kgaigl
Mar 18, 2026

Help with SSH Virtual Server

Hello,

We've 2 VS for SSH (Delinea Secret Server), Type Performance L4, NAT: AutoMap, an appropriate L4 tcp Profile and so on.

If I try the connection with ssh -vvv admin@service.com, the connection gets established, but I don't get the challenge for the Fingerprint and no Password Prompt.

A tcpdump looks fine, no Resets or else.

I can ssh to the Pool Members from a Linux Client and from the F5 CLI without Problems.

So I think the F5 drops the Key Exchange/Fingerprint somewhere.

Any Idea?

Thank you

Karl 

8 Replies

  • Using a Performance Layer 4 Virtual Server may well bring PVA into the equation which would impact the tcpdump traffic captured so you could well be missing something important.

    Details can be found in the following post: here

    The other thing I would try is using a Standard VS as a test and see what happens.

  • kgaigl

    PVA is not active:

    [root@ldb-ara27-rz-05:Active:In Sync] ~ # tmsh show /sys hardware | grep -i pva
    [root@ldb-ara27-rz-05:Active:In Sync] ~ #

     

    and VS Type Standard I've already tried, no difference

    we've some other SSH VS, configured as Standard with some Docker Container, they are working well

  • Just found the following: K Article that has some troubleshooting steps for Performance (Layer 4) virtual servers: https://my.f5.com/manage/s/article/K62404483.

    I would tweak the tcpdump output though as shown below (I have appended the 'p' to the command so that both sides (client and server) are captured) which might help show where the issue is:

    tcpdump -vi 0.0:nnnp -s0 -w /var/tmp/<outputfile.pcap> -c <maximum packets> host <virtual_server_IP> or host <pool_member_IP>

    F5 Specific tcpdump Switches

  • kgaigl

    in the Layer4 Profile there is no Setting for PVA Acceleration

    • leemedz

      So that would suggest that the F5 devices are Virtual then at a guess.

      Not really important either way - PVA is not in the picture so it can't affect the tcpdump output so I would run the tcp command above and see what it returns. Since it captures both the client and server traffic I am hoping that will shed a bit more light on where things are not working.    

  • SSH indeed allows multiple client instances to use 1 ssh session.

    In PuTTY, this setting allows it.
    I don't need to log in on my second and subsequent PuTTY windows when connecting to the same ssh server.

     

  • Hello kgaigl

    Noticed you had some suggestions and wanted to check if you had a solution to update your post? If not and you need additional assistance let us know so we can look at what options would be available to assist you. 

    -Melissa 

  • kgaigl

    Hello Melissa,

     

    Sorry that I've ignored the last posts, but for 99% the Problem is on the pool member: an identical Test-VIP is working after a Software-Update of the Pool-Member, so I guess it's not an F5 Problem.
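
The symptom in this thread (TCP connects, but no host key fingerprint and no password prompt) can be narrowed down by checking whether the server's SSH identification string, the first line sent before key exchange, arrives through the virtual server and directly from the pool member. The script below is an added example, not part of the original thread; its function names are hypothetical, and the two addresses are supplied on the command line.

```python
import socket
import sys

def read_ssh_ident(sock, timeout, limit=8192):
    """Return the first complete line starting with 'SSH-' (RFC 4253 sec. 4.2), or None."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < limit:
            chunk = sock.recv(512)
            if not chunk:                       # peer closed without identifying
                break
            buf += chunk
            for line in buf.split(b"\n")[:-1]:  # complete lines only; servers may send text first
                if line.startswith(b"SSH-"):
                    return line.rstrip(b"\r").decode("ascii", "replace")
    except OSError:                             # timeout or reset: nothing usable arrived
        pass
    return None

def probe(host, port=22, timeout=5.0):
    """Classify one path: TCP failure, TCP up but silent, or identification received."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))
    with sock:
        ident = read_ssh_ident(sock, timeout)
    return ("ident_received", ident) if ident else ("tcp_ok_no_ident", "")

def compare(vip, member, timeout=5.0):
    """vip and member are (host, port) tuples; returns (verdict, vip_result, member_result)."""
    via_vip = probe(*vip, timeout=timeout)
    direct = probe(*member, timeout=timeout)
    if direct[0] != "ident_received":
        verdict = "pool member sends no SSH identification even when contacted directly"
    elif via_vip[0] != "ident_received":
        verdict = "pool member identifies directly but not through the virtual server"
    else:
        verdict = "identification string arrives on both paths"
    return verdict, via_vip, direct

if __name__ == "__main__":
    # Usage: python3 ssh_ident_probe.py <virtual_server_IP> <pool_member_IP>
    print(compare((sys.argv[1], 22), (sys.argv[2], 22)))
```

With SNAT AutoMap the pool member sees the BIG-IP self IP as the source, so a direct probe from a client tests a different source address than the one the virtual server uses.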