Proxy Handshake failure
Hi,
You're in Local Traffic > Virtual Servers > [VIRTUAL SERVER] > Security.
SSL Certs are set at
Local Traffic > Virtual Servers > [VIRTUAL SERVER]
Under Configuration
SSL Profile (Client) and SSL Profile (Server)
And these policies are set in Local Traffic > Profiles > SSL > Client or Server as needed.
Client is incoming, so from web client to f5, and server is f5 to web server.
From the looks of your in I'm guessing this is linked to the f5 to server comms so the SSL Server profile is being used.
So possibly something in the server ssl profile is stopping you?
You are in the range of looking at what updates have happened on the TrendMicro platform, and an f5 support call to try to deep dive into it.
Thank you mate for your time.
This is my configuration...and it seems correct: what do you think?
I already checked this and I can't see any blocking parameter.
- PSFletchTheTek, Apr 27, 2022
Cumulonimbus
Hum interesting!!! - you don't actually have SSL turned on!!!
The fields are blank! Therefore it's going straight in and straight out.
So, you might have already mentioned this. Where are those logs from???
Is it the f5, the client or the server??? (TrendMicro side)
- MadMick, Apr 27, 2022
Nimbostratus
The log I sent you is from the client where TrendMicro agent is installed.
If I remove proxy from the configuration, the agent can be activated.
If I put the proxy in the configuration I receive the handshake error.
If I put the proxy in my browser settings, I can navigate without any problem.
Is there any way to trace what BIG-IP proxy is doing for my client?
- PSFletchTheTek, Apr 27, 2022
Cumulonimbus
It's sounding more and more like a trend micro issue not liking the f5 in the middle.
But you can use tcpdump to see the flows. So things like
tcpdump -nni 0.0:nnnp 'host 192.168.201.37 ' -s0 -vvv
or
tcpdump -nni 0.0:nnnp 'port 8081' -s0 -vvv
Add -w /var/tmp/<filename>.pcap to the dump to capture the output and then you can review it in wireshark.
This should allow you to see the flows; the port 8081 one might look the best at the moment so you can see in and out. Or if you know the client IP, add that with an or, so 'host 192.168.201.37 or host 10.10.10.1' for example; that should then let you see in and out.
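
Once a capture has been saved with -w, the sender of a TLS alert shows which side refused the handshake. The script below is an added example, not code from anyone in this thread: it assumes a classic pcap file with Ethernet framing and IPv4, and that the failure appears as a plaintext TLS alert; the function names are hypothetical and the sample packet is constructed, reusing the example addresses from the post above.

```python
import struct

# Subset of TLS alert descriptions (RFC 5246 / RFC 8446) seen when a handshake is refused
ALERTS = {10: "unexpected_message", 40: "handshake_failure", 42: "bad_certificate",
          46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name"}

def tls_alerts(pcap: bytes):
    """Return (src, dst, level, description) for each plaintext TLS alert in a pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    found, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        l3 = 12
        while frame[l3:l3 + 2] == b"\x81\x00":       # skip 802.1Q VLAN tags
            l3 += 4
        ip = frame[l3 + 2:]
        if frame[l3:l3 + 2] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6:
            continue                                  # IPv4 + TCP only
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack(">H", ip[2:4])[0]
        tcp = ip[ihl:total]                           # drops padding/trailer after the IP datagram
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack(">HH", tcp[:4])
        data = tcp[(tcp[12] >> 4) * 4:]
        # Alert record: content type 21, version 3.x, length 2, then level and description.
        # Only alerts at the start of a segment are seen (no TCP reassembly).
        if len(data) >= 7 and data[0] == 21 and data[1] == 3 and data[3:5] == b"\x00\x02":
            src = ".".join(map(str, ip[12:16])) + f":{sport}"
            dst = ".".join(map(str, ip[16:20])) + f":{dport}"
            level = {1: "warning", 2: "fatal"}.get(data[5], str(data[5]))
            found.append((src, dst, level, ALERTS.get(data[6], str(data[6]))))
    return found

def sample_pcap() -> bytes:
    """Constructed one-packet capture: 10.10.10.1:8081 sends a fatal handshake_failure."""
    tls = bytes([21, 3, 3, 0, 2, 2, 40])
    tcp = struct.pack(">HHIIBBHHH", 8081, 50000, 0, 0, 5 << 4, 0x18, 1024, 0, 0) + tls
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 10, 10, 1]), bytes([192, 168, 201, 37]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"\xaa" * 8   # 8 trailing bytes
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

if __name__ == "__main__":
    for alert in tls_alerts(sample_pcap()):
        print(*alert)
```

An alert sent after encryption has started (as in most of a TLS 1.3 handshake) is carried as an encrypted record and will not be listed, so an empty result does not rule out a TLS-level rejection.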