Forum Discussion
CirrusDecrypting SSL traffic - PMS and egress
EmployeeOne thing to take into account is if you have a OneConnect profile applied to the virtual server the Serverside connections could have established SSL handshakes before you take the capture and not be able to be decrypted. You have to make sure all connections on the serverside and clientside are deleted before starting the capture otherwise you may not be able to decrypt.
You should also use a filter that includes the ServerSide nodes specifically and not rely on the :nnnp to gather that data if you are looking to decrypt the serverside traffic.
CirrostratusHi,
thank you for your input.
Sadly it does not work.
- did check if any tcp connection exists for this VS
- used a fresh browser
- no oneconnect profile
- no http/2
- added node IPs to tcpdump filter
- one can see complete TCP and SSL handshake between LTM and node in the capture
The LTM still uses a rather old version (15.1), so maybe it's an issue there?
- David_Larsen
That version should work.
- Is there a ServerSSL profile?
- Is there a HTTPS health monitor?
- Is the pool member IP used in any other pools?
There are a number of ways there could be an open connection to the server that already establish the SSL handshake. I'm wondering if it is something we are not thinking of that could have it open already.
- Ichnafi
Tried capturing a different VS (with same settings, profiles,..) on the same LTM. This time everything worked as expected.
So, never mind. Your scripts work. Thank you for sharing!
- David_Larsen
Glad that one is working. If you would like to figure out where the open connection is I would do a quick tcpdump on the serverside of just that server and see if you can see an open connection and where it might be coming from. I suspect once you get that connection to reset you will be able to capture from the original VS.
