Nikson_M
Jun 20, 2019

https monitor issue on the F5, https monitor no longer works.

Team,

We have a pool set up which makes a health check on the "https" protocol. For the past few days this has not been working and it shows the pool members as down.

Now, we know that the pool members that are being monitored have gone through some certificate changes and the difference between the old certificate and the new certificate is as below:

  1. The old certificate had "Dual Stack RSA+ECDSA" disabled and the new certificate has "Dual Stack RSA+ECDSA" enabled.
  2. The old certificate had "SNI only" as Off and the new certificate has "SNI only" as On.

If I set the health monitor as tcp 443 or ICMP it works, but that is not what we want as it breaks the working. What do you suggest could have gone wrong here or what could be the direction we can take to fix this?

The VIP that calls this pool has a serverSSL profile configured and I somehow feel that we need to make some changes in that profile but we are not sure.

Thanks!!!

N

2 Replies

  • nathe

    Nikson M,

    The RSA+ECDSA is the certificate digital signature, so it shouldn't be an issue as the client (F5) would use either one which works. I can't say for certain, but could it be the SNI Only setting? Is your monitor sending a hostname in the request? I wonder if it isn't and the pool member is rejecting as it doesn't have a hostname to check.

    Just a thought.

    N

  • JG

    You might want to check with the app server admin to enable the non-SNI SSL function. SNI is a Web server's option, not a function of a certificate itself.