Forum Discussion
irbk
Cirrus
CirrusSSL issues with new setup
We are doing our actual implmentation of the F5 BigIP LTM VM version 17.1.03 (build 0.0.4). It's a little bit complcated because we are trying to load balance an application (Microsoft Dynamics Navision 2018) and not just HTTP or HTTPS traffic. However, for initial testing, one of our servers in the pool being load balanced will at least show an IIS welcome page so I'm testing by just using HTTP/HTTPS. I have my nodes set up in my pool and I've currently only have the 1 node active that gives an IIS welcome page (the other just gives an error). I have our wildcard certificate imported and set as the "SSL Profile (Client)" within my virtual server for 443. If I go directly to http://msnav01.domain.com I get the IIS welcome page. If I go to http://bigip.domain.com I get the IIS welcome page. If I go directly to https://msnav01.domain.com I get the IIS wecome page. If I go to https://bigip.domain.com I eventually get a "site can't be reached" with "err_connection_reset" message. Checking the LTM log gives me a less-than-useful "SSL Handchange failed" error message and even with the logging turned up I'm not getting much more uesful info
Sep 27 16:53:07 BigIP.domain.com info tmm[3124]: 01dd0002:6: /Common/Wildcard23-24: SSL Handshake details for TCP <client IP>:33343 -> <virtual server IP>:443 entity: server SID: <server sid here> version: TLSv1.2 cipher-suite: ECDHE-RSA-AES128-GCM-SHA256 key-exchange: 333 bytes client-cert-sha1: N/A server-cert-sha1: N/A mutual-authentication: false
I've looked at a lot of different articles but nothing has solved the issue or even helped me move forward. I've tried turning off the "Generic Alert", setting the Cashe size to 0, turning up the logging to debug, etc. I'm at a loss and just not sure where to go next. I'm positive that the issue is something with the cert or the implmentation of the cert, just not sure where to go next.
Thanks in advance!
- Paulius
MVP
irbk Would you mind sharing the virtual server configuration and any associated configuration such as SSL profile, SSL cert information, and pool member configuration. Based on your explanation the F5 shouldn't have any reason it would work for 1 domain and not the other if the SSL cert is a wildcard for *.domain.com because that includes all FQDNs mentioned. I would recommend running the following tcpdump to see if it provides any additional information.
tcpdump -nni 0.0:nnp host <virtual_server_IP> -w /shared/tmp/ssl_tshoot.pcap
Once you have run your test you can cancel the tcpdump and it should be saved in /shared/tmp/ as ssl_tshoot.pcap. You can copy the pcap off the F5 and open it up in wireshark to see if you can find anything to explain the SSL handshake issue.
- lnxgeek
Can you post the VS configuration?
irbkWhat's the easiest way to share the VS config?
- irbk
Ok, I'm not really a linux guy but I'll do my best!
- irbk
ltm virtual BigIP_443 {
creation-time 2023-09-26:15:10:23
destination <VS IP>:https
ip-protocol tcp
last-modified-time 2023-09-28:09:52:29
mask 255.255.255.255
persist {
source_addr {
default yes
}
}
pool Nav_Pool_443
profiles {
LC-http { }
LC-oneconnect { }
LC-tcp-lan { }
Modified_Wildcard {
context clientside
}
Modified_serverssl {
context serverside
}
analytics { }
tcp-analytics { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
pool BigIP-Nav
type snat
}
translate-address enabled
translate-port enabled
vs-index 3
}The above was just a configuration I was playing around trying to get something like just SSL Passthrough to work. I think the end goal is the SSL Bridging because you get better traffic analysis and load balancing or something like that.
This is what the profile was before I started just trying stuff this am.ltm virtual BigIP-Nav_443 {
creation-time 2023-09-26:15:10:23
destination <VS IP>:https
ip-protocol tcp
last-modified-time 2023-09-28:11:01:52
mask 255.255.255.255
persist {
source_addr {
default yes
}
}
pool Nav_Pool_443
profiles {
LC-http { }
LC-oneconnect { }
LC-tcp-lan { }
Wildcard23-24 {
context clientside
}
analytics { }
tcp-analytics { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
source-address-translation {
pool BigIP-Nav
type snat
}
translate-address enabled
translate-port enabled
vs-index 3
}Here is the SSL profile
ltm profile client-ssl Wildcard23-24 {
app-service none
cert-key-chain {
WildCard23-24_0 {
cert WildCard23-24
key WildCard23-24
passphrase <encrypted>
}
}
defaults-from clientssl
inherit-ca-certkeychain true
inherit-certkeychain false
log-ssl-c3d-events debug
log-ssl-client-authentication-events debug
log-ssl-forward-proxy-events debug
log-ssl-handshake-events debug
}And here is the pool
ltm pool Nav_Pool_443 {
load-balancing-mode predictive-member
members {
Nav01:https {
address <IP>
session monitor-enabled
state up
}
Nav02:https {
address <IP>
session monitor-enabled
state up
}
}
monitor https
}Thanks again!
- Paulius
irbk Based on the second virtual server configuration, I see that you are passing decrypted traffic to the servers on 443. Did you configure the servers to receive decrypted traffic on 443 because by default they should not allow that? Now SSL bridging is nice but not necessary and completely depends on your security stance and capabilities of the receiving pool members and if they can perform all application functions over HTTP and not HTTPS. If it's not required I would stick with SSL termination at the F5 and passing decrypted traffic to the servers.
- irbk
No, that shouldn't be right. The servers have to have encrypted traffic, they aren't configured to recive it otherwise. What setting requres changing?
Actually, the servers arn't even going to be receiving on 443 in the end, this is just how I'm testing to get the certificate issue squared away but the servers do need to recieve encrypted traffic so either the BigIP needs to do a passthrough or we need to setup the SSL Bridging (which I believe is the prefered option for several reasons).
- irbk
I didn't know if you might want the profiles as well listed in the VS, so here you go
ltm profile http LC-http {
app-service none
defaults-from http
insert-xforwarded-for enabled
proxy-type reverse
}ltm profile one-connect LC-oneconnect {
app-service none
defaults-from oneconnect
source-mask 255.255.255.255
}ltm profile tcp LC-tcp-lan {
app-service none
defaults-from f5-tcp-lan
idle-timeout 28800
}Yes, that's a really high idle timeout but it was put there becuase people will run reports that run for like 8 hours and we didn't want to system timing them out while a report was running. I'm not sure if it's necessary but before we can test that we need to get the SSL part working first.
- irbk
posting the TCPdump is a little bit more tricky. I think this may be the best way
- lnxgeek
Looking at the tcpdump it is clear that your problem is that the serverside connection is in cleartext.
It is the job of a serverside ssl profile to make sure that is uses TLS on the connection towards the server (not matter the port number), so that seem to be missing.
- irbk
Replied to my own reply so things ended up out of order, deleted this comment and added it to the above reply since I can't seem to just "delete" a reply.
