VS not working on 443

Question

Hey Folks,&nbsp;Need advise on a issue that I have been working on since yesterday, details below.&nbsp;We have a VS on 443, with the backend member on 443 as well. Whenever the users are trying to access the F5 URL it throws a 404 error , however, if they try to access it directly (by passing the F5 and accessing the backend member directly) it gives the login page. The wireshark capture shows that the backend member is sending a 404 response to the GET HTTP request from the F5. Even the network trace shows the same. The app owner says, it's got to do something with the F5 since bypassing it makes the app work fine. My assumption is that the URL in the http header isn't being recognized by the backend member. Any ideas or suggestions in getting this fixed please. &nbsp;Wireshark capture&nbsp;41	14.962775	10.130.51.250	192.168.97.42	HTTP	926	OUT s1/tmm0 : GET / HTTP/1.1&nbsp;42	14.964862	192.168.97.42	10.130.51.250	TLSv1.2	733	IN&nbsp;s1/tmm0 : [TLS segment of a reassembled PDU]43	14.964878	10.130.51.250	192.168.97.42	TCP	216	OUT s1/tmm0 : 56140 → 443 [ACK] Seq=1042 Ack=2663 Win=15882 Len=0 TSval=3825198007 TSecr=31829837544	14.965236	192.168.97.42	10.130.51.250	HTTP	949	IN&nbsp;s1/tmm0 : HTTP/1.1 404 Not Found&nbsp;(text/html), Alert (Level: Warning, Description: Close Notify)45	14.965246	10.130.51.250	192.168.97.42	TCP	216	OUT s1/tmm0 : 56140 → 443 [ACK] Seq=1042 Ack=3397 Win=16615 Len=0 TSval=3825198008 TSecr=31829837546	14.965295	10.130.51.250	192.168.97.42	TCP	216	OUT s1/tmm0 : 56140 → 443 [FIN, ACK] Seq=1042 Ack=3397 Win=16615 Len=0 TSval=3825198008 TSecr=31829837547	14.965301	10.130.51.136	10.24.229.138	TLSv1.2	721	OUT s1/tmm0 : [TLS segment of a reassembled PDU]48	14.965376	10.130.51.136	10.24.229.138	HTTP	906	OUT s1/tmm0 : HTTP/1.1 404 Not Found&nbsp;(text/html)

mayur_sutare · Answer

First I would recommend you to verify vServer configuration. Can you please confirm below settings on your vServer?&nbsp;Client &amp; Server SSL profilesSNAT &nbsp;

wannabe_f5admin · Answer

Hi Mayur,&nbsp;We have the client ssl as well as the server ssl configured on the VS.. As far as the SNAT is concerned, I don't think it's relevant here. If there was an issue with the SNAT, the page itself won't load, but here that's not the case. The page does load but it's giving a 404 error

abed_al-r · Answer

Is is working fine when you setup the VS as performance layer4 ?

Have you tried the standard VS without http profile attached to it ?

Which F5 version are you running ?

And do you see some error messages while reproducing the issue in "tailf /var/log/ltm" ?

While loading the application in browser do you see CORS error or any other error other than the 404 ?

_kt_ · Answer

Does backend pool member host multiple domains?

I am wondering if it uses SNI to determine the page being requested, but when you perform SSL bridging on the F5 no SNI is presented to the webserver. It may then default to a domain for which 'GET /' doesn't have any associated content.

What was the tcpdump command used to produce the output you provided above?

You could do a tcpdump on the F5 VS, i.e. F5 clientside, to capture the TLS establishment - the server name extension in the client hello would show what is being requested. As a quick check you could copy this into the Server Name field within the server SSL profile. Note that if that turned out to be the issue you would need a longer term solution to insert the appropriate SNI on the serverside. Devcentral has a few iRule options, but I think later versions of software may now allow it to be done automatically.

jaikumar_f5 · Answer

I agree to &nbsp;, if SNI is playing a role here, you'd see this behavior too. You'll need your serverssl profile fixed with SNI fields.&nbsp;There could be site binding as well on the webservers. Look in that aspect as well.What are the headers being passed when you directly access the server url and the header being passed when access through main bigip url. It might give some clue too.&nbsp;Also curious to know what monitoring have you put for your pool members.

Forum Discussion

VS not working on 443

9 Replies

Recent Discussions

F5 loadbalancer not working

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Related Content

F5 health 443 monitor issue with Atlassian Conluence

F5 iRUule not working

monitor does not work https

How Proxy SSL works on BIG-IP

F5 SMTP Fast Template - SNAT Not working as expected