Forum Discussion

Adolfo's avatar
Icon for Nimbostratus rankNimbostratus
Aug 12, 2020

SSL issue

Hello there,


We have a F5 LTM and a virtual server configured to a server in port 443, the topology is:


Computer --> F5 LTM --> switch --> server


When we try to connect to the server through https we saw the message "Connection reset" in the browser, but if we try to connect without passing the F5 the connection is successful. We don't have configured any SSL client profile or server.


This is the configuration on F5:


#Virtual Server



ltm virtual /Common/Server1 {

   destination /Common/10.1.5.X:443

   ip-protocol tcp


   pool /Common/Server1

   profiles {

       /Common/tcp { }



   translate-address enabled

   translate-port enabled






ltm pool /Common/Server1 {

   members {

       /Common/10.1.7.X:443 {

           address 10.1.7.X



   monitor /Common/https_443







# -Default Profile-

ltm profile tcp tcp {

   ack-on-push enabled

   close-wait-timeout 5

   congestion-control high-speed

   deferred-accept disabled

   delayed-acks enabled

   ecn disabled

   fin-wait-timeout 5

   idle-timeout 300

   keep-alive-interval 1800

   limited-transmit enabled

   max-retrans 8

   nagle disabled

   proxy-buffer-high 49152

   proxy-buffer-low 32768

   proxy-mss disabled

   proxy-options disabled

   receive-window-size 65535

   reset-on-timeout enabled

   selective-acks enabled

   send-buffer-size 65535

   slow-start enabled

   syn-max-retrans 3

   time-wait-recycle enabled

   time-wait-timeout 2000

   timestamps enabled



As you can see, we don't have any SSL client or server profile and we tried changing "translate-port" to disabled and "Source Address Translation" to auto map but none of these work.


Also we made a tcpdump and we can see the TCP Reset from 10.1.7.X (tcpdump.png) and some curl (curl.png), openssl (openssl.png and openssl2.png) and a telnet (telnet.png).











Hope you can help us to find out what's going on.


Thank you.

1 Reply

  • Your virtual server is very simple with no profiles that should interfere.


    Telnet isn't a good test for SSL connections other than stating that the port is open, use openssl or another utility to test the connection.


    You have to have some sort of SNAT translation enabled because your virtual server and pool member exist on different networks. Automap should be fine assuming you have a valid self-ip configured.


    The F5 is not manipulating the SSL handshake and especially not the http traffic considering it can't decrypt any of it due to SSL passthrough being configured here.


    Given the very simple configuration of the virtual server this would seem to be more likely an issue with the server or device between F5 and server.


    You can take a capture with F5 'noise' to see the reset cause:

    tcpdump -s0 -ni 0.0:nnnp host 10.1.7.x and host source_ip