Forum Discussion

Nikoolayy1
Jun 27, 2021

Knowledge sharing: Troubleshooting/investigating SSL and HTTP issues

1. This is what I call the F5 magic article, and if only F5 had written it under a different name, so that it comes up as the first article when someone searches for such issues, as it has most of the info for HTTP and SSL data collection, like tcpdumps that are decrypted with the F5 internal variables, :nnnp and etc., and after that the information can be used to resolve many issues:

2. For SSL handshake issues, SSL debug logging is enabled by default in newer versions. Sometimes the F5 "Generic Alert" setting in the SSL profile needs to be disabled in order to see in /var/log/ltm or in a tcpdump what the real alert is.

Also, as of now, an SSL profile can be attached to a health monitor, and SSL cipher groups can be used as a better way to control SSL decryption:

3. For logging the TCP RST if the F5 sends one, there are global variables: https://support.f5.com/csp/article/K13223. Also, if the iRule is causing the RST because of a config error, look in /var/log/ltm for "TCL error:" messages or for "reject" in the iRule.

In newer versions after 15.0 you can use the "--f5 ssl" flag in tcpdump, after enabling a global variable, to decrypt the SSL traffic, and this does SSL decryption for any encryption algorithm, even ECDSA.

4. If you get TCL errors, google the error and solve it (also check F5 iHealth to see if it detected an issue with the iRule, and check the error in the F5 bug tracker https://support.f5.com/csp/bug-tracker), and if needed use the "catch" command to escape the error.

5. For HTTP request timeouts caused by the F5 HTTP profiles, or TCP connection timeouts caused by the TCP profiles, the TCP RST variables should log this.

6. Also, when writing an iRule, you can set variables that log the clock time at the CLIENT_ACCEPTED, HTTP_REQUEST, etc. events and then log the variables in /var/log/ltm or, for example, in Splunk, and then compare when the TCP handshake was done and after what time the HTTP_REQUEST event was triggered, maybe at its end or start, etc.

See the Splunk iRule and, for example, the variables:

set tcp_start_time [clock clicks -milliseconds]

set req_start_time [clock format [clock seconds] -format "%Y/%m/%d %H:%M:%S"]
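
As an added example that is not the post's Splunk iRule, here is a timing iRule built on the same idea: it stamps CLIENT_ACCEPTED, CLIENTSSL_HANDSHAKE and HTTP_REQUEST, and logs the deltas to /var/log/ltm with log local0. It assumes an HTTP profile on the virtual server; the SSL value stays "n/a" when no client SSL profile is attached.

```tcl
# Added example (not from the original post): stamp each connection phase and
# log the deltas to /var/log/ltm. Assumes an HTTP profile on the virtual server.
when CLIENT_ACCEPTED {
    # TCP handshake is complete when this event fires
    set t_tcp [clock clicks -milliseconds]
    set t_ssl 0
    set req_count 0
}
when CLIENTSSL_HANDSHAKE {
    # Only fires when a client SSL profile is attached; TLS handshake is done here
    set t_ssl [clock clicks -milliseconds]
}
when HTTP_REQUEST {
    # Fires once the full request headers have been parsed
    set t_req [clock clicks -milliseconds]
    incr req_count
    set uri [HTTP::uri]
    if { $req_count == 1 } {
        # Only the first request on a keep-alive connection is tied to the handshake
        set tcp_to_req [expr {$t_req - $t_tcp}]
        set ssl_ms "n/a"
        if { $t_ssl != 0 } {
            set ssl_ms [expr {$t_ssl - $t_tcp}]
        }
        log local0. "[virtual name] client=[IP::client_addr] ssl_handshake_ms=$ssl_ms tcp_to_first_request_ms=$tcp_to_req uri=$uri"
    }
}
when HTTP_RESPONSE {
    # Fires when the pool member's response headers arrive: server-side latency
    if { [info exists t_req] } {
        set srv_ms [expr {[clock clicks -milliseconds] - $t_req}]
        log local0. "[virtual name] client=[IP::client_addr] pool_member=[IP::server_addr]:[TCP::server_port] status=[HTTP::status] request_to_response_ms=$srv_ms uri=$uri"
    }
}
```

A large ssl_handshake_ms points at the TLS negotiation, a large tcp_to_first_request_ms at the client or the path in front of the F5, and a large request_to_response_ms at the pool member.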

You can modify the iRule to log to /var/log/ltm if needed, but I don't recommend logging much data locally. Read:

7. This is great for catching slowness caused by the F5 or the pool member server, if you can enable the Analytics module on the VIP.

8. For some HTTP issues, a HAR file recording of the web traffic can be needed if the customer does not provide direct access to the virtual server: