Forum Discussion
SSL issues with new setup
Looking at the tcpdump it is clear that your problem is that the server-side connection is in cleartext.
It is the job of a server-side SSL profile to make sure that it uses TLS on the connection towards the server (no matter the port number), so that seems to be missing.
Interesting, I was told by our implementer that a "SSL Profile (Server)" was not required. I'm not quite sure what the proper way to set up the server SSL profile is? I'm assuming it would match-ish (yea, I'm making up words) the client side? So something like:
ltm profile server-ssl Modified_serverssl {
app-service none
cert WildCard24
defaults-from serverssl
key WildCard24
log-ssl-c3d-events debug
log-ssl-client-authentication-events debug
log-ssl-forward-proxy-events debug
log-ssl-handshake-events debug
options { no-tlsv1.3 no-dtlsv1.2 }
}
I added in an SSL Profile (Server) and Wireshark seems to indicate that I get a good connection.
If I go to https://bigip.domain.com I don't get a "site can't be reached" with "err_connection_reset" message; instead I get a "Not Found Http error 404". However, if I go directly to https://msnav01.domain.com I get the IIS welcome page, so I'd expect, if the BigIP were working correctly, that going to https://bigip.domain.com would show me the IIS welcome page.
- Paulius, Sep 28, 2023
MVP
irbk If you intend to re-encrypt the traffic that the F5 decrypted and send it to 443 on the pool member, you absolutely need an SSL server profile, which can use the default profile of clientssl, so that the F5 does SSL negotiation between itself and the pool member just like the client did between itself and the F5. In regards to your 404 issue, this is most likely occurring because the page you are attempting to reach on 443 is not available. It seems like everything from this point forward is a server-side issue rather than an F5 issue.
- irbk, Sep 28, 2023
Cirrus
Currently the BigIP only has 1 pool member, msnav01.domain.com (I've disabled the other one for testing). If I go directly to https://msnav01.domain.com I get the IIS welcome page, so I'd expect, if the BigIP were working correctly, that going to https://bigip.domain.com (which can only load balance to msnav01.domain.com) would show me the IIS welcome page.
- Paulius, Sep 28, 2023
MVP
irbk To make sure I understand: the URL "https://msnav01.domain.com" points directly to the server and the URL "https://bigip.domain.com" points to the F5 virtual server? If you are not seeing the IIS page when going to the bigip domain, it's most likely that the server is not configured to respond to host "bigip.domain.com" but to "msnav01.domain.com", which is why you are receiving the error. Try editing your hosts file to point "msnav01.domain.com" to the IP of the F5 virtual server and see if you are having the same issue. This still seems like a server issue because a 404, unless otherwise configured, would only come from the server and not the F5. If you open dev tools in your browser you can view the HTTP header field "Server"; it will most likely show some variation of "IIS" as the value rather than "BIGIP", which would imply you are making it to the server.
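The check suggested in the two replies above (send the backend's hostname to the virtual server and look at the HTTP Server header), as an added Python example that is not part of the thread: instead of editing the hosts file it sets the SNI name and Host header explicitly, and it classifies the answer the way the reply describes. The VIP address 192.0.2.10 is a constructed placeholder; the two hostnames are the ones from the thread.

```python
import http.client
import socket
import ssl
from typing import Dict, Tuple

# Constructed lab values; the VIP address is a placeholder, not from the thread.
VIP_ADDRESS = "192.0.2.10"           # hypothetical BIG-IP virtual server IP
VIP_HOST = "bigip.domain.com"        # name the browser uses for the VIP
BACKEND_HOST = "msnav01.domain.com"  # name the IIS site is bound to


def probe(address: str, host_header: str, path: str = "/",
          verify: bool = True) -> Tuple[int, Dict[str, str]]:
    """GET `path` from `address` over TLS, presenting `host_header` both as
    the SNI name and the HTTP Host header (what a hosts-file override does)."""
    ctx = ssl.create_default_context()
    if not verify:  # lab certificates are often untrusted; relax only for diagnosis
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((address, 443), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host_header)
    conn = http.client.HTTPSConnection(host_header, 443, context=ctx)
    conn.sock = tls  # reuse the socket we wrapped, so SNI is the name, not the IP
    conn.request("GET", path, headers={"Host": host_header})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    resp.read()
    conn.close()
    return resp.status, headers


def diagnose(status: int, headers: Dict[str, str]) -> str:
    """Interpret status + Server header: BIG-IP answered, or IIS answered."""
    server = headers.get("server", "").lower()
    if "bigip" in server or "big-ip" in server:
        return "answered by BIG-IP itself: request never reached the pool member"
    if "iis" in server and status == 404:
        return "reached IIS, but no site binding matches this Host header"
    if "iis" in server and 200 <= status < 300:
        return "reached IIS and the site served content"
    if not server:
        return f"HTTP {status} with no Server header: origin unclear"
    return f"HTTP {status} from '{headers['server']}'"


if __name__ == "__main__":
    # Same VIP, two Host names: 404 for one and 200 for the other points at
    # the IIS site bindings rather than at the F5.
    for name in (VIP_HOST, BACKEND_HOST):
        status, hdrs = probe(VIP_ADDRESS, name, verify=False)
        print(f"{name:>22}: HTTP {status} -> {diagnose(status, hdrs)}")
```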