Forum Discussion
Luca_55898
Nimbostratus
Aug 01, 2011
LTM SSL VIP Forward to node on port 81
Hi,
I have a VIP which is used for HTTPS access to a website.
I have applied the SSL cert and selected the cert in the SSL Client profile. All that looks to be working fine.
The pool that is assigned to the VIP just has one pool member and is added to the pool on port 81. The F5 forwards traffic to the server on port 81. This is needed because the server hosts multiple sites and the web developers use different ports to differentiate between the sites.
So the website starts with a logon screen. After someone puts in the credentials the page sits there for a minute, then just times out. The error is "Internet Explorer cannot display the webpage".
This only happens when the VIP is configured to listen on HTTPS and the SSL cert is in use.
If I configure the VIP to use HTTP then the users are authenticated and the page loads.
The web server actually queries another server for authentication. I can see all this traffic on our firewalls, and as I said this works when using HTTP only.
So what am I doing wrong with the HTTPS VIP?
Are you able to use HTTPS and then forward traffic to the pool on a different port?
Do I need any other configs to get this working with SSL?
Port translation is enabled and is set to preserve the source port... not sure if that is relevant or not. I have mucked around with a few different settings but no luck.
thanks.
7 Replies
- nathe
Cirrocumulus
Luca
You can certainly translate the port from 443 to 81.
In the VS config have you got anything set for SSL Profile (Server)? If you have then this may be the culprit. Depends if you plan to re-encrypt the server side transaction of course. I think I had a similar issue once when I'd added a Chain to the Client SSL Profile. I didn't in fact need it and once I removed it the connection worked.
Perhaps an output of your VS will help?
Rgds
N
- Luca_55898
Nimbostratus
Hi Nathan,
No, I do not have a Server SSL Profile configured. There is not much config on the VS:
Name-SiteOnline
Partition-Online
Address-192.168.67.104
Service Port-443
Configuration
Type-Standard
Protocol-TCP
Protocol Profile (Client)-TCP
Protocol Profile (Server)-(Use client profile)
One connect profile-None
NTLM Conn Pool-None
HTTP Profile-None
FTP Profile-None
Stream Profile-None
XML Profile-None
SSL Profile(Client)-www.oursite.com-clientssl
SSL Profile(Server)-None
Authentication Profiles-None
RTSP Profile-None
Diameter Profile-None
SIP Profile-None
Statistics Profile-None
VLAN and Tunnel Traffic - Enabled on relevant interface
SNAT Pool-Auto Map
Rate Class-None
Traffic Class-None
Connection Limit-0
Address Translation-Enabled
Port Translation-Enabled
Source Port-Preserve
Clone Pool (Client)-None
Clone Pool (Server)-None
So that's the VIP config.
As mentioned the node is added to the pool on port 81.
Using the same pool with an HTTP VIP works.
- nathe
Cirrocumulus
Luca
Thanks - seems fine to me. Have you tried a tcpdump on both client and server side? Be good to compare both the http vip and https vip.
Rgds
N
- Luca_55898
Nimbostratus
There is a huge difference in the output between HTTP and HTTPS. When I do tcpdump on the HTTP connection the screen fills up instantly with heaps of data.
When I do HTTPS I only get a couple of lines of output. I'm not too sure what I should be looking for here to be honest.
- Luca_55898
Nimbostratus
Logs on the F5 show this error:
"Packet rejected remote IP 144.xxx.xxx.xxx port 24490 local IP 192.168.67.104 port 80 proto TCP: Port closed"
192.168.67.104 is the VIP - Why is it trying to connect on port 80?
- Anthony_Graber
Employee
Luca, you may want to use Fiddler or Firebug to see what's going on as well. You could try assigning an http profile with redirect rewrite enabled.
EDIT: Here's a solution for you: http://support.f5.com/kb/en-us/solu...r=15816890
Anthony
- Luca_55898
Nimbostratus
Yep that sorted it.
Cheers.
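
An added example, not part of the thread and not F5 code: a Python check for the failure that the port-80 log line and the redirect-rewrite suggestion point to, assuming the port-81 server answers the logon with an absolute `http://` redirect. The hostname is taken from the client SSL profile name; the response headers and the rewrite rule are constructed for illustration and do not reproduce BIG-IP's exact behaviour.

```python
from urllib.parse import urlsplit, urlunsplit

VIP_HOST = "www.oursite.com"  # assumed from the client SSL profile name in the thread
NODE_PORT = 81                # pool member port from the thread

def find_downgrade(status, headers, vip_host=VIP_HOST):
    """Return Location if a 3xx response sends the client to http:// on the VIP host."""
    if not 300 <= status < 400:
        return None
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if not location:
        return None
    parts = urlsplit(location)
    # Relative redirects have no scheme and stay on the client's HTTPS connection.
    if parts.scheme == "http" and parts.hostname == vip_host.lower():
        return location
    return None

def rewrite_location(location, node_port=NODE_PORT):
    """Illustrative rewrite (not BIG-IP's algorithm): http -> https, dropping port 80 or the node port."""
    parts = urlsplit(location)
    if parts.scheme != "http" or parts.port not in (None, 80, node_port):
        return location
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))

# Constructed responses, as a capture between the VIP and the port-81 server might show them.
SAMPLE_RESPONSES = [
    (200, {"Content-Type": "text/html"}),                     # logon page
    (302, {"Location": "http://www.oursite.com/home.aspx"}),  # absolute redirect after logon
    (302, {"Location": "/home.aspx"}),                        # relative redirect, harmless
]

def audit(responses):
    """Return (original, rewritten) pairs for every downgrading redirect."""
    findings = []
    for status, headers in responses:
        bad = find_downgrade(status, headers)
        if bad:
            findings.append((bad, rewrite_location(bad)))
    return findings

if __name__ == "__main__":
    for original, fixed in audit(SAMPLE_RESPONSES):
        print(f"downgrade: {original} -> {fixed}")
```

A redirect flagged here sends the browser to port 80 on the VIP address, where an HTTPS-only virtual server has no listener, and would otherwise carry the post-logon session in cleartext.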
