Hello, Up until now using the F5 has been fairly straight forward. Adding HTTPS certificate support for incoming IE connections however has got me stumped. I have watched the online webinar and tried many variations to get it working without success. What I am trying to do is to take a working HTTP connection through the F5 to a pool consisting of a pair of Tomcat servers and convert the virtual server connection from HTTP to HTTPS. Wireshark traces show the F5 and the Tomcat communicating with each other and all of the status balls are green. How do I go about debugging my problem? Where do I look to find out what is not happening? Regards, Mark

MarkM, Quick question, are you talking about putting SSL on the front side of the connection or the back side: Client ---> Virtual server (front side) Virtual Server ------> Apache pool members (back side) Joshm

Front side, client to F5. Not F5 to the balanced server in the pool.

Sweet! Alright, here's my favorite way to do it, everyone has a flavor of it I'm sure. 1. Create a new virtual server, a clone of the port 80 Virtual server. For this example, I'll call it clone-https --Key difference: This one listens on port 443. 2. Import the certificate and key into the F5. Local Traffic -> certificate list ->import 3 . Create a client SSL profile , local traffic ->profiles -> ssl -> client (http://support.f5.com/kb/en-us/solutions/public/10000/100/sol10167.html?sr=18888170) . That is where you are going to define the certificate and key. For the example, I'll call the profile coolssl 4. Assign the client ssl profile to the Virtual server clone-https. Go into the virtual server properties, change it from basic to advanced, and there you should see the client ssl profile option. Click update... and boom. Try to hit the ssl version of the site. workie? hopefully. joshm

Hello Josh, Thank you for the clear instructions. Unfortunately, no workie. I even created a new certificate using openssl. I get the following error "Internet Explorer cannot display the webpage". If I change the service port back to 80 and then remove the ssl client profile, then it works. I need some advice on how to debug this one. I installed wireshark on my backend tomcat 6 server and it shows tcp connections going between the tomcat server and the F5. Mark

MarkM, Huh. So when I am troubleshooting ssl, I typically use openssl to see if the certificate is being handed out: openssl s_client -connect VIPIP:443 If the client is being handed out, then the front end connection is most likely good, and there is just an issue with the pool. For further checking, you can run tcpdump on the F5 unit itself. tcpdump -s0 -ni 0.0:nnn host and port 443 -w /var/tmp/external.pcap That file can be openned in wireshark. Does the openssl connection work? -Josh

HTTPS Problem | DevCentral

34 Replies

MarkM_63051
Nimbostratus
Jan 24, 2012
root@f5-loadbalancer2(Active)(/Common)(tmos) show /ltm virtual SSLTest2

---------------------------------------------------------

Ltm::Virtual Server: SSLTest2

---------------------------------------------------------

Status

Availability : available

State : enabled

Reason : The virtual server is available

CMP : enabled

CMP Mode : all-cpus

Destination : 16.124.133.211:443

Traffic ClientSide Ephemeral General

Bits In 445.9K 0 -

Bits Out 1.1M 0 -

Packets In 508 0 -

Packets Out 481 0 -

Current Connections 0 0 -

Maximum Connections 4 0 -

Total Connections 72 0 -

Min Conn Duration/msec - - 143

Max Conn Duration/msec - - 26.2K

Mean Conn Duration/msec - - 4.5K T

otal Requests - - 0

CPU Usage Ratio (%)

Last 5 Seconds 0

Last 1 Minute 0

Last 5 Minutes 0

root@f5-loadbalancer2(Active)(/Common)(tmos)
nitass
Employee
Jan 24, 2012
tmsh list ltm virtual virtual_server_name

tmsh list ltm pool pool_name

curl -Ik https://16.124.133.211/

curl -I http://pool_member_ip/
nathe
Cirrocumulus
Jan 24, 2012
Mark

Try all-properties at the end to get the configuration e.g. show /ltm virtual SSLTest2 all-properties

N
MarkM_63051
Nimbostratus
Jan 24, 2012
root@f5-loadbalancer2(Active)(/Common)(tmos) list /ltm pool

ltm pool SSLTEST {

members {

10.15.255.241:webcache {

address 10.15.255.241

session monitor-enabled

state up

}

}

monitor tcp

}

root@f5-loadbalancer2(Active)(/Common)(tmos)
MarkM_63051
Nimbostratus
Jan 24, 2012
[root@f5-loadbalancer2:Active] config curl -lk https://16.124.133.211/

Apache Tomcat It works on hap_tomcat1!

If you're seeing this page via a web browser, it means you've setup Tomcat successfully. Congratulations!

