Forum Discussion
SSL Re-Encryption - No SSL traffic on server side
Hi,
I configured SSL re-encryption on the F5 virtual edition, but I don't see SSL traffic on the server side.
The client correctly connects to the outside IP of F5, but when I run tcpdump there is no SSL traffic on the server side.
I'm using self-signed certificates on the client side and the default sslserver profile on the server side.
I believe that the problem is not on the SSL level because there is nothing in the log and F5 does not even start the SSL handshake...
On the other hand, when I try with the openssl command, the SSL session is correctly set up.
Please help.
Thank you for the hint! :-)
To be sure, I disabled the HTTPS monitor on BIG-IP, and after that there was no traffic at all to the server. After starting an HTTPS connection from the client I noticed that F5 used the outside IP address (the one to which the client connected) as the source IP address toward the server. SNAT auto-map was enabled on the VS.
After that I created a SNAT pool with the inside IP address of F5, associated it with the VS, and now everything is working.
The monitor traffic in tcpdump confused me.
Thanks for the help.
- Mate_132781 (Cirrostratus)
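The diagnosis above (monitor SYNs from the self IP masking the fact that client-triggered SYNs were sourced from the virtual server's own address and never answered) can be checked mechanically. This is an added example, not code from the thread or from F5; it assumes `tcpdump -nn` line format on the server-side VLAN, and the addresses in the constructed sample are made up.

```python
import re

# Constructed sample of `tcpdump -nn` output on the BIG-IP server-side VLAN.
# Addresses are made up: 203.0.113.10 is the virtual server (outside) IP,
# 10.0.0.5 the BIG-IP inside self IP, 10.0.0.50 the pool member (listening on 443).
SAMPLE_CAPTURE = """\
12:00:01.000 IP 10.0.0.5.49152 > 10.0.0.50.443: Flags [S], seq 1, length 0
12:00:01.001 IP 10.0.0.50.443 > 10.0.0.5.49152: Flags [S.], seq 2, ack 2, length 0
12:00:06.000 IP 10.0.0.5.49153 > 10.0.0.50.443: Flags [S], seq 3, length 0
12:00:06.001 IP 10.0.0.50.443 > 10.0.0.5.49153: Flags [S.], seq 4, ack 4, length 0
12:00:07.000 IP 203.0.113.10.50001 > 10.0.0.50.443: Flags [S], seq 5, length 0
12:00:10.000 IP 203.0.113.10.50001 > 10.0.0.50.443: Flags [S], seq 5, length 0
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(\S+)\]")


def analyse_capture(capture, vs_ip, self_ips, server_ip, server_port=443):
    """Group server-bound SYNs by source address and flag those the server never
    answered. A SYN sourced from the virtual server's own outside address is the
    symptom of SNAT automap picking an address the back end cannot route to;
    periodic, answered SYNs from a self IP are typically the health monitor."""
    syns = {}         # (src, sport) -> SYN count; >1 means retransmits, i.e. no reply
    answered = set()  # (client, port) pairs that got a SYN-ACK from the server
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == server_ip and int(dport) == server_port and flags == "S":
            syns[(src, sport)] = syns.get((src, sport), 0) + 1
        elif src == server_ip and int(sport) == server_port and flags == "S.":
            answered.add((dst, dport))
    report = {"from_self_ip": 0, "from_vs_ip": 0, "from_other": 0, "unanswered": []}
    for (src, sport), count in syns.items():
        if src in self_ips:
            report["from_self_ip"] += 1
        elif src == vs_ip:
            report["from_vs_ip"] += 1
        else:
            report["from_other"] += 1
        if (src, sport) not in answered:
            report["unanswered"].append((src, sport, count))
    return report


if __name__ == "__main__":
    print(analyse_capture(SAMPLE_CAPTURE, "203.0.113.10", {"10.0.0.5"}, "10.0.0.50"))
```

A non-empty `unanswered` list whose sources are the VS address, alongside answered SYNs from the self IP, reproduces exactly the pattern described in the reply above: the monitor reaches the server, client-triggered connections do not.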
- Hannes_Rapp (Nimbostratus)
How do you determine the presence or absence of SSL traffic? Do you open your capture file and expect to see TLS/SSL messages? SSL/TLS messages, such as CLIENTHELLO, are only seen after you import the SSL private key into Wireshark (the private key from the end server). Before that is done, all traffic is encrypted and can only be seen as a TCP 443 stream.
On a very basic level, I hope you're aware that if you configure a serverssl profile, that configuration itself doesn't re-encrypt traffic before forwarding it to the end server unless your end-server listener is SSL-enabled and correctly presents an SSL certificate. The serverssl profile configuration only enables F5 itself to act as a client during the SSL handshake phase.
- Mate_132781 (Cirrostratus)
Access to the web servers is working and pure HTTP is disabled on the application. I'm aware of the things you wrote. Thank you very much for the help. :-)