Forum Discussion

Sly_85819
Oct 13, 2009

SSL pass-through configuration

Can someone tell me how I configure SSL pass-through for a Standard VS? Basically we don't want to have SSL offloading on the LTM and the server should have the SSL cert. I have used 2 options suggested by F5 support: 1) configure serverssl profile as the Server SSL Profile and 2) configure None for the Client and Server profile settings. The first option worked only once for us and then never worked for any other VS. The second option didn't work either.

The only way it worked is with a Performance L4 type VS. I am wondering if anyone has successfully configured SSL pass-through with a Standard VS.

24 Replies

  • Missed the description of the above capture.

    The request is coming from the public IP 198.147.192.8 and hitting the VS 192.168.20.25. The pool member IP address is 192.168.16.6.

    Here is the working capture after changing the VS to L4.

    10:26:09.443127 802.1Q vlan4094 P0 arp who-has 192.168.20.25 (Broadcast) tell 192.168.20.25
    10:26:18.331585 802.1Q vlan4094 P0 198.147.192.8.46476 > 192.168.20.25.https: S 1156719225:1156719225(0) win 64512 (DF)
    10:26:18.332086 802.1Q vlan4094 P0 192.168.20.25.https > 198.147.192.8.46476: S 2974381553:2974381553(0) ack 1156719226 win 4140 (DF)
    10:26:18.375527 802.1Q vlan4094 P0 198.147.192.8.46476 > 192.168.20.25.https: . ack 1 win 64512 (DF)
    10:26:18.376258 802.1Q vlan4094 P0 198.147.192.8.46476 > 192.168.20.25.https: P 1:71(70) ack 1 win 64512 (DF)
    10:26:18.376514 802.1Q vlan4094 P0 192.168.20.25.https > 198.147.192.8.46476: P 1:829(828) ack 71 win 4140 (DF)
    10:26:18.422397 802.1Q vlan4094 P0 198.147.192.8.46476 > 192.168.20.25.https: P 71:253(182) ack 829 win 63684 (DF)
    10:26:18.425823 802.1Q vlan4094 P0 192.168.20.25.https > 198.147.192.8.46476: P 829:872(43) ack 253 win 4392 (DF)
    10:26:18.472931 802.1Q vlan4094 P0 198.147.192.8.46476 > 192.168.20.25.https: P 253:812(559) ack 872 win 63641 (DF)
    10:26:18.473942 802.1Q vlan4093 P0 198.147.192.8.46476 > 192.168.16.6.6800: S 1990251855:1990251855(0) win 4380 (DF)
    10:26:18.474645 802.1Q vlan4093 P0 192.168.16.6.6800 > 198.147.192.8.46476: S 1366852104:1366852104(0) ack 1990251856 win 49640 (DF)
    10:26:18.474651 802.1Q vlan4093 P0 198.147.192.8.46476 > 192.168.16.6.6800: . ack 1 win 4380 (DF)
    10:26:18.474657 802.1Q vlan4093 P0 198.147.192.8.46476 > 192.168.16.6.6800: P 1:77(76) ack 1 win 4380 (DF)
    10:26:18.475374 802.1Q vlan4093 P0 192.168.16.6.6800 > 198.147.192.8.46476: . ack 77 win 49564 (DF)
    10:26:18.484404 802.1Q vlan4093 P0 192.168.16.6.6800 > 198.147.192.8.46476: P 1:64(63) ack 77 win 49640 (DF)
    10:26:18.572778 802.1Q vlan4094 P0 192.168.20.25.https > 198.147.192.8.46476: . ack 812 win 4951 (DF)
    10:26:18.583764 802.1Q vlan4093 P0 198.147.192.8.46476 > 192.168.16.6.6800: . ack 64 win 4443 (DF)
    10:26:18.584250 802.1Q vlan4093 P0 192.168.16.6.6800 > 198.147.192.8.46476: P 64:107(43) ack 77 win 49640 (DF)
    10:26:18.584259 802.1Q vlan4093 P0 198.147.192.8.46476 > 192.168.16.6.6800: P 77:120(43) ack 107 win 4443 (DF)
    10:26:18.584985 802.1Q vlan4093 P0 192.168.16.6.6800 > 198.147.192.8.46476: . ack 120 win 49640 (DF)
    10:26:18.585964 802.1Q vlan4093 P0 198.147.192.8.46476 > 192.168.16.6.6800: P 120:679(559) ack 107 win 4486 (DF)
    10:26:18.696550 802.1Q vlan4093 P0 192.168.16.6.6800 > 198.147.192.8.46476: . ack 679 win 49640 (DF)
    10:26:18.811775 802.1Q vlan4093 P0 192.168.16.6.6800 > 198.147.192.8.46476: P 107:373(266) ack 679 win 49640 (DF)
    10:26:18.815195 802.1Q vlan4094 P0 192.168.20.25.https > 198.147.192.8.46476: P 872:1138(266) ack 812 win 4951 (DF)
    10:26:18.911868 802.1Q vlan4093 P0 198.147.192.8.46476 > 192.168.16.6.6800: . ack 373 win 4752 (DF)
    10:26:18.999749 802.1Q vlan4094 P0 198.147.192.8.46476 > 192.168.20.25.https: . ack 1138 win 63375 (DF)

  • hoolio
    Can you also post the VIP config from when it's not working, using 'b virtual VIP_NAME list'?

    Thanks,

    Aaron
  • The app is now in production and it is an L4 VS.

    When it was not working:

    1)
    VS - Standard
    Client SSL Profile - None
    Server SSL Profile - None

    2)
    VS - Standard
    Client SSL Profile - None
    Server SSL Profile - parentssl

    The rest of the settings were the same.
    • DavisLi
      Ret. Employee

      Not sure why this is the solution but I was doing APM and had trouble on my portal links browsing to HTTPS sites. I have also done the same thing as you and it worked. I just used some default serverssl profile and attached it to a standard VS and the HTTPS portal links worked.

  • hoolio
    When you change from Standard to Forwarding IP or in reverse, quite a few settings change. It would be interesting to compare the actual config from the two VIP configurations. If you're able to, you could configure a test VIP even on the same IP but a different port to test this further. If there are restrictions getting to the test VIP, you could test using curl from the LTM command line:

    curl -kv https://1.1.1.1/index.html where 1.1.1.1 is the VIP IP.

    Or if you have a binary formatted tcpdump from a failure with a standard VIP, you could use ssldump to get more info on a possible SSL handshake problem.

    Aaron
  • Thanks. I have tried using ssldump, however I wasn't able to do much with it. I am still a newbie for LTM troubleshooting :-(. I will see if there is any way I can simulate the problem again and take captures.
  • Anesh

    Was this issue fixed? If so could you please paste the solution

  • Is there any F5 documentation explaining SSL pass-through and how to configure it?

    • Robell_Pontes_7

      ssl traffic can be processed in 3 ways:

      a) ssl offloading, where the traffic is encrypted from the client to the F5 and then the F5 decrypts it (terminates the SSL) and sends it to the backend "plain". you need a ClientSSL profile for this.

      b) ssl bridging, where the traffic is encrypted from the client to the F5 and then the F5 decrypts it, usually to perform some sort of layer 7 operation (such as applying an iRule to check the http request) but then the traffic is encrypted again before being sent to the backend. you need a ClientSSL profile and a ServerSSL for this.

      c) there's nothing to configure for ssl 'passthrough'. It just means the SSL traffic is passed as it is through the F5 to the backend servers, not terminated on the F5. No layer 7 processing can be performed on the F5 as traffic is encrypted.
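      The three modes above written out as virtual-server definitions, as an added example that is not part of this thread and not F5's own documentation. It uses the tmsh / bigip.conf form (v11 and later) rather than the bigpipe 'b virtual' form used earlier in the thread; the VS names, the 192.0.2.10 address, the pool names and the custom profile name my_clientssl are placeholders I made up, and my_clientssl is assumed to be a ClientSSL profile that already exists with the site's cert and key attached.

```tmsh
# (a) SSL offload: TLS from the client terminates on the LTM, plain HTTP goes
#     to the pool. Only a ClientSSL profile is attached (placeholder names).
ltm virtual vs_ssl_offload {
    destination 192.0.2.10:443
    ip-protocol tcp
    pool pool_web_http
    profiles {
        tcp { }
        http { }
        my_clientssl { context clientside }
    }
}

# (b) SSL bridging: decrypt on the LTM so layer 7 work (http profile, iRules)
#     is possible, then re-encrypt toward the pool members, which hold their
#     own certs. ClientSSL plus ServerSSL profile.
ltm virtual vs_ssl_bridge {
    destination 192.0.2.10:443
    ip-protocol tcp
    pool pool_web_https
    profiles {
        tcp { }
        http { }
        my_clientssl { context clientside }
        serverssl { context serverside }
    }
}

# (c) SSL pass-through: no SSL profile at all, so the TLS records are relayed
#     to the member unmodified and the member's own cert is what the client
#     sees. This is the Performance (Layer 4) type that worked for the
#     original poster; no http profile or iRule can inspect the payload here
#     because it stays encrypted end to end.
ltm virtual vs_ssl_passthrough {
    destination 192.0.2.10:443
    ip-protocol tcp
    pool pool_web_https
    profiles {
        fastL4 { }
    }
}
```

      To see what is actually attached to a VS (the tmsh equivalent of the 'b virtual VIP_NAME list' hoolio asked for), run tmsh list ltm virtual vs_ssl_passthrough: if a clientssl or serverssl profile shows up in the profiles section, the LTM is terminating or re-originating TLS, not passing it through.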

       

    • RiadSanchz

      Thank you so much for the response. The Server Team asked me to set up a new VS and set it up as SSL pass-through. So basically I don't have to attach an SSL Profile to the VS as I would in SSL offloading.
