For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

akroehnert's avatar
akroehnert
Icon for Nimbostratus rankNimbostratus
Oct 21, 2015

Proxy SSL configured as per manual, connection reset occours

Hi   I have an issue with Proxy SSL that puzzles me. I am running on BigIP 11.6.0 HF5. I have a IIS 8.5 running in the back-end. BigIP is configured with a clientssl and serverssl profile. Both ut...
application delivery
deployment
design
LTM
security
ssl
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 21, 2015

Do you have the "ProxySSL Passthrough" option enabled?

The first thing I'd do is run an ssldump capture on the client side of the F5 (client to F5).

ssldump -AdNn -i 0.0 port 443 and host [IP of VIP]

This will let you watch the SSL handshake and see where an error might be happening. For example, if the client doesn't send an RSA cipher in its ClientHello cipher list and you have the F5's client SSL profile to only accept RSA ciphers, the server (F5) will immediately send an alert and reset. If you have the Proxy Passthrough option enabled and everything starts working, that's usually a good indication that at least one side of the communication is not able to do RSA key exchanges, which is absolutely required for ProxySSL to work.