OptimalDesign
Enthusiast

LB works fine in ssl passthru but it does not work properly in ssl offload.


Hi, Experts

I just tested the LB with a web server pool and it works fine when the LB is in Passthrough mode.

But it does not work at all when the LB is configured as SSL-offload... Any technical advice is welcome!

1) When I configured the LB in Passthrough mode, it could connect to the web server and I got the log below:

#show log follow

2017-02-16T10:55:38+00:00 NSX-edge-9-0 loadbalancer[12792]: [default]:  [local0.info] 192.168.110.10:58941 [16/Feb/2017:10:55:38.123] passthru1 Web-Tier-Pool-new/web-03a 1/0/38 1736 -- 1/1/1/0/0 0/0

2017-02-16T10:55:38+00:00 NSX-edge-9-0 loadbalancer[12792]: [default]:  [local0.info] 192.168.110.10:58942 [16/Feb/2017:10:55:38.124] passthru1 Web-Tier-Pool-new/web-02a 1/1/42 1736 -- 0/0/0/0/0 0/0

2017-02-16T10:55:38+00:00 NSX-edge-9-0 loadbalancer[12792]: [default]:  [local0.info] 192.168.110.10:58943 [16/Feb/2017:10:55:38.508] passthru1 Web-Tier-Pool-new/web-03a 1/1/15 1736 -- 0/0/0/0/0 0/0

2017-02-16T10:55:38+00:00 NSX-edge-9-0 loadbalancer[12792]: [default]:  [local0.info] 192.168.110.10:58944 [16/Feb/2017:10:55:38.524] passthru1 Web-Tier-Pool-new/web-02a 1/0/78 4435 -- 0/0/0/0/0 0/0

...

2) However, when I configure the LB as SSL-offload, it returns HTTP code 502 and "Bad Gateway" on the webpage.

#show log follow

2017-02-16T10:32:27+00:00 NSX-edge-9-0 loadbalancer[1381]: [default]:  [local0.info] 192.168.110.10 - - [16/Feb/2017:10:32:27 +0000] "GET /cgi-bin/hol.cgi HTTP/1.1" 502 757 "" "" 58747 920 "LB_ssl_offload2_2~" "Web-Tier-Pool-new" "web-03a" 1 0 1 -1 4 PH-- 0 0 0 0 0 0 0 "" ""

2017-02-16T10:34:03+00:00 NSX-edge-9-0 loadbalancer[1381]: [default]:  [local0.info] 192.168.110.10 - - [16/Feb/2017:10:34:03 +0000] "GET /cgi-bin/hol.cgi HTTP/1.1" 502 766 "" "" 58762 400 "LB_ssl_offload2_2~" "Web-Tier-Pool-new" "web-02a" 2 0 1 -1 4 PH-- 0 0 0 0 0 0 0 "" ""

2017-02-16T10:43:37+00:00 NSX-edge-9-0 loadbalancer[1381]: [default]:  [local0.info] 192.168.110.10 - - [16/Feb/2017:10:43:37 +0000] "GET /cgi-bin/hol.cgi HTTP/1.1" 502 757 "" "" 58815 332 "LB_ssl_offload2_2~" "Web-Tier-Pool-new" "web-03a" 2 0 1 -1 5 PH-- 0 0 0 0 0 0 0 "" ""

2017-02-16T10:43:39+00:00 NSX-edge-9-0 loadbalancer[1381]: [default]:  [local0.info] 192.168.110.10 - - [16/Feb/2017:10:43:39 +0000] "GET /cgi-bin/hol.cgi HTTP/1.1" 502 766 "" "" 58819 698 "LB_ssl_offload2_2~" "Web-Tier-Pool-new" "web-02a" 2 0 1 -1 6 PH-- 0 0 0 0 0 0 0 "" ""

...


web-02a : 172.16.10.12/24 , GW 172.16.10.1/24 (vxlan 5000)

web-03a : 172.16.10.13/24 , GW 172.16.10.1/24 (vxlan 5000)

LB : 172.16.10.10/24 (vxlan 5000)

192.168.110.10 (My PC)


Thanks a lot!






Accepted Solutions
ddesmidt
VMware Employee

When you do "SSL-Passthrough" the clients terminate their HTTPS traffic on the pool members. So your Pool members are on https TCP 443.

When you do "SSL-Offload" the clients terminate their HTTPS traffic on the Edge-LB and then Edge-LB talks to the Pool members on http TCP 80.

Did you change your pool member configuration and health checks?

Dimitri


OptimalDesign
Enthusiast

@ddesmidt you're outstanding!!!
