I'm currently working on a situation whereby HTTPS load-balancing is inconsistently not working against IBM HTTP Server 8.5.5.
To help me help the client's network team debug this, I've been tinkering with an F5 Local Traffic Manager (LTM) using VMware Fusion on my Mac.
I found a slew of excellent articles on the F5 site including: -
Load balancing got its start in the form of network-based load balancing hardware. It is the essential foundation on which Application Delivery Controllers (ADCs) operate. The second iteration of purpose-built load balancing (following application-based proprietary systems) materialized in the form of network-based appliances. These are the true founding fathers of today's ADCs. Because these devices were application-neutral and resided outside of the application servers themselves, they could load balance using straightforward network techniques. In essence, these devices would present a "virtual server" address to the outside world, and when users attempted to connect, they would forward the connection to the most appropriate real server doing bi-directional network address translation (NAT).
Monitors determine the availability and performance of devices, links, and services on a network. Health monitors check the availability. Performance monitors check the performance and load. If a monitored device, link, or service does not respond within a specified timeout period, or the status indicates that performance is degraded or that the load is excessive, the BIG-IP system can redirect the traffic to another resource.
More importantly, this link: -
was just what I needed to get a developer version of F5 VE installed and working.
I ended up with a working F5 Health Monitor probing my IHS server (on a different Linux VM), over SSL.
Two things that made a difference: -
(1) Getting the RIGHT cipher
openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Note that this particular version of the F5 software does NOT support my preferred ECDHE/RSA/GCM ciphers :-(
On my VM, I am running: -
BIG-IP 11.3.0 Build 39.0 VE Trial 11.3.0-HF1 (based on BIGIP 11.3.0HF6)
(2) Getting the Monitor configuration correct
Specifically, the send string and the receive response are mega-important.
tmsh list ltm monitor https
ltm monitor https davehttps {
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled
defaults-from https
destination *:pcsync-https
interval 5
recv 200
send "GET /index.html HTTP/1.1\\r\\nHost: www.example.com\\r\\nConnection: Close\\r\\n\\r\\n"
time-until-up 0
timeout 16
}
I inferred the send string using openssl on the device itself: -
openssl s_client -connect 192.168.153.200:8443
and pasted this string: -
into the terminal, and pressed [Enter].
This returned, in part: -
...
HTTP/1.1 200 OK
Date: Wed, 22 Jun 2016 05:26:41 GMT
Last-Modified: Tue, 06 Jan 2015 17:02:04 GMT
ETag: "da5-50bfec4265b00"
Accept-Ranges: bytes
Content-Length: 3493
…
which confirms the recv string of 200 (HTTP 200 OK).
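To reproduce what the monitor does without going through tmsh or a manual s_client session, here is an added Python example (not code from the post, from F5 or from IBM). It takes the send string, recv string and cipherlist from the tmsh output above, opens a TLS connection to the pool member, sends the decoded request and applies the recv expression to the reply. The host and port (192.168.153.200:8443) are the ones probed with openssl s_client above; the monitor has no server certificate configured, so verification is switched off to match. The status-line check is an addition of mine: a bare recv string of 200 also matches a Content-Length: 200 header or a 200 inside an error page, so anchoring the check to the HTTP status line is the safer configuration.

```python
"""Hand-rolled equivalent of the BIG-IP https monitor on the page.

Added example: decodes the tmsh send string, probes the member over TLS and
applies the recv expression. Not F5 or IBM code; host/port and the monitor
values are taken from the post, everything else is assumed."""
from __future__ import annotations

import re
import socket
import ssl

# Values copied from the tmsh output; tmsh prints CRLF as doubled backslashes.
SEND_STRING = r"GET /index.html HTTP/1.1\\r\\nHost: www.example.com\\r\\nConnection: Close\\r\\n\\r\\n"
RECV_STRING = "200"
CIPHERLIST = "DEFAULT:+SHA:+3DES:+kEDH"


def decode_send_string(send: str) -> bytes:
    """Turn the escaped tmsh send string (single or doubled backslashes) into wire bytes."""
    single = send.replace("\\\\", "\\")
    return single.encode("ascii").decode("unicode_escape").encode("ascii")


def recv_matches(recv: str, response: bytes, status_line_only: bool = False) -> bool:
    """Apply the recv expression (BIG-IP treats it as a regex) to the raw response.

    With status_line_only=True the recv value is checked as the status code on
    the first line, so '200' inside a header or body no longer counts as up."""
    text = response.decode("iso-8859-1", errors="replace")
    if status_line_only:
        status_line = text.split("\r\n", 1)[0]
        return re.search(r"^HTTP/1\.[01] " + re.escape(recv) + r"\b", status_line) is not None
    return re.search(recv, text) is not None


def resolve_cipherlist(cipherlist: str = CIPHERLIST) -> list[str]:
    """List the suites the local OpenSSL would offer for the monitor's cipherlist.

    Useful for comparing against the 'openssl ciphers -v' output on the F5 itself;
    the result depends on the local OpenSSL build (3DES may be gone entirely)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipherlist)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def probe(host: str, port: int, send: str = SEND_STRING, recv: str = RECV_STRING,
          cipherlist: str = CIPHERLIST, timeout: float = 16.0) -> tuple[bool, bytes]:
    """One monitor-style probe: TLS connect, send the request, read until the server closes.

    Certificate verification is disabled to mirror the monitor on the page, which
    has no cert configured; 'Connection: Close' makes the server end the stream."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipherlist)
    except ssl.SSLError:
        pass  # local OpenSSL rejects the list (e.g. no 3DES); keep its defaults
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(decode_send_string(send))
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    response = b"".join(chunks)
    return recv_matches(recv, response, status_line_only=True), response


if __name__ == "__main__":
    up, resp = probe("192.168.153.200", 8443)
    print("UP" if up else "DOWN", resp.split(b"\r\n", 1)[0])
```

Run it from a box that can reach the IHS listener; the first line it prints should be the same `HTTP/1.1 200 OK` the s_client session returned.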
Now my IHS server is showing regular GET requests from the F5 Monitor: -
…
192.168.153.1 - - [22/Jun/2016:06:26:54 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:26:59 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:04 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:09 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:14 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:19 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:24 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:29 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:34 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:39 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:44 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:49 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:54 +0100] "GET /index.html HTTP/1.1" 200 3493
...
in the access.log.
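The access.log excerpt above shows one probe every 5 seconds, matching `interval 5` in the monitor. As an added example (not from the post, F5 or IBM), here is a Python check over log lines in that format that confirms the cadence and flags gaps longer than the monitor's `timeout 16`: access.log only records requests the server actually answered, so a gap that long is the footprint of probes failing (for instance during the TLS handshake) and the member being marked down. The monitor source 192.168.153.1 and the request are taken from the excerpt; the late probe and the 503 line in the sample are constructed to show the checks firing.

```python
"""Verify the BIG-IP monitor's cadence from the IHS access.log.

Added example, not F5 or IBM code. Parses combined-format lines, keeps the
monitor's probes and reports gaps that are off the interval or beyond the
monitor timeout, plus any non-200 answers."""
from __future__ import annotations

import re
from datetime import datetime

# Constructed sample: four lines as on the page, then a 22 s gap and a 503.
SAMPLE_LOG = """\
192.168.153.1 - - [22/Jun/2016:06:26:54 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:26:59 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:04 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:09 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:31 +0100] "GET /index.html HTTP/1.1" 200 3493
192.168.153.1 - - [22/Jun/2016:06:27:36 +0100] "GET /index.html HTTP/1.1" 503 1234
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line: str) -> dict | None:
    """Parse one common/combined-format line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def monitor_report(log_text: str, monitor_ip: str, path: str = "/index.html",
                   interval: int = 5, timeout: int = 16) -> dict:
    """Summarise the monitor's probes: count, bad answers and suspicious gaps."""
    probes = [e for e in map(parse_line, log_text.splitlines())
              if e and e["ip"] == monitor_ip and e["path"] == path]
    probes.sort(key=lambda e: e["ts"])
    gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(probes, probes[1:])]
    return {
        "probes": len(probes),
        "non_200": sum(1 for e in probes if e["status"] != 200),
        "max_gap": max(gaps, default=0),
        # Gap longer than the timeout: at least one probe got no logged answer,
        # which is exactly when the monitor would have marked the member down.
        "gaps_over_timeout": [g for g in gaps if g > timeout],
        # Tolerate one second of log-timestamp jitter around the interval.
        "gaps_off_interval": [g for g in gaps if abs(g - interval) > 1],
    }


if __name__ == "__main__":
    for key, value in monitor_report(SAMPLE_LOG, "192.168.153.1").items():
        print(f"{key}: {value}")
```

Point it at the real access.log (`monitor_report(open(path).read(), "192.168.153.1")`) while the LB is misbehaving: a healthy monitor shows every gap at the interval and no non-200 lines, so anything else pins down when the member dropped out.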
Now I need to go and configure the F5 "front door" to allow me to actually send traffic to/through the load-balancer to the downstream IHS box.
These links were also of use: -