Forum Discussion
Slow SSL handshake on "Performance(Layer 4)" VIP.
Hello, I am seeing a weird issue. I have a "Performance(Layer 4)" VIP, and the issue I see is when I do a:
time openssl s_client -connect :
I see a 4 sec delay on the initial SSL handshake after Client Hello. I don't see this delay when hitting the back-end server directly. Any clues or suggestions?
The back-end servers are Linux so no net-bios setting in play.
- rafaelbnCirrostratus
Hello Domai!
That's really odd... I have implemented this type of configuration on some clients and there was no delay. The BIG-IP is just forwarding at L4...
Can you do a tcpdump of the entire flow? Just to double-check that it's the BIG-IP introducing this delay?
It would be something like this:
tcpdump -nni 0.0 -s0 'host %vip_ip or host %node_ip' -w capture.pcap
That way we will see the entire conversation....
If you can, please post the VIP configuration...
Cheers!
- Amresh008Nimbostratus
Please enable TCP loose initiation in the TCP profile associated to this VIP.
- rafaelbn_176840Altocumulus
Amy003, I'm curious about this. What is your thinking? To my knowledge, loose initiation is useful for quiet yet long-lived connections, since the BIG-IP would accept the packet without seeing the 3-way-handshake. Can you explain? Cheers! Rafael
- RossVermette_14Nimbostratus
I agree with rafaelbn: run a tcpdump from the BigIP and compare the traffic timings from client to BigIP, and from BigIP to backend pool member. This way you can isolate and see if the delay is with the BigIP.
Take a look at Overview of TCP connection setup for BIG-IP LTM virtual server types.
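One way to do the timing comparison suggested above, as an added example that is not part of the original posts: it reads the text printed by `tcpdump -nn -tt -r capture.pcap`, finds the longest silence on the client-side and server-side legs, and reports which hop was holding the packet. The IP addresses, the SNAT assumption, the sample lines and the function names are all constructed for illustration.

```python
import re

# Parses text printed by `tcpdump -nn -tt -r capture.pcap` (IPv4 TCP lines).
LINE = re.compile(r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: ")

# Constructed sample, trimmed: client 198.51.100.10, VIP 203.0.113.5,
# BIG-IP self IP 10.0.0.1 (SNAT assumed), pool member 10.0.0.20.
SAMPLE = """\
100.000000 IP 198.51.100.10.51000 > 203.0.113.5.443: Flags [S], length 0
100.000200 IP 10.0.0.1.40000 > 10.0.0.20.443: Flags [S], length 0
100.000700 IP 10.0.0.20.443 > 10.0.0.1.40000: Flags [S.], length 0
100.000900 IP 203.0.113.5.443 > 198.51.100.10.51000: Flags [S.], length 0
100.020000 IP 198.51.100.10.51000 > 203.0.113.5.443: Flags [P.], length 517
100.020200 IP 10.0.0.1.40000 > 10.0.0.20.443: Flags [P.], length 517
104.020900 IP 10.0.0.20.443 > 10.0.0.1.40000: Flags [P.], length 1400
104.021100 IP 203.0.113.5.443 > 198.51.100.10.51000: Flags [P.], length 1400
"""

def parse(text):
    """Return [(timestamp, src_ip, dst_ip), ...] for every line that matches."""
    return [(float(m[1]), m[2], m[3]) for m in map(LINE.match, text.splitlines()) if m]

def largest_gap(packets, ip):
    """Longest silence on the leg involving `ip`: (seconds, sender that ended it)."""
    leg = [p for p in packets if ip in p[1:]]
    gaps = [(b[0] - a[0], b[1]) for a, b in zip(leg, leg[1:])]
    return max(gaps, default=(0.0, None))

def locate_delay(text, vip, node, threshold=1.0):
    """Name the hop that was silent during the stall, or None if there is none."""
    packets = parse(text)
    c_gap, c_sender = largest_gap(packets, vip)    # client <-> VIP leg
    s_gap, s_sender = largest_gap(packets, node)   # BIG-IP <-> pool member leg
    if s_gap >= threshold and s_sender == node:
        return "backend"   # pool member received the packet and replied late
    if c_gap >= threshold and c_sender != vip:
        return "client"    # the client itself paused before sending
    if max(c_gap, s_gap) >= threshold:
        return "big-ip"    # packet arrived on one leg and left late on the other
    return None

if __name__ == "__main__":
    print(locate_delay(SAMPLE, "203.0.113.5", "10.0.0.20"))
```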
- Amresh008Nimbostratus
F5 docs do not specify as such that the connections need to be long-lived ones. Did running the captures establish anything?
- George-BaiNimbostratus
Hi Domai
Can you share the solution for this issue? We hit the same issue, which also costs a lot of time (7-8 seconds) during the SSL handshake.
We already checked the config and cert but did not find any errors.
Is the target server trying to do a reverse DNS lookup of the source IP before accepting the connection, or some other action like that which could take longer assuming the source IP of the traffic is now the BIG-IP's Self IP rather than your actual client?