Forum Discussion
SSL protocol mismatch
- Oct 05, 2023
irbk That is correct. Unless you have some way of the F5 being able to look for a value in the client request that would define if it was intended to be SSL or not, you would have to split SSL and non-SSL into two different VS listening on different ports on the F5 side that is client facing.
This is interesting, with the SSL Profile (Client) and SSL Profile (Server) setup, doing a TCPdump capturing only the VS IP, I see 9 packets, none of which are an SSL/TLS negotiation. So it's like they aren't even trying the TLS communication or the communication is dying when they try to start the negotiation.
If I just have the SSL passthrough (i.e. "Performance (Layer4)") the connection succeeds and I clearly see the TLS negotiation taking place.
It's not easy to tell from a tcpdump output that there is any ssl negotiation happening unless you export it to wireshark. I would definitely see what ssldump output looks like.
- irbk, Oct 05, 2023, Cirrus
Oh, yeah, I exported the TCP dump direct to wireshark and it's absolutely clear that there is no TLS communication taking place. According to what I'm understanding Paulius is saying below, in an SSL Bridging mode, the F5 can't handle SSL and non-SSL traffic on the same port, which is exactly how this application communicates.
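What "a value in the client request" can look like in practice, as an added example that is not part of the thread and not F5 code: a Python check of whether the first client payload on a connection starts a TLS negotiation, which is the same thing the Wireshark export is being used to confirm. The sample payloads, the `LOGIN` line and the connection labels are constructed; the application's real protocol is not shown in the thread.

```python
import struct

TLS_HANDSHAKE = 0x16    # TLS record content type: handshake
CLIENT_HELLO = 0x01     # handshake message type: ClientHello
MAX_RECORD_LEN = 16384  # 2**14, upper bound for a plaintext TLS record

def classify_first_bytes(payload: bytes) -> str:
    """Classify the first bytes a client sends on a new TCP connection."""
    if not payload:
        return "no-data"  # client sent nothing (e.g. it waits for a banner)
    if payload[0] == TLS_HANDSHAKE:
        if len(payload) < 6:
            return "incomplete"  # need record header + handshake type
        _, major, minor, rec_len, hs_type = struct.unpack("!BBBHB", payload[:6])
        if (major == 3 and minor <= 4 and 0 < rec_len <= MAX_RECORD_LEN
                and hs_type == CLIENT_HELLO):
            return "tls-clienthello"
        return "no-clienthello"
    if payload[0] & 0x80:
        # SSLv2-style hello: 2-byte length with the high bit set,
        # message type 1, then the offered protocol version.
        if len(payload) < 5:
            return "incomplete"
        if payload[2] == CLIENT_HELLO and payload[3] in (0x00, 0x03):
            return "sslv2-style-clienthello"
    return "no-clienthello"

def triage(first_payloads: dict) -> dict:
    """Map each connection label to the classification of its first payload."""
    return {name: classify_first_bytes(p) for name, p in first_payloads.items()}

# Constructed sample data: first client payload per connection.
SAMPLES = {
    "conn-tls": bytes.fromhex("16030100c8010000c40303") + bytes(16),
    "conn-plain": b"LOGIN user1\r\n",   # hypothetical cleartext command
    "conn-silent": b"",                 # handshake only, no client data
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

A port that shows both `tls-clienthello` and `no-clienthello` first payloads is the mixed case described in the thread, where a single virtual server with a client SSL profile cannot serve every client.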