issue with default server ssl profile, TCP RSTs send by BIG-IP

Question

ok, weird situation, anyone seen this before?&nbsp;
virtual server listening on 443 with client and server SSL profile. when i use a debug profile (cipher: NONE:RC4+RSA) everything is fine. when i use the default ssl server profile parts of the website dont load. when i look at packet captures i see the BIG-IP is actively RSTing connections to the pool member with the defauls ssl server profile. this appears to happen when the response is larger then a few packets. so some of the traffic gets through, but not everything.&nbsp;
i assume the is some issue with the SSL on the pool member, but how can i explain that it works until the amount of data send by the pool member becomes "too" large? why does the big-ip send a reset on this?&nbsp;
the big-ip version is too low to enable reset packet logging :(&nbsp;

boneyard · Answer

anyone?&nbsp;

boneyard · Answer

this turned out to be related to:
bug 224279 - Previously, if HTTP version responses were split across multiple packets, the connection could stall.  This issue has been corrected.

which was caused by the client side BEAST mitigation based on (1/n-1) record splitting.

Forum Discussion

issue with default server ssl profile, TCP RSTs send by BIG-IP

2 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

Server Profile SNI

LTM Diameter iRules and Profile Configurations with Support for Server Initiated Request

Client vs Server SSL profile

F5 AS3 - Default Persistence Profile

Server Side Profile not show the certificate