F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

rafaelbn_176840's avatar
rafaelbn_176840
Icon for Altocumulus rankAltocumulus
Jan 27, 2019

Troubleshooting PFS - BIG-IP Feature Request?

Hello all!   Ever since I heard of PFS I started dreading the day I would need to troubleshoot a PFS flow.   I read some interesting suggestions of how to deal with it. One could make SSL bridg...
application delivery
BIG-IP
LTM
DennisJann's avatar
DennisJann
Icon for Nimbostratus rankNimbostratus
Jan 30, 2019

You can capture the SSL session keys with an iRule while running tcpdump on the BIG-IP, and then use the Master Secret log file to view the decrypted tcpdump data in Wireshark.

 

K16700: Decrypting SSL traffic using the SSL::sessionsecret iRules command

 

The instructions in the KB article do work for decrypting PFS sessions.

 

If your HTTPS VIP is running on a non-standard port, you would need to go into Wireshark preferences and add the non-standard HTTPS port in Protocols > HTTP > SSL/TLS Ports.