genseek_32178
Apr 17, 2012 Nimbostratus
Monitor showing Down
I have 2 DIPs configured with monitors on port 80 working fine.
But the same monitor on port 443 for the same DIPs is showing as Inactive, Down.
Any ideas would help here.
genseek
curl -v https://10.20.30.20/HeartBeat/Heartbeat.htm
* About to connect() to 10.20.30.20 port 443
* Trying 10.20.30.20... connected
* Connected to 10.20.30.20 (10.20.30.20) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using AES128-SHA
* Server certificate:
* subject: /C=US/ST=WA/L=Redmond/O=Microsoft/OU=RXP Security/CN=rxpsws
* start date: 2011-04-29 13:42:40 GMT
* expire date: 2013-04-28 13:42:40 GMT
* SSL: certificate subject name 'rxpsws' does not match target host name '10.20.30.20'
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'rxpsws' does not match target host name '10.20.30.20'
curl -v https://10.20.30.10/HeartBeat/Heartbeat.htm
* About to connect() to 10.20.30.10 port 443
* Trying 10.20.30.10... connected
* Connected to 10.20.30.10 (10.20.30.10) port 443
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using AES128-SHA
* Server certificate:
* subject: /C=US/ST=WA/L=Redmond/O=Microsoft/OU=RXP Security/CN=rxpsws
* start date: 2011-04-29 13:42:40 GMT
* expire date: 2013-04-28 13:42:40 GMT
* SSL: certificate subject name 'rxpsws' does not match target host name '10.20.30.10'
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
curl: (51) SSL: certificate subject name 'rxpsws' does not match target host name '10.20.30.10'
e.g.
curl -kv https://x.x.x.x/something
Any specific reason why you want "404 Not Found" to be used as the receive string in the https monitor?
The fact that it shows "404 Not Found", does it not mean that there is a server end issue?
I will post you the output from the updated curl cmd.
b monitor https_default_mn list
monitor https_default_mn {
defaults from https
recv "200 OK"
send "GET /smoketest/test.htm HTTP/1.0\r\n\r\n"
}
If you can show the configuration cmd, it would be helpful.
[root@ve1023:Active] config b monitor https_443_pqr_mn list
monitor https_443_pqr_mn {
defaults from https_default_mn
send "GET /smoketest/test.htm HTTP/1.0\r\n\r\n"
}
[root@ve1023:Active] config b monitor https_443_pqr_mn '{ defaults from https_default_mn recv "404 Not Found" }'
[root@ve1023:Active] config b monitor https_443_pqr_mn list
monitor https_443_pqr_mn {
defaults from https_default_mn
recv "404 Not Found"
send "GET /smoketest/test.htm HTTP/1.0\r\n\r\n"
}
root@ve1023(Active)(tmos) list ltm monitor https https_443_pqr_mn
ltm monitor https https_443_pqr_mn {
cipherlist "DEFAULT:+SHA:+3DES:+kEDH"
compatibility "enabled"
defaults-from https_default_mn
interval 5
send "GET /smoketest/test.htm HTTP/1.0\r\n\r\n"
time-until-up 0
timeout 16
}
root@ve1023(Active)(tmos) modify ltm monitor https https_443_pqr_mn defaults-from https_default_mn recv "404 Not Found"
root@ve1023(Active)(tmos) list ltm monitor https https_443_pqr_mn
ltm monitor https https_443_pqr_mn {
cipherlist "DEFAULT:+SHA:+3DES:+kEDH"
compatibility "enabled"
defaults-from https_default_mn
interval 5
recv "404 Not Found"
send "GET /smoketest/test.htm HTTP/1.0\r\n\r\n"
time-until-up 0
timeout 16
}
So after the recv string is modified, the pool member should show as UP, right?
Do you want me to again run openssl and curl?
Do you want me to again run openssl and curl? I think it is not needed.
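Added example, not part of any post in this thread: a Python script that reports the two symptoms seen above separately, the certificate name mismatch that curl flags (error 51) and whether the monitor's receive string appears in the server's response. It assumes the receive string is matched as a plain substring; the function names and SAMPLE_404 are constructed for illustration.

```python
import socket
import ssl

# Send/receive strings as in the monitor above; SAMPLE_404 is a constructed response.
SEND = b"GET /smoketest/test.htm HTTP/1.0\r\n\r\n"
RECV = "200 OK"
SAMPLE_404 = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"

def recv_matches(response, recv):
    """Monitor-style check (assumed substring match): is recv in the response?"""
    return recv.encode() in response

def status_line(response):
    """First line of the HTTP response, e.g. 'HTTP/1.1 404 Not Found'."""
    return response.split(b"\r\n", 1)[0].decode("latin-1")

def fetch(host, port, send, verify, timeout=5.0):
    """Send the raw monitor request over TLS and return all response bytes."""
    ctx = ssl.create_default_context()
    if not verify:  # same effect as curl -k: skip chain and name checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(send)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)

def diagnose(host, port=443, send=SEND, recv=RECV):
    """Report certificate verification and receive-string match separately."""
    try:
        fetch(host, port, send, verify=True)
        cert = "verified"
    except ssl.SSLCertVerificationError as exc:
        cert = "verification failed: " + exc.verify_message
    body = fetch(host, port, send, verify=False)
    return {"certificate": cert, "status": status_line(body),
            "member_up": recv_matches(body, recv)}

if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1]))
```

A result with a failed certificate check but a "404 Not Found" status line points at the requested path on the server rather than at TLS as the reason the receive string "200 OK" never matches.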