SSL Pass Through

That sounds like it should work...

 

 

If you don't have a server SSL profile on the VIP, the BIG-IP can't/won't try to validate the certificate that the pool member presents. Can you check the pool stats to see if there are any stats for the pool member? Or better, can you run another tcpdump on the BIG-IP checking for the client and server IP's to see what's happening at the TCP layer? You can listen on all switch interfaces using interface 0.0:

 

 

tcpdump -ni 0.0 host CLIENT_IP or host SERVER_IP

 

 

If you want to save the output to a binary file, you can use this:

 

 

tcpdump -ni 0.0 -s0 -w/var/tmp/`hostname`.ssl.dmp host CLIENT_IP or host SERVER_IP

 

 

Once you have a trace that includes both the client to VIP and SNAT to server traffic, you might be able to find clues at the TCP layer. Else, you can decrypt the trace using the web server's private key and ssldump (Click here).

 

 

Aaron