Forum Discussion

Brad_146558
Mar 25, 2015

Odd issue with .NET MVC-API and LTM

I was hoping someone else out there had some suggestions on kind of a weird issue I'm experiencing. We have a website, a few actually, that are using MVC-API to deliver some mobile functionality on a website. The website works fine through the F5 when hitting it from a desktop browser, but whenever the integrated mobile browser (Android+iOS) reaches out to the website, we are seeing a 3-way handshake failure on the server side of the BIG-IP.

If we bypass the F5 everything works no problem, but we are using iRules and need to be able to publish this through the F5. I'm hoping someone might have run into this before; we've never used MVC-API.

 

20 Replies

  • You are seeing a TCP handshake failure server side? Is SSL involved at all? What iRules are you using?

     

    • Brad_146558
      Right now we've taken all iRules out of the equation for testing purposes. SSL is involved, we are using a certificate/key/ca packaged up in PKCS 12 format. The only other thing noteworthy about the certificate is it is a UCC/Multiname certificate. Also we are encrypting the conversation from end to end, so on the client side of the conversation as well as the server side.
    • Brad_Parker
      Are you getting SSL handshake failures or TCP handshake failures on the server side?
    • Brad_146558
      TCP, we are also seeing a lot of duplicate ACKs from the server which just makes the situation that much more confusing. I'm leaning a little more towards this being an issue with the server itself but it is odd that we are only seeing the TCP issues when the server is communicating with the F5.
  • I've done quite a few packet captures and it seems the communication issue occurs just before the cipher negotiation starts. I've got my SSL debug turned up to the "Debug" setting but I'm still not seeing any errors. Would I see TLS/Cipher issues in the LTM log with default settings? Currently the LTM log is pretty clean as far as errors go.

     

  • The issue turned out to be certificate related oddly enough. It seemed there was something about the PKCS12 certificate that the integrated mobile browser didn't like when it was published through the F5. What made this hard to find is no one was looking at the certificate because we never saw any certificate related errors and the issue never happened while using traditional desktop browsers.