Forum Discussion

irbk's avatar
irbk
Icon for Cirrus rankCirrus
Oct 04, 2023

SSL protocol mismatch

Ok, I ended up way down a rabbit hole earlier this week.  That whole line of thought seemed to be a red herring.  BigIP LTM trying to load balance to MS Navision servers which don't use standard 80 o...
application delivery
LTM
ssl
  • Paulius's avatar
    Paulius
    Oct 05, 2023

    irbk That is correct. Unless you have some way of the F5 being able to look for a value in the client request that would define if it was intended to be SSL or not you would have to split SSL and non-SSL into two different VS listening on different ports on the F5 side that is client facing.

irbk's avatar
irbk
Icon for Cirrus rankCirrus

Yes, this is 100% correct.  Traffic starts out as just regular TCP traffic and then changes to TLS anc continues as both TLS and TCP traffic.  Here is wireshark output from a good connection (SSL passthrough).

You can see that the communication that's going on is both TCP and TLS traffic on the same port.  So are you saying the F5 is incapable of SSL bridging in this situation?

 

Paulius's avatar
Paulius
Icon for MVP rankMVP
Oct 05, 2023

irbk That is correct. Unless you have some way of the F5 being able to look for a value in the client request that would define if it was intended to be SSL or not you would have to split SSL and non-SSL into two different VS listening on different ports on the F5 side that is client facing.

  • irbk's avatar
    irbk
    Icon for Cirrus rankCirrus
    Oct 05, 2023

    Paulius I don't believe there's anyway I can tell the F5 "this is TLS traffic" vs "this is TCP traffic".  I'm positive there's no way for me to tell the server to splt the traffic to two different ports.  So it kind of sounds like my only option is the SSL passthrough.  Bummer.  Thanks for the assist!