HTTPS Monitor not working as expected

Not sure if it'll help, but since it looks like you're using a non-standard port (8443), you may try to set a Client Certificate and Client Key in your monitor definition (change the drop down from Basic to Advanced to see the options).

Also, maybe try a different send string, like

GET /idauth/isAlive.jsp HTTP/1.1\r\nHost: domain.com\r\nConnection: Close\r\n\r\n

If that doesn't work, here's how I've done some monitor debugging in the past (taken from this answer)

There's SOL12531 that talks about monitors a little bit, and then this article that adds a little extra information.

Whenever I'm having monitor issues, I try a couple different things.

1:

curl

2:

• Open the pool that is having the problem (let's call it MY_POOL)
• Make sure the monitor is active on the pool (let's call it MY_MONITOR)
• On the

  Members

  tab in the pool settings, click on one of the members (let's call it 10.0.0.1:3389)

• Enable the checkbox for

  Monitor Logging

  • Open an SSH session (I use Putty to connect) to the device and log in to the shell.
  • Run the command

    cd /var/log/monitors

  • Run the command

    ls -l

  • Look for the file referencing your pool and member (most likely in our example it'd be something like

    _Common_MY_MONITOR__Common_10.0.0.1_3389.log

    )
  • Run the command

    tail -f FILENAME

    (where FILENAME is the log filename)
  • It may be visible immediately, but you should see where the monitor sends the request to the server (and you'll see the

    send

    string), and you're looking for the

    recv

    string that comes back.
  • Take that

    recv

    string and update the monitor and see if the pool member(s) show up green again.

• Go back in and disable the monitor logging for that member so you don't have excessive logging filling up space.

Hopefully, this will help figure it out. If your log file ever looks like it's not updating, delete the log file and remove the monitor from the pool and re-add it. I've found that will kick it back off again.

LyonsG, unless I am missing something, I don't see an "Alive" string from the first server. The monitor should mark this down as expected.

Can you also try running this monitor separately on each pool member instead of at the pool level?

LyonsG, unless I am missing something, I don't see an "Alive" string from the first server. The monitor should mark this down as expected.

Can you also try running this monitor separately on each pool member instead of at the pool level?

1. When you use curl -k, the server certificate is being accepted. Make sure the monitor will also accept the server certificate if the certificate is signed by an Internal CA for example.

    

2. Check if your server responds to specific "Host:" header or "User-Agent:" header. Try setting both these headers to what curl sets.

    

Best.

have you tried the curl tests with the node IP address instead of the hostname? curl will automatically set the host header to the hostname entered in curl, which technically makes the curl test different than the f5's send string.

you could also use:

openssl s_client -connect member-ip:port

have you tried the curl tests with the node IP address instead of the hostname? curl will automatically set the host header to the hostname entered in curl, which technically makes the curl test different than the f5's send string.

you could also use:

openssl s_client -connect member-ip:port

[admin@bigip:Active:Changes Pending] ~ curl -k https://172.31.151.143:8443/idauth/isAlive.jsp

OpenAM


Server is ALIVE: 

[admin@bigip:Active:Changes Pending] ~ curl -k https://172.31.251.141:8443/idauth/isAlive.jsp

OpenAM


Server is DOWN

Monitor looks for ALIVE and both servers get flagged as available.

Change monitor to DOWN and both servers get flagged as unavailable.

[admin@bigip:Active:Changes Pending] ~ curl -k -vv https://172.31.251.141:8443/idauth/isAlive.jsp

* About to connect() to 172.31.251.141 port 8443 (0)
*   Trying 172.31.251.141... connected
* Connected to 172.31.251.141 (172.31.251.141) port 8443 (0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
*    SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*        subject: C=GB; ST=Scotland; O=company; OU=IS; CN=slglvmfi.internal.standardlife.com
*        start date: 2014-11-12 11:42:01 GMT
*        expire date: 2028-07-21 11:42:01 GMT
*        common name: slglvmfi (does not match '172.31.251.141')
*        SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /idauth/isAlive.jsp HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5
> Host: 172.31.251.141:8443
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 01:00:00 GMT
< Set-Cookie: JSESSIONID=0785483496A1B74384AB4DA3E287A91F; Path=/idauth/; Secure; HttpOnly
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 112
< Date: Mon, 09 Feb 2015 16:05:12 GMT
< Server: Anonymous
<




 OpenAM






Server is DOWN






* Connection 0 to host 172.31.251.141 left intact
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):

[admin@bigip:Active:Changes Pending] ~ curl -k -vv https://172.31.151.143:8443/idauth/isAlive.jsp

* About to connect() to 172.31.151.143 port 8443 (0)
*   Trying 172.31.151.143... connected
* Connected to 172.31.151.143 (172.31.151.143) port 8443 (0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
 CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*        subject: C=GB; ST=Scotland; O=; OU=IS; CN=slglvmfk
*        start date: 2014-11-11 21:48:09 GMT
*        expire date: 2028-07-20 21:48:09 GMT
*        common name: slglvmfk (does not match '172.31.151.143')
*        SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET /idauth/isAlive.jsp HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8y zlib/1.2.3 libidn/0.6.5
> Host: 172.31.151.143:8443
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 01:00:00 GMT
< Set-Cookie: JSESSIONID=2EB50E91CD9C6DAB9298DF12C3FA6EE8; Path=/idauth/; Secure; HttpOnly
< Content-Type: text/html;charset=ISO-8859-1
< Content-Length: 115
< Date: Mon, 09 Feb 2015 16:08:37 GMT
< Server: Anonymous
<











 OpenAM






Server is ALIVE: 






* Connection 0 to host 172.31.151.143 left intact
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):

Also - I am on version 11.4.1 so cannot enable monitor debugging via GUI