Forum Discussion

SteveD1979
Aug 01, 2024

Help with SNI for multiple VIPs hosted on same server

Hi, I wanted to see if someone could help me with this setup. I've configured other VIPs in the past to use SNI by running this command and then creating the SSL profile with the hostname.

tmsh modify ltm virtual <virtual server> serverssl-use-sni enabled
tmsh save sys config

I have an engineer asking me to set his apps/VIPs up for now, but it is a different type of setup and I can't get it working. First, there is one shared pool with two servers that host 8 different sites. Each site has its own VIP with its own IP address. As soon as the engineer checks the boxes on his server for SNI in the bindings, the health monitor on the F5 breaks. I get around that by enabling the ICMP monitor or a basic TCP-over-443 monitor, but I'd like a better way. I run the command to enable SNI for the first VIP/site and create the profile with the hostname, and it works fine. Then when I go to the second app and configure it all the same, it works, but the first stops working and I get a "service unavailable" 500 error, and so on and so on. I realize this isn't what SNI is meant to do, but the application engineer was requesting it be set up like this because of our certificate management software, Venafi. The software depends on SNI being checked to be able to push the certificates to the individual servers and update the bindings with the new cert.

Any guidance would be much appreciated.

  • Are you having an issue with the health monitor or the virtual server SSL profile configuration? If it's the monitor, you will need to create a unique health monitor per FQDN you need to check and then use the relevant SSL profile in the health monitor for that specific FQDN. For the virtual server you enable SNI and make sure to mark down the default SSL cert for SNI, which is configured in the SSL profile. After you have done the previous piece you should be able to associate the additional SSL profiles for SNI to work on the virtual server, assuming the client is capable of SNI and is using it.

    • SteveD1979

      The monitor is failing, but I'm not really worried about that. I don't know what it is, but the applications are failing. All except for the last one I configure.

      app 1 VS IP 10.1.1.1

      app 2 VS IP 10.1.1.2

      app 3 VS IP 10.1.1.3

      so on for the next 5

      They all share 1 pool, which is a Windows server with IIS installed and web applications working, and the same client SSL cert with each FQDN for each VS IP in the SAN. The server-side SSL cert is unique, with each app's FQDN in the server name field, and this command is run for each VIP.

      tmsh modify ltm virtual <virtual server> serverssl-use-sni enabled

      • Paulius

        If you can provide a topology, your existing configuration, and then the failing configuration, I might be able to assist you further, but I'm having a difficult time understanding the issue here and where the failure is occurring without this information.

  • I suggest simply using the GUI instead of the tmsh CLI.
    You can see many more relevant config items in the GUI.
    F5 BIG-IP is very application-layer oriented, not network-layer like Cisco routers.

    • SteveD1979

      I'm doing it through the GUI as well. I'm following these two articles, the same as I set it up for two other applications. This one is just kind of different because all of the apps on the server have their own FQDN pointed to a different IP address, so there really isn't the standard need for SNI. Maybe if I just remove the SSL profiles altogether and let it pass through and have the server handle the routing?

      https://my.f5.com/manage/s/article/K39408450

      https://my.f5.com/manage/s/article/K13452

      • zamroni777

        Yes, you don't need the SNI setting in the client-side SSL profile.

        However, it is still better to do client-side SSL termination on the F5
        so the F5 can do HTTP-layer optimization such as HTTP/2 and HTTP/3, compression offload, caching, etc.
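
Paulius's outline earlier in the thread (one health monitor per FQDN carrying that FQDN's SSL profile, the per-site server-ssl profiles attached to each VIP, SNI selection enabled on the virtual server), written out as tmsh for the first two of the eight sites. This is an added example, not configuration posted by anyone in the thread; the object names, the example.com FQDNs and the pool name are assumed, and the monitor's ssl-profile attribute assumes BIG-IP 13.0 or later.

```tmsh
# Added example (not from the thread). Assumed names: vs_app1/vs_app2 (the VIPs),
# pool_shared (the one pool both IIS members sit in), app1/app2.example.com (FQDNs).
# The https monitor "ssl-profile" attribute assumes BIG-IP 13.0 or later.

# 1. One server-ssl profile per site. "server-name" is the SNI BIG-IP sends to IIS,
#    so the binding with "Require SNI" checked answers with that site's certificate.
create ltm profile server-ssl serverssl_app1 defaults-from serverssl server-name app1.example.com
create ltm profile server-ssl serverssl_app2 defaults-from serverssl server-name app2.example.com

# 2. One https monitor per site, using that site's server-ssl profile so the probe
#    sends SNI too (a probe without SNI is what the "Require SNI" binding rejects),
#    plus a matching Host header so IIS routes the request to the right site.
create ltm monitor https mon_https_app1 defaults-from https ssl-profile serverssl_app1 send "GET / HTTP/1.1\r\nHost: app1.example.com\r\nConnection: close\r\n\r\n" recv "200 OK"
create ltm monitor https mon_https_app2 defaults-from https ssl-profile serverssl_app2 send "GET / HTTP/1.1\r\nHost: app2.example.com\r\nConnection: close\r\n\r\n" recv "200 OK"

# 3. The shared pool must pass every site's monitor ("and"); use
#    "min 1 of { ... }" instead if one failing site should not mark a member down.
modify ltm pool pool_shared monitor mon_https_app1 and mon_https_app2

# 4. Each VIP gets its own server-ssl profile and SNI-based server-ssl selection.
modify ltm virtual vs_app1 profiles add { serverssl_app1 { context serverside } }
modify ltm virtual vs_app1 serverssl-use-sni enabled
modify ltm virtual vs_app2 profiles add { serverssl_app2 { context serverside } }
modify ltm virtual vs_app2 serverssl-use-sni enabled

# 5. Check per-member monitor state before committing the change.
show ltm pool pool_shared members detail
save sys config
```

The remaining six sites follow the same pattern, each with its own server-ssl profile, monitor and VIP; the single client-ssl profile with all FQDNs in the SAN is unchanged, since the client side does not need SNI here.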