question to the community is: Given the restrictions above, is this the correct way to make GTM give out Public IPs when the Virtual Servers on the LTMs are configured with private IPs?

There was another question on this same topic from 2016 (linked below), but it sort of died out without a resolution: https://devcentral.f5.com/questions/gtm-to-give-away-public-ip-address-while-monitoring-the-private-ltm-vs-49835

Update 15 Mar 2019: I learnt that when adding an LTM that's separated from the GTM via a Firewall that does NAT translation, the GTM will not perform Virtual Server Discovery: https://support.f5.com/csp/article/K91381.1KViews0likes2Comments

health monitor IIS
Hello,

I was wondering if someone can shed some light on a health monitor I am trying to set up. I'll give a brief overview of the setup. We have an application that gets proxied via apache (apache are the nodes in the pool being monitored, acts as proxy nothing more) to IIS where the application actually lives. I am trying to set up a monitor so that it monitors say an index.html page on the IIS server, something along the lines of:

Send string - http://Portal/dir/index.html
Receive string - IIS is up

Tried to use this but nodes fail the health check when applying the monitor to the pool. The service ports that it's monitoring for are https.

Any help is greatly appreciated.

Thanks

998 Views | 0 likes | 4 Comments

Health Monitor being sourced from Management interface causing async routing
I have a health monitor that is being sourced from the management interface - this was discovered by accident when I was doing a TCPDUMP on the vlan interface the traffic should have been sourced from.

Example:

vlan 10 interface on f5 10.0.0.1
destination ip address of device being monitored = 10.0.0.6

When I did a tcpdump on the vlan to troubleshoot a separate problem I didn't see the traffic - I could see other health monitor traffic using the vlan for devices on the subnet and I know the routing and connectivity is working fine. Wondering what reason there would be for the health monitor not to use the vlan associated with the subnet and use the management ip address to source the health traffic.

FYI the health monitor is working and responding as expected but I would just like the traffic to use the correct path - via the connected vlan instead of sending around the world and through various firewalls to reach its destination (luckily the firewalls are permitting the traffic).

Thanks

899 Views | 0 likes | 6 Comments

GTM https health monitor has never worked
I'm trying to construct a health monitor in GTM 11.5.4 that looks for text on an https web page. I have never been able to get the monitor to go green so I am trying to troubleshoot it.

gtm monitor https mhconnect_https {
    cert /Common/default.crt
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from https
    description "Look for specific text"
    destination *:*
    interval 30
    key /Common/default.key
    probe-timeout 5
    recv "Please sign in to begin your secure session."
    send "GET /dana-na/auth/url_default/welcome.cgi"
    timeout 120
}

The /var/log/gtm log shows this:

011ae0f2:1: Monitor instance /Common/mhconnect_https x.x.x.x:443 UNKNOWN_MONITOR_STATE --> DOWN from x.x.x.x (connect: server error search result false)

From the GTM in question, I can use CURL and see the text in the HTML page that the health monitor keys on:

curl --insecure -v https://x.x.x.x/dana-na/auth/url_default/welcome.cgi

This returns many lines of text, including HTML containing the text I'm looking for.

A telnet test fails:

[root@F5-GTM-MC-01:Active:Standalone] monitors telnet x.x.x.x 443
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
GET /dana-na/auth/url_default/welcome.cgi
Connection closed by foreign host.
[root@F5-GTM-MC-01:Active:Standalone] monitors

I have also tried using this as the send string, to force HTTP 1.0:

GET /dana-na/auth/url_default/welcome.cgi HTTP/1.0\r\n

..and that doesn't work either. If I open the IP and path () in a web browser, it works fine.

I have used tcpdump to capture the traffic, and I can see the regular health monitor TCP traffic flowing, but the application data is all encrypted so that's been no help.

The "011ae0f2:1" error seems to be somewhat well documented but I've seen nothing that relates to my problem. What should I do next to troubleshoot this?

899 Views | 0 likes | 6 Comments