Forum Discussion
RBS_79242
Jan 30, 2014Nimbostratus
Hi Hamish,
When the HealthCheck is set to:
send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-testdev.internal\\r\\nAccept: */*"
TCPDump shows a single \r\n being inserted by the F5 HealthCheck.
0x0080: 726d 2d74 6573 742e 6465 762e 696e 7465 rm-test.dev.inte
0x0090: 726e 616c 0d0a 4163 6365 7074 3a20 2a2f rnal..Accept:.*/
0x00a0: 2a0d 0a41 7574 686f 7269 7a61 7469 6f6e *..Authorization
0x00b0: 3a20 4261 7369 6320 5a47 5632 5848 4e32 :.Basic.ZGV2XHN2
When the Health Check is set to:
send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-testdev.internal\\r\\nAccept: */*\\r\\n"
tcpdump still shows a single \r\n being inserted
0x0080: 726d 2d74 6573 742e 6465 762e 696e 7465 rm-test.dev.inte
0x0090: 726e 616c 0d0a 4163 6365 7074 3a20 2a2f rnal..Accept:.*/
0x00a0: 2a0d 0a41 7574 686f 7269 7a61 7469 6f6e *..Authorization
0x00b0: 3a20 4261 7369 6320 5a47 5632 5848 4e32 :.Basic.ZGV2XHN2
Now comes the interesting part! When the HealthCheck is set to:
send "GET /F5Dynamics/main.aspx HTTP/1.1\\r\\nUser-Agent: F5 Health-Check\\r\\nHost: crm-test.dev.internal\\r\\nAccept: */*\\r\\n\\r\\n"
TCPDump has this (which is not good)
0x0080: 726d 2d74 6573 742e 6465 762e 696e 7465 rm-test.dev.inte
0x0090: 726e 616c 0d0a 4163 6365 7074 3a20 2a2f rnal..Accept:.*/
0x00a0: 2a0d 0a0d 0a41 7574 686f 7269 7a61 7469 *....Authorizati
0x00b0: 6f6e 3a20 4261 7369 6320 5a47 5632 5848 on:.Basic.ZGV2XH
But now the F5 actually sends an NTLM Request! But the end node closes the connection because of the malformed HTTP Auth request. So SSLDump looks like this:
New TCP connection 1: 10.228.128.10(55320) <-> 10.106.0.15(80)
1391124364.9248 (0.0036) C>S
---------------------------------------------------------------
GET /F5Dynamics/main.aspx HTTP/1.1
User-Agent: F5 Health-Check
Host: crm-test.dev.internal
Accept: */*
Authorization: Basic ZGV2XHN2Y19GNWFjY2Vzczp1cmlkRW9OUVZqV3VCUHdwbnhPdHFPM0s=
---------------------------------------------------------------
1391124364.9306 (0.0057) S>C
---------------------------------------------------------------
HTTP/1.1 401 Unauthorized
Cache-Control: private
Transfer-Encoding: chunked
Content-Type: text/plain
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
Set-Cookie: ReqClientId=1dac24c6-98a5-4649-bc8b-e036e08bfb54; expires=Wed, 30-Jan-2064 23:26:05 GMT; path=/; HttpOnly
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Thu, 30 Jan 2014 23:26:04 GMT
31
HTTP Error 401 - Unauthorized: Access is denied
---------------------------------------------------------------
1391124364.9306 (0.0000) S>C
---------------------------------------------------------------
0
---------------------------------------------------------------
1391124364.9306 (0.0000) S>C
---------------------------------------------------------------
HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 30 Jan 2014 23:26:04 GMT
Connection: close
Content-Length: 326
Bad Request
Bad Request - Invalid Verb
HTTP Error 400. The request verb is invalid.
---------------------------------------------------------------
1 1391124364.9306 (0.0000) S>C TCP FIN
1391124364.9312 (0.0006) C>S
---------------------------------------------------------------
GET /F5Dynamics/main.aspx HTTP/1.1
User-Agent: F5 Health-Check
Host: crm-test.dev.internal
Accept: */*
Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
---------------------------------------------------------------
1 1391124364.9316 (0.0003) C>S TCP FIN
So in conclusion behavior is the same for 0 or 1 trailing \r\n's when two \r\n's are set on the send string - the F5 actually tries to follow through with NTML Auth but the server disconnect because of the extra \r\n that is presented.
- mikeshimkus_111Jan 31, 2014Historic F5 AccountOne thing you could try is to modify the the authentication providers in IIS so that NTLM is first in the list, instead of Negotiate. We've seen OneConnect have issues with that in the past, maybe your monitor is as well? F5Dynamics is the name of your CRM deployment? That's also the example we give in the deployment guide. thanks