Forum Discussion
End-End SSL with default serverssl profile.
The 3-way handshake is not getting completed; the F5 keeps on sending resets. I have a VIP listening on 443, Auto-Map turned on, and the back end is a Weblogic server. I have previously configured end-end SSL & it works with Apache. Is there any special setting required with Weblogic?
12 Replies
- NikhilB
Employee
Hi, where is the 3-way handshake not getting completed (client side or server side)? Are you using default crts?
- Nitin2014_16246
Nimbostratus
Server side. From the F5 to the server there is a [SYN], then the server sends a [SYN, ACK] & now the F5 sends [RST].
- NikhilB
Employee
With or without a profile? Have you executed a tcpdump or an ssldump if you are indeed connecting on port 443?
- shaggy
Nimbostratus
If you are seeing F5 [SYN], server [SYN-ACK], F5 [RST] on the server side, the transaction isn't even making it to the SSL handshake. Are you sure that's the application traffic and not an F5 tcp-half-open monitor?
- Nitin2014_16246
Nimbostratus
Won't the tcp-half-open monitor traffic come from the Shared-IP of the guest-vCMP? Based on the IP it's not the monitor traffic.
- shaggy
Nimbostratus
Monitor traffic will come from the non-floating self-IP of each vCMP guest based on the guest's routing table.
- Nitin2014_16246
Nimbostratus
I have taken a tcpdump and I see resets in the captures. When I use Firefox, it says 'Connection was reset'.
- NikhilB
Employee
Do you have SNAT configured by any chance?
- Nitin2014_16246
Nimbostratus
Yes. If I remove the client profile & sslserver profile, & instead go to https://abc.xyz.com:7000, it works, since I am not offloading on the F5.
- Nitin2014_16246
Nimbostratus
Yes. If I remove the client profile & sslserver profile, & instead go to https://abc.xyz.com:7000, it works, since I am not offloading on the F5.
- NikhilB
Employee
Please respond to the comments inline so we know who you're answering back to. Ensure you have address and port translation turned on the VS? Have you removed the default crt on the server end? (What are the results?) Have you tried using ssldump to analyse the traffic?
- shaggy
Nimbostratus
Can you post the VS configuration and the ssl-profile configurations?
- tmsh list ltm virtual (vs-name)
- tmsh list ltm profile client-ssl (client-ssl profile-name)
- tmsh list ltm profile server-ssl (server-ssl profile-name)
You might try assigning the server-ssl profile "serverssl-insecure-compatible". Although, as I mentioned earlier, if you see the server-side TCP 3-way handshake being reset before the SSL handshake occurs, then the server-side SSL handshake should make no difference.
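
The check discussed in this thread (is a SYN, SYN-ACK, RST exchange on the server side a tcp-half-open monitor probe or application traffic?) can be run over a text capture. The script below is an added example, not posted by anyone in the thread; the capture lines are constructed, and the addresses (10.0.0.2 as the non-floating self-IP, 10.0.0.3 as the floating self-IP used by SNAT Auto-Map, 10.0.0.20:7000 as the pool member) and the function name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn` text output (not from the thread).
# Assumed roles: 10.0.0.2 non-floating self-IP, 10.0.0.3 floating self-IP
# (SNAT Auto-Map source), 10.0.0.20:7000 pool member.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.2.41000 > 10.0.0.20.7000: Flags [S], seq 100, win 14600, length 0
12:00:01.000201 IP 10.0.0.20.7000 > 10.0.0.2.41000: Flags [S.], seq 900, ack 101, win 14480, length 0
12:00:01.000305 IP 10.0.0.2.41000 > 10.0.0.20.7000: Flags [R], seq 101, win 0, length 0
12:00:02.100001 IP 10.0.0.3.52000 > 10.0.0.20.7000: Flags [S], seq 500, win 14600, length 0
12:00:02.100190 IP 10.0.0.20.7000 > 10.0.0.3.52000: Flags [S.], seq 700, ack 501, win 14480, length 0
12:00:02.100260 IP 10.0.0.3.52000 > 10.0.0.20.7000: Flags [.], ack 701, win 14600, length 0
12:00:02.101000 IP 10.0.0.3.52000 > 10.0.0.20.7000: Flags [P.], seq 501:718, ack 701, win 14600, length 217
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def classify_flows(text, server, monitor_sources):
    """Group packets per client socket and label each server-side flow."""
    flows = defaultdict(list)
    for m in map(LINE.search, text.splitlines()):
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if f"{dst}:{dport}" == server:        # packet sent by the F5 side
            flows[(src, sport)].append("c:" + flags)
        elif f"{src}:{sport}" == server:      # packet sent by the pool member
            flows[(dst, dport)].append("s:" + flags)
    result = {}
    for (ip, port), seq in flows.items():
        if seq[:3] == ["c:S", "s:S.", "c:."]:
            label = "handshake-completed"
        elif seq[:2] == ["c:S", "s:S."] and seq[2:3] and seq[2].startswith("c:R"):
            # Same packet pattern either way; only the source IP tells them apart.
            label = "half-open-probe" if ip in monitor_sources else "reset-after-synack"
        else:
            label = "other"
        result[f"{ip}:{port}"] = label
    return result

if __name__ == "__main__":
    for flow, label in classify_flows(SAMPLE, "10.0.0.20:7000", {"10.0.0.2"}).items():
        print(flow, label)
```

A flow labelled `reset-after-synack` is a reset from an address that is not a known monitor source, which is the case the original poster describes.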