Hi, One of our customers has an application that doesn't appear to perform very well when load-balanced by the F5. The application is currently using a Standard VS profile, which is not doing SSL offload, uses cookie persistence and a SNAT pool with a single IP address and pretty much everything else is default. We have recently applied a Web Acceleration profile to the VS to attempt to address the problem but it doesn't appear to have solved anything. The WA profile is only set to cache and serve up static CSS and JS files. The major issue, we believe, is that the client fails to receive some of the Javascript that is necessary for the page to render correctly. This was the case prior to the WA profile being applied as well as after. The application used to be load-balanced, in a very rudimentary way, by iptables and these issues were not seen then. I'm very keen to find any clue as to where to look on the F5 for what could be causing the problem. I'm considering changing the profile to Perf L4 to see if it helps but there are two problems with that: 1. I don't get to learn what was causing the problem 2. I think the client wants to have the F5 do SSL offload in the near future Any help would be greatly appreciated. Thanks in advance, Ben

A few thoughts: One of the most prevalent "reverse proxy problems" is when an application doesn't understand that it's behind a reverse proxy and either serves up object references (images, JavaScript, style sheets, etc.) and redirect URLs with HTTP:// when the VIP is listening on HTTPS://, or the application serves up (absolute) object references for the server name that it thinks it is, versus the host name represented at the VIP. The easiest way to pin this down is to run a client side capture and see what the server is sending through the proxy. Not nearly as likely, but still a possibility, there could be TCP-related (and/or possible HTTP profile settings) issues between the F5 and the server. Again, a capture is your best bet for troubleshooting this one.

I've certainly suffered issues around what Kevin describes in 1). Just one thing to add, if you're not terminating the SSL on the F5 then cookie Persistence won't work. I'm not really sure a WA profile would either.

BASE URL's in the code seem to be a particular favourite for some sites. The good news is that these can be fixed with a single rewrite... You really need to open the pages with firebug or similar and find the URI's that are failing. From there you can usually find where they are in the source stream and implement a suitable rewriting policy to cover them.

Hi guys, Thanks for the suggestions. Just to clarify a couple of things: 1. The application doesn't actually use SSL, which is why there's no SSL termination 2. The problem is actually intermittent in that it's not a certain page that "always" fails to load properly and there's no way we've found to consistently reproduce the issue It's quite difficult to troubleshoot in that respect. As I said, we think we've narrowed it down to a specific piece of Javascript that isn't being received at the client end...sometimes...and the result is that certain buttons on the app web page are greyed out rather than active. If it helps, the application is written in Delphi and is being served up by IIS at the back end. It's an ugly application but it did seem to work OK behind iptables. Any further thoughts most welcome. Cheers, Ben.

As Kevin mentioned already, it could be caused on transport layer as well. If you have assigned a tcp-profile with 'nagle´s algorithm' enabled it could cause serious delays as the virtual server is 'collecting' data to fill a paket / segment to avoid signalling overhead. Switching to a lan_optimized_tcp profile or turning off 'nagle´s' may solve the problem without in-depth analysis. Having a look at the object load times in a browser plugin as HTTPfox as recommended by Hamish may also help to figure out the problem.

Application Web Pages Not Being Served Correctly by F5

king555_51103
Nimbostratus
Oct 04, 2013
Hi, we have exactly the same problem. I turned off caching, compression and sets the default tcp profile, but problem remained. We use SSL on client and server side so troubleshooting is quite difficult. When client (browser) send request randomly some resources (like css, js, gif, ...) aren't transmitted. After defined period (default 300 s. Idle Timeout) BIG-IP send reset packet (TCP - RST, ACK) When problem occured request is not present in ASM log (full request and response logging is enabled) We use HA pair (active-pasive) release version 11.3 hotfix 7. Any ideas?
nitass
Employee
Oct 04, 2013
besides tcpdump or irule logging, you may try http analyzer tool such as httpfox, fiddler. it may be able to give clue where the problem is.

