Forum Discussion

Luca_55898 (Nimbostratus)
Aug 01, 2011

LTM SSL VIP Forward to node on port 81




I have a VIP which is used for HTTPS access to a website.


I have applied the SSL cert and selected the cert in the SSL Client profile. All that looks to be working fine.



The pool that is assigned to the VIP just has one pool member and is added to the pool on port 81. The F5 forwards traffic to the server on port 81. This is needed because the server hosts multiple sites and the web developers use different ports to differentiate between the sites.



So the website starts with a logon screen. After someone puts in the credentials the page sits there for a minute, then just times out. The error is "Internet Explorer cannot display the webpage".



This only happens when the VIP is configured to listen on HTTPS and the SSL cert is in use.

If I configure the VIP to use HTTP then the users are authenticated and the page loads.



The web server actually queries another server for authentication. I can see all this traffic on our firewalls, and as I said this works when using HTTP only.



So what am I doing wrong with the HTTPS VIP?


Are you able to use HTTPS and then forward traffic to the pool on a different port?


Do I need any other configs to get this working with SSL?



Port translation is enabled and is set to preserve the source port... not sure if that is relevant or not. I have mucked around with a few different settings but no luck.





7 Replies

  • nathe (Cirrocumulus)



    You can certainly translate the port from 443 to 81.



    In the VS config have you got anything set for SSL Profile (Server)? If you have then this may be the culprit. Depends if you plan to re-encrypt the server side transaction of course. I think I had a similar issue once when I'd added a Chain to the Client SSL Profile. I didn't in fact need it and once I removed it the connection worked.



    Perhaps an output of your VS will help?





  • Hi Nathan,



    No, I do not have a Server SSL Profile configured. There is not much config on the VS:

    Service Port: 443
    Protocol Profile (Client): TCP
    Protocol Profile (Server): (Use client profile)
    OneConnect Profile: None
    NTLM Conn Pool: None
    HTTP Profile: None
    FTP Profile: None
    Stream Profile: None
    XML Profile: None
    SSL Profile (Client)
    SSL Profile (Server): None
    Authentication Profiles: None
    RTSP Profile: None
    Diameter Profile: None
    SIP Profile: None
    Statistics Profile: None
    VLAN and Tunnel Traffic: Enabled on relevant interface
    SNAT Pool: Auto Map
    Rate Class: None
    Traffic Class: None
    Connection Limit: 0
    Address Translation: Enabled
    Port Translation: Enabled
    Source Port: Preserve
    Clone Pool (Client): None
    Clone Pool (Server): None

    So that's it, the VIP config.

    As mentioned, the node is added to the pool on port 81.

    Using the same pool with an HTTP VIP works.
  • nathe (Cirrocumulus)



    Thanks - seems fine to me. Have you tried a tcpdump on both client and server side? Be good to compare both the http vip and https vip.





  • There is a huge difference in the output between HTTP and HTTPS. When I do tcpdump on the HTTP connection the screen fills up instantly with heaps of data.

    When I do HTTPS I only get a couple of lines of output. I'm not too sure what I should be looking for here, to be honest.
  • Logs on the F5 show this error





    Packet rejected remote IP port 24490 local IP port 80 proto TCP: Port closed"


  is the VIP - Why is it trying to connect on port 80?