SSL Cert Issue
In the process of migrating applications from Cisco ACE to F5 LTM, we are running into an issue with an application with SSL offload.
On Cisco ACE we have client SSL initiation and server SSL termination defined. When I set the same on F5, the client is not able to access the application. So I removed the SSL profile, and with a basic setup (i.e. source persistence, TCP protocol, SNAT) the client is able to access the application through dedicated software, but the GUI access is not working.
Attaching the Cisco ACE SSL config. Please assist me with the F5 LTM setup.
    policy-map type loadbalance first-match QA__POLICY
      class class-default
        sticky-serverfarm QA_STICKY
        ssl-proxy client QA_SERVER

    ssl-proxy service QA_SERVER
      ssl advanced-options PARAMMAP_SSL_INITIATION

    parameter-map type ssl PARAMMAP_SSL_INITIATION
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_RC4_128_SHA
      cipher RSA_EXPORT_WITH_RC4_40_MD5
      cipher RSA_EXPORT_WITH_DES40_CBC_SHA

    parameter-map type ssl QA_SSL_TERMINATION
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_3DES_EDE_CBC_SHA
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
      cipher RSA_WITH_AES_256_CBC_SHA priority 3

    ssl-proxy service QA_SSL_SERVER
      key qakey.key
      cert qacert.pem
      ssl advanced-options QA_SSL_TERMINATION

    policy-map multi-match POLICY
      class QA_CLASS
        loadbalance vip inservice
        loadbalance policy QA_POLICY
        loadbalance vip icmp-reply active
        nat dynamic 12 vlan 20
        ssl-proxy server QA_SSL_SERVER
7 Replies
- kohli9harjeev
Nimbostratus
Hi,
Have you configured a client-ssl profile with the correct certificates to offload SSL on the F5? Also, are your backend servers listening on port 443 or on another non-SSL port? If port 443, then you might want to apply a server-ssl profile on the VS; if any other non-SSL port, you don't need to apply a server-ssl profile, as the traffic to the backend servers will go in clear text after SSL offload.
Also, did you apply an http profile to the VS you created on the F5?
Kindly provide the F5 configuration here to have a better picture.
- sandiksk_35282
Altostratus
The backend servers are listening on port 443. The VIP is set to listen only on port 443.
- sandiksk_35282
Altostratus
Client ---- F5 (traffic gets decrypted on F5); from F5 ---- Server (F5 encrypts the data and the server decrypts the data).
Do I need to apply the cert and key to the client SSL profile or the server SSL profile?
- Samir_Jha_52506
Noctilucent
Please create a client SSL profile (key, cert, chain). Apply the created client SSL profile and the default serverssl profile. It will work.
- sandiksk_35282
Altostratus
Do I need to enable any settings on the client and server SSL profiles, or just use the defaults? Also, these are the ciphers which are being used on Cisco ACE, so can I enable all the options on F5?
Client SSL profile: cipher RSA_WITH_RC4_128_MD5, cipher RSA_WITH_RC4_128_SHA, cipher RSA_EXPORT_WITH_RC4_40_MD5, cipher RSA_EXPORT_WITH_DES40_CBC_SHA
Server SSL profile: cipher RSA_WITH_RC4_128_MD5, cipher RSA_WITH_3DES_EDE_CBC_SHA, cipher RSA_WITH_AES_128_CBC_SHA priority 2, cipher RSA_WITH_AES_256_CBC_SHA priority 3
- sandiksk_35282
Altostratus
Still not able to get this working. Is there any setting I need to turn on in the client and server SSL profiles? Please let me know.
- nathe
Cirrocumulus
Looking at the ciphers you mentioned, there are some low-security ones there. The default Client SSL and Server SSL profiles will now have blocked these from being negotiated. If you do need these particular ciphers, then look to the clientssl-insecure-compatible and serverssl-insecure-compatible profiles instead. See the following SOL articles on AskF5: SOL13171, SOL14783 and SOL13156.
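To make the point in the last reply concrete before touching the F5 profiles, here is an added example (not from this thread, F5 or Cisco) that parses the two ACE parameter-map cipher lists posted above and flags the suites a default client-ssl or server-ssl profile would refuse, with the reason. The ACE config text is reproduced from the thread as constructed input; the weakness rules (export-grade keys, RC4, MD5 MAC, DES/3DES) are generic TLS hygiene, assumed here rather than taken from any F5 product list, so treat the output as a migration checklist, not as the profile's actual cipher string.

```python
"""Audit Cisco ACE parameter-map cipher lists for suites a modern
default SSL profile rejects.  Added example; not F5 or Cisco tooling."""
import re

# Constructed input: the two parameter-map blocks from the ACE config in the thread.
ACE_CONFIG = """\
parameter-map type ssl PARAMMAP_SSL_INITIATION
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA
parameter-map type ssl QA_SSL_TERMINATION
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
"""

# Ordered rules: the first match gives the reason.  These are the generic
# reasons a suite is considered insecure (assumed here, not an F5 list).
WEAKNESS_RULES = [
    (re.compile(r"_EXPORT_"), "export-grade (40-bit) key"),
    (re.compile(r"_RC4_"), "RC4 stream cipher"),
    (re.compile(r"_MD5$"), "MD5 MAC"),
    (re.compile(r"_DES40_|_DES_CBC_"), "single DES"),
    (re.compile(r"_3DES_"), "3DES (64-bit block, SWEET32)"),
]


def parse_parameter_maps(text):
    """Return {map_name: [(cipher, priority_or_None), ...]} from ACE config text."""
    maps = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"parameter-map type ssl (\S+)", line)
        if head:
            current = head.group(1)
            maps[current] = []
            continue
        entry = re.match(r"cipher (\S+)(?: priority (\d+))?", line)
        if entry and current is not None:
            priority = int(entry.group(2)) if entry.group(2) else None
            maps[current].append((entry.group(1), priority))
    return maps


def classify(cipher):
    """Return why a cipher is weak, or None if no rule flags it."""
    for pattern, reason in WEAKNESS_RULES:
        if pattern.search(cipher):
            return reason
    return None


def audit(text):
    """Return {map_name: {"weak": {cipher: reason}, "ok": [cipher, ...]}}."""
    report = {}
    for name, entries in parse_parameter_maps(text).items():
        weak, ok = {}, []
        for cipher, _priority in entries:
            reason = classify(cipher)
            if reason:
                weak[cipher] = reason
            else:
                ok.append(cipher)
        report[name] = {"weak": weak, "ok": ok}
    return report


if __name__ == "__main__":
    for name, result in audit(ACE_CONFIG).items():
        print(f"{name}:")
        for cipher, reason in result["weak"].items():
            print(f"  rejected by a default profile: {cipher} ({reason})")
        for cipher in result["ok"]:
            print(f"  carried forward:               {cipher}")
```

Run as-is it shows that every suite in PARAMMAP_SSL_INITIATION (the client-side list) is flagged, and that only the two AES suites in QA_SSL_TERMINATION survive; that is exactly the situation in which a default profile negotiates nothing with a client that offers only the old list, and why the reply above points at the insecure-compatible profiles as the fallback.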