Kunal_Borkar_11
Dec 13, 2012

SSL offloading not working

I have a lab setup on my laptop where F5 LTM VE is installed on VMware. I have two pool members, 10.1.125:80 and 10.1.1.25:81, running on the HTTP protocol.

 

I have created a virtual server 10.1.1.50:443 on HTTPS by uploading a self-signed certificate. The certificate is bound to an SSL profile and the same profile is bound to the Vserver.

 

But when I access https://10.1.1.50 from IE and Chrome, I get the certificate, and after accepting it I get an error that the page cannot be displayed.

 

The same can be accessed at http://10.1.1.50.

 

Kindly suggest how to resolve this and what needs to be checked in this case.

 

Thanks in advance.

 

Regards,

 

Kunal Borkar

 

 

 

8 Replies

  • Please confirm:

     

     

    a) You have an HTTP Profile assigned to the VS

     

    b) You are using the same Pool as the port 80 VS

     

    c) You have used a ClientSSL Profile
  • Hi Steve,

     

     

    Thanks for the response. I have assigned an HTTP profile to the VS, and yes, I am using the same pool for both VS:80 and VS:443.

     

    I have also assigned a newly created client SSL profile where the parent profile is ClientSSL.

     

     

    When I access the VS on port 443, I am getting the certificate, but after accepting it a "page cannot be displayed" error shows.

     

     

    -Kunal
  • Well, if this works from the same client and both VSs use the same Pool and any SNAT is the same on both then I think it's time for some tcpdumping! Something like this should help us confirm what's happening after the cert is accepted: tcpdump -i all -nn -vv host x.x.x.x where x.x.x.x is the client IP address and assuming there's no SNAT in place.
  • curl -v will show the SSL handshake.

     

    Remove the http profile and telnet to the port. Leave the connection open and check the connection table. If it shows a pool member IP then it was successfully load balanced and a connection established. If "any" is listed for the member then that portion failed or something before the LB_Selected event.
  • I have tried removing the HTTP profile bound to the HTTPS Vserver and telnetting to VS:443; below is the output:

     

     

    10.1.1.25:59127 <-> 10.1.1.50:https <-> any6 tcp 1/0

     

     

    Seeing this, is it clear that there is an issue with the certificate?

     

     

    -Kunal
  • Leave only one pool member, preferably the one listening on port 80, use SNAT automap and test. It may be some routing issue since you're putting everything up in the same subnet.

     

     

     

    The unusual thing is that you have one server listening on port 81; however, if everything is set up correctly (port translation) it may not matter.

     

     

    Regards,

     

    HH
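
The connection-table check suggested earlier in the thread (a pool member in the server column means the connection was load balanced, "any" means it was not), as an added example that is not part of any post. The first sample line is the output quoted above, the second is constructed for contrast, and the function names and the assumed column layout are hypothetical.

```python
import re
from collections import defaultdict

# Line 1 is the connection-table entry quoted in the thread; line 2 is a
# constructed entry for the port 80 virtual server, for contrast.
SAMPLE = """\
10.1.1.25:59127 <-> 10.1.1.50:https <-> any6 tcp 1/0
10.1.1.30:50211 <-> 10.1.1.50:http <-> 10.1.1.25:http tcp 2/1
"""

# client <-> virtual server <-> server side, then protocol (layout assumed
# from the single line shown in the thread).
ENTRY = re.compile(r"^\s*(\S+)\s+<->\s+(\S+)\s+<->\s+(\S+)\s+(\S+)")


def summarize(table):
    """Count, per virtual server, connections with and without a pool member."""
    counts = defaultdict(lambda: {"load_balanced": 0, "no_pool_member": 0})
    for line in table.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # skip headers, blank lines and anything unparseable
        _client, virtual, server, _proto = m.groups()
        # "any" / "any6" in the server column: no pool member was selected.
        key = "no_pool_member" if server.lower().startswith("any") else "load_balanced"
        counts[virtual][key] += 1
    return {vs: dict(c) for vs, c in counts.items()}


def stuck_virtuals(table):
    """Virtual servers where no client connection reached a pool member."""
    return sorted(vs for vs, c in summarize(table).items()
                  if c["no_pool_member"] and not c["load_balanced"])


if __name__ == "__main__":
    for vs, c in summarize(SAMPLE).items():
        print(vs, c)
    print("never load balanced:", stuck_virtuals(SAMPLE))
```

A virtual server reported by `stuck_virtuals` accepted the client connection but never selected a pool member, which points at the virtual server, pool or routing side rather than the certificate.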