Forum Discussion

LA_Medina_32319
Oct 04, 2017

ADFS monitor not working

We have an external monitor created for ADFS using the iApps template for ADFS. The ADFS version is 3.0.

Currently the VS/Pool/Pool Member are all down. Upon checking the pool member status, I can see the Availability status: offline (Enabled) /Common/Ext_ADFS.app/Ext_ADFS_adfs_eav: No successful responses received before deadline.

With this, I assume the issue is on the server side, as it seems like F5 is not getting the expected response from the server, which is why the pool member was marked as down. But I want to make sure it is not the monitoring that has the issue.

The actual server is up. I can also ping the node IP from F5.

I checked the HTTP headers to see if we are getting a response from the server, and below is the output I got.

curl -vk https://x.x.x.x [VSIP]
* About to connect() to x.x.x.x port 443 (0)
*   Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 443 (0)
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-GCM-SHA384
* Server certificate:
*        subject: C=[xx]; L=[country]; O=[company name]; CN=[adfs domain]
*        start date: 2017-08-15 08:03:09 GMT
*        expire date: 2018-08-15 08:33:08 GMT
*        common name: [adfs domain] (does not match 'x.x.x.x [VSIP]')
*        issuer: C=US; O=Entrust, Inc.; OU=See www.entrust.net/legal-terms; OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1K
*        SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1j zlib/1.2.3 libidn/0.6.5
> Host: x.x.x.x[VSIP]
> Accept: */*
> 
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection 0

Below is the variable string for the monitor:

HOST=[adfs domain]
RECV = 200 OK
URI = [string]

2 Replies

  • Hi,

    In the monitor, the host must be the exact host, not the domain!

    It is used by SNI to send the server name ClientHello extension to the ADFS server.


  • Hi,

    Could you point me in the direction of some more information? I'm having a similar issue. What I'm seeing is that the ADFS does not respond unless a hostname is utilized.

    Thanks
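The curl test in the original post was run against the bare VS IP, so curl sent no SNI extension and a Host header of the IP; the `SSL read ... errno 104` (ECONNRESET) right after the GET is what a server that requires SNI looks like from the client side, and an external monitor sees the same thing as "No successful responses received before deadline". The script below is an added example, not code from this thread or from F5's iApp: it reproduces a minimal monitor probe against a node, once without SNI and once with the ADFS FQDN in SNI and in the Host header, and evaluates the reply against a RECV string the way the monitor does. The node IP, FQDN, URI and RECV values are command-line arguments; the embedded `SAMPLE_OK_RESPONSE` is a constructed reply used only for offline checks of the parsing logic.

```python
import socket
import ssl

# Constructed sample of a healthy ADFS reply, used only for offline checks of the helpers below.
SAMPLE_OK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def build_get_request(host: str, uri: str = "/") -> bytes:
    """Build the minimal GET a monitor sends; host and uri correspond to the HOST and URI variables."""
    return (
        f"GET {uri} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: adfs-monitor-probe\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_status_line(response: bytes):
    """Return (status_code, reason) from the first line of an HTTP response, or None if it is not HTTP."""
    first_line = response.split(b"\r\n", 1)[0].decode("iso-8859-1", "replace")
    parts = first_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return None
    try:
        code = int(parts[1])
    except ValueError:
        return None
    reason = parts[2] if len(parts) == 3 else ""
    return code, reason


def recv_matches(response: bytes, recv: str) -> bool:
    """Emulate the monitor's RECV check: the configured string must appear somewhere in the response."""
    return recv.encode("ascii") in response


def probe(address: str, port: int, sni_host, uri: str = "/", timeout: float = 5.0) -> dict:
    """Open TLS to address:port, sending the SNI extension only when sni_host is not None,
    then send the GET and collect the raw response. Like curl -k, certificate trust is not
    checked: the point is reachability and the RECV string, not the chain."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    host_header = sni_host if sni_host else address
    result = {"sni": sni_host, "response": b"", "error": None}
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            # server_hostname=None means no SNI is sent, which is what curl does for a bare IP.
            with ctx.wrap_socket(raw, server_hostname=sni_host) as tls:
                tls.sendall(build_get_request(host_header, uri))
                chunks = []
                while True:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
                result["response"] = b"".join(chunks)
    except OSError as exc:  # ssl.SSLError, socket.timeout and ConnectionResetError are all OSError
        # A server that insists on SNI typically resets the connection (ECONNRESET, errno 104)
        # or stays silent; the monitor reports either as no successful response before the deadline.
        result["error"] = repr(exc)
    return result


def explain(result: dict, recv: str) -> str:
    """Summarise one probe the way an operator would read the monitor status."""
    label = f"SNI={result['sni']!r}"
    if result["error"]:
        return f"{label}: no HTTP response ({result['error']})"
    status = parse_status_line(result["response"])
    ok = recv_matches(result["response"], recv)
    return f"{label}: status={status} RECV {'matched' if ok else 'NOT matched'}"


if __name__ == "__main__":
    import sys
    # Usage: python adfs_sni_probe.py <node ip> <adfs fqdn> [uri] [recv]
    # uri should be the monitor's URI variable; "/" is only a placeholder default.
    node_ip, fqdn = sys.argv[1], sys.argv[2]
    uri = sys.argv[3] if len(sys.argv) > 3 else "/"
    recv = sys.argv[4] if len(sys.argv) > 4 else "200 OK"
    # Run once without SNI (what curl does when given a bare IP) and once with the FQDN in SNI.
    for sni in (None, fqdn):
        print(explain(probe(node_ip, 443, sni, uri), recv))
```

If the first line reports no HTTP response and the second reports a status with RECV matched, the node is healthy and the monitor's HOST variable simply needs to carry the exact name the ADFS farm expects; if both lines fail, the problem is on the server or the path to it rather than in the monitor definition.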