Layer7 API Management


Receiving responses with mainpart=null when "Use Keep-Alive" setting is turned off, and SSL termination on the backend load balancer is turned on

  • 1.  Receiving responses with mainpart=null when "Use Keep-Alive" setting is turned off, and SSL termination on the backend load balancer is turned on

    Posted Oct 25, 2017 07:36 AM


    Hi Community,

     

    We're seeing mainpart = null in responses when the "Use Keep-Alive" setting is turned off, while also terminating SSL on a load-balancer (which also scans traffic once traffic is decrypted), and then re-initiates SSL to the backend servers. Has anyone ever seen this behavior before? We are not receiving any SSL or certificate issues that I am aware of.

     

    Please note, if we terminate SSL at the servers/pass SSL through the load balancer, and turn the "Use Keep-Alive" setting off, it works just fine. Repeat: We are only seeing the issue when the load balancer is configured to terminate SSL, and the Layer 7 routing assertion "Use Keep-alive" setting is on. This issue is only occurring in one of 4 of our environments.

     

    To better lay out our results, please see the below:

     

    1. When the Layer 7 points directly to the backend service endpoints/JVMs, Layer 7 sees the correct response from the Applications/JVMs
    2. When the F5 is configured to pass SSL traffic from Layer 7 through, to the backend accessNS business servers, Layer 7 sees the correct response from the Application/JVMs
    3. When the F5 is configured to terminate SSL, scan using ASM, then reinitiate SSL to the backend accessNS business servers, we see a response with Mainpart=Null which is causing the application to fail

     

    Any thoughts or help is greatly appreciated.

     

    Thanks!

    Richard Fair

     



  • 2.  Re: Receiving responses with mainpart=null when "Use Keep-Alive" setting is turned off, and SSL termination on the backend load balancer is turned on
    Best Answer

    Broadcom Employee
    Posted Oct 30, 2017 10:28 AM

    Richard,

    Where are you evaluating or seeing the null response.mainpart? Is it in the policy via an audit? Or is it on the end client? 

     

    If it's on the gateway, I would think we would need to evaluate the policy and the backend requirements, possibly including a sniffer to validate if the gateway is getting something back or if for some reason something in the policy is overwriting the response message (possibly with a message content variable).

     

    But if the gateway has the response.mainpart and it's lost at the F5 when it's not doing pass-through, then that would be a different thought (maybe some session affinity or something in this area?). But this probably warrants a support case for pursuing.

     

    Thanks.



  • 3.  Re: Receiving responses with mainpart=null when "Use Keep-Alive" setting is turned off, and SSL termination on the backend load balancer is turned on

    Broadcom Employee
    Posted Nov 15, 2017 03:17 PM

    When we see issues with re-initializing SSL after the Gateway, the issue normally is linked back to a client mutual authentication problem. The SSL can be re-initialized but the back end may be expecting the initial Client Mutual which is no longer occurring.

     

    Sincerely,

     

    Stephen Hughes

    Director, CA Support