Forum Discussion
LTM - how to setup a VS for service bus?
Hello All,
I have a service bus farm with 3 nodes and the endpoint looks like this:
Endpoint=sb://servicebus-test/Retail;StsEndpoint=
I have setup 2 VS, one each using other port and then 9354 and 9355. I set them both to use Performance (Layer 4) to allow the pass through of the local certs. I set the protocol to TCP and the source address translation to Automap. When the clients test, they get socket error and "An existing connection was forcibly closed by the remote host".
I have an iRule on both VS for syslog_http_logging_debug, but the logs don't show any problems.
Any ideas on what to change in my VSs to get this to work? FYI, the clients work fine when bypassing the VS using a hosts file entry to any of the servers IPs directly.
Thank you, Scott
12 Replies
- R_Marc
Nimbostratus
can you post a sanitized version of the virtual and pool and any relevant profiles?
- MVA
Nimbostratus
What does a tcpdump on frontend and backend show? I would look to see that the TCP connection is happening on both sides and who is closing the connection. You mention certs, too, so I would also look closely at the SSL handshake; make sure the client/server on each side is negotiating properly and who is closing the connection, any SSL alerts, etc. Hope that helps.
- Scott_Beavers_1
Nimbostratus
@R Marc, any suggestions on how to get a printout of the pool and vs profiles from the GUI?
@Mel, I am working on getting a tcpdump for both sides from the F5.
- R_Marc
Nimbostratus
For a readable output you'd need to use tmsh:
    list ltm virtual your-virtual-name
    list ltm pool your-pool-name
    list ltm profile client-ssl your-client-ssl-profile
    list ltm profile server-ssl your-server-ssl-profile
- Scott_Beavers_1
Nimbostratus
@R Marc, thanks for your help. Here is the output:
VS's (there are 2, 1 for each port):
    ltm virtual _vip_otv_svcbus_TEST_https_9354 {
        destination 10.11.8.11%60722:9354
        ip-protocol tcp
        mask 255.255.255.255
        partition DevTest_Domain_Default_Partition
        persist { /Common/source_addr { default yes } }
        pool _pool_otv_svcbus-TEST
        profiles { /Common/fastL4 { } /Common/http { } }
        rules { syslog_http_logging_debug }
        source 0.0.0.0/0
        source-address-translation { type automap }
        vs-index 22
    }
    ltm virtual _vip_otv_svcbus_TEST_https_9355 {
        destination 10.11.8.11%60722:9355
        ip-protocol tcp
        mask 255.255.255.255
        partition DevTest_Domain_Default_Partition
        persist { /Common/source_addr { default yes } }
        pool _pool_otv_svcbus-TEST
        profiles { /Common/fastL4 { } /Common/http { } }
        rules { syslog_http_logging_debug }
        source 0.0.0.0/0
        source-address-translation { type automap }
        vs-index 23
    }
Pool:
    ltm pool _pool_otv_svcbus-TEST {
        members {
            ST-SVCBUS-001:any { address 10.11.31.43 session monitor-enabled state up }
            ST-SVCBUS-002:any { address 10.11.31.44 session monitor-enabled state up }
            ST-SVCBUS-003:any { address 10.11.31.45 session monitor-enabled state up }
        }
        monitor /Common/gateway_icmp
        partition DevTest_Domain_Default_Partition
    }
I don't think the client-ssl-profile is being used for these? How can I tell? (sorry, I'm new to the F5s).
Thanks for the help, Scott
- Scott_Beavers_1
Nimbostratus
@Mel, I went into the GUI and turned on TCPDUMP for both VLANs (in and out of the F5) and hit start and it spit out a file I downloaded and then uploaded into the BigIP iHealth site to view the qkview file, but the site says it failed to process the file. I tried it 2 more times with the same result. Any ideas?
- MVA
Nimbostratus
I've never run the tcpdump via the gui, I'll have to check that out. :)
I would run at the F5 console: "tcpdump -ni 0.0:nnn -s0 -v -w /var/tmp/svcbus.pcap host 10.11.8.11 or host 10.11.31.43 or host 10.11.31.44 or host 10.11.31.45"
It looks like you're using route domains as indicated by the VS "10.11.8.11%60722". In this case, I'm not sure if you need to specify that in the tcpdump. Try the above first.
I then download to my PC and open in Wireshark. Confirm tcp 3 way handshake and I would guess from above that SSL negotiation would be next. Look for clienthello, serverhello, certificates, serverhellodone, etc. You may have to add port 9355 and 9344 to the HTTP port preferences in Wireshark so those packets are translated properly.
Last thought: if you're using route domains ensure that domain can talk to those pool members, I think the setting is called "strict isolation".
- Scott_Beavers_1
Nimbostratus
@Mel, I was able to get the tcpdump using the console command you provided. I'm reviewing it now in Wireshark, and trying to make sense of it. As for the routing domains, I will ask the person who setup the F5.
- R_Marc
Nimbostratus
Well, your virtuals don't have a client-ssl profile or a server-ssl profile, but your sb destination states it's https.
StsEndpoint=
So I see a couple options here.
- Remove the http profile, so it becomes just a tcp passthru (this will probably make the iRule useless)
- add in a client/server ssl profile.
In both cases I'm not sure http and fastL4 are compatible. There is a fastHTTP feature that would probably be better for what you seem to be trying to do. Both the "fast" profiles limit the capabilities available to you in an iRule from what I understand. I would probably start with just tcp + http profiles adding in the ssl profiles. Unless you have a particular reason for using the fast* profiles.
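The two options above, written out as tmsh configuration fragments added here for illustration (not posted by anyone in the thread): option 1 is the 9354 virtual from Scott's output with the http profile and iRule removed, so fastL4 passes the TLS stream through untouched; option 2 terminates and re-encrypts TLS on the BIG-IP with the standard tcp profile plus client-ssl and server-ssl profiles. /Common/tcp, /Common/clientssl and /Common/serverssl are BIG-IP default profiles; the svcbus_clientssl profile and its svcbus.crt/svcbus.key cert-key pair are assumed placeholders that would have to be created with a certificate the Service Bus clients actually trust.

```tmsh
# Option 1: pure Layer 4 pass-through. Same virtual as posted above, minus
# /Common/http and the iRule, so the BIG-IP never tries to parse the TLS bytes
# as HTTP (fastL4 cannot be combined with an http profile in any useful way).
ltm virtual _vip_otv_svcbus_TEST_9354 {
    destination 10.11.8.11%60722:9354
    ip-protocol tcp
    mask 255.255.255.255
    persist { /Common/source_addr { default yes } }
    pool _pool_otv_svcbus-TEST
    profiles { /Common/fastL4 { } }
    source 0.0.0.0/0
    source-address-translation { type automap }
}

# Option 2: terminate TLS on the BIG-IP and re-encrypt to the pool members.
# Standard tcp profile instead of fastL4, client-ssl on the client side,
# server-ssl on the server side; only then can /Common/http and an iRule
# see the decrypted request.
# Assumption (placeholder): svcbus_clientssl carries the cert the clients expect.
ltm profile client-ssl svcbus_clientssl {
    defaults-from /Common/clientssl
    cert-key-chain {
        default {
            cert svcbus.crt
            key svcbus.key
        }
    }
}
ltm virtual _vip_otv_svcbus_TEST_https_9354 {
    destination 10.11.8.11%60722:9354
    ip-protocol tcp
    mask 255.255.255.255
    persist { /Common/source_addr { default yes } }
    pool _pool_otv_svcbus-TEST
    profiles {
        /Common/tcp { }
        svcbus_clientssl { context clientside }
        /Common/serverssl { context serverside }
        /Common/http { }
    }
    rules { syslog_http_logging_debug }
    source 0.0.0.0/0
    source-address-translation { type automap }
}
```

Either way, note that the posted pool monitors its members with gateway_icmp on port any, which only proves the hosts answer ping; a /Common/tcp monitor on port 9354 would confirm the Service Bus listener itself is up before traffic is sent to it.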
- Scott_Beavers_1
Nimbostratus
@R Marc,
Thanks for the tips. I have removed the iRules and set the http profile to none, but I do not see where in the VS I set the client and server SSL profile. I will keep looking for that.
Thanks, Scott