Forum Discussion
No server hello, no pool packets
I am using automap. Used the SSL profile on client and server side. From the tcpdump, my SSL connection reaches the virtual; however, when I sniffed the pool (443), nothing.
Somewhere between the virtual and the pool, packets are getting dumped. Any ideas? Also, after changing the cert to the default self-signed one, no server hello is being sent out.
OpenSSL client test on the LTM to the virtual:443 and pool:443 presents both certs fine.
What am I missing?
13 Replies
- Chris_Miller
Altostratus
Can you telnet from LTM to server:443 and do an HTTP GET?
- strongarm_46960
Nimbostratus
Posted By Chris Miller on 10/05/2010 09:10 AM
Can you telnet from LTM to server:443 and do an HTTP GET?
May I suggest you re-read my query, especially the OpenSSL client test part. Many thanks.
- Chris_Miller
Altostratus
Posted By strongarm on 10/05/2010 09:29 AM
Posted By Chris Miller on 10/05/2010 09:10 AM
Can you telnet from LTM to server:443 and do an HTTP GET?
May I suggest you re-read my query, especially the OpenSSL client test part. Many thanks.
Doing an openssl test doesn't simulate SNAT. When you sniffed, did you simply sniff from the pool member? I'd capture on the F5 while telnetting to :443 on your Virtual Server to make sure the first half of the connection works fine. With that capture, you should also see the F5 translate the source address and connect to the pool member.
- strongarm_46960
Nimbostratus
Like I said, the first part of the connection (to the Virtual) works fine; I see the client and server cert being exchanged. It's the pool connection which shows no packets, nothing. Funny part is, changing everything to port 80 works.
Could it be a network firewall blocking packets to the SNAT address on port 443? But then why would I be able to receive the server cert (pool side)?
Thanks.
- Chris_Miller
Altostratus
Posted By strongarm on 10/05/2010 10:09 AM
Like I said, the first part of the connection (to the Virtual) works fine; I see the client and server cert being exchanged. It's the pool connection which shows no packets, nothing. Funny part is, changing everything to port 80 works.
Could it be a network firewall blocking packets to the SNAT address on port 443? But then why would I be able to receive the server cert (pool side)?
Thanks.
It could certainly be a firewall blocking traffic. That's why I recommend doing the capture from the F5, as that'll show whether the source address translation is working properly and if you're getting a RST or silent drop for the traffic to the pool members:443.
- George_Watkins_Historic F5 Account
Sounds like you've got just about everything covered in your original post, but I'll give it a shot.
Have you made sure that neither the client nor server certificates used in the profiles are expired? Are you doing any certificate validation on the origin servers? If the answer is no to all of those, I'd start dumping packets on the origin server (looking for packets from the automap address) and see where they are being returned. If nothing pops up there, I'd start checking error logs on the origin server.
Hope this helps,
George
- George_Watkins_Historic F5 Account
Also make sure that you do indeed have a floating self-IP assigned to the egress VLAN and that your origin server has a route back.
-George
- strongarm_46960
Nimbostratus
Thanks, I'll watch out for those silent drops. It certainly appears to be a blocked SNAT 443 port through the firewall.
- George_Watkins_Historic F5 Account
Awesome strongarm, glad you found the smoking gun! :-)
- Chris_Miller
Altostratus
Posted By strongarm on 10/05/2010 11:18 AM
Thanks, I'll watch out for those silent drops. It certainly appears to be a blocked SNAT 443 port through the firewall.
Good deal...snat is a fun one. Health checks originate from the unit's self-ip while snat auto-map uses the floating IP. That can get a bit weird since your pool members might appear up since health check traffic gets through but real traffic can't.
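The two diagnostic ideas in this thread (capture on the F5 to see whether the SNAT'd connection to the pool member gets a SYN/ACK, a RST or nothing at all; and remember that monitor traffic leaves from the non-floating self-IP while SNAT automap leaves from the floating self-IP) can be turned into a small triage script. The following is an added example, not code from the thread or from F5: it reads `tcpdump -nn` lines captured on the server-side VLAN and classifies what happened. The self-IP, floating IP and pool member addresses, and the capture lines themselves, are constructed placeholders.

```shell
#!/bin/bash
# Added example (not from the thread). Classify a tcpdump -nn capture taken on
# the LTM's server-side VLAN: did the SNAT'd SYN to pool:443 get answered,
# refused, or silently dropped, and did monitor traffic from the self-IP get
# through regardless? All addresses are constructed placeholders.

SELF_IP="10.0.2.2"     # assumed non-floating self-IP (health monitors originate here)
FLOAT_IP="10.0.2.3"    # assumed floating self-IP (SNAT automap originates here)
POOL_IP="10.0.2.20"    # assumed pool member

# Filter to use on the LTM, e.g.:  tcpdump -nni <server_vlan> "$(tcpdump_filter)"
tcpdump_filter() {
    printf 'host %s and port 443' "$POOL_IP"
}

# Reads tcpdump -nn lines on stdin and prints a verdict:
#   no-syn       no SYN left from the floating IP: the problem is on the box
#                (profile, route, SNAT config), not on the network
#   syn-ack      pool member answered the SNAT'd SYN; TCP is fine, look at TLS
#   rst          SNAT'd SYN was actively refused (server or rejecting firewall)
#   silent-drop  SNAT'd SYNs went out, nothing came back (dropping firewall)
# "monitor-answered" is appended when the self-IP's probe got a SYN/ACK, which
# is exactly the case where the pool member shows up but real traffic fails.
classify_capture() {
    local snat_syn=0 snat_synack=0 snat_rst=0 mon_synack=0 line verdict
    while IFS= read -r line; do
        case "$line" in
            *" IP $FLOAT_IP."*" > $POOL_IP.443: Flags [S],"*) snat_syn=$((snat_syn+1)) ;;
            *" IP $POOL_IP.443 > $FLOAT_IP."*"Flags [S.],"*)  snat_synack=$((snat_synack+1)) ;;
            *" IP $POOL_IP.443 > $FLOAT_IP."*"Flags [R"*)     snat_rst=$((snat_rst+1)) ;;
            *" IP $POOL_IP.443 > $SELF_IP."*"Flags [S.],"*)   mon_synack=$((mon_synack+1)) ;;
        esac
    done
    if   [ "$snat_syn" -eq 0 ];    then verdict=no-syn
    elif [ "$snat_synack" -gt 0 ]; then verdict=syn-ack
    elif [ "$snat_rst" -gt 0 ];    then verdict=rst
    else                                verdict=silent-drop
    fi
    if [ "$mon_synack" -gt 0 ]; then echo "$verdict monitor-answered"; else echo "$verdict"; fi
}

# Constructed captures (tcpdump -nn style). The first one is the thread's
# smoking gun: monitor from the self-IP answered, SNAT'd SYN retransmitted
# three times with no reply.
CAPTURE_FIREWALL_DROP='10:05:01.000001 IP 10.0.2.2.40001 > 10.0.2.20.443: Flags [S], seq 1, win 4380, length 0
10:05:01.000200 IP 10.0.2.20.443 > 10.0.2.2.40001: Flags [S.], seq 9, ack 2, win 14600, length 0
10:05:02.000001 IP 10.0.2.3.50001 > 10.0.2.20.443: Flags [S], seq 100, win 4380, length 0
10:05:03.000001 IP 10.0.2.3.50001 > 10.0.2.20.443: Flags [S], seq 100, win 4380, length 0
10:05:05.000001 IP 10.0.2.3.50001 > 10.0.2.20.443: Flags [S], seq 100, win 4380, length 0'

CAPTURE_RST='10:06:00.000001 IP 10.0.2.3.50002 > 10.0.2.20.443: Flags [S], seq 200, win 4380, length 0
10:06:00.000300 IP 10.0.2.20.443 > 10.0.2.3.50002: Flags [R.], seq 0, ack 201, win 0, length 0'

CAPTURE_OK='10:07:00.000001 IP 10.0.2.3.50003 > 10.0.2.20.443: Flags [S], seq 300, win 4380, length 0
10:07:00.000300 IP 10.0.2.20.443 > 10.0.2.3.50003: Flags [S.], seq 77, ack 301, win 14600, length 0'

CAPTURE_MONITOR_ONLY='10:08:00.000001 IP 10.0.2.2.40002 > 10.0.2.20.443: Flags [S], seq 5, win 4380, length 0
10:08:00.000200 IP 10.0.2.20.443 > 10.0.2.2.40002: Flags [S.], seq 9, ack 6, win 14600, length 0'

# Usage: pipe a capture file in, or run the constructed samples.
#   tcpdump -nnli <server_vlan> "$(tcpdump_filter)" -c 50 | classify_capture
for name in CAPTURE_FIREWALL_DROP CAPTURE_RST CAPTURE_OK CAPTURE_MONITOR_ONLY; do
    eval "sample=\$$name"
    printf '%-22s %s\n' "$name:" "$(printf '%s\n' "$sample" | classify_capture)"
done
```

A "silent-drop monitor-answered" verdict matches what the thread ended on: the monitor from the self-IP reaches port 443, so the pool member stays green, while the SNAT'd connection from the floating IP never gets a reply, which points at a firewall policy that permits the self-IP but not the floating address. Run the capture on the LTM itself, not on the pool member, so a drop between the two is visible as outbound SYNs with no answer.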