Forum Discussion
Gary_Meehan_315
Nimbostratus
NimbostratusBig-IP LTM Re-encryption
Hi all,
I've using the virtual edition of Big-IP 10.1 under a trial license, which I'm using to load balance traffic to a web server (a single instance of IIS in my test case).
In my virtual server, I can specify a client SSL Profile, so that the Big-IP server receives HTTPS traffic decrypts it and sends HTTP traffic to the web server, working fine. I can also specify a server SSL profile, so the Big-IP server receives HTTP traffic and sends HTTPS traffic to my web server, working. However, when I set both client and server SSL profiles, I never get a response to my requests.
I want the Big-IP server to decrypt incoming traffic, add a cookie for persistence profiling, and re-encrypt the traffic before sending it on to the web server. I can see the request coming into the web server but no response is ever seen at the browser.
I was wondering if anybody had any ideas on how I can get this working. I have self-signed certificates on both the Big-IP server and the web server if that makes any difference.
Thanks,
Gary
SteveMPFor the SSL profiles, did you add the certificate AND the key? And does either one require a chain? Also, did you set the client machine to trust the self signed cert?
Gary_Meehan_315Hi Steve,
To answer your questions briefly: yes, no and yes. If it was a certificate problem, I'm not sure I'd be seeing the GET request in the IIS logs.
Gary
John_Matlock_42Hi Gary,
Typically, if traffic is getting to the webserver and not back to the client there is a return-routing issue. If you go to the pool statistics and you see packets in but 0 in the out column, this is a good indicator of this. This is normally an issue when the F5 is not in the default route from the web server back to your client’s subnet or if your web server, client and load balanced VIP are all on the same VLAN you'll want to turn on SNAT. The traffic has to go back through the F5 on the route back. SNAT can be enabled on the VIP, for your test purposes AutoMap should work.
Let me know if this is not your problem.
John- Gary_Meehan_315Hi John,
The client, virtual server and web server are indeed all on the same subnet, but the SNAT pool was set to Auto Map and the Out column is non-zero. If it was a routing problem, I'm not sure why setting the client pool to None, with the virtual server talking HTTP to the client and HTTPS to the server, would work.
Since reading your post and checking the things you suggested, my setup has started working. Sort of. I now sometimes -- and only sometimes -- get a response but it's very slow: it can take two or three minutes to receive a JPG that I can get almost instantaneously if I hit the web server directly. I don't know if this has any bearing on the matter.
Gary - John_Matlock_42Hmm, I probably responded to this too early in the morning as I apparently didn't read your entire post. I apologize for that.
At this point, I would suggest performing some TCPDumps on the F5 to see what the traffic looks like. What is your server ssl profile set to? Since you're sometimes getting what you expect, but slowly, I really wouldn't expect the issue to be with the SSL certificates. You might try setting it to the insecure compatible server ssl profile and see what happens.
John - SteveMPJust curious, did you run the IIS template to set this up?
- Gary_Meehan_315Steve, I've tried both the Generic HTTP template and the IIS one, both with the same result. Currently, I'm using the a setup based on the Generic HTTP profile from a fresh installation from the VM template.
John, I'm using the default serverssl profile. What is the "insecure compatible server ssl profile"? I have only two server SSL profiles: serverssl and wom_default_serverssl. I assume the "insecure compatible server ssl profile" corresponds to the serverssl profile with some options set; you wouldn't happen to know which ones, would you?
Thanks for taking the time to respond.
Gary - John_Matlock_42Gary,
Here is the config information for the serverssl-insecure-compatible SSL profile... I was under the impression it was a default, but I guess I could be wrong. I don't think it'll change the behavior you're seeing, I'm just curious. Btw, have you had a chance to perform some tcpdumps to see if there's anything obvious like retransmissions, sequence issues or resets?
ltm profile server-ssl serverssl-insecure-compatible {
ciphers !SSLv2:!EXPORT:!DH:RSA+RC4:RSA+AES:RSA+DES:RSA+3DES:@SPEED
defaults-from serverssl
secure-renegotiation request
}
John - Gary_Meehan_315Thanks, John. Not had chance to get any tcp dumps from the Big-IP box: I'll have to consult with a colleague who has more knowledge of Linux networking than I do. I have run Wireshark on the web server and the traffic looks okay that end. Looks like it's using TLS v1.0.
As for the secure-renegotiation, a bit of googling reveals this was only introduced in Big-IP versions 10.2.3 and 11.0.0 and I'm restricted to 10.1 because I'm using the trial version.
Gary - Personally I wouldn't use the trial edition as some features are not complete:
https://support.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/product/relnotes_ve_10_1_0.html?sr=21269957ki
Obtain the full VE via downloads.f5.com and have your partner obtain you an eval license