This is the default Tomcat home page. It can be found on the local filesystem at: /var/lib/tomcat6/webapps/ROOT/index.html

Tomcat6 veterans might be pleased to learn that this system instance of Tomcat is installed with CATALINA_HOME in /usr/share/tomcat6 and CATALINA_BASE in /var/lib/tomcat6, following the rules from /usr/share/doc/tomcat6-common/RUNNING.txt.gz.

You might consider installing the following packages, if you haven't already done so: tomcat6-docs:

This package installs a web application that allows to browse the Tomcat 6 documentation locally. Once installed, you can access it by clicking here. tomcat6-examples:

This package installs a web application that allows to access the Tomcat 6 Servlet and JSP examples. Once installed, you can access it by clicking here. tomcat6-admin: This package installs two web applications that can help managing this Tomcat instance. Once installed, you can access the manager webapp and the host-manager webapp.

NOTE: For security reasons, using the manager webapp is restricted to users with role "manager". The host-manager webapp is restricted to users with role "admin". Users are defined in /etc/tomcat6/tomcat-users.xml. [root@f5-loadbalancer2:Active] config
nathe
Cirrocumulus
Jan 24, 2012
Mark

To be sure - are you seeing monitor traffic and / or production traffic from the F5 to the tomcat server as both, I expect will be using port 80 so it may not be obvious. You may be seeing the client - f5 production traffic but no f5 - server production traffic, only monitor traffic. Hope I'm making sense.

What I always do here is tcpdump the client side interface and the server side interface at the same time, BUT seperately, and you should see a match up of the traffic (if it's working of course). You will see a tcp and seperate ssl handshake on 443 clientside and then tcp handshake on 80 on the serverside.

I presume you've not got a serverside ssl profile enabled on the virtual have you? You mentioned earlier the f5 will terminate the ssl connection so you won't need one.

As nitass requested a good look at your VS setup may help here.

N
MarkM_63051
Nimbostratus
Jan 24, 2012
[root@f5-loadbalancer2:Active] config curl -l http://10.15.255.241/

curl: (7) couldn't connect to host

[root@f5-loadbalancer2:Active] config

Comments from Mark:

IP Address information:

-----------------------

IP Address of the Client/Browser: 15.253.58.161 (my PC)

IP Address of Virtual Server on the BIG-IP: 16.124.133.210

Self-IP of the BIG-IP: Mgmt IP = 16.124.134.131, internal = 10.15.255.246

IP Address of TomCat/Node: 10.15.255.241
MarkM_63051
Nimbostratus
Jan 24, 2012
[root@f5-loadbalancer2:Active] config curl -I http://10.15.255.241/

curl: (7) couldn't connect to host

[root@f5-loadbalancer2:Active] config
Mike_Maher
Nimbostratus
Jan 24, 2012
MarkM,

What is your Server Side SSL set to in your VS? If you are not doing SSL on the Tomcat servers then you need to make sure it is set to None. When you look at your client profile drop down to advanced and what options are you customizing?

To troubleshoot this you need to keep in mind that it is not all one connection. You have an SSL connection coming to the VS on the F5 that is terminating and then the F5 will do its own socket to the server. So you need to troubleshoot each side independently, I would personally start with the client side (client to VS) and rule it out first before looking at the server side (VS to Tomcat server).

Client Side troubleshoot:

Take a tcpdump on the F5 like Josh had stated, then run that through ssldump and see if the ssl handshake is completing successfully.

ex: ssldump -r external.pcap

If you want to decyrpt the session you will need to do this

ssldump -d -A -k /config/ssl/ssl.key/(the name of the key for your site) -r external.pcap

You basically want to confirm that the ssl handshake is completing and you see a GET request from the client.

Another tool to use to troubleshoot the client side would Fiddler or HTTPWatch plugins for IE for Firefox, they will show you what the browser sees.

From the server side, you keep saying you are seeing traffic in your wireshark trace, but what kind of traffic? Are you seeing a GET request to the web server? I ask because you should see traffic coming from the F5 in the form of whatever healthcheck you are doing on the pool to the web server, but that does not mean that it is actual client traffic.

This should work, as simply doing an SSL VS is not something that is uncommon on an F5 device, I run roughly a dozen of them on some ASM units I manage.
MarkM_63051
Nimbostratus
Jan 24, 2012
[root@f5-loadbalancer2:Active] config curl -Ik https://16.124.133.211/

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Accept-Ranges: bytes

ETag: W/"1901-1317214551000"

Last-Modified: Wed, 28 Sep 2011 12:55:51 GMT

Content-Type: text/html

Content-Length: 1901

Date: Tue, 24 Jan 2012 12:09:30 GMT

[root@f5-loadbalancer2:Active] config