Forum Discussion

JoeTheFifth
Mar 01, 2012

F5 SSL to backend server issue

Hi Guys,

I'm having a hard time creating an SSL VIP here.

I'm using the virtual edition 10.1 appliance.

I'm trying to configure this scenario:

Client => SSL => F5 => SSL => Backend SharePoint server

I use a standard type Virtual server.

I configured a client SSL profile with a certificate.

I configured a server SSL profile with a certificate.

I'm using the same certificate on the SSL server profile and the SharePoint server.

I'm using IE and FireFox.

Connection is established and I get a timeout message after several seconds.

Am I missing something here?

When I use the Performance HTTP type (bypassing Decryption/Encryption on the F5 box) the connection works fine.

I'm not an F5 expert by the way, just a SharePoint guy playing with the F5 virtual edition. I've been using the SharePoint template and SSL offloading on the F5 box for a while without issues and now I want to go full HTTPS to backend servers.

Thanks for your help

18 Replies

  • I see it is an SSL profile for weak deprecated ciphers for use with LTM 11 and above.
  • Joe,

    It also looks like you are using our Trial edition of the LTM, if it is 10.1. There are some SSL limitations in that trial version, so I am not sure if you might be running into them. I suggest you get in touch with your local F5 account team who can get you access to the latest v11 code along with an eval license key, and I am sure things will start working right away at that point.

  • Hi Joe,

    What I would suggest you do, instead of directly going for HTTPS-based access from client > LTM > SharePoint servers, is check if everything is working fine with HTTP itself. If yes, then try client > LTM over HTTPS and from there forward HTTP, and then finally come to your scenario. Maybe there are some limitations on this VE platform that are causing this issue.

    Regards,
  • OK I found it :-) it is a limitation of the LTM VE 10.1 edition:

    http://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes_ve_10_1_0.htmlbigip_restrict

    ClientSSL and ServerSSL profiles on same virtual server (CR141545)

    When you assign both a ClientSSL and a ServerSSL profile to the same virtual server, the BIG-IP system forwards the client request successfully, but the client does not receive the response. To work around this issue, you can create two separate virtual servers that specify the same destination IP address and port. The first virtual server references the ClientSSL profile and an iRule that internally routes the connection to the second virtual server instead of to a load balancing pool. The second virtual server references the ServerSSL profile and the load balancing pool. The following is an example of an iRule assigned to a ClientSSL virtual server. The iRule includes the virtual command, which internally routes connections to a second virtual server named server_ssl_test. The second virtual server must have its VLAN disabled using the vlan none enable command:

    rule target_server_ssl {
       when CLIENT_ACCEPTED {
          virtual server_ssl_test
       }
    }

    pool b68_https { member 10.1.1.68:4443 }

    virtual client_ssl_test {
       destination 10.1.1.117:443
       profile http clientssl tcp
       rule target_server_ssl
    }

    virtual server_ssl_test {
       destination 10.1.1.117:443
       profile http serverssl tcp
       pool b68_https
       vlan none enable
    }

    Will test the workaround and report back.

    Cheers !

  • Modified the iRule with my virtual servers/pool names/IPs and it's giving me errors, starting even with line one: line 1: [undefined procedure: rule] !!!! Any help out there?
  • OK, got it thanks to another F5 iRules forum guy (Aaron). The iRule in the GUI is just this:

    when CLIENT_ACCEPTED {
       virtual server_ssl_test
    }

    The rest is the config of the virtual servers.

  • Now it's working :-) BUT I had to set SNAT to AUTOMAP on the "server_ssl_test" virtual server. If I disable SNAT => NADA.

    Thanks for your help guys. I can keep my 10.1 VE edition for testing :-)

    Cheers !

     
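As an added example (not from the thread, the release notes or F5), a small Python checker that parses bigpipe-style stanzas like the ones quoted above and tests the constraints this thread settled on: the two virtual servers share a destination, the client-SSL one hands off via an iRule `virtual` command to a server-SSL one that has `vlan none enable`, an existing pool and SNAT automap. The config text is constructed, and the `snat automap` keyword is an assumption.

```python
import re
# Constructed config in the shape quoted from the release notes, plus the 'snat automap'
# line the thread found necessary (that bigpipe keyword is an assumption).
CONFIG = """
pool b68_https { member 10.1.1.68:4443 }
virtual client_ssl_test {
   destination 10.1.1.117:443
   profile http clientssl tcp
   rule target_server_ssl
}
virtual server_ssl_test {
   destination 10.1.1.117:443
   profile http serverssl tcp
   pool b68_https
   snat automap
   vlan none enable
}
"""
IRULES = {"target_server_ssl": "when CLIENT_ACCEPTED {\n   virtual server_ssl_test\n}"}

def parse(text):
    # {kind: {name: {keyword: [args]}}}; one keyword per line, as in the quoted config
    objs = {"virtual": {}, "pool": {}}
    for kind, name, body in re.findall(r"(virtual|pool)\s+(\S+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.strip().splitlines():
            if words := line.split():
                attrs.setdefault(words[0], []).extend(words[1:])
        objs[kind][name] = attrs
    return objs

def check_workaround(config, irules):
    """List of problems; empty means the split client-SSL / server-SSL layout looks right."""
    objs, problems = parse(config), []
    for name, vs in objs["virtual"].items():
        profiles = vs.get("profile", [])
        if "clientssl" in profiles and "serverssl" in profiles:
            problems.append(f"{name}: clientssl and serverssl on one VS (CR141545)")
        for rule in vs.get("rule", []) if "clientssl" in profiles else []:
            m = re.search(r"^\s*virtual\s+(\S+)", irules.get(rule, ""), re.M)
            target = objs["virtual"].get(m.group(1)) if m else None
            if target is None:
                problems.append(f"{name}: rule {rule} must 'virtual' to an existing VS")
                continue
            checks = [
                (target.get("destination") == vs.get("destination"), "destination differs"),
                ("serverssl" in target.get("profile", []), "missing serverssl profile"),
                (target.get("vlan") == ["none", "enable"], "needs 'vlan none enable'"),
                (target.get("snat") == ["automap"], "needs 'snat automap' (thread finding)"),
                (all(p in objs["pool"] for p in target.get("pool", ["?"])), "pool missing"),
            ]
            problems += [f"{m.group(1)}: {msg}" for ok, msg in checks if not ok]
    return problems
```

Run `check_workaround(CONFIG, IRULES)` to get an empty list for the working layout; dropping the `snat automap` line or the iRule reproduces the two failure states the thread hit.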

  • Hi Joe,

    I'd really suggest using an eval key for a full version of VE instead of the trial. With the full version you aren't subject to any of the limitations of the trial. If you aren't in touch with an F5 SE email me and I'll see if I can put you in touch: aaron at f5 dot com

    Aaron