
F5 | LTM | Server Hello packet is not coming


Hi Team,

Hope you all are doing great!

I have an issue where I have an F5 LTM VS (Standard - SSL Passthrough, no client/server SSL profile).

Issue - URL is not accessible, getting the error message "site can't be reached".

Bypassing the LB it works properly. I took a packet capture and observed that the TCP handshake is happening but the SSL handshake is not happening. Client hello is coming but Server hello is not happening, and there is no error message in the packet capture.

Please let me know if the issue is with F5 or not.






@RAQS can you please provide the configuration of the virtual server so we can look at this a bit more in depth? My first guess is that because you aren't performing SSL termination you most likely have a configuration option applied that is attempting to look at the traffic, such as an HTTP profile, and those settings might cause this behavior for you.

ip-protocol tcp
persist {
    abc_Dest_Addr {
        default yes
    }
}
pool abc.com_https
profiles { { }
serverssl-use-sni disabled
source-address-translation {
    type automap
}
translate-address enabled
translate-port enabled
vs-index 477

@RAQS May I have the configuration of that profile? Based on the rest of that configuration this should work. This is all assuming that the appropriate firewall rules are in place to allow you to reach the F5 and the F5 to reach the pool members on the self-IP closest to the destination pool members.


@Paulius ==> updated packet capture screenshot. Connectivity is in place. TCP handshake is happening. But SSL handshake is not happening. Regarding that TCP timeout, it's all default values, only idle timeout is set as 600 seconds.

Any help?

Can you do the curl command via the CLI from the BIG-IP toward the pool member?

To be honest, if you send a client hello and there is no response, I would start with looking at the server. Does it perhaps have certain ACLs or such?

@RAQS can you run the following tcpdump on the F5 please? For a bit more accurate tcpdump you can replace the IP in the following command with the IP of the client.

tcpdump -nni 0.0:nnp host

As @boneyard has stated I would also ensure that you can curl from the F5 to the pool members as well and receive a valid response from them.
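
An added example, not part of the thread or any poster's code: once a capture covers both the client side and the server side of the BIG-IP, the question "is it the F5 or the pool member" comes down to which side last saw the ClientHello and whether any ServerHello came back. The sketch below assumes each direction of the flow has already been reassembled into a byte string; the function names and the sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, ALERT = 22, 21                      # TLS record content types
HS_NAMES = {1: "ClientHello", 2: "ServerHello"}

def record(ctype, body, version=0x0303):
    """Build one TLS record (used only to construct the sample streams)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def tls_records(stream):
    """Name each TLS record in one direction of a reassembled TCP stream.
    Only the first handshake message of a record is inspected, which is
    enough to tell ClientHello, ServerHello and alerts apart."""
    names, off = [], 0
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if ctype == HANDSHAKE and body:
            names.append(HS_NAMES.get(body[0], "Handshake(%d)" % body[0]))
        elif ctype == ALERT and len(body) >= 2:
            names.append("Alert(%d)" % body[1])
        else:
            names.append("Record(%d)" % ctype)
        off += 5 + length
    return names

def locate_fault(client_side, server_side):
    """Each argument is (bytes toward server, bytes toward client) for the
    flow as seen on that side of the load balancer."""
    c_out, c_in = (tls_records(s) for s in client_side)
    s_out, s_in = (tls_records(s) for s in server_side)
    if "ClientHello" not in c_out:
        return "no ClientHello from client"
    if "ClientHello" not in s_out:
        return "ClientHello not forwarded to pool member: check the virtual server"
    if "ServerHello" not in s_in:
        reply = s_in[0] if s_in else "nothing"
        return "pool member answered with %s: check the server" % reply
    if "ServerHello" not in c_in:
        return "ServerHello not relayed to client: check the return path"
    return "handshake progressing"

# Constructed sample: stub hello bodies (type byte + 3-byte length), not real captures.
CH = record(HANDSHAKE, b"\x01\x00\x00\x00")
SH = record(HANDSHAKE, b"\x02\x00\x00\x00")

if __name__ == "__main__":
    print(locate_fault((CH, b""), (CH, b"")))   # the symptom described in the thread
```
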