SSL offloading issue with MSSQL
Hello all,
We have a setup where the F5 does the SSL offloading for our MSSQL server, but it looks like when we enable this feature the client cannot establish the connection to the server. When we disable the SSL offloading on the F5 the connection is successful. Below is the logical setup:
MS-SQL (TCP 1433) <---un-encrypted--->f5 VIP (custom TCP port)<----encrypted---> SQL client
The F5 VIP has the SNAT feature enabled. tcpdump on the F5 shows the request comes from the client and the connection establishes successfully, but nothing goes to the host (SQL server) from the F5. The error on the client indicates that the connection gets terminated from the server (F5):
A connection was successfully established with the server, but then an error occurred during the pre-login handshake. (provider: TCP Provider, error: 0 - An existing connection was forcibly closed by the remote host.) (Microsoft SQL Server, Error: 10054)
We have done SSL offloading with the F5 successfully and it is working for other services, but this one is acting up. I was wondering if there is a compatibility issue or something between MS-SQL server and the F5 such that SSL offloading wouldn't work. I would welcome any suggestion.
Thanks
5 Replies
- Stephan_Mierau
Employee
Hi,
Are you sure the SQL client uses encryption?
- quixel_254852
Nimbostratus
I've just managed to solve a very similar problem by ticking the "Non-SSL Connections" Enable checkbox in my client SSL profile settings. I was also using the 2014 version of the SQL client, which didn't have the Trust Server Certificate checkbox in its GUI by default, so I had to put the TrustServerCertificate=True; string parameter in the Additional Connection Parameters tab on the client. The encrypt connection setting was checked on the client, of course.
Interesting, that would suggest the BIG-IP doesn't see this as SSL traffic at all.
- Seattle2k
Employee
The bypass is necessary (or, removal of the SSL profile), because SQL traffic uses the TDS protocol. With TDS/TDS7, there is a PRELOGIN message that is sent by the client, prior to the beginning of the SSL/TLS handshake. The client-ssl profile is not expecting this, and resets the connections as non-SSL/TLS traffic.
Thanks for sharing the technical details.