We've got a VS with an Access Policy showing a webtop with some links like RDP connections and a Portal Access to an internal HTTP site. Everything's working fine.
Now I need a link to a Portal Access to an internal SharePoint 2016 site which is only reachable via HTTPS, and I only get the error:
"Error: secure connection failed. The connection to the server was reset..." (translated from German)
A tcpdump shows a reset from the server (= another LTM in the LAN) with: Cause: TCP Reset from Server
A "curl -vk server" shows the cert and everything else.
Every non-SSL site is working.
Version is 22.214.171.124
I've tried a lot with the SSL Server Profile, but no success.
Any idea where to look?
To find the root cause, the first thing to do is to understand why a TCP RST is sent by the server.
Some checks to do:
Also, FYI, to implement SharePoint SSO with APM there is an iRule to add. You can find it there:
Hope that helps.
Thanks for your hints, but it was a problem with SNI: I had to enter the name of the SharePoint server in the Server Name field of the SSL Server Profile.
But I still have a problem: it takes over 2 minutes until the site opens (and every link on the site, too).
In a capture I don't see errors during this time (if I capture for the IP of the SP service).
Any other ideas about timeouts?
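The post above resolved the reset by putting the backend hostname into the Server SSL profile's Server Name field, i.e. making the F5 send an SNI extension in its ClientHello to the backend LTM. When checking this from a tcpdump of the self-IP to backend leg, it helps to be able to read the SNI straight out of the first TLS record. The following is an added example, not code from the thread or from F5: it builds a minimal TLS 1.2 ClientHello with or without the server_name extension (the bytes are constructed here, not captured) and parses the SNI back out, using the hostnames from the thread. It also shows why a static Server Name covers only one host: a record built for intranet.xxx.int does not carry my.xxx.int.

```python
"""
Added example (not from the original thread or from F5): build a TLS 1.2
ClientHello with or without the server_name (SNI) extension and parse the
SNI back out of a raw record. Useful for checking, from a tcpdump/pcap of
the F5 self-IP -> backend leg, whether the Server SSL profile is actually
sending the hostname the backend expects. The ClientHello bytes are
constructed, not captured; hostnames are the ones from the thread.
"""
import os
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16      # record content type: handshake
HS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (SNI)


def build_client_hello(sni: Optional[str]) -> bytes:
    """Return a minimal but well-formed TLS 1.2 ClientHello record.

    If sni is None the extensions block is omitted entirely, which is what a
    client that sends no SNI (e.g. a Server SSL profile with an empty Server
    Name field) looks like on the wire.
    """
    body = b"\x03\x03"                      # client_version: TLS 1.2
    body += os.urandom(32)                  # client random
    body += b"\x00"                         # empty session_id
    suites = b"\xc0\x2f\xc0\x30\x00\x9c"    # three common AES-GCM suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # one compression method: null
    if sni is not None:
        name = sni.encode("idna")
        # ServerName entry: name_type 0 (host_name), 2-byte length, name
        server_name = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(server_name)) + server_name
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: type, legacy version 3.1, 2-byte length, payload
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record: bytes) -> Optional[str]:
    """Parse a TLS record and return the SNI host name, or None if absent.

    Raises ValueError if the bytes are not a ClientHello record, so a wrong
    capture offset is reported instead of being read as 'no SNI'.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    off = 2 + 32                                       # version + random
    sid_len = p[off]; off += 1 + sid_len               # session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2 + cs_len
    cm_len = p[off]; off += 1 + cm_len                 # compression methods
    if off >= len(p):
        return None                                    # no extensions at all
    ext_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", p[off:off + 4]); off += 4
        edata = p[off:off + elen]; off += elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, then (type, len, name) entries
            q = 2
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:
                    return edata[q:q + nlen].decode("idna")
                q += nlen
    return None


def sni_matches(record: bytes, expected: str) -> bool:
    """True only if the ClientHello carries exactly the expected host name."""
    return extract_sni(record) == expected


if __name__ == "__main__":
    with_sni = build_client_hello("intranet.xxx.int")
    without = build_client_hello(None)
    print("with Server Name set :", extract_sni(with_sni))
    print("with it left empty   :", extract_sni(without))
    # A static Server Name covers one host: the request for my.xxx.int would
    # still leave the F5 with intranet.xxx.int unless SNI is set per request.
    print("covers my.xxx.int?   :", sni_matches(with_sni, "my.xxx.int"))
```

To use it on a real capture, take the first TLS record of the self-IP to backend connection (e.g. the bytes of the handshake packet exported from tcpdump/Wireshark) and pass them to extract_sni; a None result on a connection that the backend resets is the symptom the first post described.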
An SSL handshake problem, so :)
Regarding your new problem, there is certainly an issue in the TCP communication for it to take so long. Check if you see packet retransmissions or RSTs due to a timeout raised by one side.
To take the trace (to be done on each F5), you can use the "-p" flag with tcpdump to capture the entire communication if you are in SNAT or Auto Map mode.
I did this already, but there are no TCP retransmits from the self IP to the destination.
I suspected an SNI issue because if we start a SharePoint site, the "mysite" of the user is loaded automatically. And for the "mysite" I think I need an extra Portal Access and an extra SSL Server Profile, is this right?
Sorry, your problem with SNI is not clear enough for me to answer you; I need more details.
If you need to dynamically change the SNI parameter according to the FQDN of the client request, you can have a look at the iRules present in CodeShare:
Maybe I can explain my issue with SNI:
Our intranet site has the address https://intranet.xxx.int/Seiten/default.aspx, so I create a Portal Access for intranet.xxx.int and in the SSL Server Profile I enter the server name intranet.xxx.int. OK, it works after about 2 minutes.
If I browse the intranet, there is a "personal part" for my user (SSO is working) and this personal part has the address https://my.xxx.int; this would be the 2nd SNI (this is also loaded after the 2 minutes).
So now I'm not sure about the effect of the host my.xxx.int (I've modified the ACL, but I think this was not needed). If I browse the intranet with a mobile device (via MDM app tunnel), I have to enter user/PW a second time for my.xxx.int.
Thanks for your link to the iRule, but I can't figure out how to tweak the variable. Could you give me some hints?
Just for info, after some tests:
Another SharePoint site (same version) is OK (loading in a few seconds).
So could it be that the F5 has a problem with rendering the one site that needs 2 minutes?
The header (title info of the browser tab) is also loaded in a few seconds.
In the config of the Portal Access I've also configured minimal patching, but no difference.
Can you confirm that you set the hostname instead of the IP in the Portal Access (Application URI)?
Additionally, is the request done by the floating and not the self IP (are the rules open from the floating IP)?
Yes, I've set the hostname.
No, a non-floating IP (it's a single test F5; I don't have a floating IP on this F5). Do you think it is a problem?
Non-floating is not a problem; I would just validate the architecture.
Can you please make a curl from the CLI:
curl -i -k https://sharepoint-hostname/uri
Set the same hostname in the URI above that you set in the Portal Access (Application URI).
And tell me what you obtain.
[iv0yyy@f5-host:Active:Standalone] ~ # curl -i -k https://sp-site.xxx.int/Seiten/default.aspx
HTTP/1.1 401 Unauthorized
Content-Type: text/plain; charset=utf-8
X-MS-InvokeApp: 1; RequireReadOnly
Date: Thu, 12 Jul 2018 07:54:32 GMT
Can you confirm that you set SNAT Automap on your VS (the VPN VS that hosts the Portal Access), and during your test, when you click on your Portal Access, did you see any logs on the F5?
In /var/log/ltm? Maybe SSL or other logs that can help us?
Additionally, don't forget to set an SSL server profile to insecure.
Then, I think that you did it, but just verify that you set a rewrite profile on your VS.
In order to validate whether the problem comes from SNI, you can set up a VS for SharePoint (test) through your F5 and use a simple server SSL profile (insecure). Check if you have access to your app. If yes, it's not an SSL problem...