Forum Discussion
Short-lived tls connections with empty data
I have a setup to deliver syslog from an application (using iRules) to HSL, then to a virtual server which enables serverssl to encrypt the connection between the F5 HSL and a remote syslog server.
The setup works, except that I observed an issue with constantly retried TCP/TLS connections between the encrypting virtual server (as a syslog client) and the remote syslog server. Even without logs coming from HSL, the encrypting VS simply attempts a TCP/TLS connection, followed immediately by a TCP FIN, almost once every couple of seconds.
The encrypting virtual server uses the default tcp profile and serverssl profile. I thought a new connection should only be triggered with log data coming from hsl. Is this expected? Is there a way to allow a persistent tls connection between the encrypting virtual server and the remote syslog server?
From ssldump:
New TCP connection 3: 10.0.0.14(49798) <-> 10.0.0.11(514)
3 1 1517783929.0667 (0.0014) C>SV3.1(163) Handshake
ClientHello
Version 3.3
random[32]=
c1 f4 69 0d 48 b8 58 cd ab a9 02 94 88 c9 5d 76
61 04 4a db 29 0a 02 aa 18 ff ea 39 69 ca 65 e6
cipher suites
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression methods
NULL
3 2 1517783929.0682 (0.0015) S>CV3.3(81) Handshake
ServerHello
Version 3.3
random[32]=
cd ff 49 e6 d5 2d 25 74 a4 9d 44 f8 05 bf fc 0a
bb 69 4d fe 5f fb 15 1e 11 66 ea 01 62 8c 9c 43
session_id[32]=
b1 d6 42 f9 3e 61 b4 65 4c ef 25 1b d2 5c d7 eb
a5 56 24 38 98 86 51 ab f6 b2 53 cd 14 4a b5 0b
cipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256
compressionMethod NULL
3 3 1517783929.0682 (0.0000) S>CV3.3(812) Handshake
Certificate
3 4 1517783929.0682 (0.0000) S>CV3.3(4) Handshake
ServerHelloDone
3 5 1517783929.0695 (0.0012) C>SV3.3(262) Handshake
ClientKeyExchange
3 6 1517783929.0695 (0.0000) C>SV3.3(1) ChangeCipherSpec
3 7 1517783929.0695 (0.0000) C>SV3.3(40) Handshake
3 8 1517783929.0714 (0.0018) S>CV3.3(1) ChangeCipherSpec
3 9 1517783929.0714 (0.0000) S>CV3.3(40) Handshake
3 10 1517783929.0725 (0.0011) C>SV3.3(26) Alert
3 1517783929.0725 (0.0000) C>S TCP FIN
3 1517783929.0729 (0.0003) S>C TCP FIN
Thanks.
- Leonardo_Souza
Cirrocumulus
The connection looks to be closed because of the SSL alert message. What does the message say?
Depending on how you did the iRule, it is possible that you open the HSL connection but never send log data. Can you post the iRule here?
As you are using a virtual server in the HSL connection, you could use oneconnect profile to keep the connection open to the server. However, I don't see any benefit in that for your case.
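As an added example (not part of the original thread), a small Python parser for ssldump's record summary lines that checks what the trace in the question actually shows: whether the handshake completed on both sides, how many application_data records were carried, whether the alert was encrypted (a plaintext TLS alert body is exactly 2 bytes, so the 26-byte Alert record here is an encrypted one and ssldump cannot show its description without the session keys), and which side closed first. The sample trace is copied from the question and trimmed; the function names, the dataclasses and the `empty_session` verdict are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the ssldump trace quoted in the question above,
# trimmed to the lines the parser cares about (decoded hello bodies are skipped).
SAMPLE_TRACE = """\
New TCP connection 3: 10.0.0.14(49798) <-> 10.0.0.11(514)
3 1 1517783929.0667 (0.0014) C>SV3.1(163) Handshake
ClientHello
Version 3.3
3 2 1517783929.0682 (0.0015) S>CV3.3(81) Handshake
ServerHello
cipherSuite TLS_RSA_WITH_AES_128_GCM_SHA256
3 3 1517783929.0682 (0.0000) S>CV3.3(812) Handshake
3 4 1517783929.0682 (0.0000) S>CV3.3(4) Handshake
3 5 1517783929.0695 (0.0012) C>SV3.3(262) Handshake
3 6 1517783929.0695 (0.0000) C>SV3.3(1) ChangeCipherSpec
3 7 1517783929.0695 (0.0000) C>SV3.3(40) Handshake
3 8 1517783929.0714 (0.0018) S>CV3.3(1) ChangeCipherSpec
3 9 1517783929.0714 (0.0000) S>CV3.3(40) Handshake
3 10 1517783929.0725 (0.0011) C>SV3.3(26) Alert
3 1517783929.0725 (0.0000) C>S TCP FIN
3 1517783929.0729 (0.0003) S>C TCP FIN
"""

NEW_RE = re.compile(r"^New TCP connection (\d+):\s+(\S+)\s+<->\s+(\S+)")
RECORD_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+([\d.]+)\s+\(([\d.]+)\)\s+([CS])>([CS])V(\d\.\d)\((\d+)\)\s+(\S+)")
FIN_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+\(([\d.]+)\)\s+([CS])>([CS])\s+TCP FIN")


@dataclass
class Record:
    seq: int
    ts: float
    direction: str   # "C>S" or "S>C"
    length: int      # record payload length as reported by ssldump
    ctype: str       # Handshake, ChangeCipherSpec, Alert, application_data


@dataclass
class Conn:
    cid: int
    client: str = ""
    server: str = ""
    records: list = field(default_factory=list)
    fins: list = field(default_factory=list)   # (ts, direction)


def parse_ssldump(text):
    """Group ssldump record and TCP FIN summary lines by connection id."""
    conns = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := NEW_RE.match(line)):
            cid = int(m.group(1))
            conns[cid] = Conn(cid, m.group(2), m.group(3))
        elif (m := RECORD_RE.match(line)):
            cid = int(m.group(1))
            conn = conns.setdefault(cid, Conn(cid))
            conn.records.append(Record(int(m.group(2)), float(m.group(3)),
                                       f"{m.group(5)}>{m.group(6)}",
                                       int(m.group(8)), m.group(9)))
        elif (m := FIN_RE.match(line)):
            cid = int(m.group(1))
            conn = conns.setdefault(cid, Conn(cid))
            conn.fins.append((float(m.group(2)), f"{m.group(4)}>{m.group(5)}"))
    return conns


def handshake_completed(conn):
    """True when each side sent ChangeCipherSpec followed by its (encrypted) Finished."""
    for d in ("C>S", "S>C"):
        own = [r for r in conn.records if r.direction == d]
        ccs = [i for i, r in enumerate(own) if r.ctype == "ChangeCipherSpec"]
        if not ccs or not any(r.ctype == "Handshake" for r in own[ccs[0] + 1:]):
            return False
    return True


def diagnose(conn):
    """Summarise one TLS session: did it finish the handshake and carry any data?"""
    app = [r for r in conn.records if r.ctype.lower().startswith("application")]
    alerts = [r for r in conn.records if r.ctype == "Alert"]
    alert = alerts[0] if alerts else None
    times = [r.ts for r in conn.records] + [ts for ts, _ in conn.fins]
    done = handshake_completed(conn)
    return {
        "handshake_completed": done,
        "application_data_records": len(app),
        "alert_from": alert.direction if alert else None,
        # A plaintext alert body is exactly 2 bytes (level, description);
        # anything longer is encrypted, and ssldump cannot decode it without keys.
        "alert_encrypted": (alert.length > 2) if alert else None,
        "closed_by": conn.fins[0][1].split(">")[0] if conn.fins else None,
        "lifetime_s": round(max(times) - min(times), 4) if times else 0.0,
        # The symptom from the question: a full handshake that carried nothing.
        "empty_session": done and not app,
    }


if __name__ == "__main__":
    for cid, conn in parse_ssldump(SAMPLE_TRACE).items():
        print(cid, conn.client, "->", conn.server, diagnose(conn))
```

Run against the trace from the question it reports a completed handshake, zero application_data records, an encrypted alert from the client side and a client-initiated FIN about 6 ms after the ClientHello, which is exactly the "empty" session the question describes. Because this session negotiated an RSA key exchange (TLS_RSA_WITH_AES_128_GCM_SHA256), ssldump's `-k` option with the syslog server's private key would decrypt the alert and show its description; otherwise the BIG-IP's own SSL logs are the place to look for the reason the client side closed.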