Forum Discussion
Secure site giving problems
I have a secure site going through an LTM with cookie persistence, but after you log into the site everything you click on returns to the home screen. I tested directly to the backend and everything works, but through the LTM I'm getting this behaviour.
20 Replies
- Mohamed_Lrhazi
Altocumulus
I'd use http://www.fiddler2.com/fiddler2/ or https://getfirebug.com/ to find out what URLs the clicks are generating, then find out why they result in a redirect.
- Angelo
Nimbostratus
This is what I get after I log in and test the connection: it goes to the next URI, then returns to the previous one...
Sep 19 09:20:40 tmm2 info tmm2[12149]: Rule /Common/CRM : 10.200.205.25:59323 -> 10.217.235.116:20176 -> 10.200.205.25:59323 | pool: /SOA/pool_soa_bpm_prd | URI: /bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=212ff9bkc_14
Sep 19 09:20:44 tmm2 info tmm2[12149]: Rule /Common/CRM : 10.200.205.25:59323 -> 10.217.235.116:20176 -> 10.200.205.25:59323 | pool: /SOA/pool_soa_bpm_prd | URI: /bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=212ff9bkc_14&Adf-Rich-Message=true&unique=1348039284754&oracle.adf.view.rich.STREAM=wlctdc:j_id_id14:r1:0:vldc:vtpdc:viewTree,wlctdc:j_id_id14:r1:0:tldc:taskTable&javax.faces.ViewState=!ztqd42pux
Sep 19 09:20:44 tmm2 info tmm2[12149]: Rule /Common/CRM : 10.200.205.25:59323 -> 10.217.235.116:20176 -> 10.200.205.25:59323 | pool: /SOA/pool_soa_bpm_prd | URI: /favicon.ico
Sep 19 09:20:44 tmm1 info tmm1[12148]: Rule /Common/CRM : 10.200.205.25:59324 -> 10.217.235.116:20176 -> 10.200.205.25:59324 | pool: /SOA/pool_soa_bpm_prd | URI: /favicon.ico
Sep 19 09:20:58 tmm3 info tmm3[12150]: Rule /Common/CRM : 10.200.205.25:59333 -> 10.217.235.116:20176 -> 10.200.205.25:59333 | pool: /SOA/pool_soa_bpm_prd | URI: /bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=212ff9bkc_14
Sep 19 09:21:14 tmm3 info tmm3[12150]: Rule /Common/CRM : 10.200.205.25:59333 -> 10.217.235.116:20176 -> 10.200.205.25:59333 | pool: /SOA/pool_soa_bpm_prd | URI: /bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=212ff9bkc_14
Sep 19 09:21:27 tmm3 info tmm3[12150]: Rule /Common/CRM : 10.200.205.25:59333 -> 10.217.235.116:20176 -> 10.200.205.25:59333 | pool: /SOA/pool_soa_bpm_prd | URI: /bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=212ff9bkc_14
- Kevin_Stewart
Employee
Your log verifies that it is going back to the same URIs, but doesn't tell us what the client is asking for and what it's getting. As Mohamed suggested, can you use something like Fiddler2, Firebug, or Wireshark on the client side?
- Angelo
Nimbostratus
Hi Kevin,
This is what I get, but I'm not sure what it means:
CONNECT esf.mtn.co.za:20176 HTTP/1.1
Host: esf.mtn.co.za:20176
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.79 Safari/535.11
A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.
Major Version: 3
Minor Version: 1
Random: 50 59 94 FA EE FD 92 A2 92 AC 9A 36 34 A9 01 B2 81 4F 1C 57 84 D6 63 FA 57 85 F0 86 9D DD 4F A8
SessionID: D5 91 33 41 E8 7C DB 6C 3E 70 EE F5 C3 82 AB 93 74 B8 76 72 D9 59 88 4D 6E 1F 7A EF 2E 82 90 8F
Ciphers:
[C00A]TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[C014]TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[0088]TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
[0087]TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
[0039]TLS_DHE_RSA_WITH_AES_256_SHA
[0038]TLS_DHE_DSS_WITH_AES_256_SHA
[C00F]TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
[C005]TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
[0084]TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
[0035]TLS_RSA_AES_256_SHA
[C007]TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
[C009]TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C011]TLS_ECDHE_RSA_WITH_RC4_128_SHA
[C013]TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[0045]TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
[0044]TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
[0066]TLS_DHE_DSS_WITH_RC4_128_SHA
[0033]TLS_DHE_RSA_WITH_AES_128_SHA
[0032]TLS_DHE_DSS_WITH_AES_128_SHA
[C00C]TLS_ECDH_RSA_WITH_RC4_128_SHA
[C00E]TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
[C002]TLS_ECDH_ECDSA_WITH_RC4_128_SHA
[C004]TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
[0096]TLS_RSA_WITH_SEED_CBC_SHA
[0041]TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
[0004]SSL_RSA_WITH_RC4_128_MD5
[0005]SSL_RSA_WITH_RC4_128_SHA
[002F]TLS_RSA_AES_128_SHA
[C008]TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
[C012]TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
[0016]SSL_DHE_RSA_WITH_3DES_EDE_SHA
[0013]SSL_DHE_DSS_WITH_3DES_EDE_SHA
[C00D]TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
[C003]TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
[FEFF]SSL_RSA_FIPS_WITH_3DES_EDE_SHA
[000A]SSL_RSA_WITH_3DES_EDE_SHA
Compression:
[01]DEFLATE
[00]NO_COMPRESSION
Extensions:
server_name esf.mtn.co.za
renegotiation_info 00
elliptic_curves 00 06 00 17 00 18 00 19
ec_point_formats 01 00
SessionTicket TLS empty
next_proto_neg(SPDY) empty
status_request 01 00 00 00 00
- Kevin_Stewart
Employee
What you're looking at is the SSL negotiation and probably the encrypted traffic. Because Fiddler is a proxy you must configure it to be able to manage the SSL data.
Let's try this: tell us a little more about your environment.
How is the virtual server configured?
Are you terminating the SSL and then re-encrypting with client and server SSL profiles?
Do you have an iRule applied, and if so can you share it?
- What_Lies_Bene1
Cirrostratus
Rather than use Fiddler, you might want to use the Live HTTP Headers add-in with Firefox or HTTPWatch with IE and use either of those to capture the HTTP traffic between your client host and the F5. In particular you probably want to look out for 3XX redirects with http:// instead of https:// in the path. You'll also be able to confirm you are receiving and sending the persistence cookie.
- Angelo
Nimbostratus
This is what I get from HTTPWatch:
HTTPWatch export. Every entry belongs to the page "Business Process Workspace" with Warnings (N/A) and no Comment or Flag, so those columns are folded into this note; the remaining columns are:

Started  Time   Sent  Received  Method  Result  Type  URL
24:12.5  0.193  1940  853       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:18.9  0.21   1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:21.1  0.21   1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:22.4  0.202  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:23.3  0.205  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:23.7  0.218  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:24.0  0.187  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:24.2  0.178  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:24.6  0.222  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:24.9  0.18   1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:25.1  0.194  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:25.3  0.725  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:55.3  0.201  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:58.3  0.2    1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:59.0  0.215  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:59.5  0.195  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:59.7  0.185  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
24:59.9  0.178  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
25:00.1  0.179  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
25:00.3  0.174  1721  799       POST    200     xml   https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9
- Kevin_Stewart
Employee
Because the connection is encrypted to the client, you'll either need to use a browser-based plugin (Live HTTP Headers, IEWatch, HTTPWatch), or configure a proxy (Fiddler) or wire capture (Wireshark) to be able to intercept and decrypt the SSL.
However you do it, you need to be able to inspect the underlying HTTP data to see what the client is receiving and what it's asking for.
Wireshark's SSL decryption instructions are here: http://wiki.wireshark.org/SSL
You can also use SSLDUMP in the BIG-IP shell to decrypt and inspect the data:
ssldump -k -i 0.0 -AdnN
where:
-k is the private key used in the client SSL profile
-i is the interface (0.0 is all interfaces)
-A means get everything
-d means decrypt the traffic
-n means don't try to resolve
-N means parse ASN.1 data
is a required TCPDUMP-style filter
ex. ssldump -k
You need to be in front of SSL negotiation, so clear the SSL state in your browser between tests.
** You could also try turning off SSL on the client side just long enough to see (a) if it works without SSL or (b) what the client is sending/receiving.
- Kevin_Stewart
Employee
You beat me to the punch...
So you're saying that there are repeated POSTs to https://esf.mtn.co.za:20176/bpm/workspace/faces/jsf/worklist/worklist.jspx?_adf.ctrl-state=xod1w2im6_9?
Is the browser making these requests by itself or are you refreshing or retrying? I guess the next step is to look at the logic of the app. Does it work if you turn off SSL on the client side of the BIG-IP? Is there anything in the 200 response that the application logic wouldn't like (compare the responses between the encrypted and non-encrypted access)?
What type of persistence are you using? If cookie-based, do you see the cookie being transmitted back to the server?
- What_Lies_Bene1
Cirrostratus
Angelo,
This doesn't look like the complete transaction. I don't see anything other than the same POST request being repeatedly sent and a 200 being received. I'd expect to see an initial GET and something around your authentication etc and then a return to the home page?
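The two checks suggested in this thread (What_Lies_Bene1's advice to look for 3XX redirects whose Location drops back to http://, and Kevin's question about whether the persistence cookie is actually transmitted back to the server) can be run mechanically over a browser-side capture once the HTTP is visible. The script below is an added example and not code from any poster or from F5. It runs over a constructed request/response capture (host bpm.example.com, cookie values and paths all made up), flags scheme-changing redirects, traces where the persistence cookie was set and which later requests echoed it, and decodes the cookie using the default BIG-IP encoding, which is documented as the IPv4 address as a little-endian 32-bit decimal and the port byte-swapped; if the LTM is configured to encrypt its persistence cookies, that decoder does not apply.

```python
"""Diagnose a captured HTTPS session for insecure redirects and persistence-cookie loss."""
import struct
from urllib.parse import urlsplit

# Constructed sample capture (not from the thread): one (request, response) pair per
# entry, each as a raw header block in the order the client saw them. The host, the
# JSESSIONID value and the BIGipServer cookie value are made up for this example.
SAMPLE_EXCHANGE = [
    (
        "GET /bpm/login HTTP/1.1\r\nHost: bpm.example.com:20176\r\n\r\n",
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: BIGipServerpool_soa_bpm_prd=83886090.16671.0000; path=/\r\n"
        "Set-Cookie: JSESSIONID=abc123; path=/; Secure; HttpOnly\r\n\r\n",
    ),
    (
        "POST /bpm/login HTTP/1.1\r\nHost: bpm.example.com:20176\r\n"
        "Cookie: BIGipServerpool_soa_bpm_prd=83886090.16671.0000; JSESSIONID=abc123\r\n\r\n",
        # A redirect back to plain http:// is exactly the symptom the thread warns about.
        "HTTP/1.1 302 Found\r\n"
        "Location: http://bpm.example.com:20176/bpm/workspace/faces/home.jspx\r\n\r\n",
    ),
    (
        # The persistence cookie is missing here, so the LTM may pick a different member.
        "GET /bpm/workspace/faces/home.jspx HTTP/1.1\r\nHost: bpm.example.com:20176\r\n"
        "Cookie: JSESSIONID=abc123\r\n\r\n",
        "HTTP/1.1 200 OK\r\n\r\n",
    ),
]


def parse_message(raw):
    """Split a raw HTTP header block into (start line, [(lowercased name, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def header_values(headers, name):
    """All values of a (possibly repeated) header, e.g. several Set-Cookie lines."""
    return [v for n, v in headers if n == name]


def find_insecure_redirects(exchange, expected_scheme="https"):
    """Return (index, status, location) for 3xx responses whose Location changes scheme."""
    findings = []
    for i, (_, resp) in enumerate(exchange):
        status_line, headers = parse_message(resp)
        parts = status_line.split()
        if len(parts) < 2 or not parts[1].startswith("3"):
            continue
        for loc in header_values(headers, "location"):
            scheme = urlsplit(loc).scheme
            if scheme and scheme != expected_scheme:
                findings.append((i, int(parts[1]), loc))
    return findings


def trace_persistence_cookie(exchange, prefix="bigipserver"):
    """Record where the persistence cookie was first set and which later requests echoed it."""
    name = value = set_at = None
    echoed, missing = [], []
    for i, (req, resp) in enumerate(exchange):
        if name is not None:  # only requests after the Set-Cookie can echo it
            _, req_headers = parse_message(req)
            sent = ";".join(header_values(req_headers, "cookie"))
            names = [c.split("=", 1)[0].strip() for c in sent.split(";") if c.strip()]
            (echoed if name in names else missing).append(i)
        _, resp_headers = parse_message(resp)
        for sc in header_values(resp_headers, "set-cookie"):
            cname, _, rest = sc.partition("=")
            if name is None and cname.strip().lower().startswith(prefix):
                name, value, set_at = cname.strip(), rest.split(";", 1)[0].strip(), i
    return {"name": name, "value": value, "set_at": set_at, "echoed": echoed, "missing": missing}


def decode_bigip_cookie(value):
    """Decode the default (unencrypted) BIG-IP cookie value "<ip>.<port>.0000" to (ip, port).

    The first field is the IPv4 address read as a little-endian uint32; the second is
    the TCP port with its two bytes swapped.
    """
    ip_dec, port_dec, _ = value.split(".")
    ip = ".".join(str(b) for b in struct.pack("<I", int(ip_dec)))
    port = int(port_dec)
    return ip, ((port & 0xFF) << 8) | (port >> 8)


def diagnose(exchange):
    """Run both checks and, when the cookie is decodable, name the pool member it points at."""
    report = {
        "insecure_redirects": find_insecure_redirects(exchange),
        "persistence": trace_persistence_cookie(exchange),
    }
    value = report["persistence"]["value"]
    report["member"] = decode_bigip_cookie(value) if value else None
    return report


if __name__ == "__main__":
    for key, val in diagnose(SAMPLE_EXCHANGE).items():
        print(f"{key}: {val}")
```

On a real capture, feed `diagnose()` the request/response pairs exported from HTTPWatch or Live HTTP Headers: a non-empty `insecure_redirects` list points at the application or a rewrite rule emitting http:// Locations behind SSL offload, and any index in `persistence.missing` is a request the LTM could have sent to a different pool member, which is what makes a session look like it has been reset to the home page. The decoded `member` should correspond to a member of the pool in question; if it does not, the cookie is stale or was set by a different virtual server.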