Forum Discussion

RAQS's avatar
RAQS
Icon for Cirrus rankCirrus
Jan 31, 2023

F5 | LTM | Server Hello packet is not coming

Hi Team,

Hope you all are doing great!

i have an issue, where i have F5 LTM VS (Standard - SSL Passthrough (no client/server SSL profile).

Issue - URL is not accessible, getting error message site can't be reach. 

Bypassing LB it works properly. I took packet capture and observed that TCP Hnadshake is happeing but SSL handshake is not happening. Client hello is coming but Server hello is not happenning and no error message in packet capture.

Please let me know if issue is with F5 or not.

Regards,

RAQS

 

  • Paulius ==> updated packet capture screenshot. Connectivity is in place. TCP handshake is happening. But SSL Handshake is not happening. Regarding that tcp timeout, its all default value, only idle timeout is set as 600 seconds.

    • RAQS can you run the following tcpdump on the F5 please? For a bit more accurate tcpdump you can replace the IP in the following command with the IP of the client.

      tcpdump -nni 0.0:nnp host 10.11.11.1

      As boneyard has stated I would also ensure that you can curl from the F5 to the pool members as well and receive a valid response from them.

      • Can you do the curl command via the CLI from the BIG-IP toward the pool member?

        To be honest if you send a client helo and there is no response it would start with looking at the server. Does it perhaps have certain ACLs or such?

  • RAQS can you please provide the configuration of the virtual server so we can look at this a bit more in depth? My first guess is that because you aren't performing SSL termination you most likely have a configuration option applied that is attempting to look at the at the traffic, such as an HTTP profile, and those settings might cause this behavior for you.

    • RAQS's avatar
      RAQS
      Icon for Cirrus rankCirrus

      destination 10.11.11.1:443
      ip-protocol tcp
      mask 255.255.255.255
      persist {
      abc_Dest_Addr {
      default yes
      }
      }
      pool abc.com_https
      profiles {
      abc.com.com_TCP_Timeout { }
      }
      serverssl-use-sni disabled
      source 0.0.0.0/0
      source-address-translation {
      type automap
      }
      translate-address enabled
      translate-port enabled
      vs-index 477
      }

      • RAQS May I have the configuration of that abc.com.com_TCP_Timeout profile because based on the rest of that configuration this should work, this is all assuming that the appropriate firewall rules are in place to allow you to reach the F5 and the F5 to reach the pool members on the self-IP closest to the destination pool members.