genseek_32178
Apr 17, 2012 Nimbostratus
Monitor showing Down
I have 2 DIPs configured with monitors on port 80 working fine.
But the same monitor on port 443 for the same DIPs is showing as Inactive, Down.
Any ideas would help here.
genseek
2. The monitor status for https for the 2 DIPs shows as Inactive, Down. - Is it necessary that DIPs gateway should be F5 for monitor to work?
If the pool member is able to return health monitor traffic to the BIG-IP, it is fine.
3. There is no receive string configured on the monitor? - Is the receive string mandatory to be defined?
It is not mandatory.
4. Can you use "openssl s_client -connect 1.1.1.1:443" - you mean execute this cmd from the F5 prompt?
Yes.
And for sending the request, are you suggesting I use only "GET /HeartBeat/Heartbeat.htm" and NOT the part "HTTP/1.0\r\n\r\n"?
You have to put HTTP/1.0, but \r\n\r\n is just hitting Enter twice.
openssl s_client -connect 1.1.1.1:443
GET /HeartBeat/Heartbeat.htm HTTP/1.0
Is the curl command supported on LTM with version 10.2.1?
Yes.
By the way, can you also show us the https_default_mn health monitor configuration?
1. It is the response from the pool member and the F5 self IP on the same pool member VLAN. I used the below tcpdump cmd to get it:
tcpdump -nni 0.0 -X -s0 host 10.41.0.77 and port 80 and host 10.41.0.50
Is there any other way to check and verify health monitor traffic?
2. Not sure if the pool member is able to return traffic. But I am able to telnet on port 443 from the F5 to the pool member. The gateway on the pool member is the upstream router IP.
3. What is the command to display the https_default_mn health monitor configuration?
4. One more piece of information - I have another 2 pool members in a different pool having the same monitor configured for port 443, and the monitor is working fine.
Could this be a pool member server side issue? If yes, is there a way to check and verify it?
3. What is the command to display the https_default_mn health monitor configuration?
b monitor https_default_mn list
Could this be a pool member server side issue? If yes, is there a way to check and verify it?
I think it had better do more troubleshooting, e.g. openssl s_client, curl, etc.
monitor https_default_mn {
defaults from https
recv "200 OK"
send "GET /smoketest/test.htm HTTP/1.0\r\n\r\n"
}
Looks like there is a mismatch of "Send string" between the default monitor and the one below.
Port 443 - Not Working Monitor
DeviceA b monitor https_443_pqr_mn list
monitor https_443_pqr_mn {
defaults from https_default_mn
send "GET /HeartBeat/Heartbeat.html HTTP/1.0\r\n\r\n"
Could this be the issue?
Port 443 - Not Working Monitor
But the same send string in the http monitor is working, isn't it?
Meanwhile I executed the openssl cmd and the output is as below:
openssl s_client -connect 10.11.70.77:443
CONNECTED(00000005)
depth=3 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=2 /CN=Microsoft Internet Authority
verify return:1
depth=1 /DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
verify return:1
depth=0 /C=US/ST=WA/L=Redmond/O=Microsoft/OU=RXP Security/CN=rxpsws
verify return:1
---
Certificate chain
0 s:/C=US/ST=WA/L=Redmond/O=Microsoft/OU=RXP Security/CN=rxpsws
i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
i:/CN=Microsoft Internet Authority
2 s:/CN=Microsoft Internet Authority
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
GET /HeartBeat/Heartbeat.htm HTTP/1.0
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Apr 2012 00:33:40 GMT
Connection: close
Content-Length: 315
Not Found
Not Found
HTTP Error 404. The requested resource is not found.
read:errno=0
openssl s_client -connect 10.11.70.78:443
CONNECTED(00000005)
depth=3 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=2 /CN=Microsoft Internet Authority
verify return:1
depth=1 /DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
verify return:1
depth=0 /C=US/ST=WA/L=Redmond/O=Microsoft/OU=RXP Security/CN=rxpsws
verify return:1
---
Certificate chain
0 s:/C=US/ST=WA/L=Redmond/O=Microsoft/OU=RXP Security/CN=rxpsws
i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
i:/CN=Microsoft Internet Authority
2 s:/CN=Microsoft Internet Authority
i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
GET /HeartBeat/Hearbeat.htm HTTP/1.0
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 19 Apr 2012 00:46:20 GMT
Connection: close
Content-Length: 315
Not Found
Not Found
HTTP Error 404. The requested resource is not found.
read:errno=0
Can you try "404 Not Found" as the receive string in the https_443_pqr_mn monitor? I understand currently the https_443_pqr_mn monitor inherits its receive string from the https_default_mn monitor, which is "200 OK".
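
The inheritance point in the last reply, as an added example that is not part of the thread and not F5 code: it parses monitor definitions in the layout quoted above, resolves the "defaults from" chain to the effective send and recv strings, and checks a reply against them. The config text and both responses are constructed samples; the closing brace on the child monitor, the empty built-in https parent, the plain substring match, and the rule that an unset recv accepts any reply are assumptions.

```python
import re

# Constructed config in the "b monitor ... list" layout quoted in the thread.
CONFIG = r'''
monitor https_default_mn {
   defaults from https
   recv "200 OK"
   send "GET /smoketest/test.htm HTTP/1.0\r\n\r\n"
}
monitor https_443_pqr_mn {
   defaults from https_default_mn
   send "GET /HeartBeat/Heartbeat.html HTTP/1.0\r\n\r\n"
}
'''
# Constructed responses; the 404 is modelled on the openssl output in the thread.
RESPONSE_404 = "HTTP/1.1 404 Not Found\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n"
RESPONSE_200 = "HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nOK"

def parse_monitors(text):
    """Return {name: {'parent': ..., 'send': ..., 'recv': ...}} for each block."""
    monitors = {}
    for name, body in re.findall(r'monitor\s+(\S+)\s*\{(.*?)\}', text, re.S):
        entry = {}
        parent = re.search(r'defaults from\s+(\S+)', body)
        if parent:
            entry['parent'] = parent.group(1)
        for key, value in re.findall(r'^\s*(send|recv)\s+"(.*)"\s*$', body, re.M):
            entry[key] = value
        monitors[name] = entry
    return monitors

def resolve(monitors, name):
    """Walk the 'defaults from' chain; return {key: (value, defining monitor)}."""
    chain, seen = [], set()
    while name in monitors and name not in seen:   # stop at built-ins or loops
        seen.add(name)
        chain.append(name)
        name = monitors[name].get('parent')
    effective = {'send': (None, None), 'recv': (None, None)}
    for mon in reversed(chain):                    # child settings override parent
        for key in ('send', 'recv'):
            if key in monitors[mon]:
                effective[key] = (monitors[mon][key], mon)
    return effective

def would_mark_up(effective, response):
    """Assumption: an unset recv accepts any reply; otherwise substring match."""
    recv = effective['recv'][0]
    return bool(response) and (recv is None or recv in response)

if __name__ == "__main__":
    eff = resolve(parse_monitors(CONFIG), "https_443_pqr_mn")
    print(eff, would_mark_up(eff, RESPONSE_404), would_mark_up(eff, RESPONSE_200))
```

The resolved recv for https_443_pqr_mn comes from https_default_mn even though the child only sets send, so a 404 reply to the overridden URI leaves the member down.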