Merry95_171142
Feb 02, 2015

Why does the LTM send a FIN to the client?

I'm trying to install a service on a new F5.

I'm using an ssl_client profile. All the monitors are up. From the capture I did on the port I can see:

  • LTM regularly interrogates the server on the port (monitor sends an HTTP request)
  • The server responds correctly (matches the received string)
  • The client makes a request: the SYN, SYN ACK, ACK is executed
  • The client sends a PSH ACK packet, which is answered by a PSH ACK packet from the LTM
  • Then LTM starts the FIN ACK process
  • The connection is never transmitted to the server
  • The statistics on this virtual server show no new connection

So what's wrong with my virtual server?

7 Replies

  • Hi Merry95,

    can you track the proper SSL handshake between client and virtual server by running SSLDUMP?

    As you have assigned a client-ssl profile there would be a full handshake. And after it is completed successfully the client's request would be forwarded to the virtual server.

    There is no other IP address on your system shared with the virtual server's IP address? There is no related message in /var/log/ltm (run `tail -f /var/log/ltm`)?

    Ask F5 SOL10209 describes using the SSLDUMP utility.

    Thanks, Stephan
  • On the LTM, can you execute a connection to the server on the port it's listening on and let us know the results? (can do this via CLI)

  • It seems the problem I had with some SSL services was due to a missing parameter in the web browser. In security parameters, for some reason, "TLS1.0" was disabled. That resolves a fair number of down services.

    I still have connection problems on some HTTP and HTTPS services:

    • HTTP: The client has a successful TCP handshake with F5, but then F5 makes no handshake with the server and sends a FIN packet to the client. The monitor is OK, it connects on the listening port, sends a request and checks the receive string.

    • HTTPS: The client has a successful TCP handshake with F5, then initiates SSL packets. Then F5 has a successful TCP handshake with the server. No SSL connection on this side. The client sends the encrypted data, F5 sends unencrypted data to the server. The server sends the answer and F5 sends an encrypted PSH packet to the client. But nothing returns on the web browser. I used the ssldump utility (without the ciphering) and compared with another up https service; I saw no irregularity.

    • StephanManthey
      Hi Merry95, do you have an http profile or an iRule assigned to the virtual server? Any compression or acceleration profiles selected? Any log messages in /var/log/ltm? To simplify things you can provide the output of "tmsh list ltm virtual ". Thanks, Stephan
    • Merry95_171142
      Hello Stephan, I have no http profile, and no compression/acceleration profile. No log in /var/log/ltm. Here is an extract from F5, with an HTTP virtual server:

      ```
      ltm virtual VS_E3_GedEsign_8112 {
          destination 192.x.y.z:8112
          ip-protocol tcp
          mask 255.255.255.255
          partition WAS_Recette
          pool E3_GedEsign_8112
          profiles {
              /Common/tcp { }
              clientssl_E3-Svc003Intranet {
                  context clientside
              }
          }
          source 0.0.0.0/0
          source-address-translation {
              pool WAS_Recette_SNATPool
              type snat
          }
          vlans {
              Vlan_179
          }
          vlans-enabled
          vs-index 348
      }
      ```
  • Finally I had several problems depending on the service requested:

    • TLS1.0 was disabled in the web browser's parameters
    • Requested HTTP instead of HTTPS ...
    • Some servers were actually gateways toward external servers, and this traffic wasn't allowed on the firewalls...
    • The server answered with a malformed packet, so the client couldn't display anything

    Thank you for your guidance, I now know how to use ssldump :)
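
Added example, not part of the thread and not F5 tooling: two of the causes listed in the last post (HTTP requested instead of HTTPS, and the TLS version the browser offers) can be told apart from the first payload bytes each side sends after the TCP handshake. The helper names and sample payloads are constructed for illustration, and the script assumes those bytes have already been extracted from the capture.

```python
import struct

# Field layouts follow the TLS record protocol; helper names are made up for this example.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {10: "unexpected_message", 40: "handshake_failure", 70: "protocol_version"}
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/1.")


def classify_payload(data: bytes) -> str:
    """Describe the first TCP payload of one direction of a connection."""
    if data.startswith(HTTP_STARTS):
        return "plaintext HTTP"
    if len(data) < 5:
        return "too short to classify"
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if version not in VERSIONS:
        return "not a TLS record"
    body = data[5:5 + length]
    if ctype == 22 and len(body) >= 6 and body[0] == 1:
        # client_version sits right after the 4-byte handshake header.
        # TLS 1.3 clients also put 0x0303 here and negotiate in an extension.
        offered = struct.unpack("!H", body[4:6])[0]
        return "ClientHello offering up to " + VERSIONS.get(offered, hex(offered))
    if ctype == 21 and len(body) >= 2:
        # Unencrypted alert: one byte of level, one byte of description.
        level = "fatal" if body[0] == 2 else "warning"
        return f"TLS alert: {level} {ALERTS.get(body[1], body[1])}"
    return f"TLS record, content type {ctype}"


def sample_client_hello(version: int) -> bytes:
    """Build a minimal constructed ClientHello (zeroed random, one cipher suite)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed payloads, not taken from the poster's capture.
    samples = {
        "client, HTTP sent to the SSL port": b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n",
        "client, TLS 1.0 hello": sample_client_hello(0x0301),
        "client, TLS 1.2 hello": sample_client_hello(0x0303),
        "reply, handshake refused": struct.pack("!BHHBB", 21, 0x0301, 2, 2, 40),
    }
    for label, payload in samples.items():
        print(f"{label}: {classify_payload(payload)}")
```

A client payload classified as plaintext HTTP on a virtual server that carries a client SSL profile points at the "HTTP instead of HTTPS" case; a fatal alert in the reply points at a version or cipher mismatch.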