TLS 5 second delay before establishing TLS client Hello
I have a configuration for BEA Weblogic that is configured with a "one-armed" configuration, AutoSNAT, and SSL passthrough. When my clients come to the VIP they are experiencing a 5 second delay. When they go to the server's real IP for testing, they are able to process transactions in milliseconds. I require TLS, and the server holds the certs as I just pass the SSL traffic through. I have a packet capture and have noted the delay seems to be between the https (port 443) from VIP to client and another packet sent from VIP to client for TLS client Hello. Has anyone seen anything like this before?
- Kevin_Stewart (Employee)
When you say "SSL passthrough", can I assume you mean no client and server SSL profiles on the VIP? If so, the CLIENTHELLO should be coming from the back end server? Can you watch both sides of the connection in parallel to verify?
- What_Lies_Bene1 (Cirrostratus)
So your capture shows an immediate response from the server, but a 5s delay client side? What type of VS have you configured please?
- Niqichick_13681 (Nimbostratus)
There are no client/server SSL profiles applied to this connection for this VIP, although there are other VIPs that do have those configurations. I do see the CLIENTHELLO coming from the backend server and I have packet captures from both sides of the connections at the same point in time to verify. They both show the 5 second delay from the https packet to the CLIENTHELLO packet.
- Kevin_Stewart (Employee)
And just to verify, you see this delay on both sides of the proxy, as in the delay is being produced at the server?
- Niqichick_13681 (Nimbostratus)
Yes, that is correct. So as to be clear, when the client makes the request to the server, when it responds on the AutoSNAT translated port that is not 443, it takes +5 seconds. You can see the delay on packet captures that align in time from both f5 and the server.
- Niqichick_13681 (Nimbostratus)
Type of VS is host, standard
- What_Lies_Bene1 (Cirrostratus)
OK, thanks. You may want to switch to a Performance (Layer 4) VS unless you are using any layer 7 features (such as an HTTP profile), which I doubt.
- Kevin_Stewart (Employee)
A few more questions:
"I have a packet capture and have noted the delay seems to be between the https (port 443) from VIP to client and another packet sent from VIP to client for TLS client Hello."
The TLS CLIENTHELLO message should be coming from the client. Can you elaborate on where this delay is happening? Is it consistent? And is it only in the TLS handshake, or throughout the session?
- Niqichick_13681 (Nimbostratus)
I have tried both Performance and Standard with no change. I am seeing the TLS ClientHello from the VIP. I have verified that it always appears this way in the packet captures. The delay is after the VIP sends TCP https (443) traffic; then there is a 5-second delay. Then the ClientHello from the VIP (I also agree this is weird). After that there is an immediate ServerHello, Certificate from the real IP to the VIP.
- Niqichick_13681 (Nimbostratus)
Sorry, I have reconfirmed with my tester and he is saying we are seeing the ClientHello from the floater IP.
- Kevin_Stewart (Employee)
I have to say I'm at a loss. Unless I'm missing some detail, or there's something unusual about this configuration, there is absolutely no reason why a CLIENTHELLO message would be coming from the server side of a TLS handshake. Is there an iRule? Is there anything going on in the web server's application logic that might be causing a reach-back? Can you post the network capture from both sides of the F5?
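The thread keeps coming back to two questions: how long the gap between TCP setup and the ClientHello really is on each side of the BIG-IP, and which endpoint actually sends the ClientHello. The script below is an added example, not part of the original discussion or any F5 tool, that answers both from a simplified capture (timestamp, addresses, TCP flags, first bytes of payload). It keys each flow on the SYN sender rather than on "the client", because with SNAT the BIG-IP is the TCP initiator toward the pool member, so on the server-side capture the forwarded ClientHello is legitimately sourced from the SNAT or floating self IP; what would be anomalous is a ClientHello from the endpoint that answered the SYN. All addresses and packets are constructed for illustration, and the ClientHello/ServerHello payloads are only the record and handshake headers that the classifier needs.

```python
"""Added example: time the TCP-setup-to-ClientHello gap per flow and check
which endpoint sent the ClientHello. Capture data below is constructed."""
from dataclasses import dataclass

TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_NAMES = {0x01: "ClientHello", 0x02: "ServerHello", 0x0B: "Certificate"}


@dataclass
class Packet:
    ts: float          # capture timestamp in seconds
    src: str
    dst: str
    flags: str         # TCP flags as tcpdump prints them: S, SA, A, PA
    payload: bytes = b""


def tls_handshake_name(payload: bytes):
    """Name of the handshake message if the segment starts a TLS handshake record, else None.

    TLS record header is type(1) version(2) length(2); the handshake message type
    is the byte that follows it.
    """
    if len(payload) < 6 or payload[0] != TLS_RECORD_HANDSHAKE:
        return None
    return HANDSHAKE_NAMES.get(payload[5], "Handshake(0x%02x)" % payload[5])


def analyse_flows(packets):
    """Group packets into flows keyed by (SYN sender, responder) and time the TLS start.

    Per flow: established_ts (initiator's bare ACK completing the handshake, or the
    SYN if none was seen), first ClientHello/ServerHello timestamps, the ClientHello
    source, the delay from TCP setup to ClientHello, and whether the ClientHello
    came from the endpoint that sent the SYN.
    """
    flows = {}
    for p in sorted(packets, key=lambda pk: pk.ts):
        if p.flags == "S":
            flows[(p.src, p.dst)] = {
                "syn_ts": p.ts, "established_ts": None,
                "client_hello_ts": None, "client_hello_src": None, "server_hello_ts": None,
            }
            continue
        key = (p.src, p.dst) if (p.src, p.dst) in flows else (p.dst, p.src)
        f = flows.get(key)
        if f is None:
            continue  # no SYN seen for this pair: capture started mid-connection
        if p.flags == "A" and not p.payload and f["established_ts"] is None:
            f["established_ts"] = p.ts
        name = tls_handshake_name(p.payload)
        if name == "ClientHello" and f["client_hello_ts"] is None:
            f["client_hello_ts"], f["client_hello_src"] = p.ts, p.src
        elif name == "ServerHello" and f["server_hello_ts"] is None:
            f["server_hello_ts"] = p.ts
    for (initiator, _responder), f in flows.items():
        start = f["established_ts"] if f["established_ts"] is not None else f["syn_ts"]
        f["delay"] = None if f["client_hello_ts"] is None else f["client_hello_ts"] - start
        f["hello_from_initiator"] = f["client_hello_src"] == initiator
    return flows


def report(flows):
    """One line per flow; flags a ClientHello that did not come from the SYN sender."""
    lines = []
    for (initiator, responder), f in flows.items():
        if f["delay"] is None:
            lines.append(f"{initiator} -> {responder}: no ClientHello seen")
            continue
        note = "" if f["hello_from_initiator"] else "  ** ClientHello from responder, not SYN sender **"
        lines.append(f"{initiator} -> {responder}: TCP setup -> ClientHello {f['delay']:.3f}s "
                     f"(sent by {f['client_hello_src']}){note}")
    return lines


# Constructed addresses (documentation ranges): client, VIP, SNAT/floating self IP, pool member.
CLIENT, VIP, SNAT, SERVER = "192.0.2.50", "198.51.100.10", "198.51.100.11", "10.0.1.20"
# Record header + handshake type only; enough for classification, constructed.
CLIENT_HELLO = bytes.fromhex("160301002f01")   # handshake record, then ClientHello (0x01)
SERVER_HELLO = bytes.fromhex("160303003a02")   # handshake record, then ServerHello (0x02)

# Constructed capture: the same 5 s gap appears on the client side and on the
# SNAT side, and the ClientHello on the server side is sourced from the SNAT address.
SAMPLE_CAPTURE = [
    Packet(0.000, CLIENT, VIP, "S"),
    Packet(0.001, VIP, CLIENT, "SA"),
    Packet(0.002, CLIENT, VIP, "A"),
    Packet(0.003, SNAT, SERVER, "S"),
    Packet(0.004, SERVER, SNAT, "SA"),
    Packet(0.004, SNAT, SERVER, "A"),
    Packet(5.003, CLIENT, VIP, "PA", CLIENT_HELLO),
    Packet(5.004, SNAT, SERVER, "PA", CLIENT_HELLO),
    Packet(5.006, SERVER, SNAT, "PA", SERVER_HELLO),
    Packet(5.007, VIP, CLIENT, "PA", SERVER_HELLO),
]

if __name__ == "__main__":
    for line in report(analyse_flows(SAMPLE_CAPTURE)):
        print(line)
```

To run this against a real capture, replace SAMPLE_CAPTURE with packets read from the front-side and server-side tcpdump files (both taken on the BIG-IP so the clocks match) and compare the two delays: a gap that is already present on the client-side flow before the BIG-IP has forwarded anything points at the client, while a gap that appears only on the SNAT-side flow points at the BIG-IP or the server.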