Forum Discussion

RAQS's avatar
RAQS
Icon for Cirrus rankCirrus
Jan 31, 2023

F5 | LTM | Server Hello packet is not coming

Hi Team,

Hope you all are doing great!

i have an issue, where i have F5 LTM VS (Standard - SSL Passthrough (no client/server SSL profile).

Issue - URL is not accessible, getting error message site can't be reach. 

Bypassing LB it works properly. I took packet capture and observed that TCP Hnadshake is happeing but SSL handshake is not happening. Client hello is coming but Server hello is not happenning and no error message in packet capture.

Please let me know if issue is with F5 or not.

Regards,

RAQS

 

application delivery
f5 ltm
  • Paulius's avatar
    Paulius
    Icon for MVP rankMVP
    Jan 31, 2023

    RAQS can you please provide the configuration of the virtual server so we can look at this a bit more in depth? My first guess is that because you aren't performing SSL termination you most likely have a configuration option applied that is attempting to look at the at the traffic, such as an HTTP profile, and those settings might cause this behavior for you.

    • RAQS's avatar
      RAQS
      Icon for Cirrus rankCirrus
      Jan 31, 2023

      destination 10.11.11.1:443
      ip-protocol tcp
      mask 255.255.255.255
      persist {
      abc_Dest_Addr {
      default yes
      }
      }
      pool abc.com_https
      profiles {
      abc.com.com_TCP_Timeout { }
      }
      serverssl-use-sni disabled
      source 0.0.0.0/0
      source-address-translation {
      type automap
      }
      translate-address enabled
      translate-port enabled
      vs-index 477
      }

      • Paulius's avatar
        Paulius
        Icon for MVP rankMVP
        Feb 01, 2023

        RAQS May I have the configuration of that abc.com.com_TCP_Timeout profile because based on the rest of that configuration this should work, this is all assuming that the appropriate firewall rules are in place to allow you to reach the F5 and the F5 to reach the pool members on the self-IP closest to the destination pool members.

  • RAQS's avatar
    RAQS
    Icon for Cirrus rankCirrus
    Feb 01, 2023

    Paulius ==> updated packet capture screenshot. Connectivity is in place. TCP handshake is happening. But SSL Handshake is not happening. Regarding that tcp timeout, its all default value, only idle timeout is set as 600 seconds.

      • boneyard's avatar
        boneyard
        Icon for MVP rankMVP
        Feb 05, 2023

        Can you do the curl command via the CLI from the BIG-IP toward the pool member?

        To be honest if you send a client helo and there is no response it would start with looking at the server. Does it perhaps have certain ACLs or such?

    • Paulius's avatar
      Paulius
      Icon for MVP rankMVP
      Feb 06, 2023

      RAQS can you run the following tcpdump on the F5 please? For a bit more accurate tcpdump you can replace the IP in the following command with the IP of the client.

      tcpdump -nni 0.0:nnp host 10.11.11.1

      As boneyard has stated I would also ensure that you can curl from the F5 to the pool members as well and receive a valid response from them.