server_name extension missing from Client Hello
I ran a trace recently on some traffic and, while reviewing it in Wireshark, I see that in some instances the server_name extension details are visible in the client hello. However, seconds later, in a client hello the same extension is missing. This corresponds with the behaviour we're seeing in our testing: when the client hello contains the server_name extension we get a working 201-type response; however, when it is missing we get 503 errors.
Is there a configuration/explanation as to why this might be happening? How do we ensure that the server_name extension detail is always included in the client hello?
@cmcnicholas These are the actual client connections failing, or is this a log you are parsing through that shows the SSL error? The reason I ask is because it could be the health check from the F5 that is causing the error, because health checks originate from the self IP while load-balanced traffic originates from the floating IP of the F5. If it's the client IP, it might be worth running some captures to see if the F5 receives the SNI, because it could be a misconfiguration on the client side. If you want to enable SNI on the health monitor, make sure you have the SSL profile associated with the health monitor and you fill in the SNI field in the SSL profile shown below.