Forum Discussion

mikemich_131967's avatar
mikemich_131967
Icon for Nimbostratus rankNimbostratus
Jun 10, 2014

HTTPS Monitor not working but same monitor for HTTP does

I am running an HTTPS monitor below. When i apply the health check in HTTP it works fine but when I add it to HTTPS Monitor it doesn't work. I have used HTTPS monitors before and I am stuck on why this is happening

 

Send String GET /monitor/status_check \r\n\r\n

 

ReceivePASS

 

8 Replies

  • Do the following command from your F5. This assumes the pool member is on port 443. If not then add :port to then end of pool_member_ip with the port of the pool member you are testing.

    curl -k https://pool_member_ip/monitor/status_check
    

    Do you get something back?

    • Ellison_Zhang_2's avatar
      Ellison_Zhang_2
      Icon for Nimbostratus rankNimbostratus
      I got expected string "OK" when I use curl -k. but HTTPS monitor still failed.
  • additionally, you may try tcpdump/ssldump to see what is going on.

     tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x and host y.y.y.y and port zzz -v
    
    x.x.x.x is non floating self ip on server vlan
    y.y.y.y is server (pool member) ip
    zzz is server (pool member) port number
    

    sol10209: Overview of packet tracing with the ssldump utility

    http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html
    • Ellison_Zhang_2's avatar
      Ellison_Zhang_2
      Icon for Nimbostratus rankNimbostratus
      What version of TLS/SSL does F5 use(11.3). Here is my ssldump output. Seems Service directly send FIN to client after two tries to use SSL2.0 and SSL3.0. would you help me to check what's wrong? New TCP connection 1: xxx.xxx.xxx.xxx(44432) <-> xxx.xxx.xxx.xxx(8175) 1 1 0.0022 (0.0022) C>S SSLv2 compatible client hello Version 3.1 cipher suites TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA SSL2_CK_3DES TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA Unknown value 0x45 Unknown value 0x44 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL2_CK_RC2 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 SSL2_CK_RC4 TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA SSL2_CK_DES TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL2_CK_RC2_EXPORT40 TLS_RSA_EXPORT_WITH_RC4_40_MD5 SSL2_CK_RC4_EXPORT40 Unknown value 0xff 1 0.0067 (0.0044) S>C TCP FIN New TCP connection 2: xxx.xxx.xxx.xxx(44433) <-> xxx.xxx.xxx.xxx(8175) 2 1 0.0022 (0.0022) C>S Handshake ClientHello Version 3.0 cipher suites SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA SSL_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA SSL_RSA_WITH_CAMELLIA_256_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA Unknown value 0x45 Unknown value 0x44 SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL_RSA_EXPORT_WITH_RC4_40_MD5 Unknown value 0xff compression methods unknown value NULL 2 0.0058 (0.0035) S>C TCP FIN New TCP connection 3: xxx.xxx.xxx.xxx(44465) <-> xxx.xxx.xxx.xxx(8175) Version 2 Client. 3 0.0049 (0.0049) S>C TCP FIN 3 0.0118 (0.0068) C>S TCP FIN 2 0.0355 (0.0297) C>S TCP FIN 1 0.0545 (0.0477) C>S TCP FIN
    • Ellison_Zhang_2's avatar
      Ellison_Zhang_2
      Icon for Nimbostratus rankNimbostratus
      What version of TLS/SSL does F5 use(11.3). Here is my ssldump output. Seems Service directly send FIN to client after two tries to use SSL2.0 and SSL3.0. would you help me to check what's wrong? New TCP connection 1: xxx.xxx.xxx.xxx(44432) <-> xxx.xxx.xxx.xxx(8175) 1 1 0.0022 (0.0022) C>S SSLv2 compatible client hello Version 3.1 cipher suites TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA SSL2_CK_3DES TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA Unknown value 0x45 Unknown value 0x44 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL2_CK_RC2 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 SSL2_CK_RC4 TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA SSL2_CK_DES TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL2_CK_RC2_EXPORT40 TLS_RSA_EXPORT_WITH_RC4_40_MD5 SSL2_CK_RC4_EXPORT40 Unknown value 0xff 1 0.0067 (0.0044) S>C TCP FIN New TCP connection 2: xxx.xxx.xxx.xxx(44433) <-> xxx.xxx.xxx.xxx(8175) 2 1 0.0022 (0.0022) C>S Handshake ClientHello Version 3.0 cipher suites SSL_DHE_RSA_WITH_AES_256_CBC_SHA SSL_DHE_DSS_WITH_AES_256_CBC_SHA SSL_RSA_WITH_AES_256_CBC_SHA SSL_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA SSL_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA SSL_RSA_WITH_CAMELLIA_256_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_AES_128_CBC_SHA SSL_DHE_DSS_WITH_AES_128_CBC_SHA SSL_RSA_WITH_AES_128_CBC_SHA Unknown value 0x45 Unknown value 0x44 SSL_DHE_RSA_WITH_AES_128_CBC_SHA256 SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 SSL_RSA_EXPORT_WITH_RC4_40_MD5 Unknown value 0xff compression methods unknown value NULL 2 0.0058 (0.0035) S>C TCP FIN New TCP connection 3: xxx.xxx.xxx.xxx(44465) <-> xxx.xxx.xxx.xxx(8175) Version 2 Client. 3 0.0049 (0.0049) S>C TCP FIN 3 0.0118 (0.0068) C>S TCP FIN 2 0.0355 (0.0297) C>S TCP FIN 1 0.0545 (0.0477) C>S TCP FIN
  • Thanks for the feedback everyone. When I was adding or removing the monitor on the HTTPS monitor to the pool. The pool would never change status. I found out that on this the node was being individually monitored within the pool which is not something we normally do. I should have noticed sooner.