Forum Discussion
VS not working on 443
Does the backend pool member host multiple domains?
I am wondering if it uses SNI to determine the page being requested, but when you perform SSL bridging on the F5 no SNI is presented to the webserver. It may then default to a domain for which 'GET /' doesn't have any associated content.
What was the tcpdump command used to produce the output you provided above?
You could do a tcpdump on the F5 VS, i.e. F5 clientside, to capture the TLS establishment - the server name extension in the client hello would show what is being requested. As a quick check you could copy this into the Server Name field within the server SSL profile. Note that if that turned out to be the issue you would need a longer-term solution to insert the appropriate SNI on the serverside. DevCentral has a few iRule options, but I think later versions of software may now allow it to be done automatically.
Don't think the backend is hosting multiple domains but will double check that. tcpdump -nni 0.0:nnnp -s0 -w /var/tmp/<filename>.pcap host <ip address of the source> was the command I had used to run the capture on the F5.
@jaikumar_f5 - TCP on the service port is being used as the health monitor. Would definitely explore the options suggested by you & =KT=. Thanks!