Forum Discussion

Ganesh_31405
Nov 17, 2010

SSL on server


I've minuscule knowledge about the LB configuration over SSL. This is my setup. I've an application server running in HTTPS (port 443) behind the LB. In the LB, I've a VIP (10.223.x.x) created with 2 services (http and https). From the client machine, when I access the VIP through http://10.223.x.x or https://10.223.x.x I'm not able to hit my application server page. I'm always getting "page cannot be displayed".

In the VIP 443 service, I've tried setting the SSL Client profile, the SSL Server profile, and both in combination, and nothing resolves it. Any combination I tried ends up with "page cannot be displayed". I'm not sure what the right approach is to configure my LB when the server is running in HTTPS mode.

I want the communication between the Server and LB to be HTTPS, and LB to client in HTTP or even HTTPS is fine. All I need is to get my application server page when it's running in SSL. I'm able to get that to work if it's running in HTTP. I'm able to hit my server page through SSL if I access it directly through the internal IP. Only when I access it through the VIP am I not able to get that working.

I appreciate any help on how to configure my LB (LB VE version 10.2).


8 Replies

  • Can you paste your virtual server, pool, and profile configuration here?
  • So, I would concentrate on getting your HTTP virtual server working first. It sounds like SSL is not the only issue, if the HTTP virtual is not working either. As was stated earlier, it would be good to see your config. LTM can be used to have any combination of SSL on either side of the conversation. We use this extensively to either offload SSL, or decrypt the payload for iRule use, then reload SSL to the target server.


  • With regard to your VIP 443 service, try no SSL profiles (client or server) and just a standard virtual server with a TCP profile (the defaults); this will give you HTTPS on both the server and client side. Keep in mind that at no point is this traffic decrypted at the LTM, so you cannot do anything with the payload, and you may want to use persistence depending on your app server, but that will not be necessary to get started with a response from the server.

    With regard to the VIP 80 service, you will need a serverssl profile to allow HTTP on the client side and HTTPS on the server side. If your app server SSL configuration requires X.509 client auth, or if you are using certs signed by a CA not trusted by the LTM, then you need to configure the serverssl profile appropriately; if not, then again the default config should be fine.
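The two shapes this reply describes, written out as an added example in the v10-style bigip.conf syntax the thread otherwise uses. It is not configuration from the original thread or from F5; the object names (svr1_ssl, vs_https_passthrough, vs_http_to_https), the VIP address 10.223.0.10 and the server address 10.0.0.5 are placeholders I've assumed, and the `#` lines are explanatory comments.

```bigpipe
# Pool member is :443 because the application server listens on HTTPS.
# An https monitor only marks the member up once a TLS handshake succeeds,
# so the pool status itself tells you whether the LTM can reach the server's SSL.
pool svr1_ssl {
   monitor all https
   members 10.0.0.5:443
}

# Shape 1: HTTPS passthrough (client-side TLS terminates on the server).
# Only a tcp profile: no clientssl, no serverssl, and no http profile,
# because the LTM never sees plaintext and an http profile cannot parse
# an encrypted stream.
virtual vs_https_passthrough {
   snat automap
   pool svr1_ssl
   destination 10.223.0.10:443
   ip protocol tcp
   profiles {
      tcp {}
   }
}

# Shape 2: HTTP on the client side, HTTPS on the server side.
# serverssl (serverside context) makes the LTM the TLS client to the pool
# member; the http profile is fine here because the client side is plaintext.
virtual vs_http_to_https {
   snat automap
   pool svr1_ssl
   destination 10.223.0.10:80
   ip protocol tcp
   profiles {
      http {}
      serverssl {
         serverside
      }
      tcp {}
   }
}
```

The two virtuals share one pool because in both shapes the server side is TLS to port 443; only the client side differs. If the server uses a certificate the LTM does not trust or requires a client certificate, the default serverssl profile above must be replaced with a custom one carrying the CA bundle or client cert, exactly as the reply notes.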



  • Jason,

    I tried the VIP with the https service without client/server profiles and only the TCP profile. But still, accessing the virtual IP through https doesn't hit my server and get the application login page.

    Let me brief my overall configuration.

    My server is running on internal IP :- and configured for SSL (default port 443).

    For SSL, I've uploaded a trial certificate from Thawte. Accessing the server directly works fine.

    Added a node member : 80

    Created a pool, SVR1, and added this node as a member.

    Then created 2 VIPs:

    with service port 80
    (Protocol profile set to TCP, http profile set to http and no ssl profile set)
    Default pool set to SVR1

    with service port 443
    (Protocol profile set to TCP, http profile set to http and no ssl profile set)

    Now when I access or I'm not able to hit the application server page, which is running in SSL. When I remove the SSL on my server and make it run in HTTP mode, I'm able to hit my server page.

    As you mentioned, I even tried to set the serverssl profile on port 80 and still I'm not able to hit the server page. I'm not sure whether there is any handshake happening between my LB and the server at all when the server is in SSL mode. I've attached a screenshot of the profile configuration of my VIP running on port 80.

    I've been breaking my head for the last couple of days and I greatly appreciate any help to get this resolved.


  • with service port 443
    (Protocol profile set to TCP, http profile set to http and no ssl profile set)

    What port was this pool listening on? Was it 443?

    If it's not 443, would you mind trying 443?
  • I've tried both 80 and 443. This is what I tried. Created two pools with the same node pointing to different ports:

    svr1_http: -

    In the VIP , added the svr_http pool, and accessing it through the browser results in "page cannot be displayed".

    Removed that pool and added SVr1_SSL. Accessing this VIP ends with the same error.


  • This is mine.

    virtual bar {
       snat automap
       pool foo
       ip protocol tcp
    }
    pool foo {
       members {}
    }

    curl -Ik
    HTTP/1.1 200 OK
    Date: Thu, 18 Nov 2010 04:47:16 GMT
    Server: Apache/2.0.59 (rPath)
    Last-Modified: Sun, 24 Oct 2010 20:57:08 GMT
    ETag: "65c0-123-1e67b100"
    Accept-Ranges: bytes
    Content-Length: 291
    Vary: Accept-Encoding
    Content-Type: text/html; charset=UTF-8
  • If it still does not work, tcpdump may help.

    To screen:

    tcpdump -nni 0.0 \(host or host\) and port 443

    To file:

    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.dmp \(host or host\) and port 443