Forum Discussion
CirrostratusWith Passthrough VIP how does SSL handshake work
MVPInquisitiveMai The client connection comes in on from random ephemeral port (we will say 5056) then the F5 selects to pool member and opens up a connection between itself from the same ephemeral port that the client used (this happens a lot of the time but something it's different) to the pool member on 443 or whatever SSL port you specified. The F5 stitches these two connections together and then passes the SSL handshake directly to the client and then from the client back to the pool member. If you have SNAT enabled you can try using the following capture to see both connections. You can export this and open it with wireshark and even decrypt using the SSL key.
tcpdump -nni 0.0:nnp host <client_IP> -w /shared/tmp/my_capture.pcap
InquisitiveMaiPauliusThank you for your response. The above filter only captures the client machine traffic. Do I need to put any other setting on wireshark.
I did take another capture on the F5 with the VIP address and pool member port (tcpdump -vvv -nni 0.0:nnnp -so host <VIP IP Address> or Port <Pool member port> -v -w /shared/tmp/file.pcap and Do not see the same port being used for connection from F5 to backend member. For this second capture, I did conversation filter with F5 TCP and see client Hellos and Server Hellos with seperate Port numbers from Client:random port <--->VIP:443 and F5 SelfIP:<random port different> <---> Poolmember:44376
- nitass
Employee
The above filter only captures the client machine traffic. Do I need to put any other setting on wireshark.
Try not to use p modifier
e.g.
tcpdump -nni 0.0:nnn -s0 -w /var/tmp/<output file> '(host <virtual ip> or host <pool member ip>) and port 443' -v
