Forum Discussion
http profile breaks down my virtual server
Each time I'm applying an HTTP profile on my virtual server the site is not accessible. If I put "none" at the HTTP profile, the site is accessible.
The weirdest thing is I have the same service running behind a Barracuda WAF and it's working fine.
Moreover when I tcpdump from the 'internal' interface (server side), I don't see any traffic passing through when HTTP profile is applied.
Does anyone have any idea?
- nathe (Cirrocumulus)
Francisco,
Are you able to share the virtual server configuration? Anonymised of course.
I've seen this before when the VIP is listening on port 443 (HTTPS) but there is no clientssl profile, i.e. the BIG-IP is not decrypting the traffic. In that scenario adding an HTTP profile can break the application.
Hope this helps,
N
- Francisco_Verde (Altostratus)
By the way, the server behind the F5 appliances is an Oracle GlassFish Server.
- nathe (Cirrocumulus)
This article doesn't have an HTTP profile selected. See https://docs.oracle.com/cd/E24290_01/coh.371/e22839/appendix_f5.htm#COHCG5171
Also, a std VS with an HTTP profile needs an initial GET request from the client before selecting a pool member. Without an HTTP profile it doesn't. I wonder if this is a client incompatibility issue. If you decrypt the tcpdump, does the client send a GET?
- Boggs_5738 (Nimbostratus)
You can review the LTM log [tailf /var/log/ltm] and verify what is returned when you have the HTTP profile.
Also, you can try to decrypt the packet capture so you see what is being exchanged.
Use the syntax: tcpdump -nni 0.0:nnnp -s0 host -w /var/tmp/vs_http_fail.pcap -vv
Use this to decrypt: K10209: Overview of packet tracing with the ssldump utility
Or use the iRule: apply it first to the VS before running the pcap. Also, make sure your session is fresh, so start from scratch with a fresh browser session. See https://devcentral.f5.com/questions/ssldump-and-internal-hsm
when CLIENTSSL_HANDSHAKE {
Try until you get the decrypted data, then analyse further.
Good luck.
- Francisco_Verde (Altostratus)
Hi Nathan,
Looks like you're right... I didn't see any GET request from the client... this is why I won't see any traffic passing through my F5 whenever I apply my HTTP profile.
I guess I'll have limited options to protect my service behind.
Thanks for the help, Francisco
- nathe (Cirrocumulus)
OK Francisco, thanks for the update. Glad we could help.
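Added example, not part of any post in this thread: a Python sketch of the check suggested above, classifying the first client payload pulled from a capture and mapping it to the two failure cases the thread describes. The function names, outcome labels and sample byte strings are constructed for illustration and are not F5 code.

```python
import re

# HTTP/1.x request line: METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(rb"^[A-Z]{3,10} \S+ HTTP/\d\.\d\r?\n")

def classify_first_payload(data: bytes) -> str:
    """Classify the first bytes a client sends after the TCP handshake."""
    if not data:
        return "silent"  # client sent nothing (it may be waiting for the server)
    # TLS record: byte 0 = content type 0x16 (handshake), bytes 1-2 = version,
    # bytes 3-4 = record length, byte 5 = handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if REQUEST_LINE.match(data):
        return "http-request"
    return "non-http"

def http_profile_effect(first_payload: bytes, clientssl: bool) -> str:
    """Expected effect of an HTTP profile, following the thread's two cases.

    When clientssl is True, pass the first *decrypted* client payload.
    """
    kind = classify_first_payload(first_payload)
    if kind == "tls-client-hello":
        # With a clientssl profile the ciphertext tells us nothing yet.
        return "need-plaintext" if clientssl else "break-encrypted"
    if kind == "http-request":
        return "ok"  # a request arrived, so a pool member can be selected
    return "stall-no-request"  # no HTTP request, no server-side traffic

# Constructed sample payloads (not taken from a real capture).
SAMPLE_TLS = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 32
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n"
SAMPLE_BINARY = b"\x00\x00\x00\x2a\x01proprietary-frame"

if __name__ == "__main__":
    for name, payload, ssl in [("tls, no clientssl", SAMPLE_TLS, False),
                               ("http after decrypt", SAMPLE_HTTP, True),
                               ("binary after decrypt", SAMPLE_BINARY, True),
                               ("client silent", b"", True)]:
        print(f"{name:22} -> {http_profile_effect(payload, ssl)}")
```

The "stall-no-request" result corresponds to what Francisco reports: no GET from the client and nothing visible on the server-side interface.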