cancel
Showing results for 
Search instead for 
Did you mean: 

VS not working on 443

Hey Folks,

 

Need advise on a issue that I have been working on since yesterday, details below.

 

We have a VS on 443, with the backend member on 443 as well. Whenever the users are trying to access the F5 URL it throws a 404 error , however, if they try to access it directly (by passing the F5 and accessing the backend member directly) it gives the login page. The wireshark capture shows that the backend member is sending a 404 response to the GET HTTP request from the F5. Even the network trace shows the same. The app owner says, it's got to do something with the F5 since bypassing it makes the app work fine. My assumption is that the URL in the http header isn't being recognized by the backend member. Any ideas or suggestions in getting this fixed please.

 

Wireshark capture

 

41 14.962775 10.130.51.250 192.168.97.42 HTTP 926 OUT s1/tmm0 : GET / HTTP/1.1 

42 14.964862 192.168.97.42 10.130.51.250 TLSv1.2 733 IN s1/tmm0 : [TLS segment of a reassembled PDU]

43 14.964878 10.130.51.250 192.168.97.42 TCP 216 OUT s1/tmm0 : 56140 → 443 [ACK] Seq=1042 Ack=2663 Win=15882 Len=0 TSval=3825198007 TSecr=318298375

44 14.965236 192.168.97.42 10.130.51.250 HTTP 949 IN s1/tmm0 : HTTP/1.1 404 Not Found (text/html), Alert (Level: Warning, Description: Close Notify)

45 14.965246 10.130.51.250 192.168.97.42 TCP 216 OUT s1/tmm0 : 56140 → 443 [ACK] Seq=1042 Ack=3397 Win=16615 Len=0 TSval=3825198008 TSecr=318298375

46 14.965295 10.130.51.250 192.168.97.42 TCP 216 OUT s1/tmm0 : 56140 → 443 [FIN, ACK] Seq=1042 Ack=3397 Win=16615 Len=0 TSval=3825198008 TSecr=318298375

47 14.965301 10.130.51.136 10.24.229.138 TLSv1.2 721 OUT s1/tmm0 : [TLS segment of a reassembled PDU]

48 14.965376 10.130.51.136 10.24.229.138 HTTP 906 OUT s1/tmm0 : HTTP/1.1 404 Not Found (text/html)

9 REPLIES 9

First I would recommend you to verify vServer configuration. Can you please confirm below settings on your vServer?

 

  1. Client & Server SSL profiles
  2. SNAT

 

Hi Mayur,

 

We have the client ssl as well as the server ssl configured on the VS.. As far as the SNAT is concerned, I don't think it's relevant here. If there was an issue with the SNAT, the page itself won't load, but here that's not the case. The page does load but it's giving a 404 error

Abed_AL-R
Cirrostratus
Cirrostratus

Is is working fine when you setup the VS as performance layer4 ?

Have you tried the standard VS without http profile attached to it ?

Which F5 version are you running ?

And do you see some error messages while reproducing the issue in "tailf /var/log/ltm" ?

While loading the application in browser do you see CORS error or any other error other than the 404 ?

Hi Abed,

 

We did setup this VIP as a perf layer 4 (without http profile) but that didn't help either. We are running 14.1.2.6 and we don't see any other error message apart from 404 - Resource not found..

If you setup the f5 on layer4 and still the problem occurs then maybe you're facing what I've faced couple months ago.

I'm pretty sure you're doing NAT automap , is that so ?

Then maybe your application is not capable to be accessed from the internal network, from the same subnet network.

If you have another server on the same backend server network, then try to access your backend server from it.

 

If this is not the issue, then as @KINGSLEY THOMPSON​  mentioned, check the SNI if your backend is hosting multiple domains.

_KT_
Nimbostratus
Nimbostratus

Does backend pool member host multiple domains?

I am wondering if it uses SNI to determine the page being requested, but when you perform SSL bridging on the F5 no SNI is presented to the webserver. It may then default to a domain for which 'GET /' doesn't have any associated content.

What was the tcpdump command used to produce the output you provided above?

You could do a tcpdump on the F5 VS, i.e. F5 clientside, to capture the TLS establishment - the server name extension in the client hello would show what is being requested. As a quick check you could copy this into the Server Name field within the server SSL profile. Note that if that turned out to be the issue you would need a longer term solution to insert the appropriate SNI on the serverside. Devcentral has a few iRule options, but I think later versions of software may now allow it to be done automatically.

I agree to @KINGSLEY THOMPSON​ , if SNI is playing a role here, you'd see this behavior too. You'll need your serverssl profile fixed with SNI fields.

 

There could be site binding as well on the webservers. Look in that aspect as well.

What are the headers being passed when you directly access the server url and the header being passed when access through main bigip url. It might give some clue too.

 

Also curious to know what monitoring have you put for your pool members.

Don't think the backend is hosting multiple domains but will double check that. tcpdump -nni 0.0:nnnp -s0 -w /var/tmp/<filename>.pcap host <ip address of the source> was the command I had used to run the capture on the F5.

 

@jaikumar_f5 - TCP on the service port is being used as the health monitor.. Would definitely explore the options suggested by you & =KT= .. Thanks !

Here's a very good article on the same - https://support.f5.com/csp/article/K50528306