Forum Discussion

Leonardo_39231
Sep 11, 2012

LB_Failed when serverssl profile is used

I have a VS that is doing SSL offloading and re-encrypting to some URIs using iRules. The problem I'm having is that I get a LB_Failed event in my logs when going to the unencrypted pool/"http_pool". If I remove the serverssl profile from the VS then it works fine and I don't get any events logged. The problem loading the page seems to be intermittent; sometimes it works just fine, other times I have the error. (Of course my re-encryption doesn't work, which is fine during my testing.)

Also I noticed when in this error condition, using Firefox/Firebug to look at the HTTP data, the POST doesn't time out until 60 seconds have passed. If I adjust the "Handshake Timeout" on the serverssl profile to, say, 10 seconds then it still fails, but after 10 seconds vs. the 60 seconds.

I did a tcpdump to see what was coming into the F5 and going out to the servers. What I think I noticed is that the POST coming into the VS isn't being sent to the server correctly... it's not sending the POST correctly to the intended http_pool member.

BigIP version 9.4.5

    b rule test_https_irule '{
    when HTTP_REQUEST {
        set http_uri [HTTP::uri]
        set http_host [HTTP::header "Host"]
        set client_addr [IP::client_addr]

        if { [HTTP::uri] starts_with "/http" } {
            SSL::disable serverside
            use pool http_pool
        } elseif { [HTTP::uri] starts_with "/https" } {
            use pool https_pool
        } else {
            SSL::disable serverside
            use pool http_pool_default
        }
    }
    }'

    virtual test_https '{
        destination 10.10.10.1:443
        ip protocol 6
        rules
            header_insert_https_indicator
            test_https_irule
        profiles
            http_redirect_rewrite_profile
            serverssl
            tcp-lan-optimized serverside
            tcp-wan-optimized clientside
            wildcard_worldkat.dev.oclc.org clientssl profile
    }'


Thanks for looking and for any advice/direction!!

Leonardo

  • Hi Leonardo,

    Do you have port and address translation enabled on the virtual server? I don't remember what the defaults are for these two settings in 9.4.x.

    Aaron
  • Also, a URI of /https would match the first check in your rule for a URI starting with /http. You might want to check for /https first if those are the literal URI tokens you're testing with.

    Aaron
  • Could you send us what the error is that you are seeing in the LTM Log?

    This is what Hoolio is suggesting:

    when HTTP_REQUEST {
        set http_uri [HTTP::uri]
        set http_host [HTTP::header "Host"]
        set client_addr [IP::client_addr]

        if { [HTTP::uri] starts_with "/https" } {
            use pool https_pool
        } elseif { [HTTP::uri] starts_with "/http" } {
            SSL::disable serverside
            use pool http_pool
        } else {
            SSL::disable serverside
            use pool http_pool_default
        }
    }

  • Hi Leonardo,

    Do you have port and address translation enabled on the virtual server? I don't remember what the defaults are for these two settings in 9.4.x.

    I'm not 100% sure I understand your question... I do have SNAT set up that translates everything to 1 IP address when going to the server side. The VS does sit at port 443 and the pool servers are on port 20500.

    Also, a URI of /https would match the first check in your rule for a URI starting with /http. You might want to check for /https first if those are the literal URI tokens you're testing with.

    Sorry, the iRule code isn't what I have on the LTM; it was pseudocode, and I didn't do a very good job of ordering the if statements. I just used http & https as examples, but that isn't what I'm actually looking for in my rule.

    Could you send us what the error is that you are seeing in the LTM Log?

    I have a log iRule on the VS that, if there is a LB_Failed event, spits out the VS name, pool name, server name & port, client addr, protocol & port, VS IP and port.

    Example:

    /var/log/user.log.1.gz:Sep 11 15:06:23 tmm tmm[1678]: Rule log_http_kco : VS:ocwms.worldkat.dev.oclc.org; pool:worldkat_opensocial_20500 10.10.10.18 20500; IP client addr:132.174.33.127; TCP client port:56008; IP local addr 132.174.87.139; TCP local port:443

    As always thanks!!

    Leonardo

  • nathe

    Leonardo

    If I understand the issue correctly it's the SSL::disable serverside command failing, as you see the fail event following the timeout value of the server SSL profile you're trying to disable.

    I see from AskF5 that there was an issue with the SSL::disable command in 9.x versions of LTM, but 9.4.5 should've corrected this. I can't see any other references in newer version release notes.

    With all this in mind, is it worth disabling the SSL profile using the SERVER_CONNECTED event, something along the lines of the 2nd example in the SSL::disable wiki:

    https://devcentral.f5.com/wiki/iRules.ssl__disable.ashx

    Hope this helps,

    N
  • I tried disabling the SSL in SERVER_CONNECTED event and looks like it's working now! Thanks for the suggestion Nathan and thanks for everyone else's input. Not sure why it didn't work the other way but I'm happy to have a way for this to work as expected. Thanks everyone!
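For readers landing on this thread later, here is an added example iRule that puts nathe's suggestion (make the pool choice in HTTP_REQUEST, but issue SSL::disable from SERVER_CONNECTED) together with the kind of LB_FAILED logging Leonardo used to diagnose the problem. It is not code from the thread, from F5's wiki or from Leonardo's LTM; the pool names, the "/https" prefix convention, the `reencrypt` variable and the exact log format are assumptions chosen to match the thread.

```tcl
# Added example iRule (not from the thread or from F5's SSL::disable wiki).
# Assumptions: pools https_pool, http_pool and http_pool_default exist, the VS
# carries both a clientssl and a serverssl profile, and only requests whose
# URI starts with "/https" must be re-encrypted towards the server.

when HTTP_REQUEST {
    # Decide per request which pool to use and whether the server side needs
    # TLS. Test the longer prefix first: "/https" also starts with "/http",
    # so the order of the checks matters (Aaron's point above).
    if { [HTTP::uri] starts_with "/https" } {
        set reencrypt 1
        pool https_pool
    } elseif { [HTTP::uri] starts_with "/http" } {
        set reencrypt 0
        pool http_pool
    } else {
        set reencrypt 0
        pool http_pool_default
    }
}

when SERVER_CONNECTED {
    # SERVER_CONNECTED fires once the serverside TCP connection is up. Turning
    # serverside SSL off here, rather than in HTTP_REQUEST, is the pattern the
    # thread found to work on 9.4.5. The info exists guard covers connections
    # opened before any HTTP_REQUEST set the flag.
    if { [info exists reencrypt] && !$reencrypt } {
        SSL::disable serverside
    }
}

when LB_FAILED {
    # Log the same fields Leonardo's log iRule records, so a failed pool
    # member selection can be tied back to a VS, pool, member and client.
    # [virtual name] and [LB::server pool] are assumed available on this release.
    log local0. "LB_FAILED VS:[virtual name]; pool:[LB::server pool] [LB::server addr] [LB::server port]; client:[IP::client_addr]:[TCP::client_port]; local:[IP::local_addr]:[TCP::local_port]"
}
```

One caveat worth keeping in mind: the flag is set per HTTP request but acted on per serverside connection. The pattern is safe as long as re-encrypted and plain-text requests never share a serverside connection, which holds here because they go to different pools; if that ever changes (for example a single pool reached both ways behind OneConnect), the first request's decision on a reused connection would carry over to later requests.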