Forum Discussion
How to troubleshoot SSL server profile?
Hi
I'm trying to work out where my connection is going wrong. I have set up a VIP with both a client and server SSL profile so the nodes receive traffic on 443. What commands should I use from the F5 to troubleshoot the cert between the F5 and the nodes/servers?
Thanks
3 Replies
- Approxee
Nimbostratus
Where are you receiving the error, and what does it say? Is it a browser error? Is it a self cert or a Public CA? Is there an intermediate Cert between the root CA and your certificate?
- Approxee
Nimbostratus
You could use TCPdump, and then use SSLdump to see where it is failing - I think also you can use SSLdump directly if it is not a live system
- hoolio
Cirrostratus
You can capture a tcpdump first to see that up to L4 is working and then use ssldump with the server's SSL private key to check that SSL is working:
sol411: Overview of packet tracing with the tcpdump utility https://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html
tcpdump -ni 0.0 -s0 -w /var/tmp/trace.1.dmp host CLIENT_IP or host SERVER_IP
Replace CLIENT_IP and SERVER_IP with the client and pool member(s) IPs.
SOL10209 - Overview of packet tracing with the ssldump utility https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html?sr=31391333
ssldump -AedHr /var/tmp/trace.1.dmp -Nk /var/tmp/private.key > /var/tmp/ssldump.txt
Aaron
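One way to read the /var/tmp/ssldump.txt written by the last command and see where each handshake stops, as an added example that is not part of the original posts. The function names, the sample trace and its addresses are constructed, and the record layout it parses is assumed from typical ssldump text output.

```bash
# Added example, not from the thread. Parses the record layout assumed from typical ssldump text output.
summarize_ssldump() {
    awk '
    BEGIN { msgs = "^(ClientHello|ServerHello|Certificate|ServerKeyExchange|CertificateRequest|"
            msgs = msgs "ServerHelloDone|ClientKeyExchange|CertificateVerify|Finished)$" }
    /^New TCP connection #[0-9]+:/ {
        id = $4; gsub(/[#:]/, "", id); order[++n] = id; peers[id] = $5 " <-> " $7; next
    }
    $1 ~ /^[0-9]+$/ && ($5 == "C>S" || $5 == "S>C") {   # record header line
        cur = $1; dir = $5; type = $6
        if (type == "application_data") data[cur] = 1
        next
    }
    type == "Handshake" && $1 ~ msgs { last[cur] = dir " " $1; next }
    type == "Alert" && $1 == "level" { alert[cur] = dir " " $2; next }
    type == "Alert" && $1 == "value" { alert[cur] = alert[cur] " " $2; next }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            printf("conn %s | %s | last handshake: %s | alert: %s | app data: %s\n", id, peers[id],
                (id in last) ? last[id] : "none", (id in alert) ? alert[id] : "none", (id in data) ? "yes" : "no")
        }
    }' "$@"
}

# Constructed, abbreviated sample: 10.10.1.5 stands for the BIG-IP, 10.20.0.x for pool members.
sample_trace() {
    cat <<'EOF'
New TCP connection #1: 10.10.1.5(51234) <-> 10.20.0.11(443)
1 1  0.0006 (0.0006)  C>S  Handshake
      ClientHello
1 2  0.0011 (0.0005)  S>C  Alert
    level           fatal
    value           handshake_failure
New TCP connection #2: 10.10.1.5(51240) <-> 10.20.0.12(443)
2 1  0.0005 (0.0005)  C>S  Handshake
      ClientHello
2 2  0.0020 (0.0015)  S>C  Handshake
      ServerHello
      Certificate
      ServerHelloDone
2 3  0.0031 (0.0011)  C>S  Handshake
      ClientKeyExchange
2 4  0.0040 (0.0009)  S>C  Handshake
      Finished
2 5  0.0052 (0.0012)  C>S  application_data
EOF
}

sample_trace | summarize_ssldump
```

Against a real capture, run `summarize_ssldump /var/tmp/ssldump.txt`; a connection whose last handshake message is followed by an alert and no application data is the one to look at in the full ssldump text.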