Forum Discussion

Ron_130795
Jul 06, 2015

Client Connection Issue with SSL Cert

I configured my VIP as 443, and the servers in the pool are port 80. I just need the client to have a secured connection via port 443, but the backend communication just needs to be port 80. I configured my VIP as 443. The 'HTTP Profile' is 'http', the SSL Profile (client) has the SSL cert, and the SSL Profile (server) is set to 'none'. I try to bring up the web page via the IP address and no luck. Any suggestions?


Thank you in advance.


-Ron


4 Replies

  • Before digging into potential SSL issues, I'd start at the basics. If you configure the VIP for port 80 HTTP with no SSL profiles, does it work?

    If it works, and you re-enable client side SSL/HTTPS, how does it fail? If you place a tcpdump capture on the server side of the proxy (between the F5 and the server), do you see any traffic? If you see client traffic then there's a good indication that client side SSL isn't the problem.

    If you don't see server side traffic, do you see anything in the LTM log? If you enable debug for SSL, do you see anything in the LTM logs? In your client SSL profile, do you have a server certificate AND corresponding private key configured? You could also run an ssldump on the client side interface to see if there's an issue in the handshake:

    ssldump -AdNn -i 0.0 port 443 and host [IP of VIP]

    This will show you the cleartext portion of the SSL handshake. If there are any errors in the negotiation, those errors will show up here.

  • You're seeing "application_data" traffic, so that indicates the handshake is successful, but then the client sends an alert. Do you see any server side traffic?


  • Do a tcpdump on the server side interface going to the application to see what that looks like. SSH into the management console and do this:

    tcpdump -lnni 0.0 port 80 and host [IP of application server]

    Try your external test again and watch this capture. If you see traffic flying from the BIG-IP to the server, then client side SSL is probably not the issue. The next thing I'd do is to fire up Fiddler or HttpWatch on the client side and watch the HTTP communications. You'll see your initial GET request and probably a server HTTP response or two before things go haywire.

  • If you have SNAT applied, then you're looking for packets coming from the BIG-IP self-IP to the application. Packet in/out stats are great, but they're not giving you enough information here to properly troubleshoot this issue. You need to see traffic on the wire to know where it's coming from and where it's going. The fact that you see application_data traffic in the ssldump means that the SSL handshake was good and completed, and that actual (encrypted) application data was flowing from the client. I also see server-to-client application data, so it would seem suspect if there was no data seen on the server side of the proxy.


    Did you by chance enable debug logging for SSL on the BIG-IP? If so, do you see anything unusual in the LTM logs?
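Added example, not from this thread or from F5: a small Python helper that applies the triage the replies describe to the output of the `ssldump` command above. Per connection it counts application_data records in each direction and collects any alerts, then says whether the problem is inside the SSL handshake (a fatal alert before any application data) or after it (application data seen, so the server-side tcpdump is the next stop). The ssldump output is a constructed sample, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample of `ssldump -AdNn` output (not a real capture): connection 1
# completes the handshake, exchanges application_data, then the client sends an alert.
SAMPLE = """\
New TCP connection #1: 192.0.2.10(51234) <-> 192.0.2.100(443)
1 1  0.0012 (0.0012)  C>S  Handshake
      ClientHello
1 2  0.0300 (0.0288)  C>S  application_data
1 3  0.0310 (0.0010)  S>C  application_data
1 4  0.0320 (0.0010)  C>S  Alert
    level           warning
    value           close_notify
New TCP connection #2: 192.0.2.11(51235) <-> 192.0.2.100(443)
2 1  0.0010 (0.0010)  C>S  Handshake
      ClientHello
2 2  0.0015 (0.0005)  S>C  Alert
    level           fatal
    value           handshake_failure
"""
# conn id, optional record number, timestamp, (delta), direction, record type
RECORD = re.compile(r"^(\d+)\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+([CS]>[CS])\s+(.+)$")

def parse(text):
    """Per connection: application_data counts per direction and alerts seen."""
    conns = defaultdict(lambda: {"app_data": {"C>S": 0, "S>C": 0}, "alerts": []})
    alert = None  # the Alert record whose indented level/value lines follow
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            conn, direction, kind = m.group(1), m.group(2), m.group(3).strip()
            alert = None
            if kind == "application_data":
                conns[conn]["app_data"][direction] += 1
            elif kind == "Alert":
                alert = {"dir": direction, "level": None, "value": None}
                conns[conn]["alerts"].append(alert)
        elif alert is not None:
            kv = line.split()
            if len(kv) == 2 and kv[0] in ("level", "value"):
                alert[kv[0]] = kv[1]
    return dict(conns)

def triage(conn):
    """application_data means the SSL handshake completed; look server-side next."""
    if sum(conn["app_data"].values()) > 0:
        return "post-handshake"
    fatal = [a for a in conn["alerts"] if a["level"] == "fatal"]
    return "ssl-handshake:" + fatal[0]["value"] if fatal else "no-data"
```

Pipe a real `ssldump -AdNn` capture into `parse()` the same way; the "post-handshake" verdict is exactly the case in this thread, where the handshake is good and the tcpdump on the server side is the next thing to check.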