Forum Discussion

pjcampbell_7243
Feb 01, 2017

The underlying connection was closed: An unexpected error occurred on a receive

I have a 2008 IIS server with a .NET 1.1 framework client talking to another 2008 server through an LTM virtual server with SSL offloading.

 

Whenever the .NET client tries to talk to the Virtual I get a "The underlying connection was closed: An unexpected error occurred on a receive" back.

 

This works fine if I remove the client/server ssl profile and pass through but breaks when ssl client and server profiles are applied.

 

HTTP profile on or off does not matter. OneConnect on or off does not matter. Single pool member for testing.

 

I've tried using an iRule to respond immediately to the 100 continue. I've tried turning off the 100 continue from client side. Neither help, no real reason to think this is an issue but just in case.

 

I set up an iRule to log the request and response and it looks to me like the response is incomplete.

 

I believe this broke when we went from 10.2.4 to 11.5.3 ... It has been a long time, I'm just getting back to it.

 

Any suggestions on what else to try? I can't remove the serverssl profile and send requests back to the pool member in plaintext unfortunately. It only talks via SSL.

 

  • This was worked around by enabling the client ssl option "Don't insert empty fragments". Seems to have something to do with CBC ciphers

     

    Apparently this option is supposed to be enabled by default but on our system it is "options none" on the default client ssl profile. I suspect it has something to do with us maintaining the same config since v7 or v8 and upgrading on top over the years to v9 v10 and then v11.

     

    Interestingly, with it breaking from v10 to v11, I still have old configs from our v10 setup and it's "options none" there also. This doesn't seem to be a new option.
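To illustrate what "Don't insert empty fragments" changes, here is an added example that is not part of the original thread or of any F5 or .NET code. With CBC cipher suites on SSLv3/TLS 1.0, OpenSSL-style senders emit a zero-length application_data record ahead of each real record as a countermeasure against chosen-plaintext attacks on CBC; a client whose receive path treats a record that decrypts to zero bytes like a socket read returning 0 then believes the peer closed the connection. The records below are constructed plaintext-only records (no cipher, no MAC) so the record length equals the application-data length; the record builder, the two sender functions, the two readers and the sample HTTP response are all assumptions made for the demonstration, not a model of the actual .NET 1.1 client.

```python
# TLS record-layer demo: why an "empty fragment" breaks a naive reader.
# Constructed example: plaintext records only, no encryption or MAC.
import struct

APPLICATION_DATA = 23      # TLS ContentType application_data
TLS10 = (3, 1)             # ProtocolVersion for TLS 1.0


def build_record(content_type, payload, version=TLS10):
    """Build one TLS record: type(1) | version(2) | length(2) | fragment."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(payload)) + payload


def iter_records(stream):
    """Split a byte stream into (content_type, fragment) tuples,
    rejecting truncated headers or bodies."""
    off = 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        off += 5
        if len(stream) - off < length:
            raise ValueError("truncated record body")
        yield ctype, stream[off:off + length]
        off += length


def sender_with_empty_fragments(chunks):
    """Mimic the CBC countermeasure: a zero-length application_data record
    is written before each real one (profile option "options none")."""
    out = b""
    for chunk in chunks:
        out += build_record(APPLICATION_DATA, b"")
        out += build_record(APPLICATION_DATA, chunk)
    return out


def sender_without_empty_fragments(chunks):
    """Mimic the profile with "Don't insert empty fragments" enabled."""
    return b"".join(build_record(APPLICATION_DATA, c) for c in chunks)


def naive_read_response(stream):
    """Buggy reader (assumed): a zero-byte application_data fragment is taken
    as end of stream, so everything after it is dropped."""
    body = b""
    for ctype, frag in iter_records(stream):
        if ctype != APPLICATION_DATA:
            continue
        if len(frag) == 0:
            break  # mistaken "connection closed"
        body += frag
    return body


def correct_read_response(stream):
    """Correct reader: zero-length fragments are legal and simply carry no data."""
    body = b""
    for ctype, frag in iter_records(stream):
        if ctype == APPLICATION_DATA:
            body += frag
    return body


# Constructed sample response, split as two application-data writes.
RESPONSE_CHUNKS = [b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n", b"hello"]


if __name__ == "__main__":
    with_empty = sender_with_empty_fragments(RESPONSE_CHUNKS)
    without_empty = sender_without_empty_fragments(RESPONSE_CHUNKS)
    print("records on the wire with empty fragments:", len(list(iter_records(with_empty))))
    print("naive reader, empty fragments on  :", naive_read_response(with_empty))
    print("naive reader, empty fragments off :", naive_read_response(without_empty))
    print("correct reader, empty fragments on:", correct_read_response(with_empty))
```

With empty fragments on, the naive reader returns an empty body, which is what an "incomplete response" looks like from an iRule log; disabling the insertion on the client-ssl profile (or fixing the reader) gives the full response. Note that the option only matters for CBC suites on SSLv3/TLS 1.0, so an alternative to the workaround is restricting the profile's cipher list to suites the client handles without it.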

     

  • I am guessing the .NET server's SSL ciphers don't work with F5's default ciphers. I am thinking probably it has something to do with SSLv3 being un-supported in recent F5 code versions. You may have to change the cipher settings on the SSL profile to make sure that it is compatible with the .NET server. Also, check the F5 logs to see if you are seeing any specific SSL errors.

     

    K17370 - F5 default ciphers for 12.x

     

  • This is one of those "I wouldn't do it myself" moments, but have you tried using COMPAT as the cipher string? It'll let you go as low as SSL2.

     

    Also, have you verified that the client actually uses HTTPS? If the LB is doing offloading chances are that the server is not using any secure bindings? If you'd remove the profiles in that case it'd work while adding them would make the connection fail (as the client talks HTTP when the LB expects SSL initiation).

     

    /Patrik

     

  • Have you tried changing the http profile chunking response from 'selective' to rechunk?

     

    • pjcampbell_7243

      I hadn't tried it but I just tried it with no change. Thanks for the suggestion though.

       
