Forum Discussion

Rhiyadi_357606
Sep 19, 2018

Can't access IP address using web browser

I have a virtual server with port 443 that has the SSL client installed, but when I access the IP address in the web browser there is a server hangup error or connection timeout. What should I check to fix it?

 

6 Replies

  • Hello Rhiyadi,

     

    Does your traffic arrive at your VS? Isn't it blocked by a FW? You can check the VS statistics to know if the traffic reaches the VS. If the traffic arrives at your VS, maybe there's a config error (like client SSL profile / server SSL profile / SNAT / pool assigned).

     

    • Rhiyadi_357606

      @F-X Prouvost

       

      Traffic goes through my VS and is not blocked by the FW. How can I define a client SSL profile / server SSL profile misconfig?

       

    • F-X_Prouvost_11

      Rhiyadi,

       

      First, let's explain your setup and what you want to achieve.

       

      You configured a VS listening on an IP x and on port 443. On this VS you configured a pool. On which port are the pool members listening (so, are your servers configured to respond on port 80 or 443)? Based on the setup you have and what you want to do, you can do multiple configurations.

       

      If your servers are listening on port 443: do you want to do SSL bridging or SSL passthrough? (Bridging means that you want to encrypt/decrypt traffic between the F5 and the client and then re-encrypt traffic to the server; passthrough means you let your server negotiate SSL with the client.) If you want bridging, you need to configure the HTTP / SSL Client / SSL Server profiles. If you want passthrough, you need to remove the HTTP / SSL Client / SSL Server profiles.

       

      If your servers are listening on port 443: you have to configure your VS for SSL offloading, and so configure an SSL Client Profile AND an HTTP Profile.

       

      Now, from a network perspective, is your F5 the default gateway of your servers? If no: configure SNAT (you can choose Automap or create a specific SNAT Pool). If yes: SNAT is not needed.

       

      Could you please provide us a tcpdump? Connect to the CLI and type: tcpdump -nni 0.0:p host and port 443

       

      Rgds, FX

       

  • Hi Rhiyadi,

    • First of all, check that you can reach your VS using TCPDUMP (CLI):

    tcpdump -nni 0.0 host xxx.xxx.xxx.xxx and port 443

    where xxx.xxx.xxx.xxx is your VS IP.

    • In your VS, check that you set SNAT to automap.

    • In your VS, check that you set a client SSL profile.

    • Check that you set a server SSL profile if your backend listens on TLS/SSL. If not, don't set a server SSL profile.

    • IMPORTANT: don't forget to set an HTTP PROFILE.

    • If you have multiple backends/nodes in your pool, validate that you set persistence.

    • For the moment, in your VS configuration, leave your "VLANs and Tunnels" setting at "All VLANs and Tunnels".

    Keep me updated once you have checked all these points, and I will provide you an iRule to see what's happening.

    regards,

  • @F-X Prouvost and @youssef

     

    I have followed the steps you gave, but when I checked port 443 (HTTPS) in the web browser there is an error "secure connection failed". What should I do?

     

  • Hi,

    If your browser can't access a secure site (one that starts with https), you will see an error page with the heading Secure Connection Failed and a message about the error. That means that maybe you didn't set your SSL client profile correctly.

    Can you confirm that you set a client SSL profile and a server SSL profile in your VS? And that in your client SSL profile you set the right cert and key...

    Can you show us your VS configuration? Using the CLI:

    tmsh list ltm virtual vs-name

    Then can you please connect to your F5 using the CLI,

    then enter the following command:

    curl -i -k https://xxx.xxx.xxx.xxx

    where xxx.xxx.xxx.xxx is your backend server. Just want to be sure that your backend listens on SSL/TLS.

    regards,
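
Added example, not part of the thread and not posted by any participant: a small Python probe that separates the two symptoms discussed above, a TCP-level failure (hangup or timeout, pointing at firewall, VLAN or SNAT) and a TLS-level failure ("secure connection failed", pointing at the SSL profiles or a backend that does not speak TLS). The function name `probe_tls` and the stage labels are made up for this illustration; run it against the VS address and then against a pool member, as the replies do with tcpdump and curl.

```python
import socket
import ssl
import sys


def probe_tls(host, port=443, timeout=5.0):
    """Return (stage, detail) describing where an HTTPS connection breaks."""
    # Stage 1: plain TCP connect. A failure here is a network problem
    # (firewall, VLAN restriction on the VS, routing, missing SNAT),
    # not an SSL profile problem.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp_timeout", "no answer to the connection attempt")
    except ConnectionRefusedError:
        return ("tcp_refused", "nothing is listening on that address and port")
    except OSError as exc:
        return ("tcp_error", f"{type(exc).__name__}: {exc}")

    # Stage 2: TLS handshake. Certificate verification is switched off,
    # like curl -k in the thread, because the goal is to learn whether the
    # peer speaks TLS at all, not whether its certificate is trusted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock) as tls:
            return ("tls_ok", tls.version())
    except OSError as exc:
        # ssl.SSLError, connection resets and handshake timeouts are all
        # OSError subclasses: TCP worked, the handshake did not.
        sock.close()
        return ("tls_failed", f"{type(exc).__name__}: {exc}")


if __name__ == "__main__":
    # Usage: python probe.py <VS or pool member IP> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target, target_port, *probe_tls(target, target_port))
```

A `tls_failed` result on the VS combined with `tls_ok` on the pool member points at the client-side profile; `tls_failed` on the pool member means the backend is not serving TLS on that port.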