Forum Discussion
PJ_72486
Nimbostratus
NimbostratusProtecting SAP Web Dispatcher with F5 ASM
I am working with a customer to insert an F5 ASM in front of their SAP Web Dispatcher. The ASM is terminating SSL via a client SSL profile, and the re-encrypts traffic back to the SAP Web Dispatcher via a generic Server SSL profile. The SAP Web Dispatcher in turn terminates the SSL connection established by the F5 ASM. This is, however, not working. I see the establishment of the TCP connection via TCP/443 for both health monitors and client connections. The client connections get a Reset though right after the handshake completes. In summary: 1) SYN, 2) SYN ACK, 3) ACK 4) Client sends SSL Continuation Data, 5) Web Dispatcher ACKs the packet, 6) Web Dispatcher sends a RST, ACK 7) Error in browser results.
All the documentation regarding SAP and F5 certifications, setup, etc. all indicate that the F5 replaces the SAP Web Dispatcher, and nothing mentions integrating the F5 ASM into the an environment that includes the Web Dispatcher. Has anyone set up an F5 ASM in front of an SAP Web Dispatcher?
Thanks.
hoolioCirrostratus
Hi PJ,
Whenever there are issues in the initial implementation of a VIP with ASM, I'd suggest removing the HTTP class with ASM enabled from the VIP and making sure the load balancing is working first. Once that is confirmed, you can add ASM and ensure you're only troubleshooting one issue at a time.
Can you remove the HTTP class from the VIP and retest?
Aaron
PJ_72486Aaron,
Thanks for your response. I did try that, but it did not help. As it turns out, the back end Web Dispatcher is now listening on a non-encrypted port and all is working now. I still do wonder if terminating SSL on the front end and establishing SSL on the back end (to the Web Dispatcher) is supported.
sandip_bhor_813We also face same problem. We have deployed SSL certificate on F5 and two Web dispatcher are behind it. They are running on unsecured port. It works fine if we deploy SSL on Web dispatcher. Did any one have solution ?
Thanks- Sandip, am I understanding your issue correctly? In the earlier post in this thread, the issue was that SSL re-encrypt was not working. If I understand your issue, you would like to only encrypt on the F5.
Are you are also using ASM or are you using LTM? Do you have a server ssl profile and client ssl profile ? Also, are you using the HTTP profile?
Can you run a tcpdump on the web dispatcher and see what the connection looks like?