Forum Discussion
SSL PassThrough Configuration
Hi,
I have a web-based application running on three different servers. I want to balance the load using the round robin technique. The IP addresses of those servers are 10.10.10.71, 72 & 73. They are allowed to accept only the HTTPS protocol. The VIP is 10.10.10.70. The requirement is to configure SSL pass through on the BIG-IP 3600 F5 because we don't have an SSL certificate. Each server responds when I browse them by their actual IP. But when I browse the VIP it's not working. I guess it's because of the SSL pass through. Can someone help to configure SSL Pass Through, because I am a newbie to F5?
- iaine
Nacreous
Hi
To enable SSL Pass Through, don't configure any SSL profiles on your VIP or any Layer 7 profiles. You can only configure up to Layer 4 with Pass-Thru.
If you need your F5 to be a TCP proxy then you can leave the VIP type as Standard, but if there is no requirement for this then you could use the Performance Layer 4 VIP type.
Also, as your VIP is on the same subnet as your servers, I'm guessing that you will need to enable SNAT to ensure the return path goes to your F5 rather than the servers' default gateway (unless your F5 is the default gateway).
Hope this helps
- KhubaibArshad
Nimbostratus
Hi @iaine
I successfully enabled the SSL pass through and SNAT, but there is an issue: it works for a very short time and after that I get the same error, ERR_CONNECTION_REFUSED, on the client. When I update the SNAT with the same configuration it works again, and after that it gives the same error. Can you please tell me what is happening here?
- Ahmed_Galal
Cirrostratus
Did you configure a monitor for the backend servers? I think that this might be related to an issue with one of the backend servers, because there is no configuration in SSL passthrough; you just don't configure profiles, and you configure the backend servers with port 443.
- KhubaibArshad
Nimbostratus
Hi Ahmed,
No, I am not using the health monitors for the back end servers, because it shows that HTTPS is down, which brings my nodes down. The back end servers are configured with the redirect to HTTPS; they accept HTTPS only. When this error occurs the VIP 10.0.0.70 is also down.
- jaikumar_f5
Noctilucent
Are you saying that you have not applied any monitor for your pool members? Please share your existing setup, masking the important details.
tmsh list ltm virtual <virtual name>
tmsh list ltm pool <pool name>
- KhubaibArshad
Nimbostratus
root@f5-35(Active)(tmos)# list ltm virtual vns-portal-vip
ltm virtual vns-portal-vip {
    destination 10.10.10.70:any
    ip-protocol tcp
    mask 255.255.255.255
    pool VNS-Portal-Pool
    profiles {
        fastL4 { }
    }
    snatpool vns-snat-pool
    translate-port disabled
}
root@f5-35(Active)(tmos)# list ltm pool VNS-Portal-Pool
ltm pool VNS-Portal-Pool {
    members {
        10.10.10.71:smtp {
            session monitor-enabled
        }
        10.10.10.71:domain {
            session monitor-enabled
        }
        10.10.10.71:http {
            session monitor-enabled
        }
        10.10.10.71:https {
            session monitor-enabled
        }
        10.10.10.71:smtps {
            session monitor-enabled
        }
        10.10.10.71:submission {
            session monitor-enabled
        }
        10.10.10.72:smtp {
            session monitor-enabled
        }
        10.10.10.72:domain {
            session monitor-enabled
        }
        10.10.10.72:http {
            session monitor-enabled
        }
        10.10.10.72:https {
            session monitor-enabled
        }
        10.10.10.72:smtps {
            session monitor-enabled
        }
        10.10.10.72:submission {
            session monitor-enabled
        }
        10.10.10.73:smtp {
            session monitor-enabled
        }
        10.10.10.73:domain {
            session monitor-enabled
        }
        10.10.10.73:http {
            session monitor-enabled
        }
        10.10.10.73:https {
            monitor none
        }
        10.10.10.73:smtps {
            session monitor-enabled
        }
        10.10.10.73:submission {
            session monitor-enabled
        }
    }
    monitor tcp and https_443
}
- M_2
Altocumulus
You cannot add different service ports to a single pool.
It seems you have created a VIP with * ports; it should have some iRule logic attached to redirect SMTP traffic to an SMTP pool, HTTP traffic to an HTTP pool, and so on.
- KhubaibArshad
Nimbostratus
How can I do that? I am new to this platform. Can you please guide me?
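Added example, not part of the thread and not F5's own tooling: a small Python audit of "list ltm pool" output that reports the two things the replies ask about, namely which service ports share one pool and which members have monitoring turned off. The sample listing is constructed by abbreviating the pool posted above, and the function name audit_pool is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, abbreviated from the pool listing posted in the thread.
SAMPLE = """\
ltm pool VNS-Portal-Pool {
    members {
        10.10.10.71:smtp {
            session monitor-enabled
        }
        10.10.10.71:https {
            session monitor-enabled
        }
        10.10.10.72:https {
            session monitor-enabled
        }
        10.10.10.73:https {
            monitor none
        }
    }
    monitor tcp and https_443
}
"""

MEMBER = re.compile(r"^(\d+(?:\.\d+){3}):(\S+)\s*\{$")

def audit_pool(text):
    """Summarise one pool listing; brace depth tells pool-level from member-level lines."""
    services = defaultdict(list)          # service port -> member addresses
    unmonitored, pool_monitor, member, depth = [], None, None, 0
    for line in map(str.strip, text.splitlines()):  # strip: works on flattened pastes too
        m = MEMBER.match(line)
        if m and depth == 2:              # inside "members { ... }"
            member = f"{m.group(1)}:{m.group(2)}"
            services[m.group(2)].append(m.group(1))
        elif line == "monitor none" and depth == 3:
            unmonitored.append(member)    # member is never health-checked
        elif line.startswith("monitor ") and depth == 1:
            pool_monitor = line.split(" ", 1)[1]
        depth += line.count("{") - line.count("}")
    return {
        "services": dict(services),
        "mixed_services": len(services) > 1,
        "unmonitored": unmonitored,
        "pool_monitor": pool_monitor,
    }

if __name__ == "__main__":
    for key, value in audit_pool(SAMPLE).items():
        print(f"{key}: {value}")
```
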