For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ingebrigt_Maurs's avatar
Ingebrigt_Maurs
Icon for Nimbostratus rankNimbostratus
Jun 15, 2015

ERR_SPDY_PROTOCOL_ERROR when enabling SPDY

Hi !

I use BIG-IP 11.6.0 and try to enable SPDY. I have a VS with an Access Policy that uses an 'External Logon Page' action.

My config:

ifile with a custom login page

VS with:

  • No Client SSL profile
  • An AP that starts with an 'External Logon Page' action with a Server URI '/login'
  • A pool select irule used to direct traffic to the login ifile

:

switch -regexp -- [string tolower [HTTP::path]] {
    "^/login(/|$)" {
    HTTP::respond 200 content [ifile get login-form] ...
    }
    ... (pool selects for actual services) ...
}
  • In front of this VS I have another VS. It has a Client SSL profile

Without SPDY

When I don't have SPDY enabled on my front VS everything works:

  • /myservice 302 ->
  • /my.policy 200 OK (APM will initiate a POST to the external logon page, /login)
  • /login 200 OK. (/login is an iFile)
  • user enters credentials (/login POST's these to /my.policy) ->
  • /my.policy 302 ->
  • /myservice (and I'm logged in)

With SPDY

When I enable SPDY on the front VS, things break:

  • /myservice 302 ->
  • /my.policy 200 OK (APM will initiate a POST to the external logon page, /login)

  • /login ( This request is made, but bad/no response is received by the client)

  • Chrome shows 'not available, ERR_SPDY_PROTOCOL_ERROR'. dev tool shows 'CAUTION: Provisional headers are shown' in place of request headers. No reponse headers are shown

  • FF shows 'Secure Connection Failed'
  • IE works

In the ltm log I can see:

  • the AP in the inner VS has started
  • the /login ifile has been served
  • the outer VS has fired a HTTP_RESPONSE event

  • There are no log entries in apm or ltm other than those i make myself

  • if I go directly to the custom login page (i.e. https://mysite.no/login) I get the same error.

  • If I repeat the request for the custom login page, it works (!)

I make no other change than enabling SPDY. If I disable SPDY again everything works normally.

Any tips on how to figure out this issue? I find nothing in the BIG-IP logs, error messages from the browsers are very generic, and since SPDY only works over HTTPS listening in on the traffic is difficult.

application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
LTM
security
spdy
No RepliesBe the first to reply