Forum Discussion

Testimony
Jul 03, 2020

VIRTUAL SERVER ISSUE

I configured two different pools on different ports (80 and 443). Both pools have the same virtual server with its VIP. The pool on port 80 was used as a trial for the project while the pool on 443 was not in use then. I also NATed the VIP on our firewall. The VIP is also resolved on the DNS server and the VIP on .80 was doing well. The problem I am having now is that when you try to reach the resolved name of the VIP in the browser, it is not going through, but it is working for the .80 port. What do I do to get this resolved?

Thanks

Taiwo

11 Replies

  • Hi,

    For the 443 pool, how are you configuring SSL? Have you configured an SSL Server profile on the VIP when the 443 pool is attached to it?

    Mayur

    • Testimony

      Hi Mayur,

      I did not configure any SSL. Do I need to do this for 443? If yes, please how would I do that? I will appreciate your swift response.

      Thanks

      Taiwo

  • Hi,

    Suppose you are accessing the VIP on 443 and you have attached the 443 pool to it.

    1. If you want to terminate SSL on the web server (backend server), there is no need to configure any Client and Server SSL profile on the VIP. You just need to make sure the proper certificate is configured on the server itself, so that the certificate will be presented to the client during the SSL handshake. This would be SSL pass-through for F5.

    2. Now, if you want to terminate SSL on the F5 itself, you need to configure a Client SSL and a Server SSL profile on the VIP where the 443 pool will be attached. The Client SSL profile will include the actual certificate that will be presented to the client during the SSL handshake. For server-side SSL, you can simply configure the default SSL profile available on F5, i.e. serverssl-insecure-compatible. Client SSL would be used for the secure session between the client and F5. Server SSL will be used for the secure session between F5 and the backend web server. This would be SSL bridging.

    As per your configuration, you can choose option 1 or 2.

    Hope it helps!

    Mayur

    • Testimony

      Thanks Mayur.

      I tried the second option you gave me and it only worked for the APP server, but when I tried it on the web server, all the pool members turn RED, only the virtual server turns blue, and hence it did not work. Please, how do I go about this SSL pass-through for F5? I will appreciate it if you can give me the guideline for doing it. I have tried going through it but I couldn't get it done.

      Once again, thanks for always being there for me. I will appreciate your swift responses.

  • Hello, in order to use SSL pass-through, you need to have the SSL certificate imported on the web server and mapped to the application. On the F5 side, you don't need to configure any client or server SSL profile on the virtual server. Just configure an http profile and enable SNAT if required.

    In other scenario, is it possible for you to share the Virtual Server and Pool configuration here so we can check it?

    Mayur

    • Testimony

      Hi Mayur,

      Thanks and God bless you for the assistance so far. I have imported the SSL certificate and mapped it to the application but it is still not working. The configurations of the node, pool and VS are attached here as requested.


  • Hello, thanks for sharing the details. As per the attached snaps, I can see you have enabled the https_443 health monitor under the pool, but both pool members are showing offline, so the pool itself is down. It seems the service on 443 is not up and running on your web servers. You can verify it by doing telnet web-server-IP on 443 from a system where your web server is reachable. Telnet will fail. So to troubleshoot further, please check the points below:

    1. Service 443 is properly mapped with your application on the web server.

    2. Certificate is properly mapped.

    3. Local firewall is not restricting the incoming traffic on the web server.

    If telnet is successful from your system, you also need to check if the web server is reachable from F5.

    Hope it helps!

    Mayur
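
Added example, not part of the original thread: the telnet check described in the reply above, extended with a TLS handshake so that "port closed", "no answer" and "port open but TLS not working" are told apart and mapped to the three checklist points. The names `probe_pool_member`, `diagnose` and `NEXT_STEP` and the sample addresses are assumptions made for this sketch.

```python
import socket
import ssl

# Next step per probe result, following the checklist in the reply above.
NEXT_STEP = {
    "tcp_refused": "Nothing listens on the port: check the service/port binding on the web server.",
    "tcp_no_answer": "No answer at all: check the local firewall and routing to the web server.",
    "tls_failed": "Port is open but TLS does not complete: check the certificate binding.",
    "tls_ok": "Web server answers TLS: repeat the probe from the F5 itself.",
}

def probe_pool_member(host, port=443, timeout=3.0):
    """Classify one pool member: tcp_refused, tcp_no_answer, tls_failed or tls_ok."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused"
    except OSError:  # timeouts and unreachable hosts/networks
        return "tcp_no_answer"
    # Diagnostic only: asks "does a TLS listener answer?", like a basic
    # health check. The certificate is deliberately not validated here.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock):
            return "tls_ok"
    except OSError:  # ssl.SSLError and handshake timeouts are OSError subclasses
        return "tls_failed"
    finally:
        sock.close()

def diagnose(members, port=443, timeout=3.0):
    """Return {member: (status, next_step)} for every pool member address."""
    report = {}
    for host in members:
        status = probe_pool_member(host, port, timeout)
        report[host] = (status, NEXT_STEP[status])
    return report

if __name__ == "__main__":
    # Constructed addresses (documentation range); replace with real pool members.
    for host, (status, step) in diagnose(["192.0.2.10", "192.0.2.11"]).items():
        print(f"{host}:443 {status} -> {step}")
```

Run it first from a workstation that can reach the web servers, then from the F5's own shell or a host on the same VLAN, since the pool monitor only turns green when the F5 itself gets an answer.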

     

  • Hi Mayur,

    Thanks for being there for me at all times.

    I can't telnet in to the virtual server. I tried it but it was not going. I have checked my firewall also and it is allowing traffic from the virtual server. As you can see from the snapshot sent to you, the certificate was well mapped; you can even see the certificate through the browser while trying to access the virtual server. But I can reach the virtual server through pinging from the tmsh prompt.

    I still need help, please don't be tired of helping me. My company is on my neck, it just has to work.

    Thanks

    Taiwo

  • Actually, I was asking you to check telnet to the web server IP, not F5's virtual server. As the pool is showing down, I am suspecting something on the web server/application side, not on the F5 side.

    Mayur

  • Hi Mayur,

    Thanks, I am good now. I had to delete the web server and rebuild it. I am forever grateful. Once again, thanks and God bless, Amen.