Forum Discussion

jan_de_wachter_
Sep 25, 2014

HTTPS PASSTHROUGH (NO SSL OFFLOAD) problem

We have a SAP Work Manager Application (Angel protocol?) that needs to work with our F5 Loadbalancer.

Behind the F5 are 2 servers (port 11336 used for connection).

The application uses 2 ports: port 8080 for normal HTTP processing. port 8081 for SSL processing (no LB offload).

We created 2 virtual servers for this.

One standard for the http protocol, directed to server on port 11336.

One Performance (Layer4) VS with FastL4, no SSL offload of course, directed to server on port 11336.

The HTTP part seems to work.

The HTTPS part gives a connection refused.

In the F5 statistics we see no incoming/outgoing packets.

When doing a TCPDUMP on F5 on the incoming port 8081 we get the following information:

    admin@(f5mechl1-acc)(cfg-sync In Sync)(/S1-green-P:Active)(/infrabel)(tmos) tcpdump -Xvv -s0 -ni 1/0.4 port 8081
    tcpdump: listening on 1/0.4, link-type EN10MB (Ethernet), capture size 65535 bytes
    10:08:57.761324 IP (tos 0x0, ttl 123, id 1028, offset 0, flags [DF], proto: TCP (6), length: 48) 10.2.60.118.52906 > 10.249.13.220.tproxy: S, cksum 0x2576 (correct), 1350344612:1350344612(0) win 8192 in slot1/tmm0 lis=
        0x0000:  0071 0800 4500 0030 0404 4000 7b06 9c77  .q..E..0..@.{..w
        0x0010:  0a02 3c76 0af9 0ddc ceaa 1f91 507c 9fa4  ..
    10:08:57.761350 IP (tos 0x0, ttl 255, id 30101, offset 0, flags [DF], proto: TCP (6), length: 40) 10.249.13.220.tproxy > 10.2.60.118.52906: R, cksum 0x5f67 (incorrect (-> 0x7226), 0:0(0) ack 1350344613 win 0 out slot1/tmm0 lis=
        0x0000:  0071 0800 4500 0028 7595 4000 ff06 a6ed  .q..E..(u.@.....
        0x0010:  0af9 0ddc 0a02 3c76 1f91 ceaa 0000 0000  ......

We also tried a Standard TCP connection - also connection refused.
Does anyone have an idea how to solve this problem?
Thanks
Jan

5 Replies

  • When entering the following command on the client server we receive the following response:

        Agentry client transmit Communications error (14) Connection Failed Ending transmission

    Using curl, we receive the following answer:

        C:\Users\HFL5801>curl -i -v https://dev-sapmobile:8081/SAPWM
        * Adding handle: conn: 0x1f5d4a0
        * Adding handle: send: 0
        * Adding handle: recv: 0
        * Curl_addHandleToPipeline: length: 1
        * - Conn 0 (0x1f5d4a0) send_pipe: 1, recv_pipe: 0
        * About to connect() to dev-sapmobile port 8081 (0)
        * Trying 10.249.13.220...
        * Connection refused
        * Failed connect to dev-sapmobile:8081; No error
        * Closing connection 0
        curl: (7) Failed connect to dev-sapmobile:8081; No error

  • You say "The application uses 2 ports: port 8080 for normal HTTP processing. port 8081 for SSL processing (no LB offload)." but you have 2 VIPs with pools both going to port 11336 on the server?

  • Indeed; we have 2 virtual servers.

    One scanning for port 8080, the other for port 8081.

    Both virtual servers address the same pool, using port 11336.

  • The problem we are facing is that when we do a https://dev-sapmobile:8081 we always get a connection refused.

    This with FastL4 VS or Standard VS with no SSL.

    It only works when we specify a Standard VS with an SSL profile, but then we are doing SSL offload.

    We need a fully encrypted connection client to server.

  • After doing a lot of tests, even changing my definition to a simple HTTP, nothing worked.

    Final solution: delete the VS definition and redefine the VS (FastL4) - now it's working!

    Strange ...