Forum Discussion
Can F5 influence SSL traffic in a wildcard forwarding virtual server(0.0.0.0/0)?
Hi,
I am having a problem now with traffic passing through our F5; basically this F5 mainly serves as a firewall with a policy enforced on its VS.
This one is server-to-server communication. So what happens is, when bypassing the F5, traffic passes through successfully. However, when we change the network so that it needs to pass through our F5, somehow after the SSL handshake ends the client sends a FIN,ACK.
F5 config is:
ltm virtual /Common/forward_vs {
    destination /Common/0.0.0.0:0
    fw-enforced-policy /Common/outside
    ip-forward
    mask any
    profiles {
        /Common/ddos_custom { }
        /Common/fastL4_custom { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
    vlans {
        /Common/vlan_outside
    }
    vlans-enabled
}
I can see the traffic passing through this VS from the F5 Ethernet trailer, and I can also see the SSL handshake passing through the F5 until the client cipher exchange.
Client ------- Client Hello ---------> Dest
Client <----------- Ack -------------- Dest
Client <--Server Hello, Certificate -- Dest
Client <---- Server Key Exchange ----- Dest
Client ----------- Ack --------------> Dest
Client -- Client Key Exchange, Change Cipher Spec, Encrypted Handshake --> Dest
Client <-- Change Cipher Spec, Encrypted Handshake -- Dest
Client --------- Fin, Ack -----------> Dest
This one doesn't happen if the traffic doesn't pass through the F5. But I doubt the F5 has something to do with the connection failing, since this is only a wildcard forwarding VS.
Any input will be appreciated. Thanks.
1 Reply
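The packet sequence above is reproduced as an added Python illustration (not F5 code and not from anyone in this thread): a minimal TLS 1.2 record-layer parser that walks constructed TCP segments in the order the question lists them, names each record, and reduces the trace to one verdict. The `C>S`/`S>C` direction markers, the `"FIN"` marker and the sample record bytes are all constructed here; nothing is read from a real capture. The point it makes for troubleshooting is that a bare FIN arriving after both Finished messages, with no Alert record, is a different situation from a handshake failure, which would normally show up as a TLS Alert.

```python
"""Name the TLS records in a handshake and say how far it got.

Added illustration for the forum question; not F5 code. All bytes below are
constructed inline (no real capture); only record and handshake headers matter.
"""
import struct

# TLS record-layer content types (RFC 5246)
CCS, ALERT, HANDSHAKE, APPDATA = 20, 21, 22, 23
HS_NAMES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
            12: "ServerKeyExchange", 14: "ServerHelloDone",
            16: "ClientKeyExchange", 20: "Finished"}
SIDE = {"C>S": "client", "S>C": "server"}


def record(ctype, body, version=0x0303):
    """Build one TLS record: type(1) version(2) length(2) body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def handshake(hs_type, body=b""):
    """Build a plaintext handshake record: handshake type(1) length(3) body."""
    return record(HANDSHAKE, bytes([hs_type]) + len(body).to_bytes(3, "big") + body)


def parse_records(data, encrypted=False):
    """Split one segment's payload into TLS records and name each one.
    `encrypted` is this direction's state: after ChangeCipherSpec the next
    handshake record (Finished) is ciphertext, so it is reported opaquely."""
    names, off = [], 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated record header")
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        off += 5 + length
        if ctype == CCS:
            encrypted = True
            names.append("ChangeCipherSpec")
        elif ctype == HANDSHAKE and not encrypted:
            names.append(HS_NAMES.get(body[0], f"Handshake({body[0]})"))
        elif ctype == HANDSHAKE:
            names.append("EncryptedHandshake")
        elif ctype == ALERT:
            names.append("Alert")
        elif ctype == APPDATA:
            names.append("ApplicationData")
        else:
            names.append(f"Record({ctype})")
    return names, encrypted


def trace(events):
    """events: [(direction, payload)], direction 'C>S' or 'S>C', payload raw
    bytes or the marker 'FIN'. Returns a flat [(direction, record name), ...]."""
    enc = {"C>S": False, "S>C": False}   # per-direction cipher state
    seen = []
    for direction, payload in events:
        if payload == "FIN":
            seen.append((direction, "FIN"))
            continue
        names, enc[direction] = parse_records(payload, enc[direction])
        seen.extend((direction, n) for n in names)
    return seen


def verdict(seen):
    """Reduce a trace to the one line a troubleshooter wants to know."""
    if any(n == "ApplicationData" for _, n in seen):
        return "handshake completed and application data flowed"
    alerts = [d for d, n in seen if n == "Alert"]
    if alerts:
        return f"TLS alert sent by {SIDE[alerts[0]]}: failure at the TLS layer"
    fin_c = any(d == "C>S" and n == "EncryptedHandshake" for d, n in seen)
    fin_s = any(d == "S>C" and n == "EncryptedHandshake" for d, n in seen)
    if fin_c and fin_s and seen and seen[-1] == ("C>S", "FIN"):
        return "both Finished exchanged, then client closed without application data"
    last = [n for _, n in seen if n != "FIN"]
    return f"handshake stopped after {last[-1] if last else 'nothing'}"


# Constructed segments mirroring the exchange in the question (not a real capture).
SAMPLE_FLOW = [
    ("C>S", handshake(1, b"\x03\x03" + b"\x00" * 32)),
    ("S>C", handshake(2, b"\x03\x03" + b"\x00" * 32) + handshake(11) + handshake(12)),
    ("C>S", handshake(16) + record(CCS, b"\x01") + record(HANDSHAKE, b"\x00" * 40)),
    ("S>C", record(CCS, b"\x01") + record(HANDSHAKE, b"\x00" * 40)),
    ("C>S", "FIN"),
]

if __name__ == "__main__":
    for direction, name in trace(SAMPLE_FLOW):
        print(direction, name)
    print(verdict(trace(SAMPLE_FLOW)))
```

Fed real segments, the same walk run on a capture taken on each side of the BIG-IP shows whether the records the client received are the ones the server sent. In the flow above the client already sent ClientKeyExchange, so the server certificate was accepted, and no Alert follows the server's Finished; a Finished verification failure would normally produce an Alert rather than a silent FIN.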
nathe (Cirrocumulus)
Jose,
If the "ddos_profile" is a Layer 7 profile, then this may be the issue, as the BIGIP will expect to read the HTTP traffic but the VIP won't be terminating the SSL connection.
If you can remove this profile as a test that would tell you.
Hope this helps,
N