HTTPS Health Monitor Not working

Question

We are running v11.4.1 Build 685 (we will be upgrading shortly) on our LTM 2000 series Bigip.  I am having a problem getting an HTTPS Monitor to work on a Java Web Site that is hosted on our LTM.
I ran curl on the java site so I can see my options for the receive string.  This is the curl command:
curl -vk https://website.mycompany.com/webnow/index.jsp

A part of the curl result is listed below.  I want to use "Perceptive Content" as a receive string:
`
Perceptive Content

`
Now when I created the HTTPS monitor, I tried to use the Standard send string ('GET /
') but that doesn't work.  My guess is because this site redirects to a CAS server for authentication so the page is not built until after authentication.  However the TITLE of the TAB where the website was initiated has the title specified by the web server.  Therefore I want to use the TITLE of the TAB as a receive string.
I tried the following HTTPS Monitor send strings, but both of them disable the nodes in the pool: (The receive string is set to "Perceptive" - See Screenshot)
GET /webnow/index.jsp/ HTTP/1.1
Host: website.mycompany.com
Connection: Close

GET /webnow/index.jsp HTTP/1.1
Connection: Close
Host: website.mycompany.com

I've tried several different iterations of the send string without any success.  Can anyone tell me what I'm doing wrong?

danny_arroyo · Answer

Just for closure.&nbsp;
F5 technical support found the issue.  It was that I had the pool members configured to talk over port 80, not port 443.  Although I was using the https_443 monitor on the pool (which worked because port 443 is open on the members), the members were not configured for port 443 in the pool.
That was what I did wrong. &nbsp;
Thanks again for all your help, Boneyard.&nbsp;

samir_jha_52506 · Answer

F5 did change cipher behavior in v11.4. One thing that bit us after upgrading from v11.2 to v11.4.1 was TLS negotiation. The new code attempts to use TLS1.2 first, whereas v11.2 attempted TLS1.0 first. This increased security posture broke some of our applications that didn't support TLS1.2.

danny_arroyo · Answer

I'm sorry, but I don't understand your answer.  Are you saying that I should not make an HTTPS monitor?  How should I change my HTTPS monitor so that it works?&nbsp;
Thanks.&nbsp;

boneyard · Answer

your curl output doesn't show Perceptive to be returned, are you sure it is there?&nbsp;
as for the reply from Samir, he suggests that it might be your server doesn't like TLS1.2, but that might not be the issue.&nbsp;
i would start testing with openssl, do a &nbsp;
openssl s_client -connect [serverip]:[port]&nbsp;
then create the request like you did in your two examples, it should be the GET without a / at the end and ending with HTTP/1.1&nbsp;
then the Host and finally the connection close.&nbsp;
see how the server responds to that. put the output here for extra eyes.&nbsp;

janholtz · Answer

Change you cipher string from:&nbsp;
DEFAULT:+SHA:+3DES:+kEDH&nbsp;
to&nbsp;
ALL&nbsp;
PS:
I take no responsibility for what this may do to your security auditing team's blood pressure...&nbsp;
//Jan&nbsp;

Forum Discussion

HTTPS Health Monitor Not working

6 Replies

Recent Discussions

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

[ASM] - what is "Browser Challange file" ?

LDAPS and renegotiation

Related Content

Health monitor question

F5 Distributed Cloud - Regional Edge Health Monitoring Insights

iRule based RADIUS Health Monitor Builder

GTM health Monitoring and Probe

monitor does not work https