Forum Discussion
Roberto_78444
Nimbostratus
Aug 11, 2009
SSL Problem
Hello, I have a BigIp 1600 LTM and I configured an https virtual server with no http profile and no SSL profile.
When I try the following command to the vip I get an error:
opens...
hoolio
Cirrostratus
Aug 12, 2009
The issue with that scenario without SNAT is that the client establishes a TCP connection with the VIP. LTM opens a connection to the server spoofing the client IP. Because the server is on the same subnet as the client, it just ARPs for the MAC address for the client IP and responds back directly to the client. The problem is the server responds using its IP--which isn't what the client made the request to. So the client doesn't accept the response.
To handle this you can:
1. Not test using a client on the same subnet
2. Enable SNAT (for all clients or just those on the same subnet using a Selective SNAT iRule)
3. Use nPath to allow the server to respond back directly to the client using the VIP address as a source
1 and 2 are easy--three is a bit more convoluted in that it intentionally uses asymmetric routing. You can find more info on nPath by searching the forums or AskF5 for nPath.
Aaron
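Option 2 as a selective SNAT iRule, added here as an illustration rather than code from the thread: only clients that sit on the server subnet get their source address translated, so the server's reply returns through the LTM instead of going straight to the client with the wrong source IP; every other client keeps its real address. The subnet 192.168.1.0/24 and the log line are assumptions for the example.

```tcl
# Selective SNAT: translate the client source only when the client is on
# the same subnet as the pool members, otherwise leave the client IP intact.
# The subnet below is a placeholder; use the real server-side subnet.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 192.168.1.0/24] } {
        # Client and server share a subnet: without SNAT the server would
        # ARP for the client and answer directly with its own IP, and the
        # client would reject a reply that does not come from the VIP.
        snat automap
        log local0. "Selective SNAT applied for [IP::client_addr]"
    } else {
        # Remote client: keep the original source address so the server
        # sees the real client IP and its reply routes back via the LTM.
        snat none
    }
}
```

Attach the iRule to the virtual server and watch /var/log/ltm while testing from a host on the server subnet to confirm the SNAT branch is taken.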