Forum Discussion

Icon for Nimbostratus rank

Nimbostratus

Nov 27, 2019

SSL PassThrough Configuration

Hi, I have an web based application running on three different servers, I want to balance the load using round Robbin technique, the ip address of those servers are 10.10.10.71 72 & 73. They are all...

Icon for Nimbostratus rank

Nimbostratus

Dec 02, 2019

Hi @iaine

I successfully enabled the SSL pass through and SNAT, but there is an issue, it works for a very short time and after that I get the same error ERR_CONNECTION_REFUSED by the client. When I update SNat with the same configuration it works again and after that it gives the same error. Can you please tell what is happening here?

Ahmed_Galal
Cirrostratus
Dec 08, 2019
did you cofigure monitor for backend servers. i think that this might be related to a one of backend servers issue because there is no configuration in SSL passthrough you just dont configure profiles and configure backend servers with port 443.
- KhubaibArshad
  Nimbostratus
  Dec 09, 2019
  Hi Ahmed,
  No I am not using the Health Monitors for the back end server, because it shows that the HTTPs is down, which brings my nodes down, the back end servers are configured with the redirect to https, they accept https only. When this error occurs the VIP 10.0.0.70 is also down.
- Ahmed_Galal
  Cirrostratus
  Dec 09, 2019
  ( because it shows that the HTTPs is down) if the health monitor shows that backend server is down thats mean you have SSL communication issue between F5 and backend server might be incompatible cipher suite. configure health monitor again then make tcpdump for traffic between F5 self address and backend server.
  
  (When this error occurs the VIP 10.0.0.70 is also down) and this is the purpose for health monitor to drop connection when it sees that service is down on backend server
- KhubaibArshad
  Nimbostratus
  Dec 18, 2019
  But why every time it click on update, it works?
jaikumar_f5
MVP
Dec 09, 2019
Are you saying that you have not applied any monitor for your pool members. Please share your existing setup masking the imp details.

tmsh list ltm virtual <virtual name>
tmsh list ltm pool <pool name>
- KhubaibArshad
  Nimbostratus
  Dec 18, 2019
  root@f5-35(Active)(tmos)# list ltm virtual vns-portal-vip
  ltm virtual vns-portal-vip {
    destination 10.10.10.70:any
    ip-protocol tcp
    mask 255.255.255.255
    pool VNS-Portal-Pool
    profiles {
      fastL4 { }
    }
    snatpool vns-snat-pool
    translate-port disabled
  }
  
  root@f5-35(Active)(tmos)# list ltm pool VNS-Portal-Pool
  ltm pool VNS-Portal-Pool {
    members {
      10.10.10.71:smtp {
        session monitor-enabled
      }
      10.10.10.71:domain {
        session monitor-enabled
      }
      10.10.10.71:http {
        session monitor-enabled
      }
      10.10.10.71:https {
        session monitor-enabled
      }
      10.10.10.71:smtps {
        session monitor-enabled
      }
      10.10.10.71:submission {
        session monitor-enabled
      }
      10.10.10.72:smtp {
        session monitor-enabled
      }
      10.10.10.72:domain {
        session monitor-enabled
      }
      10.10.10.72:http {
        session monitor-enabled
      }
      10.10.10.72:https {
        session monitor-enabled
      }
      10.10.10.72:smtps {
        session monitor-enabled
      }
      10.10.10.72:submission {
        session monitor-enabled
      }
      10.10.10.73:smtp {
        session monitor-enabled
      }
      10.10.10.73:domain {
        session monitor-enabled
      }
      10.10.10.73:http {
        session monitor-enabled
      }
      10.10.10.73:https {
        monitor none
      }
      10.10.10.73:smtps {
        session monitor-enabled
      }
      10.10.10.73:submission {
        session monitor-enabled
      }
    }
    monitor tcp and https_443
  }