Outbound SSL question
Good day, I am new to F5 and have a question that I hope someone can help me with. We are struggling with an issue with a website that one of our servers is trying to connect to outbound. The connection is SSL, and the manager of the firewall is stating that, when the handshake is sent from the server, the hello never returns. He is stating that it never returns to the firewall. The company hosting the remote website has run a packet capture and is stating that the hello is being sent. Can the F5 be affecting this return traffic? The firewall manager is insisting that it is, but I am not familiar enough with the network or the F5 product to respond intelligently.
Has anyone experienced this situation? Any help is appreciated.
Jim
5 Replies
- Kevin_Stewart
Employee
So just to clarify, you have a server that is trying to talk SSL to a remote web server through your local F5, correct? And if yes, can I also assume that routing is not an issue because the two parties are at least talking at layer 4 before the SSL handshake? Are you doing any sort of SSL manipulation/offload on the F5 for this traffic? The firewall is presumably in front of your F5, so if the remote site says it's being sent, but your firewall isn't seeing it, then I'd imagine something else is wrong in between these two entities.
- Jim_Shoemaker_1
Nimbostratus
Thanks for the response... Yes, the traffic is passing through the F5... The F5 has nothing to do with the traffic from an SSL perspective. And, yes, there is layer connectivity. All looks good until the handshake. With regards to the F5, we are not doing any SSL manipulation.
Once again, pardon any ignorance on my part... I am new to this! I'm not sure that the F5 is in "front" of the firewall. Below is an illustration of the current connectivity:

    internet 1 ---\
                   - F5 - Firewall - internal network - Server
    internet 2 ---/

I would say the Firewall is BEHIND the F5, but I want to be sure that I am representing the network properly.
Does any of this affect the outbound SSL?
Thanks again.
- Kevin_Stewart
Employee
Potentially not the outbound connection. The remote site is, after all, receiving a port 443 request from your server through your local F5 (and firewall), correct? So if the F5 is in front, you should be able to observe this traffic leave its external interface and whatever response arrive back on that interface. A good guess is that you'll probably see the response here, but that you might not have your VIP configured to pass this traffic.
Assuming your diagram is correct, can you plug in behind the F5 and test, to take the firewall out of the picture? You could also run some curls from the F5, though that's not as complete a test.
- Narendren_S
Nimbostratus
Hi Jim,
It would be more helpful if we get an exact network picture. Since traffic is being handled by multiple devices between src and dst, we need to do hop-by-hop analysis.
As per your inputs, it seems there are two internet connections in place. If so, we should isolate asymmetric paths, since the firewall will not permit asymmetric traffic by default.
So, getting the exact network diagram will help to proceed.
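One way to make the hop-by-hop check above concrete, as an added example that is not from anyone in this thread: a small Python script that reads capture summary lines tagged with the interface they were taken on (constructed here in a simplified tcpdump-like format, not real tcpdump output) and reports, per outbound TLS flow, whether a ServerHello came back at all and whether the reply path differs from the request path.

```python
import re
from collections import defaultdict

# Simplified, constructed line format (not real tcpdump output):
# "<interface> <src>.<sport> > <dst>.<dport>: Flags [<flags>] [TLS <message>]"
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"\s+Flags \[(?P<flags>[^\]]*)\](?:\s+TLS (?P<tls>\w+))?$"
)

# Constructed sample: flow A's reply arrives on a different interface (asymmetric),
# flow B is healthy, flow C never sees a ServerHello anywhere.
SAMPLE_CAPTURE = """\
f5-ext 10.1.1.5.51000 > 203.0.113.10.443: Flags [S]
f5-ext 203.0.113.10.443 > 10.1.1.5.51000: Flags [S.]
f5-ext 10.1.1.5.51000 > 203.0.113.10.443: Flags [P.] TLS ClientHello
f5-ext2 203.0.113.10.443 > 10.1.1.5.51000: Flags [P.] TLS ServerHello
f5-ext 10.1.1.6.52000 > 198.51.100.7.443: Flags [S]
f5-ext 198.51.100.7.443 > 10.1.1.6.52000: Flags [S.]
f5-ext 10.1.1.6.52000 > 198.51.100.7.443: Flags [P.] TLS ClientHello
f5-ext 198.51.100.7.443 > 10.1.1.6.52000: Flags [P.] TLS ServerHello
f5-ext 10.1.1.7.53000 > 192.0.2.20.443: Flags [S]
f5-ext 192.0.2.20.443 > 10.1.1.7.53000: Flags [S.]
f5-ext 10.1.1.7.53000 > 192.0.2.20.443: Flags [P.] TLS ClientHello
"""

def diagnose(capture_text):
    """Return {(client_ip, client_port, server_ip): verdict} for each port-443 flow."""
    flows = defaultdict(lambda: {"client_hello": False, "server_hello": False,
                                 "out_ifaces": set(), "in_ifaces": set()})
    for raw in capture_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        d = m.groupdict()
        if d["dport"] == "443":      # client -> server direction
            key, direction = (d["src"], d["sport"], d["dst"]), "out"
        elif d["sport"] == "443":    # server -> client direction
            key, direction = (d["dst"], d["dport"], d["src"]), "in"
        else:
            continue
        f = flows[key]
        f[direction + "_ifaces"].add(d["iface"])
        if d["tls"] == "ClientHello":
            f["client_hello"] = True
        if d["tls"] == "ServerHello":
            f["server_hello"] = True
    report = {}
    for key, f in flows.items():
        if f["client_hello"] and not f["server_hello"]:
            report[key] = "no ServerHello seen at any capture point"
        elif f["in_ifaces"] and f["in_ifaces"] != f["out_ifaces"]:
            report[key] = "asymmetric: reply path differs from request path"
        else:
            report[key] = "symmetric"
    return report
```

Run the same script over captures from each hop (F5 external interfaces, firewall outside and inside) to see where the ServerHello is last observed.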