BIG-IP DNS SNI monitoring
We are trying to get an SNI monitor to work on a BIG-IP DNS against a generic host. Using the external ADFS monitors, the checks fail. When running a curl to the destination servers we receive "Unknown SSL protocol error in connection", while an openssl test returns the cert and the CN we are grepping for, but the monitor still fails. We have tried the standard ADFS external monitor provided by F5 along with the amended version for TLS 1.1 and above. We also tried another custom one from DevCentral. Can anyone provide any pointers on how we could get this to work?

Monitor 1:

#!/bin/bash
# These arguments are supplied automatically for all external monitors:
#   $1 = IP (nnn.nnn.nnn.nnn notation)
#   $2 = port (decimal, host byte order)
# This script expects the following Name/Value pairs:
#   HOST = the host name of the SNI-enabled site
#   URI  = the URI to request
#   RECV = the expected response

# Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    NODE=${NODE}
else
    # bare IPv6 address: bracket it so openssl/curl can parse address:port
    NODE=[${NODE}]
fi
PORT=${2}

# Kill a previous instance that overran its interval, then record our own PID
PIDFILE="/var/run/`basename ${0}`.sni_monitor_${HOST}_${PORT}_${NODE}.pid"
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${HOST}:${PORT}:${NODE}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE

# Send the request with SNI set to $HOST and look for RECV in the reply.
# $HOST must be double-quoted (single quotes send the literal string '$HOST' as the SNI name)
# and openssl needs -connect to know which node and port to talk to.
(echo -e "GET $URI HTTP/1.1\r\nHost: $HOST\r\nConnection: Close\r\n\r\n"; sleep 2) | \
    openssl s_client -cipher 'ECDHE-RSA-AES256-SHA' -servername "$HOST" -connect "${NODE}:${PORT}" 2>/dev/null | \
    grep -i "${RECV}" > /dev/null 2>&1
STATUS=$?
rm -f $PIDFILE
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit

Monitor 2:

#!/bin/bash
# These arguments are supplied automatically for all external monitors:
#   $1 = IP (nnn.nnn.nnn.nnn notation)
#   $2 = port (decimal, host byte order)
# This script expects the following Name/Value pairs:
#   HOST = the host name of the SNI-enabled site
#   URI  = the URI to request
#   RECV = the expected response

# Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    NODE=${NODE}
else
    NODE=[${NODE}]
fi
PORT=${2}

PIDFILE="/var/run/`basename ${0}`.sni_monitor_${HOST}_${PORT}_${NODE}.pid"
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${HOST}:${PORT}:${NODE}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE

# --resolve pins $HOST:$PORT to the node being checked so curl sends SNI and Host for $HOST;
# the URL must carry the same port as --resolve or the mapping is never used.
curl-apd -s -k -i --resolve "${HOST}:${PORT}:${NODE}" "https://${HOST}:${PORT}${URI}" 2>/dev/null | \
    grep -i "${RECV}" > /dev/null 2>&1
STATUS=$?
rm -f $PIDFILE
if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit

Monitor 3:

#!/bin/bash
# $MONITOR_NAME is set by bigd; $1 and $2 are the node address and port
pidfile="/var/run/$MONITOR_NAME.$1..$2.pid"
if [ -f $pidfile ]
then
    # kill the whole process group of the overrunning instance
    kill -9 -`cat $pidfile` > /dev/null 2>&1
fi
echo "$$" > $pidfile
node_ip=`echo $1 | sed 's/::ffff://'`
node_port=$2

# Feed a minimal request to s_client, then keep writing 'quit' until it exits
getscript () {
    echo 'GET / HTTP/1.1'
    echo 'Host: ..*.com'
    echo ''
    while sleep 0; do echo 'quit\n'; done
}

# Capture the subject line of the presented certificate, one array element per line
docurl () {
    IFS=$'\n'
    arr=($(getscript | openssl s_client -connect ...:443 -servername ...com 2>/dev/null | grep -E CN=...com))
    unset IFS
}

docurl
echo ${arr[0]}
if [ -n "${arr[0]}" ]
then
    # Remove the pidfile before the script echoes anything to stdout and is killed by bigd
    rm -f $pidfile
    echo "up"
fi
# Remove the pidfile before the script ends
rm -f $pidfile

LTM - Setting dependency between monitors
Not sure if this is even possible, but here is the scenario: I have a pool of IIS servers configured as members of two sets of pools based on TCP ports configured in IIS. (I was told that you need to create a separate VS per port you want to load balance.) So... per the web devs, port 10000 is for responding to TCP traffic (RESTful web calls, etc.). Port 10001 is responding to HTTP requests.

