HTTPS monitor (and curl on a LTM/GTM) fails to connect full

Question

All, 
&nbsp;   apologies as I realise this may not be 100% F5 but I'm only getting the issue on F5 devices so was hoping someone would be friendly enough to point me in the right direction for troubleshooting. I'm trying to setup a simple HTTPS health monitor on a LTM which matches 'SEND' on a page. (quick background this is not a actual webserver but an app built on the openSSL packages and displays in a web browser without issue). As the monitor fails I tried using curl, from my curl on my windows box it works without issue (using curl -vk https://208.16.209.148 and its curl/7.19.4). However when trying curl from several LTM's at different location I just get: 
&nbsp;  
&nbsp; * About to connect() to 208.16.209.148:443 
&nbsp; * Connected to 208.16.209.148 (208.16.209.148) port 443 
&nbsp;  
&nbsp; and then no more, it doesn't show a handshake on the SSL etc. If this was plain HTTP I'd run a packet sniffer but a its HTTPS I presume there is no point as I can't see inside the communication. Can anyone suggest a way to trouble shoot this further? 
&nbsp;  
&nbsp; thanks in advance 
&nbsp; Matt

mw1 · Answer

Just as an update I've tested curl from a fedora 10 box against the IP and that works without issue as well.

mw1 · Answer

Further update I was dropping out of the curl session too early on the LTM/GTM's and it appears to be a SSL handshake issue as I get the following if I leave it at the connected msg (see below) for about 3-4 mins): 
&nbsp;  
&nbsp; curl -vk https://208.16.209.148:443              * About to connect() to 208.16.209.148:443 
&nbsp; * Connected to 208.16.209.148 (208.16.209.148) port 443 
&nbsp; * SSL: error:00000000:lib(0):func(0):reason(0) 
&nbsp; * Closing connection 0 
&nbsp; curl: (35) SSL: error:00000000:lib(0):func(0):reason(0) 
&nbsp;  
&nbsp; As previously stated this works with versions of curls I've tested on  both fedora and windows (and now redhat) so I presumed to go the heart fo the issue I needed to use openSSL's s_client which gives similar: 
&nbsp; Loading 'screen' into random state - done 
&nbsp; CONNECTED(00000774) 
&nbsp; 3560:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:188: 
&nbsp;  
&nbsp; So from testing it may well an issue with the openSSL packages which I presume F5 calls to use for their HTTPS health monitor. 
&nbsp;  
&nbsp;  &nbsp;

mw1 · Answer

Just as an update it appears there was a slight difference between curl on windows/fedora and the one on the F5 and I had to force SSLv3 and it works. The same goes for the the openssl s_client. However forcing SSLv3 on the F5 monitor still fails. 
&nbsp;  
&nbsp; Does anyone know how to debug a health monitor further?

dennypayne · Answer

LTM does have ssldump, so that might help in digging into the payload to see what's going on.  Nothing else is jumping out at me so far though.. 
&nbsp;  
&nbsp; Denny

hooleylist · Answer

You might be able to get more detailed info by enabling debug on the monitoring daemon, bigd: 
&nbsp;  
&nbsp; b db bigd.debug enable 
&nbsp;  
&nbsp; The output is written to /var/log/bigdlog 
&nbsp;  
&nbsp; Make sure to disable debug (b db bigd.debug disable) when you're done as the log file can get out of hand quickly. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

HTTPS monitor (and curl on a LTM/GTM) fails to connect full

6 Replies

Recent Discussions

iRule resulting in too many redirects

When F5OS r2800 appliance reboots, interfaces configured at tenant level for VLAN are lost

cat and grep command for rst messages

iControl for Gtm wideip

Telemetry streaming to Elasticsearch

Related Content

add LTM to GTM

'Monitoring for Everyone' Next Time on DevCentral Connects

Custom DNS Service health monitoring for GTM and LTM

DNS load balancing to backend servers using GTM/LTM.

GTM health monitor connection refuesd