SSL issues with new setup

We are doing our actual implmentation of the F5 BigIP LTM VM version 17.1.03 (build 0.0.4). It's a little bit complcated because we are trying to load balance an application (Microsoft Dynamics Navi...

application delivery

LTM

ssl

irbk

Cirrus

Sep 28, 2023

posting the TCPdump is a little bit more tricky. I think this may be the best way

lnxgeek
MVP
Sep 28, 2023
Looking at the tcpdump it is clear that your problem is that the serverside connection is in cleartext.

It is the job of a serverside ssl profile to make sure that is uses TLS on the connection towards the server (not matter the port number), so that seem to be missing.
- irbk
  Cirrus
  Sep 28, 2023
  Replied to my own reply so things ended up out of order, deleted this comment and added it to the above reply since I can't seem to just "delete" a reply.
- irbk
  Cirrus
  Sep 28, 2023
  Interesting, I was told by our implementer that a "SSL Profile (Server)" was not required. I'm not quite sure what the proper way to setup the server ssl profile is? I'm assuming it would match-ish (yea, I'm making up words) the client side? So something like
  ltm profile server-ssl Modified_serverssl {
  app-service none
  cert WildCard24
  defaults-from serverssl
  key WildCard24
  log-ssl-c3d-events debug
  log-ssl-client-authentication-events debug
  log-ssl-forward-proxy-events debug
  log-ssl-handshake-events debug
  options { no-tlsv1.3 no-dtlsv1.2 }
  }
  I added in an SSL Profile (server) and the wireshark seems to indicate that I get a good connection.
  If I go to https://bigip.domain.com I don't get a "site can't be reached" with "err_connection_reset" message, instead I get a "Not Found Http error 404" however if I go direct https://msnav01.domain.com I get the IIS welcome page so I'd expect if the BigIP were working correctly, if I go to https://bigip.domain.com I should be seeing the IIS welcome page.
  - Paulius
    MVP
    Sep 28, 2023
    irbk If you intend to reencrypt the traffic that the F5 decrypted and send it to 443 on the pool member you absolutely need an SSL server profile which can use the default profile of clientssl so that the F5 does SSL negotiation between it and the pool member just like the client did between itself and the F5. In regards to your 404 issue, this is most likely occurring because the page you are attempting to reach on 443 is not available. It seems like everything from this point forward is a server side issue rather than an F5 issue.