Forum Discussion
server_name extension missing from Client Hello
- Apr 19, 2023
cmcnicholas Are these the actual client connections failing, or is this a log you are parsing through that shows the SSL error? The reason I ask is because it could be the health check from the F5 that is causing the error, because health checks originate from the self IP while load-balanced traffic originates from the floating IP of the F5. If it's the client IP it might be worth running some captures to see if the F5 receives the SNI, because it could be a misconfiguration on the client side. If you want to enable SNI on the health monitor, make sure you have the SSL profile associated to the health monitor and you fill in the SNI field in the SSL profile shown below.
cmcnicholas When you say server_name extension, do you mean Server Name Indication (SNI)? If you are referring to SNI, from my understanding this is added in by the client and not the F5 or server, and should be maintained by the client. If you want to ensure that the F5 isn't doing anything with it, you can run a tcpdump on the F5 on the client side of the connection to validate that the request always arrives with the SNI field. You can also run a tcpdump/Wireshark on the client side to make sure the client is sending the SNI field.