The underlying connection was closed: An unexpected error occurred on a receive

Question

I have a 2008 IIS server with .NET1.1 framework client to another 2008 server through LTM Virtual server with SSL offloading. &nbsp;
Whenever the .NET client tries to talk to the Virtual I get a "The underlying connection was closed: An unexpected error occurred on a receive" back.&nbsp;
This works fine if I remove the client/server ssl profile and pass through but breaks when ssl client and server profiles are applied.&nbsp;
HTTP profile on or off does not matter.  OneConnect on or off does not matter.  Single pool member for testing.&nbsp;
I've tried using an iRule to respond immediately to the 100 continue.  I've tried turning off the 100 continue from client side.  Neither help, no real reason to think this is an issue but just in case.&nbsp;
I set up an iRule to log the request and response and it looks to me like the response is incomplete.&nbsp;
I believe this broke when we went from 10.2.4 to 11.5.3   ... It has been a long time, I'm just getting back to it.  
&nbsp;
Any suggestions on what else to try?
I can't remove the serverssl profile and send requests back to the pool member in plaintext unfortunately.  It only talks via SSL.&nbsp;

pjcampbell_7243 · Accepted Answer

This was worked around by enabling the client ssl option "Don't insert empty fragments".  Seems to have something to do with CBC ciphers&nbsp;
Apparently this option is supposed to be enabled by default but on our system it is "options none" on the default client ssl profile.  I suspect it has something to do with us maintaining the same config since v7 or v8 and upgrading on top over the years to v9 v10 and then v11.&nbsp;
Interestingly with it breaking from v10 to v11.  I still have old configs from our v10 setup and it's    options none there also....  This doesn't seem to be a new option.&nbsp;

vijay_e · Answer

I am guessing the .NET server's SSL ciphers don't work with F5's default ciphers. I am thinking probably it has something to do with SSLv3 being un-supported in recent F5 code versions. You may have to change the cipher settings on the SSL profile to make sure that it is compatible with the .NET server. Also, check the F5 logs to see if you are seeing any specific SSL errors.&nbsp;
K17370 - F5 default ciphers for 12.x&nbsp;

patrik_jonsson · Answer

This is one of those, "I wouldn't do it myself moments", but have you tried to use COMPAT as cipher string? It'll let you go as low as SSL2.&nbsp;
Also, have you verified that the client actually uses HTTPS? If the LB is doing offloading chances are that the server is not using any secure bindings? If you'd remove the profiles in that case it'd work while adding them would make the connection fail (as the client talks HTTP when the LB expects SSL initiation).&nbsp;
/Patrik&nbsp;

patrik_jonsson · Answer

Since we have tried a few things already I wanted to add this as an answer too:&nbsp;
https://support.f5.com/csp/article/K13223&nbsp;
Depending on the amount of traffic to your box it might be worth trying as well. &nbsp;
/Patrik&nbsp;

jwhitespro_1928 · Answer

Have you tried changing the http profile chunking response from 'selective' to rechunk?&nbsp;

pjcampbell_7243 · Answer

I hadn't tried it but I just tried it with no change.  Thanks for the suggestion though.&nbsp;

Forum Discussion

The underlying connection was closed: An unexpected error occurred on a receive

7 Replies

Recent Discussions

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

What is HTTP Part II - Underlying Protocols

iRule - unexpected behavior

Troubeshooting website connection

F5 Connection Mirroring question

DevCentral Connects hosts Capture the Flag!