Forum Discussion
LTM SSL bridging not working
Hi,
I'm currently trying to implement SSL bridging for a Cisco IronPort spam quarantine web portal. The Cisco box is using a self-signed certificate and is accessible from the F5 box (testing with openssl s_client -host quarantienhost -port 443 connects to the portal and returns a redirect).
But I'm not able to publish this site with the F5 LTM. When I try to access it, it tries to load the page and then after some time gives up. When I replace the IP of the Cisco IronPort with that of another system that also uses a self-signed certificate, all works as expected.
How can I debug what is going on? I've created an analytics profile for logging, but this only shows the request coming in.
- Ed_Summers
Nimbostratus
Sorry if this is a trivial question, but you mentioned that the IronPort 'returns a redirect' during your successful connection test from the LTM. Have you confirmed that the redirects it sends when hosted behind the LTM are valid for the environment? IOW, will it redirect the client back through the LTM or to another valid location?
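The check Ed is asking for, as an added example that is not part of the original thread or of any F5 or Cisco code: given the raw response the pool member sends to GET /login, decide whether a browser that reached the portal through the virtual server (by the VIP's name or, as in the question, by its IP) can actually follow the Location header, and rewrite it to the VIP the way the HTTP profile's Rewrite Redirects option would. The hostnames, the IPs and the sample response are assumed and constructed for the example.

```python
"""Added example (not from the thread): check whether a redirect issued by the pool
member can be followed by a client that reached it through the LTM virtual server,
and rewrite it the way the HTTP profile's Rewrite Redirects setting would.
Hostnames, IPs and the sample response are assumed/constructed."""
from urllib.parse import urlsplit, urlunsplit

BACKEND_HOSTS = {"quarantine.internal.example", "10.0.1.20"}   # assumed pool member name and IP
VIP_HOSTS = {"quarantine.example.com", "198.51.100.10"}        # assumed VIP name and IP clients use
VIP_PORT = 443

# Constructed: what the portal might answer to "GET /login HTTP/1.1" when it builds
# the redirect from its own configured hostname instead of the Host header it received.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://quarantine.internal.example:443/login.html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_redirect(raw: bytes):
    """Return (status_code, location) from a raw HTTP response; location is None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def redirect_reachable_via_vip(location, vip_hosts):
    """True if a client can follow the redirect through the virtual server.

    A relative Location keeps the host the browser already used (the VIP); an
    absolute one is fine only if it names the VIP. Anything else sends the client
    straight at the pool member, which it usually cannot reach."""
    parts = urlsplit(location)
    if not parts.netloc:
        return True
    return parts.hostname in vip_hosts


def rewrite_location(location, backend_hosts, vip_host, vip_port=443):
    """Rewrite an absolute redirect that names a pool member so it points at the VIP
    (what Rewrite Redirects does on the LTM). Other Locations are returned unchanged."""
    parts = urlsplit(location)
    if parts.hostname not in backend_hosts:
        return location
    netloc = vip_host if vip_port == 443 else f"{vip_host}:{vip_port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    status, loc = parse_redirect(SAMPLE_RESPONSE)
    print(status, loc, "reachable via VIP:", redirect_reachable_via_vip(loc, VIP_HOSTS))
    print("rewritten:", rewrite_location(loc, BACKEND_HOSTS, "quarantine.example.com"))
```

Run the real check with the response you already get from openssl s_client: if the Location names the pool member (or a hostname that only resolves inside the server VLAN), the browser's follow-up request never passes the LTM, which looks exactly like a hang. Two things close that gap: have the portal build redirects from the Host header it receives, or enable Rewrite Redirects in the HTTP profile so the LTM rewrites them as above.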
- keshav_163381
Nimbostratus
Please do a tcpdump on the F5 LTM for the working and non-working cases and find the difference. It looks like return traffic is not going back to the LTM. Please identify this issue.
- ChristianH_1903
Nimbostratus
@Ed and @keshavArora: Thank you for your comments. When running "openssl s_client -host -port 443" and then "GET /login HTTP/1.1", I receive an answer which would redirect me to a new URL on . But when trying to access /login from a browser via the IP of the VIP, nothing is returned. Just as if the F5 were not able to access the .
- keshav_163381
Nimbostratus
There are a couple of things you have to check, step by step.
1) What is the status of the virtual server (is it up)?
2) Are you able to reach the LB? (Take a tcpdump from your machine and check the connection table.)
3) Run a curl command for troubleshooting purposes.
4) Routing is important; check whether you have reachability from the machine to the VIPs.
5) Check the profile settings: HTTP traffic needs an HTTP profile, but sometimes the app does not understand HTTP, so try removing it and check.
6) SNAT options.
7) tcpdump on the server side.
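The tcpdump comparison keshav asks for in both posts (working vs. non-working capture, plus the server-side capture and SNAT check in the steps above), as an added example that is not part of the original thread or of any F5 tooling: it parses tcpdump -n output taken on the LTM, pairs each connection attempt's SYN with its SYN-ACK, and flags the pool member that never answers, which is what "return traffic is not going back to the LTM" looks like on the wire. The capture text is constructed and every address in it is assumed.

```python
"""Added example (not from the thread): compare the client-side and server-side TCP
handshakes in an LTM tcpdump and flag pool members that never answer the SYN, the
symptom of return traffic not coming back through the LTM. The capture text is
constructed and all addresses are assumed."""
import re

# tcpdump -n line format: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# Constructed capture (as from `tcpdump -nni 0.0 port 443` on the LTM; addresses assumed):
# client 192.0.2.50 completes the handshake with VIP 198.51.100.10, then the LTM opens
# the server-side connection from its self IP 10.0.0.5 to pool member 10.0.1.20 and
# only ever sees its own SYN retransmissions.
SAMPLE_CAPTURE = """\
10:00:01.000000 IP 192.0.2.50.51234 > 198.51.100.10.443: Flags [S], seq 100, win 65535, length 0
10:00:01.000200 IP 198.51.100.10.443 > 192.0.2.50.51234: Flags [S.], seq 200, ack 101, win 14600, length 0
10:00:01.000400 IP 192.0.2.50.51234 > 198.51.100.10.443: Flags [.], ack 201, win 65535, length 0
10:00:01.000600 IP 192.0.2.50.51234 > 198.51.100.10.443: Flags [P.], seq 101:300, ack 201, win 65535, length 199
10:00:01.001000 IP 10.0.0.5.34567 > 10.0.1.20.443: Flags [S], seq 300, win 65535, length 0
10:00:02.001000 IP 10.0.0.5.34567 > 10.0.1.20.443: Flags [S], seq 300, win 65535, length 0
10:00:04.001000 IP 10.0.0.5.34567 > 10.0.1.20.443: Flags [S], seq 300, win 65535, length 0
"""


def parse_tcpdump(text):
    """Return a list of (src, dst, flags) with src/dst as (ip, port) tuples."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, sport, dst, dport, flags = m.groups()
            pkts.append(((src, int(sport)), (dst, int(dport)), flags))
    return pkts


def handshake_summary(pkts):
    """Group packets per flow keyed (client, server) and count SYN, SYN-ACK and other segments."""
    flows = {}
    for src, dst, flags in pkts:
        if flags == "S":                       # SYN: the sender is the client side
            key = (src, dst)
            flows.setdefault(key, {"syn": 0, "synack": 0, "other": 0})["syn"] += 1
        elif flags == "S.":                    # SYN-ACK: the sender is the server side
            key = (dst, src)
            flows.setdefault(key, {"syn": 0, "synack": 0, "other": 0})["synack"] += 1
        else:                                  # ACK/data: attribute to whichever flow we know
            key = (src, dst) if (src, dst) in flows else (dst, src)
            if key in flows:
                flows[key]["other"] += 1
    return flows


def diagnose(text):
    """Map "server_ip:port" to a verdict for every connection attempt seen in the capture."""
    verdicts = {}
    for (client, server), c in handshake_summary(parse_tcpdump(text)).items():
        name = f"{server[0]}:{server[1]}"
        if c["synack"]:
            verdicts[name] = "handshake completed"
        elif c["syn"]:
            verdicts[name] = f"no SYN-ACK after {c['syn']} SYN(s)"
    return verdicts


if __name__ == "__main__":
    for server, verdict in diagnose(SAMPLE_CAPTURE).items():
        print(f"{server}: {verdict}")
```

Read the two halves together: the client-to-VIP flow completes, so the virtual server and client routing are fine (steps 1, 2 and 4), while the LTM-to-member flow shows repeated SYNs and nothing back. Take the same capture on the IronPort: if it does see the SYN and sends a SYN-ACK that never appears on the LTM, the member's reply is leaving by a route that bypasses the LTM. The usual fixes are the member's default gateway pointing at the LTM self IP, or SNAT (automap) on the virtual server so the reply is addressed to the LTM itself (step 6); tmsh show sys connection on the LTM shows the same server-side flow stuck without a completed handshake.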
- SylvainC
Nimbostratus
For information, I'm a colleague of ChristianH and we figured out what the problem was. We fixed it by adapting the network configuration on the Cisco IronPort side.