Virtual Server 1 (TCP port 10000)
Virtual Server 2 (TCP port 10001)
Pool 10000 (has Servers 1-3/port 10000 as members)
Pool 10001 (has Servers 1-3/port 10001 as members)

I have an HTTP monitor which is working correctly; it monitors pool 10001 for successful GET responses and works as expected. Disable the web service on Server1, and Pool 10001 shows Server1 as down. My problem is that Pool 10000 shows Server1 as still being up, as it's just using the standard ICMP monitor, so traffic is still being passed to that server. Is it possible to set a dependency of the ICMP monitor on the HTTP monitor associated with pool 10001? So if the web server is down on a server, no traffic is sent to that server regardless of whether it's still responding to ping? If it's not responding to ping, then obviously the web monitor would be down as well. Sorry, I'm really new to LTM concepts so I'm still learning this awesome system. Thanks, George

tmsh test-monitor : external executable not found
Hi, I'm trying to use the "test-monitor" function in tmsh, but every time I use it I get the same answer:

root@(lb07067)(cfg-sync In Sync)(Active)(/Common)(tmos) test-monitor http address 10.221.62.23 port 8180
can't run 'http' monitor manually: external executable not found (http)

Even on the basic http default monitor. Any clue? Thanks

HTTPS health monitor with username and credential check
On F5 12.1.1 I would like to check the functionality of a login page and noticed the health monitors have a username/password field. If I have a user account for the web page, how do I word the send/receive string? I'm assuming I have to use POST, but I don't know what format I need to put it in. I found an article saying the username:password needs to be changed to base64. I just want some guidance on how to format a monitor that logs into a URL. Looking this up, I found that you can test logging into a web page from the shell using:

openssl s_client -host -port <443>

but I don't know what POST I should do after that.

Monitoring Individual Application Tiers
We have a web application which consists of two web servers: webserverA and webserverB. The web servers are in a pool which is assigned to a VS. Each web server is tied to its own application server and its own processing server. The web server communicates with the application server over tcp/8825 and with the processing server over tcp/8925. I have been asked to mark the web server down if either the application or processing server is down. The application and processing servers cannot be load balanced according to the third-party developers.

VS >> webserverA and webserverB
webserverA >> appserverA and procserverA
webserverB >> appserverB and procserverB

Can and should this monitoring reside on the F5? My initial thought is to set up a monitoring service on each of the two web servers which would shut down the HTTP service in the event the app or processing servers were down. The F5 would no longer send traffic to the web server once the HTTP service was down. Any help would be appreciated.

Health Monitor with NTLM authentication - iApp generated vs Custom built
I have been working on creating a health monitor for SharePoint which uses NTLM authentication. I basically mirrored an existing HTTPS health monitor that the Exchange 2010 iApp generated and then adjusted it for the SharePoint application. After hours of troubleshooting it was determined that I can't specify "domain\username" in the username field and I needed to remove the trailing "\r\n" on the send string. I have seen other forum topics regarding this, but can someone explain why the Exchange 2010 iApp monitor generated/included both "domain\username" as well as the trailing "\r\n", and it works? I ran the iApp-generated monitor from the CLI using curl and I didn't specify username and password. The receive string that the iApp expected, "OutlookSession=", is returned. Is the Exchange monitor somehow not using the "domain\username" account, and was it just placed there by the iApp template?

iApp generated:

ltm monitor https exchange_2010.app/exchange_2010_testmail_owa_https_monitor {
    app-service /Common/exchange_2010.app/exchange_2010
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from https
    destination *:*
    interval 30
    password pswd-removed
    recv OutlookSession=
    send "GET /owa/auth/logon.aspx\?url=https://removed/owa/&reason=0 HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: host-removed\r\n"
    time-until-up 0
    timeout 91
    username domain-removed\user-removed
}

Custom built:

ltm monitor https sharepoint_2010_https_monitor {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from https
    destination *:*
    interval 30
    password pswd-removed
    recv "Home"
    send "GET /removed HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: host-removed"
    time-until-up 0
    timeout 91
    username user-removed
}

I also have a TAC case open on this topic.