HttpFox

https://addons.mozilla.org/En-us/firefox/addon/httpfox/

Fiddler

http://fiddler2.com/

hope this helps.
- king555_51103
  Nimbostratus
  Oct 07, 2013
  I've tried these tools. But tools only show my what I already know: Browser sends requests to the page sources but some answers sometimes do not come back. I see trend: more client = bigger resources load problem.
nitass_89166
Noctilucent
Oct 04, 2013
besides tcpdump or irule logging, you may try http analyzer tool such as httpfox, fiddler. it may be able to give clue where the problem is.

HttpFox

https://addons.mozilla.org/En-us/firefox/addon/httpfox/

Fiddler

http://fiddler2.com/

hope this helps.
- king555_51103
  Nimbostratus
  Oct 07, 2013
  I've tried these tools. But tools only show my what I already know: Browser sends requests to the page sources but some answers sometimes do not come back. I see trend: more client = bigger resources load problem.
king555_51103
Nimbostratus
Oct 07, 2013
Hi, HW 3900. This is original configuration before attempting to correct problem: ltm virtual App-HTTPS { auto-lasthop disabled destination X.X.X.X:https fallback-persistence /Common/source_addr http-class { /Common/app1-httpclass /Common/app2-httpclass /Common/app2-httpclass } ip-protocol tcp mask 255.255.255.255 partition 1 persist { /Common/app-cookie { default yes } } pool /Common/APP-HTTPS profiles { /Common/app-dos { } /Common/app-optimized-caching { } /Common/app-serverssl { context serverside } /Common/app-clientssl { context clientside } /Common/app-http { } /Common/tcp-lan-optimized { context serverside } /Common/tcp-wan-optimized { context clientside } extmch-oneconnect { } } rules { /Common/NonSSL-To-SSL } security-log-profiles { /Common/log_illegal_req-w_resp } source 0.0.0.0/0 source-address-translation { type automap } vlans { /Common/App } vlans-enabled } I tried configuration without caching and set default tcp profile, but problems persists.
Kevin_Stewart
Employee
Oct 08, 2013
I've tried these tools. But tools only show my what I already know: Browser sends requests to the page sources but some answers sometimes do not come back. I see trend: more client = bigger resources load problem.

Just to be clear, what you're looking for are 1) the resource requests themselves, and 2) how the objects in the documents are being referenced. It's unfortunately a VERY common problem when an otherwise internal app references objects and other resources by names that an external client cannot access. I've even seen this inside of JavaScript and style sheets. Please verify that the objects being requested are accessible externally (by name and resolution).
SentinelPrime_1
Nimbostratus
Oct 08, 2014
I ran into the same issue. when I hit the VIP it displays the page but with some java components missing on the page, in comparison to hitting the server directly. I will have to admit that the back-end server is running some funky java script and was just wondering if the F5 is not compatible with the version of java.

I have done some captures Fiddler: when I hit the VIP i get the following from Fiddler

Result Protocol Host URL Body Caching Content-Type Process
1 200 HTTPS Server.domain /T1Dev/CiAnywhere/Web/Environments 7,016 private text/html; charset=utf-8 fiddler:12392 9 302 HTTPS Server.domain /T1Dev/CiAnywhere/Web/Dev/Workplace 210 private text/html; charset=utf-8 fiddler:12392 10 504 HTTPS Server.domain /T1Dev/CiAnywhere/Web/RedirectToLogOn?ReturnUrl=/T1Dev/CiAnywhere/Web/Dev/Workplace 512 no-cache, must-revalidate text/html; charset=UTF-8 fiddler:12392

which could be related to caching.

