Forum Discussion
SSLoffload not working
I am trying to set up SSL offload for an application hosted on LTM.
Below is the configuration:
- Imported SSL certificate.
- Created SSL Client profile with Imported SSL cert.
- HTTPS virtual server with SSL client cert.
- Associated Pool with port 8001
The error I am getting is that traffic is not reaching the backend servers. In Wireshark we are getting SYN->SYN-ACK->ACK->PSH ACK->ACK between client and VIP only. No traffic on backend servers.
Any suggestions?
8 Replies
- Samir_Jha_52506
Noctilucent
Please check the things below.
- Check if the backend server is listening on port 8001 (telnet) from the LB
- Enable SNAT Auto map to VIP.
If there is still a problem, paste the VS, pool & telnet output.
- Ganesh_Garg
Nimbostratus
Yes, Servers are listening on port 8001, and SNAT is set to Automap also.
-bash-3.00 telnet 100.96.52.201 8001
Trying 100.96.52.201...
Connected to 100.96.52.201.
Escape character is '^]'.
- Samir_Jha_52506
Noctilucent
You have SNAT enabled. Can you use tcpdump to check what's happening on the client and serverside connections? You can check SOL411 for details on tcpdump & curl. If you need help analyzing the output you can open a case with F5 Support.
sol411: Overview of packet tracing with the tcpdump utility http://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html
- Ganesh_Garg
Nimbostratus
There is no server-side traffic. Connection terminates at the client side only. After a successful handshake, push ack from client, and then fin ack.
- TechT
Nimbostratus
Can you try to configure a VS with port 80 and see if it forwards the traffic to the backend server? (Just want to make sure there are no issues with the VIP/pool config.)
- Ganesh_Garg
Nimbostratus
I have already configured a VIP with port 8001 and that is working as expected. The issue is only with SSL offloading.
- TechT
Nimbostratus
Try to do the things below; if possible, please paste the output here.
1) Check what response you are getting while hitting the https VIP URL: https://www.sslshopper.com/ssl-checker.html (to check if the profile is configured properly with certs and key)
2) Do a tcpdump like below for VIP and server when you hit the URL:
- tcpdump -nni 0.0 host
- tcpdump -nni 0.0 "host 100.96.52.201 and port 8001"
- Ganesh_Garg
Nimbostratus
That issue is resolved. The issue was actually that the servers we have configured behind the LB were WebLogic servers, so I had to enable SSL-proxy=true in the HTTP header to resolve the issue.
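The fix described in the last post, modelled as an added example (not code from the thread or from F5): an offloading proxy marks decrypted requests so the backend knows the client side was HTTPS, and drops any client-sent copy of that marker first so it cannot be spoofed. The header name WL-Proxy-SSL, the function name and the sample request are assumptions; the post writes the setting as SSL-proxy=true.

```python
# Added illustration. Models the header rewrite an SSL-offloading proxy applies
# before forwarding a decrypted request to the pool in cleartext.

OFFLOAD_HEADER = "WL-Proxy-SSL"  # assumed name of the WebLogic offload header


def rewrite_for_backend(raw_request: bytes, client_side_tls: bool) -> bytes:
    """Return the request bytes to send to the backend.

    Any copy of the offload header sent by the client is dropped, so a client
    cannot claim TLS on its own. The proxy adds the header only when it really
    terminated TLS for this connection.
    """
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request head")
    lines = head.split(b"\r\n")
    request_line, headers = lines[0], lines[1:]

    kept = []
    for line in headers:
        name, colon, _ = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        # Header names are case-insensitive; compare after normalising.
        if name.strip().lower() == OFFLOAD_HEADER.lower().encode():
            continue  # client-supplied value is untrusted, discard it
        kept.append(line)

    if client_side_tls:
        kept.append(OFFLOAD_HEADER.encode() + b": true")
    return b"\r\n".join([request_line, *kept]) + sep + body


# Constructed sample: a client on a plain-HTTP listener tries to spoof the header.
SPOOFED = (
    b"GET /app/login HTTP/1.1\r\n"
    b"Host: app.example.test\r\n"
    b"wl-proxy-ssl: true\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(rewrite_for_backend(SPOOFED, client_side_tls=False).decode())
    print(rewrite_for_backend(SPOOFED, client_side_tls=True).decode())
```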