Forum Discussion

Alex_30981
Mar 14, 2012

SSL server profile problem

Hello everybody,



I am having trouble in the SSL server profile setup of an LTM VE (Trial Version). I have surfed the Web looking for an answer but so far I have been unable to solve this problem.



What I want to do is SSL re-encryption by setting up a virtual server with two SSL profiles (client and server SSL profile). Unfortunately the server SSL profile seems to fail: when I connect with openssl from a client machine to the , the SSL handshake against the LTM is correctly fulfilled, but when I send a basic HTTP request it is not being forwarded to the backend server.



Analyzing network traces on all parties involved, I can see a correct SSL handshake between LTM and the two servers but there is no encrypted payload being sent from the LTM to the end machines.



I paste my server SSL profile down here:



profile serverssl VLAN3_SSL_PROFILE {
   defaults from serverssl
   key none
   cert none
   chain none
   ca file "VLAN3.crt"
   crl file none
   ciphers "DEFAULT"
   modssl methods disable
   renegotiate enable
   renegotiate period indefinite
   renegotiate size indefinite
   peer cert mode ignore
   unclean shutdown enable
   strict resume disable
   handshake timeout 60
   alert timeout 60
   cache size 262144
   cache timeout 3600
}





I should add that I have associated this profile to a virtual server with no issues and that there is no iRule involved whatsoever. In addition to this, I have reused the client SSL profile for an SSL OFFLOAD virtual address which actually works, which has led me to suspect that this is an SSL server profile problem only.



Theoretically the steps to achieve what I want to do should be pretty straightforward, but since this is the Trial Version I wonder if this could be some sort of bug. I will appreciate any help you can provide me. Thanks in advance!!






3 Replies

  • Hi Alex,

    from the release notes:

    ClientSSL and ServerSSL profiles on same virtual server (CR141545)

    When you assign both a ClientSSL and a ServerSSL profile to the same virtual server, the BIG-IP system forwards the client request successfully, but the client does not receive the response. To work around this issue, you can create two separate virtual servers that specify the same destination IP address and port. The first virtual server references the ClientSSL profile and an iRule that internally routes the connection to the second virtual server instead of to a load balancing pool. The second virtual server references the ServerSSL profile and the load balancing pool. The following is an example of an iRule assigned to a ClientSSL virtual server. The iRule includes the virtual command, which internally routes connections to a second virtual server named server_ssl_test. The second virtual server must have its VLAN disabled using the vlan none enable command:

     rule target_server_ssl {
      virtual server_ssl_test
     }
     pool b68_https { member }
     virtual client_ssl_test {
      profile http clientssl tcp
      rule target_server_ssl
     }
     virtual server_ssl_test {
      profile http serverssl tcp
      pool b68_https
      vlan none enable
     }


    Christian Koenning
  • I'd recommend getting a 45 day eval key for VE lab edition from your F5 or partner SE. You can then install any supported VE version and use all of the modules. The trial is only good for 10.1 and has some limitations like this server SSL profile issue.
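
An added example, not part of the thread or of F5's release notes: a small Python check that reads configuration in the bigpipe-style syntax shown above and lists virtual servers referencing both a clientssl-type and a serverssl-type profile, the combination the quoted release note (CR141545) describes. It assumes the one-line `profile ...` form inside `virtual` used in the release-note snippet; the sample config and the names `MY_CLIENT_SSL`, `reencrypt_vs` and `offload_vs` are constructed.

```python
import re

# Constructed sample in the bigpipe-style syntax used in this thread.
# Only VLAN3_SSL_PROFILE comes from the post; other names are hypothetical.
SAMPLE = """
profile serverssl VLAN3_SSL_PROFILE {
   defaults from serverssl
}
profile clientssl MY_CLIENT_SSL {
   defaults from clientssl
}
virtual reencrypt_vs {
   profile http MY_CLIENT_SSL VLAN3_SSL_PROFILE tcp
}
virtual offload_vs {
   profile http MY_CLIENT_SSL tcp
}
"""

# Matches "profile <type> <name> {" and "virtual <name> {" block headers.
HEADER = re.compile(r"^(profile|virtual)\s+(?:(\S+)\s+)?(\S+)\s*\{$")

def parse(text):
    """Return ({profile_name: type}, {virtual_name: [profile names]})."""
    # The built-in parent profiles can be referenced directly by name.
    ptypes = {"clientssl": "clientssl", "serverssl": "serverssl"}
    virtuals, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            kind, ptype, name = m.groups()
            current = name if kind == "virtual" and not ptype else None
            if current:
                virtuals[name] = []
            elif kind == "profile" and ptype:
                ptypes[name] = ptype      # custom profile -> its type
        elif line == "}":
            current = None                # end of the current block
        elif current and line.startswith("profile "):
            virtuals[current] += line.split()[1:]
    return ptypes, virtuals

def both_ssl_sides(text):
    """Virtual servers that carry a clientssl- and a serverssl-type profile."""
    ptypes, virtuals = parse(text)
    return sorted(v for v, profs in virtuals.items()
                  if {"clientssl", "serverssl"} <= {ptypes.get(p) for p in profs})

if __name__ == "__main__":
    print(both_ssl_sides(SAMPLE))
```

Custom profiles are resolved through their `profile <type> <name>` definitions, so a virtual server is reported even when neither profile is literally named `clientssl` or `serverssl`.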