I ran HTTPWatch and got the following Error

0.000 0.051 1947 526 GET 302 Redirect to /T1Dev/CiAnywhere/Web/Dev/Workplace https://Server.domain/T1Dev/CiAnywhere/Web/Dev/Workplace/Account/LogOn
0.051 1 2.535 1933 16433 GET 200 html https://Server.domain/T1Dev/CiAnywhere/Web/Dev/Workplace
2.604 1 0.045 1960 0 GET ERROR_HTTP_INVALID_SERVER_RESPONSE https://Server.domain/T1Dev/CiAnywhere/Web/Workplace/v-12.0.7.0/t/Base/Css/CombinedCss.WorkplaceFrontOffice.css
2.650 1 0.001 0 0 GET (Cache) css https://Server.domain/T1Dev/CiAnywhere/Web/Workplace/v-12.0.7.0/t/Base/Colours?c=pink
2.651 1 0.018 1975 0 GET ERROR_HTTP_INVALID_SERVER_RESPONSE https://Server.domain/T1Dev/CiAnywhere/Web/Workplace/v-12.0.7.0/Js/CombinedJs.WorkplaceFrontOffice.js
2.672 1 0.000 0 0 GET (Cache) css https://Server.domain/T1Dev/CiAnywhere/Web/Workplace/v-12.0.7.0/t/Base/Styles/Flow.css
2.672 1 0.000 0 0 GET (Cache) javascript https://Server.domain/T1Dev/CiAnywhere/Web/Workplace/v-12.0.7.0/Scripts/Flow.js 6 2.672 7815 16959 7 requests Which clearly states invalid server response for .css and .js.

Any Ideas? Cheers
Elie_Richa_2324
Nimbostratus
Dec 09, 2016
Hello Ben,

I am facing the same issue, could you please share how did you solved the problem.

Best Regards, Elie Richa
shange2000_3566
Nimbostratus
Mar 23, 2018
May I know any update of the solutions on this post? [https://devcentral.f5.com/questions/application-web-pages-not-being-served-correctly-by-f5?lc=1] I am also facing the same issue here and desperately looking for a solution. Error Description: When our web application (.NET 3.5) is accessed through F5 LB with https, we always intermittently hit the error of "sys is not defined". This error will NOT occur if we access the web application via the web server URL directly. That is why I suspect it is due to F5 LB configurations.

NOTE: I am not an F5 expert, and this is the first time I encounter a client using F5 LB.

Architecture background: This project has 1 F5 LB in front, behind F5 there are 2 Web server as reversed proxy and 2 application servers which are actually hosting the web application. The SSL cert is bind in the F5 LB.

Troubleshooting work done and findings so far:

The LB and servers are own by the client, and we have no access to the F5 LB. We have asked the client infra guy to ensure the sticky session in F5.

In the application servers, we have already install .NET Ajax Toolkit 1.0.

We have tried to disable compression for scriptResource.axd, but the problem remains.

My colleague uses Fiddler to troubleshoot the problem (unfortunately I couldn't go to client site with her today), and she discovered that the axd file is downloaded to the client browser successfully, but the browser cache value suddenly changed after some time. Details: When the browser cache is empty and the browser first time loads the axd file, everything work normally, she could see the axd file value from the cache, say "APPLE"; then she kept testing the web application again and again until the error occur, after that she checked the axd file in browser cache, it shows a wrong data, meaning "APPLE" now becomes "ADDLE". Then she cleared the cache, the browser retrieves the axd file again and the axd value becomes "APPLE" again, and the program ran fine again. Because of this finding, the client concludes that it is the browser issue not the F5 LB issue. But my point is that our web application has no error in all other test scenarios, only encounter error when it is accessed through F5 HTTPS, WHY?! And I don't believe a browser will change the cache value itself.

I am not an infra expert but a software programmer. And I have never encountered such a weird issue with other brands of LB before. Can any F5 expert here give me some advice? Or do you have any F5 contact in Singapore? I would like to contact the expert ASAP. Many thanks.

Forum Discussion

Application Web Pages Not Being Served Correctly by F5

Recent Discussions

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Client SSL Profile set to Require Client Certificate breaks RDP in APM

Related Content

Enhance your Application Security using Client-side signals

Making Android SSL Work Correctly.

Serving Moodle App - problem when using https

AS3 referencing objects across applications

Application page not loading correctly

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS