Forum Discussion
SSL traffic not working
Hi all, we have this self-generated new SHA-2 certificate which we are putting into the F5 VIPs, but we get the error "Connection Closed" and on the F5 logs we can see the connection getting RST. We looked into the logs below and found that F5 was sending a Client Hello to the Application Server but it doesn't get a reply.
It seems self-generated SHA-1 certs are working and even certs from Thawte are working. We don't understand why these new SHA-2 certs do not work. When going directly to the server, we don't see any issues.
VIP port: 443
Node Port: 443
10.65.0.20 - Source Client
172.20.83.19 - F5 VIP
172.20.234.34 - F5 Self IP
172.20.85.3 - Application Server
(Attached screenshots: F5 capture, Application Server capture, Palo Alto switch static route for F5)
4 Replies
- Kevin_Stewart
Employee
Can you please clarify a few things?
- Assuming you're doing decrypt and re-encrypt to the server, where are you putting the new SHA-2 cert? In the client SSL profile or server SSL profile?
- It's interesting that we see a single ClientHello on either side. You'd normally expect to see the client side SSL complete before attempting anything on the server side. What type of BIG-IP VIP do you have configured?
- Can you share any other details about your configuration?
- Kevin_Stewart
Employee
Dorum,
The issue is a bit hard to determine because you're showing both sides of the proxy. It's also a common misconception that you need a certificate in the server SSL profile. You might only need a certificate (and private key) there if you needed to perform some sort of mutual authentication to the backend server. In most cases, the default server SSL profile is sufficient for re-encryption to the backend server. It will silently ignore any certificate mismatch or trust issues.
So then the next step is to isolate the problem. You can do that by simply pointing the capture at one of the two VLANs. I'd start on the outside and use TCPDUMP and SSLDUMP. Example:
tcpdump -lnni [external VLAN] host [VIP IP] [and additional filters]
ssldump -AnNd -i [external VLAN] port 443 [and additional filters]
Given that this is a standard VIP, you should see the client SSL handshake happen before any server side SSL handshake, so if it stops at the ClientHello (and presumably someone issues a reset), then there's a good chance the problem is on the client side. Otherwise flip to the server side VLAN and capture again.
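To make the isolation step Kevin describes concrete, here is an added example (not from this thread or from F5) that takes the TLS records seen on one VLAN and reports how far the handshake got: whether a ServerHello came back, whether the peer sent a TLS alert, or whether the connection was simply reset after the ClientHello, which is the symptom reported above. The byte strings are constructed minimal TLS 1.2 records, and the direction labels and a `None` payload standing for "TCP RST observed" are conventions of this example, not of tcpdump or ssldump.

```python
"""Locate where a TLS handshake stalls from records captured on one VLAN.

Added example, not code from the original discussion. The flow format
(direction label, payload bytes or None for a TCP RST) is assumed here;
in practice you would fill it from a tcpdump/ssldump capture.
"""
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
# Standard TLS alert descriptions that matter most when a new certificate is involved.
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 46: "certificate_unknown",
                      70: "protocol_version"}


def parse_records(data: bytes) -> list:
    """Split a byte stream into TLS records and describe each one."""
    out, off = [], 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:            # capture cut the record short
            out.append({"type": "Truncated"})
            break
        entry = {"type": CONTENT_TYPES.get(ctype, f"Unknown({ctype})"),
                 "version": f"{major}.{minor}"}
        if ctype == 22 and body:          # handshake: first body byte is the message type
            entry["handshake"] = HANDSHAKE_TYPES.get(body[0], f"Unknown({body[0]})")
        elif ctype == 21 and len(body) >= 2:  # alert: level then description
            level = "fatal" if body[0] == 2 else "warning"
            entry["alert"] = (level, ALERT_DESCRIPTIONS.get(body[1], f"code {body[1]}"))
        out.append(entry)
        off += 5 + length
    return out


def diagnose(flow: list) -> str:
    """flow: list of (direction, payload). payload None means a TCP RST was seen."""
    hs_seen, rst_from = [], None
    for direction, payload in flow:
        if payload is None:
            rst_from = rst_from or direction
            continue
        for rec in parse_records(payload):
            if "alert" in rec:            # a TLS alert names the failure explicitly
                level, desc = rec["alert"]
                return f"{level} alert {desc} from {direction}"
            if "handshake" in rec:
                hs_seen.append(rec["handshake"])
    if not hs_seen:
        return "no TLS handshake seen (check TCP-level connectivity / resets)"
    if "ServerHello" in hs_seen:
        return "handshake progressing: ServerHello received"
    if rst_from:
        return f"ClientHello then TCP RST from {rst_from}: peer closed before ServerHello"
    return "stalled after ClientHello: no ServerHello or alert from the peer"


# --- constructed sample records (TLS 1.2 framing, not captured traffic) ---
def tls_record(ctype: int, payload: bytes) -> bytes:
    return bytes([ctype, 3, 3]) + struct.pack("!H", len(payload)) + payload


def handshake(htype: int, payload: bytes) -> bytes:
    return bytes([htype]) + len(payload).to_bytes(3, "big") + payload


CLIENT_HELLO = tls_record(22, handshake(1, b"\x03\x03" + b"\x11" * 32 + b"\x00"
                                        + b"\x00\x02\xc0\x2f" + b"\x01\x00"))
SERVER_HELLO = tls_record(22, handshake(2, b"\x03\x03" + b"\x22" * 32 + b"\x00"
                                        + b"\xc0\x2f" + b"\x00"))
FATAL_HANDSHAKE_FAILURE = tls_record(21, b"\x02\x28")  # level 2, description 40

STALLED_FLOW = [("f5->server", CLIENT_HELLO)]
HEALTHY_FLOW = [("f5->server", CLIENT_HELLO), ("server->f5", SERVER_HELLO)]
ALERT_FLOW = [("f5->server", CLIENT_HELLO), ("server->f5", FATAL_HANDSHAKE_FAILURE)]
RST_FLOW = [("f5->server", CLIENT_HELLO), ("server->f5", None)]

if __name__ == "__main__":
    for name, flow in [("stalled", STALLED_FLOW), ("healthy", HEALTHY_FLOW),
                       ("alert", ALERT_FLOW), ("rst", RST_FLOW)]:
        print(f"{name:8s} {diagnose(flow)}")
```

Run it against the server-side VLAN first: a ClientHello followed by a RST with no alert points at the backend (or something in between it, such as the static route through the Palo Alto) refusing the re-encrypted session, whereas a ServerHello on that side moves the suspicion back to the client SSL profile carrying the new certificate.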
- fgf_165674
Nimbostratus
"We looked into the logs below and found that F5 was sending a Client Hello to the Application Server but it doesn't get a reply."
Can you do the next tests from the F5 to the Application Server - 172.20.85.3 ?
ping 172.20.85.3
traceroute 172.20.85.3
telnet 172.20.85.3 443
curl -vk https://172.20.85.3
tcpdump -ni 0.0 host 172.20.85.3 and port 443
- Samir_Jha_52506
Noctilucent
Agree with @kevin's points. As the SSL certificate is configured on both sides (F5 & server), select the F5 server-side SSL profile "serverssl-insecure-compatible". Hope the issue will be solved & update us.