
HTTPS monitor failure - timeout during SSL handshake stage



Hi All,

I'm trying to configure a servicegroup with an HTTPS monitor, but I keep getting a timeout during the SSL handshake stage and have tried everything that normally works for me to work around this problem.

I have a server added to the servicegroup with the FQDN of a public internet site, www.developer.interact-lighting.com, which internal backend servers with no Internet access need to access through the NetScaler.

 

I have a custom HTTPS monitor with a custom header:

HOST: www.developer.interact-lighting.com\r\n

 

I have a custom SSL profile with ciphers matching the scan from SSL Labs bound to the servicegroup and monitor, but I still get the handshake error!

 

Are there any gurus here who have a tip on how to work around this timeout during SSL handshake stage problem? :)

 

Thanks!!

 

BR
Michael

 


 

Can you clarify what you want your monitor to confirm?
It sounded like you are determining the UP/DOWN state of your servicegroup (aka your own internal server destinations) by whether they can or can't see an external destination?

 

 

You may need two monitors:

1) a regular monitor that determines if the actual service is UP/DOWN by its own details.

2) a second monitor that determines if the dependency works.  Usually this might include a destination override, but if I understand you directly, you want to see if your SERVICE can resolve a different destination?

I'm not sure that you can write a monitor to Service1 and ask it to probe ExtWeb1 and get a response back. Now, if there was an existing page where the server does this call on the backend and you use a monitor to check the status of this service, it would be easier.

And you don't need to test if the ADC can reach externalweb, just the backend service?  (Or am I reading that wrong?)  If you are trying to get the ADC to probe the externalweb destination and then bring the service up/down you need a Destination IP and/or Destination Port to make the ADC probe a location other than the service it is bound to.

 

See if this article assists with the proxy call:  https://support.citrix.com/article/CTX120921  (It's not your exact scenario at all, but may help tweak the ECV parameters.)

 

But, I would try to make the backend server have a test page that returns a /health page up/down where it makes the call itself and your ADC just has to probe the /health page to see if it works.  This would also let you test if the dependency works per service destination and not a blanket works for everyone or not.
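
The /health approach suggested in the reply above, as an added example that is not part of the original thread: a small Python endpoint on the backend server that makes the outbound TLS call itself and reports which stage failed (DNS, TCP connect or TLS handshake), so the ADC monitor only has to probe /health. The host name `dependency.example`, listening port 8080 and all function names are assumptions for illustration.

```python
import socket
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed placeholders: replace with the external FQDN the backend depends on.
DEP_HOST = "dependency.example"
DEP_PORT = 443
TIMEOUT = 3.0  # seconds; keep this below the ADC monitor's response timeout


def probe_dependency(host, port=DEP_PORT, timeout=TIMEOUT):
    """Return (ok, detail); detail names the failing stage or the TLS version."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:          # name resolution failed
        return False, "dns"
    except OSError:                  # refused, unreachable, or connect timeout
        return False, "tcp-connect"
    try:
        # server_hostname sends SNI and enables certificate name checking.
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return True, tls.version()
    except OSError:                  # ssl.SSLError and timeouts are OSError subclasses
        return False, "tls-handshake"
    finally:
        raw.close()


def health_response(probe=probe_dependency):
    """Map the probe result to the (status, body) pair the monitor checks."""
    ok, detail = probe(DEP_HOST, DEP_PORT)
    return (200, "UP\n") if ok else (503, f"DOWN stage={detail}\n")


class Health(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path != "/health":
            self.send_error(404)
            return
        status, body = health_response()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Health).serve_forever()
```

Because each backend runs its own probe, the monitor result reflects that server's path to the dependency, and the `stage=` value in a DOWN response shows whether the failure is in the TLS handshake or earlier.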

 

 

 

 

 
