
SSL issue

Adolfo
Nimbostratus

Hello there,

We have an F5 LTM with a virtual server configured for a server on port 443. The topology is:

Computer --> F5 LTM --> switch --> server

When we try to connect to the server over HTTPS we see the message "Connection reset" in the browser, but if we connect without going through the F5 the connection succeeds. We don't have any client or server SSL profile configured.

 

This is the configuration on the F5:

 

#Virtual Server
#________________________________________________________________________________

ltm virtual /Common/Server1 {
   destination /Common/10.1.5.X:443
   ip-protocol tcp
   mask 255.255.255.255
   pool /Common/Server1
   profiles {
       /Common/tcp { }
   }
   source 0.0.0.0/0
   translate-address enabled
   translate-port enabled
}

#________________________________________________________________________________
#Pools
#________________________________________________________________________________

ltm pool /Common/Server1 {
   members {
       /Common/10.1.7.X:443 {
           address 10.1.7.X
       }
   }
   monitor /Common/https_443
}

#________________________________________________________________________________
#Profiles
#________________________________________________________________________________

# -Default Profile-
ltm profile tcp tcp {
   ack-on-push enabled
   close-wait-timeout 5
   congestion-control high-speed
   deferred-accept disabled
   delayed-acks enabled
   ecn disabled
   fin-wait-timeout 5
   idle-timeout 300
   keep-alive-interval 1800
   limited-transmit enabled
   max-retrans 8
   nagle disabled
   proxy-buffer-high 49152
   proxy-buffer-low 32768
   proxy-mss disabled
   proxy-options disabled
   receive-window-size 65535
   reset-on-timeout enabled
   selective-acks enabled
   send-buffer-size 65535
   slow-start enabled
   syn-max-retrans 3
   time-wait-recycle enabled
   time-wait-timeout 2000
   timestamps enabled
}

 

As you can see, we don't have any client or server SSL profile, and we tried changing "translate-port" to disabled and "Source Address Translation" to Auto Map, but neither worked.

 

We also took a tcpdump and can see the TCP reset coming from 10.1.7.X (tcpdump.png), and we have output from curl (curl.png), openssl (openssl.png and openssl2.png) and telnet (telnet.png).

[Attached screenshots: tcpdump.png, curl.png, openssl.png, openssl2.png, telnet.png]

Hope you can help us to find out what's going on.

 

Thank you.

Andrew-F5
F5 Employee

Your virtual server is very simple with no profiles that should interfere.

 

Telnet isn't a good test for SSL connections beyond showing that the port is open; use openssl or another utility to test the connection.

 

You have to have some sort of SNAT translation enabled because your virtual server and pool member exist on different networks. Automap should be fine assuming you have a valid self-ip configured.

 

The F5 is not manipulating the SSL handshake, and certainly not the HTTP traffic, considering it can't decrypt any of it due to SSL passthrough being configured here.

 

Given the very simple configuration of the virtual server, this would seem more likely to be an issue with the server or a device between the F5 and the server.

 

You can take a capture with F5 'noise' to see the reset cause:

tcpdump -s0 -ni 0.0:nnnp host 10.1.7.x and host source_ip
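The reply's point is that telnet only proves the TCP three-way handshake completes, while the browser's "Connection reset" happens later, so the useful test is one that tells you at which stage the connection dies. The script below is an added example, not code from the original thread or from F5; it does the openssl-style handshake check in Python and reports the stage reached (TCP refused, TCP handshake done but reset while waiting for the ServerHello, TLS alert, or handshake complete), so you can run it once against the virtual server address and once against the pool member and compare. The hosts on the command line and the local "reset server" used to exercise it are assumptions constructed for illustration; nothing here talks to a real F5.

```python
"""Stage-by-stage HTTPS probe: tells "TCP port open" apart from "TLS handshake completes".

Added example, not part of the original thread. Hosts, ports and the local
test server below are constructed for illustration.
"""
import socket
import ssl
import struct
import sys
import threading


def probe_tls(host, port, server_name=None, timeout=5.0):
    """Return {"stage": ..., "detail": ...} describing how far an HTTPS
    connection to host:port gets.

    Stages:
      tcp_refused / tcp_timeout / tcp_error  no TCP connection at all
      tcp_reset_during_tls                   3-way handshake completed (what telnet
                                             calls "open"), then a RST arrived while
                                             waiting for the ServerHello
      closed_during_tls                      peer closed cleanly (FIN) mid-handshake
      tls_error                              TLS alert or protocol error
      tls_ok                                 handshake completed
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as e:
        return {"stage": "tcp_refused", "detail": str(e)}
    except (socket.timeout, TimeoutError) as e:
        return {"stage": "tcp_timeout", "detail": str(e)}
    except OSError as e:
        return {"stage": "tcp_error", "detail": str(e)}

    # Diagnostic context: we want to know whether the handshake completes,
    # not whether the certificate is trusted, so verification is off here.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return {"stage": "tls_ok",
                    "detail": "%s %s" % (tls.version(), tls.cipher()[0])}
    except ConnectionResetError as e:
        return {"stage": "tcp_reset_during_tls", "detail": str(e)}
    except ssl.SSLEOFError as e:
        return {"stage": "closed_during_tls", "detail": str(e)}
    except ssl.SSLError as e:
        return {"stage": "tls_error", "detail": str(e)}
    except OSError as e:
        return {"stage": "tcp_error", "detail": str(e)}
    finally:
        sock.close()


def start_reset_server():
    """Constructed stand-in for a backend that completes the TCP handshake and
    then resets the connection once the ClientHello arrives. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(1)  # wait until the client has sent (part of) its ClientHello
        # SO_LINGER with a zero timeout makes close() send RST instead of FIN
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def reserve_closed_port():
    """Return a loopback port that nothing is listening on (for the refused case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def compare_paths(vip, member, port=443, timeout=5.0):
    """Probe the virtual server address and the pool member directly."""
    return {"via_virtual_server": probe_tls(vip, port, timeout=timeout),
            "direct_to_member": probe_tls(member, port, timeout=timeout)}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python probe.py <virtual-server-ip> <pool-member-ip>
        for path, r in compare_paths(sys.argv[1], sys.argv[2]).items():
            print("%-20s %-22s %s" % (path, r["stage"], r["detail"]))
    else:
        # offline demo against the constructed local reset server
        print(probe_tls("127.0.0.1", start_reset_server()))
```

Run it as `python probe.py 10.1.5.X 10.1.7.X` with the real addresses filled in. If the direct path reports `tls_ok` and the path through the virtual server reports `tcp_reset_during_tls`, the reset is arriving after the TCP handshake but before the ServerHello, which is exactly the window telnet cannot see; pair that with the `:nnnp` capture above to read the reset cause the F5 annotates.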