issue with default server ssl profile, TCP RSTs send by BIG-IP

Question

ok, weird situation, anyone seen this before?&nbsp;
virtual server listening on 443 with client and server SSL profile. when i use a debug profile (cipher: NONE:RC4+RSA) everything is fine. when i use the default ssl server profile parts of the website dont load. when i look at packet captures i see the BIG-IP is actively RSTing connections to the pool member with the defauls ssl server profile. this appears to happen when the response is larger then a few packets. so some of the traffic gets through, but not everything.&nbsp;
i assume the is some issue with the SSL on the pool member, but how can i explain that it works until the amount of data send by the pool member becomes "too" large? why does the big-ip send a reset on this?&nbsp;
the big-ip version is too low to enable reset packet logging :(&nbsp;

boneyard · Answer

anyone?&nbsp;

boneyard · Answer

this turned out to be related to:
bug 224279 - Previously, if HTTP version responses were split across multiple packets, the connection could stall.  This issue has been corrected.

which was caused by the client side BEAST mitigation based on (1/n-1) record splitting.

Forum Discussion

issue with default server ssl profile, TCP RSTs send by BIG-IP

2 Replies

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

HA Failover between two Datacenters

LTM issue Openning new web browser tab

F5 asm/awaf

Cannot ping external interface

AST Configuration Assistance

Related Content

A Closer Look at mTLS and the Default Server in F5 NGINX

SSL Profiles Part 7: Server Name Indication

iControl REST Cookbook - Virtual Server Profile (LTM Virtual Profiles)

Server Profile SNI

SSL Profiles Part 9: Server Authentication

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS