Forum Discussion

paolodaniele's avatar
paolodaniele
Icon for Altostratus rankAltostratus
Sep 19, 2022

WSS LTM not passing data correctly

Hi, i'm having some trouble about running an Virtual Server in front of a K3s ingress. I've setted up 4 virtual server, all point to the same destination address, but different port (different pool...
error
security
virtual server
websocket
ws
wss
  • mdevlin's avatar
    mdevlin
    Oct 06, 2022

    Hi Paolo, 

    Thank you for your time today, im glad we could determine what was wrong.

    A few steps we took that helped us confirm first off, that no truncating was happening in the headers, was to capture the connection in a tcpdump with the f5 high detail peer options (:nnnp), that showed us the payload on the backend as being perfect.  No truncating happening.

    tcpdump -vvv -s0 -ni 0.0:nnnp host <f5 VIP> and port <f5 virtual server port>

     

    One of the key factors to identifying what was the issue here was something you sent me in a private message.  Removing the http profile, which subsequently resultied in the websocket, waf and clientssl profile to be removed, allowed the connection to work.  The wss:// call, not ws://.  

    Because this was a WSS or WebSocket Secure call, the server was expecting a TLS session, and our configuration was doing TLS offloading at the f5, and sending the traffic plain text to the server.  Why the application generated an "ERR_TRUNCATE_HEADERS" message is purely speculation at this point, but i suspect it was because the headers were all encrypted and thus exceeded the maximum for the application.

    I would normally expect to see 400 errors with HTTP, so the backend encryption wasnt jumping out at me sooner.

    Im glad that we could resolve this matter, and please let myself and f5 know if there is anything else we can do to assist you in the future.

    Cheers

    Mike

mdevlin's avatar
mdevlin
Icon for Employee rankEmployee
Sep 22, 2022

paolodaniele What version of code are you running?

Have you uploaded a qkview to ihealth? 

Can you provide us the configurations of your virtual server, iRules (if applicable), policies and profiles (if you cant upload a qkview)

  • mdevlin's avatar
    mdevlin
    Icon for Employee rankEmployee
    Sep 22, 2022

    Additionally, if you remove the ASM security profile (for testing purposes), does it function as required/desired?

    • paolodaniele's avatar
      paolodaniele
      Icon for Altostratus rankAltostratus
      Sep 22, 2022

      I've tried to remove the ASM and it's not work.

      Btw the version 16.1.2.2 so i've not the problem that had older version (i've done some digging before writing you!)

      As i told to buulam i'm pretty noob with f5 and i didn't know the iHealth portal. I'm uploading the file to check with the tool.

      If i cannot find anything i'll post you the config part (i've to blur some ip and name for gdpr privacy)

      Thank you

      • mdevlin's avatar
        mdevlin
        Icon for Employee rankEmployee
        Sep 22, 2022

        Hey paolodaniele,

        If you message me directly your email address for iHealth, i will be able to review your config on it directly, and investigate the matter further.