Brad_H_9706
Mar 15, 2010

Server SSL Profiles work with Virtual Edition?

I saw the release notes said that "Advanced SSL features" were not included in Virtual Edition, but there is no mention of what this includes.

I've got my Virtual Servers set up without a Server SSL profile and it works just fine. As soon as I try to switch the nodes over to 443 and set a server SSL profile, it just stalls. Tcpdumps show that both sides of the negotiation happen, but then there isn't any data that flows.

Has anybody gotten this to work, or am I just doing something dumb?

6 Replies

  • offset_68718
    Historic F5 Account
    And what happens when you hit the servers directly with a browser on 443? Take out the LTM. Does the traffic look the exact same?
  • Well, other than it working, it looks similar. I can't say it's exactly the same since it is another entirely new SSL session. There will be different session IDs, random numbers, etc. in the SSL negotiation.

    Are you saying you were able to get this working on Virtual Edition?
  • Vonne
    I have the same problem. It's possible to load balance SSL traffic without an SSL profile. But if I configure an SSL profile, no data flow occurs.

    I can see that SSL 500 TPS are included with BIG-IP VE, so the use of SSL profiles should work without problems. Are there some extra procedures that must be performed for SSL termination?
  • Good to know it's not just me. I opened a support case on this just now. I'd really like to know if this is supposed to work or if it's just a bug in Virtual Edition.
  • Just FYI - this does seem to fall into the category of things that don't work with Virtual Edition. This was confirmed with F5 Support.
  • Hi BradH

    We have just hit the same issue. Did F5 Support indicate that this is a bug that they are going to fix or did they just say "Buy a real BIG-IP!!"?

    It really messes us up, as it means we end up having to configure our test pools without Cookie Persistence and no SSL passthrough.

    Cheers

    Perry