Forum Discussion
F5 | LTM | Server Hello packet is not coming
Hi Team,
Hope you all are doing great!
i have an issue, where i have F5 LTM VS (Standard - SSL Passthrough (no client/server SSL profile).
Issue - URL is not accessible, getting error message site can't be reach.
Bypassing LB it works properly. I took packet capture and observed that TCP Hnadshake is happeing but SSL handshake is not happening. Client hello is coming but Server hello is not happenning and no error message in packet capture.
Please let me know if issue is with F5 or not.
Regards,
RAQS
RAQS can you run the following tcpdump on the F5 please? For a bit more accurate tcpdump you can replace the IP in the following command with the IP of the client.
tcpdump -nni 0.0:nnp host 10.11.11.1
As boneyard has stated I would also ensure that you can curl from the F5 to the pool members as well and receive a valid response from them.
- RAQSCirrus
Any help ?
Can you do the curl command via the CLI from the BIG-IP toward the pool member?
To be honest if you send a client helo and there is no response it would start with looking at the server. Does it perhaps have certain ACLs or such?
RAQS can you please provide the configuration of the virtual server so we can look at this a bit more in depth? My first guess is that because you aren't performing SSL termination you most likely have a configuration option applied that is attempting to look at the at the traffic, such as an HTTP profile, and those settings might cause this behavior for you.
- RAQSCirrus
destination 10.11.11.1:443
ip-protocol tcp
mask 255.255.255.255
persist {
abc_Dest_Addr {
default yes
}
}
pool abc.com_https
profiles {
abc.com.com_TCP_Timeout { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
type automap
}
translate-address enabled
translate-port enabled
vs-index 477
}RAQS May I have the configuration of that abc.com.com_TCP_Timeout profile because based on the rest of that configuration this should work, this is all assuming that the appropriate firewall rules are in place to allow you to reach the F5 and the F5 to reach the pool members on the self-IP closest to the destination pool members.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com