Forum Discussion

Domai_23823
Mar 06, 2019

Slow SSL handshake on "Performance(Layer 4)" VIP.

Hello, I am seeing a weird issue. I have a "Performance (Layer 4)" VIP, and the issue I see is when I do a -

time openssl s_client -connect :
I see a 4 sec delay on the initial SSL handshake after Client Hello. I don't see this delay when hitting the back-end server directly. Any clues or suggestions? The back-end servers are Linux so no net-bios setting in play.

  • Hello Domai!

    That's really odd... I have implemented this type of configuration on some clients and there was no delay. The BIG-IP is just forwarding at L4...

    Can you do a tcpdump of the entire flow? Just to double-check that it's the BIG-IP introducing this delay?

    It would be something like this:

    tcpdump -nni 0.0 -s0 'host %vip_ip or host %node_ip' -w capture.pcap
    

    That way we will see the entire conversation....

    If you can, please post the VIP configuration...

    Cheers!
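    A capture on interface 0.0 records both legs of a Performance (Layer 4) virtual server: the client-to-VIP flow and the BIG-IP-to-pool-member flow. The quickest way to answer "is it the BIG-IP or the back end?" is to time the same two phases (TCP three-way handshake, then ClientHello to first server response) on each leg and see where the multi-second gap appears. The script below is an added example, not code from the forum thread or from F5; it parses the text form of a capture (`tcpdump -tt -nn -r capture.pcap`, epoch timestamps) rather than the pcap itself, treats the first payload packet in each direction as ClientHello and ServerHello (a heuristic, not a TLS parser), and uses constructed sample lines with assumed addresses (client 10.0.0.5, VIP 192.0.2.10, self IP 10.1.1.2, pool member 10.1.1.20). The self-IP source address assumes SNAT is in use; without SNAT the server-side flow keeps the client's source address.

```python
"""Localise a TLS handshake delay per flow from `tcpdump -tt -nn` text output.

Added example (not from the forum thread or F5). Input is one line per
packet with epoch timestamps; raw pcap files are not read.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches lines such as:
# 1551880000.100000 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [S], seq 100, win 64240, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)"
)


@dataclass
class FlowTiming:
    syn: Optional[float] = None           # client SYN
    synack: Optional[float] = None        # server SYN/ACK
    client_hello: Optional[float] = None  # first client payload (assumed ClientHello)
    server_hello: Optional[float] = None  # first server payload (assumed ServerHello)

    def phases(self) -> Dict[str, Optional[float]]:
        """Phase durations in seconds; None when a packet is missing from the capture."""
        def delta(a, b):
            return None if a is None or b is None else round(b - a, 6)
        return {
            "tcp_setup": delta(self.syn, self.synack),
            "tls_server_response": delta(self.client_hello, self.server_hello),
        }


def parse_flows(lines: List[str]) -> Dict[Tuple[str, str], FlowTiming]:
    """Group packets by flow, keyed (client endpoint, server endpoint).

    Whichever side sends the SYN is the client. Lines that do not match the
    tcpdump format, or packets for flows whose SYN was not captured, are skipped.
    """
    flows: Dict[Tuple[str, str], FlowTiming] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, flags, length = float(m["ts"]), m["flags"], int(m["len"])
        a = f"{m['src']}:{m['sport']}"
        b = f"{m['dst']}:{m['dport']}"
        if flags == "S":  # pure SYN opens a flow; keep the first one seen
            ft = flows.setdefault((a, b), FlowTiming())
            if ft.syn is None:
                ft.syn = ts
            continue
        if (a, b) in flows:
            ft, from_client = flows[(a, b)], True
        elif (b, a) in flows:
            ft, from_client = flows[(b, a)], False
        else:
            continue
        if "S" in flags and not from_client and ft.synack is None:
            ft.synack = ts
        elif length > 0:
            if from_client and ft.client_hello is None:
                ft.client_hello = ts
            elif not from_client and ft.server_hello is None:
                ft.server_hello = ts
    return flows


def slow_phases(flows: Dict[Tuple[str, str], FlowTiming], threshold: float = 1.0):
    """Return [(flow_key, phase, seconds)] for every phase slower than threshold."""
    return [
        (key, phase, secs)
        for key, ft in flows.items()
        for phase, secs in ft.phases().items()
        if secs is not None and secs > threshold
    ]


# Constructed sample: client -> VIP leg, then BIG-IP self IP -> pool member leg.
# The 4 s gap sits between the ClientHello reaching the pool member and its reply,
# so the back end, not the BIG-IP, is the slow party in this sample.
SAMPLE = [
    "1551880000.100000 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [S], seq 100, win 64240, length 0",
    "1551880000.101000 IP 192.0.2.10.443 > 10.0.0.5.51234: Flags [S.], seq 200, ack 101, win 29200, length 0",
    "1551880000.102000 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [.], ack 201, win 502, length 0",
    "1551880000.103000 IP 10.0.0.5.51234 > 192.0.2.10.443: Flags [P.], seq 101:618, ack 201, win 502, length 517",
    "1551880000.104000 IP 10.1.1.2.40000 > 10.1.1.20.443: Flags [S], seq 300, win 64240, length 0",
    "1551880000.105000 IP 10.1.1.20.443 > 10.1.1.2.40000: Flags [S.], seq 400, ack 301, win 29200, length 0",
    "1551880000.106000 IP 10.1.1.2.40000 > 10.1.1.20.443: Flags [P.], seq 301:818, ack 401, win 502, length 517",
    "1551880004.106000 IP 10.1.1.20.443 > 10.1.1.2.40000: Flags [P.], seq 401:1701, ack 818, win 229, length 1300",
    "1551880004.107000 IP 192.0.2.10.443 > 10.0.0.5.51234: Flags [P.], seq 201:1501, ack 618, win 229, length 1300",
]

if __name__ == "__main__":
    parsed = parse_flows(SAMPLE)
    for key, ft in parsed.items():
        print(key, ft.phases())
    for key, phase, secs in slow_phases(parsed):
        print(f"slow phase {phase} ({secs:.3f}s) on flow {key[0]} -> {key[1]}")
```

    If the client-side flow shows the gap but the server-side flow does not, the BIG-IP is holding the handshake; if both legs show it with the server-side ClientHello already sent, the pool member is the one taking its time.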

  • Please enable TCP loose initiation in the TCP profile associated to this VIP.

     

    • rafaelbn_176840

      Amy003, I'm curious about this. What is your thinking? To my knowledge, loose initiation is useful for quiet yet long lived connections, since the BIG-IP would accept the packet without seeing the 3-way-handshake. Can you explain? Cheers! Rafael

       


  • F5 docs do not specify as such that the connections need to be long lived ones. Did running the captures establish anything?

     

  • Hi Domai

     

    Can you share the solution for this issue? We met the same issue, which also costs a lot of time (7-8 seconds) during the SSL handshake.

    We already checked the config and cert but did not find any errors.

  • Is the target server trying to do a reverse DNS lookup of the source IP before accepting the connection, or some other action like that which could take longer assuming the source IP of the traffic is now the BIG-IP's Self IP rather than your actual client?