Forum Discussion

f5mkuDefault
Sep 04, 2020

Health monitor using https profile issue

Hi Experts, I have one issue for which, until now, I still cannot find a definite answer after googling for a long time.

I have an HA F5, active and standby units. I created one VS, and the pool health monitor uses the https profile with default settings; see the attached image for the health monitor settings.


The results were:

In the active unit the pool is down; the health monitor uses TLSv1 to communicate with the server, causing a fatal error: protocol version.

If I define port 443 instead of using * All Ports, the pool comes up.


In the standby unit the pool is up. The health monitor uses TLSv1.2 to communicate with the server and there are no issues.

This is also using * All Ports, and I do not have an issue with this standby unit.


See my tcpdump attached here as well.


Now I do not understand why my active unit uses TLSv1 while the standby unit uses TLSv1.2.


I also understand the ciphers used are DEFAULT, which is why the F5 tries to negotiate using TLSv1.

But how come the standby unit offers TLSv1.2?


Please help to enlighten me. What is the best practice?

Any answer is very much appreciated, thank you in advance.
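
As an added example (not part of this thread or of F5's own tooling), the following Python decodes the version fields of a TLS ClientHello like the ones visible in the tcpdump above, so you can tell from the bytes whether a probe actually offered TLSv1 or TLSv1.2; the sample records are constructed by the `build_client_hello` helper rather than taken from the capture.

```python
"""Decode the version fields of a TLS ClientHello (constructed samples, not a real capture)."""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446

def _name(v: int) -> str:
    return VERSION_NAMES.get(v, hex(v))

def parse_client_hello(record: bytes) -> dict:
    """Return record version, legacy client_version, supported_versions and the real maximum."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or hs[0] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    client_ver = struct.unpack("!H", hs[4:6])[0]          # after the 4-byte handshake header
    pos = 6 + 32                                           # skip the 32-byte client random
    pos += 1 + hs[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + hs[pos]                                     # compression_methods
    supported = []
    if pos < len(hs):                                      # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == SUPPORTED_VERSIONS_EXT:             # byte-length-prefixed list of u16
                supported = [struct.unpack("!H", hs[pos + 1 + i:pos + 3 + i])[0]
                             for i in range(0, hs[pos], 2)]
            pos += elen
    # A TLS 1.3 client states its real maximum in supported_versions; older clients only have client_version.
    offered = max(supported) if supported else client_ver
    return {"record_version": _name(rec_ver), "client_version": _name(client_ver),
            "supported_versions": [_name(v) for v in supported], "highest_offered": _name(offered)}

def build_client_hello(client_ver: int, supported=()) -> bytes:
    """Build a minimal ClientHello record as constructed test data."""
    body = struct.pack("!H", client_ver) + b"\x00" * 32 + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"   # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    body += b"\x01\x00"                          # null compression only
    if supported:
        lst = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(lst)) + lst
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 + 3-byte length
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs
```

Note that the record-layer version is 0x0301 for almost every client regardless of what it supports, so the field to compare between the two units' captures is client_version (or supported_versions when present), not the record header.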


2 Replies

  • Which BIG-IP version are you running? I have not observed such behaviour in BIG-IP.


    I went through both Wireshark images and found that one connection is going to x.x.x.12 and the other to x.x.x.11. To narrow down the issue, keep one member in the pool and isolate the issue.


    Try the options below:

    • Remove the https monitor from the pool, save the config and add the same monitor back to the pool
    • openssl s_client -connect x.x.x.x:443 -tls1_2
    • openssl s_client -connect x.x.x.x:443 -tls1


    Hope this will help you.

  • Hi Samir, this is an HA, active/standby setup.

    Now .12 is the active unit while .11 is the standby unit.


    We are using version 12.1.3.


    What I don't understand is why on .12 the LTM is negotiating using TLSv1 while on .11 it is TLSv1.2.

    On .12 the pool is down while on .11 the pool is up.

    I did openssl on both using the default cipher list on the health monitor profile, and the LTM by right is not supposed to use TLSv1 as there is no TLSv1 in the list.


    • Remove the https monitor from the pool, save the config and add the same monitor back to the pool
    • I did this already. The only fix is to define port 443 instead of using * All Ports.


    I'm sorry I am not able to do this at the moment.

    • openssl s_client -connect x.x.x.x:443 -tls1_2
    • openssl s_client -connect x.x.x.x:443 -tls1