Forum Discussion
Configuring F5 Re-Encryption
It would seem that all indications are pointing to the server side SSL connection, and there are a number of things that can cause a failure. At the very least you should set up an SSLDUMP between the BIG-IP and Tomcat server and watch that transaction. If there's an SSL handshake error, you'll see it in this capture.
ssldump -AdNn -i [internal VLAN name] port 8443 [and any additional filters]
Also consider the following:
- It could be that the server doesn't support RFC5746 Secure Renegotiation. You'll actually see this in the LTM log, and you can control it by setting the Secure Renegotiation option in the BIG-IP's server SSL profile to Request.
- It could be that the server doesn't support the ciphers and/or protocols presented by the BIG-IP. This one is a bit more complex to troubleshoot, but if this is the case you'll likely see the server send an alert message directly at the client's (BIG-IP's) ClientHello message. Take note of the ciphers used by your successful direct connection test and compare those to what the BIG-IP is sending.
- It could be that the server requires a Server Name Indication (SNI) value. By default the server SSL profile doesn't send an SNI in the ClientHello, but you can add one in the Server Name field in the server SSL profile. This will usually also fail after the client's ClientHello message.
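The three failure modes above (no RFC 5746 support, cipher/protocol mismatch, missing SNI) all show up in the server's first reply to the ClientHello. The script below is an added example, not part of the original post and not F5 tooling: it builds a TLS 1.2 ClientHello shaped like the one a server SSL profile sends (chosen cipher list, optional SNI, renegotiation_info extension) and classifies the first record the server returns, so you can reproduce each case from a workstation before touching the profile. The host name, port 8443 and the cipher list are assumptions to adjust; the sample responses are constructed by hand so the parsing runs offline.

```python
"""
Probe a TLS server the way a BIG-IP server SSL profile would: send one
ClientHello with a chosen cipher list, with or without SNI, and classify
the server's first reply (ServerHello vs. alert right after ClientHello).

Added example, not from the DevCentral post. SAMPLES are constructed
records for offline use; probe() does a live round trip when given a host.
"""
import os
import socket
import struct

# TLS 1.2 cipher suites (IANA code points); assumed list, edit to match the profile.
CIPHERS = {
    "ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,
    "ECDHE-RSA-AES256-GCM-SHA384": 0xC030,
    "AES128-SHA": 0x002F,
    "AES256-SHA": 0x0035,
}

ALERT_NAMES = {
    40: "handshake_failure",    # typical for cipher/protocol mismatch
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",   # server did not like (or lacked) the SNI
}


def _ext(ext_type: int, body: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(cipher_names, server_name=None, secure_reneg=True) -> bytes:
    """Return one TLS record carrying a TLS 1.2 ClientHello."""
    suites = b"".join(struct.pack("!H", CIPHERS[c]) for c in cipher_names)
    exts = b""
    if server_name is not None:                      # SNI, type host_name (0)
        host = server_name.encode()
        exts += _ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    if secure_reneg:                                 # RFC 5746, empty renegotiated_connection
        exts += _ext(0xFF01, b"\x00")
    sig_algs = struct.pack("!HHH", 0x0401, 0x0501, 0x0601)   # rsa+sha256/384/512
    exts += _ext(0x000D, struct.pack("!H", len(sig_algs)) + sig_algs)
    groups = struct.pack("!HH", 0x0017, 0x001D)              # secp256r1, x25519
    exts += _ext(0x000A, struct.pack("!H", len(groups)) + groups)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"           # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                    # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def classify_response(data: bytes) -> dict:
    """Classify the first TLS record a server sent back after our ClientHello."""
    if len(data) < 5:
        return {"kind": "no_data"}
    content_type, _, _, length = struct.unpack("!BBBH", data[:5])
    rec = data[5:5 + length]
    if content_type == 21 and len(rec) >= 2:                 # Alert
        return {"kind": "alert",
                "level": "fatal" if rec[0] == 2 else "warning",
                "description": ALERT_NAMES.get(rec[1], f"alert_{rec[1]}")}
    if content_type == 22 and rec and rec[0] == 2:           # Handshake / ServerHello
        body = rec[4:]
        pos = 35 + body[34]                                  # skip version, random, session id
        cipher = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 3                                             # cipher + compression method
        reneg = False
        if len(body) >= pos + 2:
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
            exts, i = body[pos + 2:pos + 2 + ext_len], 0
            while i + 4 <= len(exts):                        # look for renegotiation_info echo
                etype, elen = struct.unpack("!HH", exts[i:i + 4])
                reneg |= etype == 0xFF01
                i += 4 + elen
        name = next((n for n, v in CIPHERS.items() if v == cipher), hex(cipher))
        return {"kind": "server_hello", "cipher": name, "secure_renegotiation": reneg}
    return {"kind": "unexpected", "content_type": content_type}


def probe(host, port, cipher_names, server_name=None, timeout=5.0) -> dict:
    """Live check: one ClientHello to host:port, classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(cipher_names, server_name))
        return classify_response(s.recv(4096))


def sample_server_hello(cipher: int, with_reneg: bool) -> bytes:
    """Constructed ServerHello record (not a capture) for offline runs."""
    exts = _ext(0xFF01, b"\x00") if with_reneg else b""
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", cipher) + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


SAMPLES = {                                                  # constructed, not captured
    "cipher mismatch": bytes.fromhex("15030300020228"),      # fatal handshake_failure(40)
    "SNI rejected":    bytes.fromhex("15030300020270"),      # fatal unrecognized_name(112)
    "ok, RFC5746":     sample_server_hello(0xC02F, True),
    "ok, no RFC5746":  sample_server_hello(0x002F, False),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:        # e.g. probe.py tomcat.internal 8443 [sni-name]
        sni = sys.argv[3] if len(sys.argv) > 3 else None
        print(probe(sys.argv[1], int(sys.argv[2]), list(CIPHERS), sni))
    else:
        for label, rec in SAMPLES.items():
            print(f"{label:16s} {classify_response(rec)}")
```

Run it twice against the Tomcat server, once without and once with the SNI name, and with the cipher list trimmed to what the server SSL profile actually offers: an alert straight back is the cipher/protocol or SNI case from the list above, while a ServerHello with `secure_renegotiation: False` is the case where a profile set to Require (rather than Request) would drop the connection.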