Forum Discussion
SSL server profile with external website
Hello,
I'm trying to configure a VIP with SSL profile client and server. The backend node being a production external HTTPS website.
I configure clientssl for the client ssl, but everything I tried for serverssl didn't work.
How should I configure it?
Thanks !
--edit : not sure what happened, lost my original post
17 Replies
- nathe
Cirrocumulus
Bastien - I think you can simply use the default serverssl profile. Try that.
- nathe
Cirrocumulus
I wonder in the statistics do you see the connections to the pool member go up when you try and connect? This will check that the traffic gets to the pool member. To see if traffic goes back to the client you will have to run tcpdump on the ltm. Try a simple cmd to see if you're getting return traffic, tcpdump -nni 0.0 host x.x.x.x
N
- smp_86112
Cirrostratus
Not sure why, but I don't see your original post content. However if you are trying to configure a Virtual Server to load-balance connections to a Pool Member in a network which is not directly attached, you need to enable SNAT. Is SNAT enabled on the Virtual Server?
- nathe
Cirrocumulus
smp - I don't see the post either now (although I did before). I meant to mention SNAT also, as I suspected that the tcpdump wouldn't see any return traffic. Thanks.
- smp_86112
Cirrostratus
I see it now.
Nathan was right. The Client SSL Profile encrypts the client-side of the connection, and the Server SSL Profile encrypts the server-side of the connection. So if the connection to the Pool Member (the server-side) will be encrypted, you will need to apply a Server SSL Profile on the VIP. My comment about SNAT also still applies.
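As an added example (not from this thread or any of its posters), here is the setup smp_86112 and nathe describe written as tmsh commands: clientssl on the client side, serverssl on the server side, and automap SNAT so the external member's replies come back through the BIG-IP. The VIP address 198.51.100.5, the member address 203.0.113.10 and the https monitor (in place of the thread's gateway_icmp) are placeholders/assumptions.

```tmsh
# Added example, not the original poster's config. All addresses are placeholders.

# Pool with the external HTTPS site as its member. Using an https monitor means the
# health check exercises TCP/443 with TLS, which an external host is more likely to
# answer than ICMP echo. Monitor traffic is sourced from a self IP, so it also shows
# up in "tcpdump -nni 0.0 host 203.0.113.10" when the member is reachable.
create ltm pool ext_https_pool members add { 203.0.113.10:443 } monitor https

# Virtual server:
#   clientssl  - terminates TLS from the client (client side)
#   serverssl  - re-encrypts toward the pool member (server side)
#   automap    - rewrites the client source address to a self IP on the egress VLAN,
#                so a member that is not directly attached routes its reply back here
create ltm virtual vs_ext_https \
    destination 198.51.100.5:443 \
    ip-protocol tcp \
    profiles add { tcp http clientssl { context clientside } serverssl { context serverside } } \
    pool ext_https_pool \
    source-address-translation { type automap }

# Verification after a browser request to https://198.51.100.5/
show ltm pool ext_https_pool members   # member state should be available, not unknown/offline
show ltm virtual vs_ext_https          # server-side packets/bits should increase, not only client-side
```

If the member stays "unknown" and the tcpdump above shows no traffic to 203.0.113.10, the problem is routing or SNAT toward the member, not the SSL profiles.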
- Bastien_124165
Nimbostratus
Yes, SNAT is enabled, I do see connections in the VIP statistics. I also see inbound and outbound traffic for the client side, nothing server side.
- Bastien_124165
Nimbostratus
I made a test with a simple VIP with HTTP, no ssl profile, and it still doesn't work. I tried to configure AutoMap and a SNAT pool which contains my public IP, no luck.
- smp_86112
Cirrostratus
There's a number of different ways one could go trying to figure out what is wrong here...but I'm going to agree with Nathan again - the quickest way to figure out what is going on is by looking at the wire. So at this point I'd also suggest running this TCPDUMP command:
tcpdump -nni 0.0 host x.x.x.x
where x.x.x.x is the IP address of your Pool Member. Run that command while you are attempting to make a connection to the VIP.
- Bastien_124165
Nimbostratus
Odd, I don't even see traffic for the health monitor (gateway_icmp) for the test node (simply www.google.ca).
When going to the VIP, I can see my client connection, but nothing after that.
- smp_86112
Cirrostratus
It's tough to give you any useful input unless we can focus on specific behavior - we just don't have enough familiarity with your environment to understand all the potential possibilities.
Can you post the LTM config of the virtual server and the pool? You can anonymize the addresses if you feel it necessary.
- Bastien_124165
Nimbostratus
Automap and Source Address Translation are enabled.
When doing tcpdump -nni 0.0 host 74.125.131.94 I don't even see the monitor's echo ping!