Forum Discussion

InquisitiveMai
Feb 20, 2025

With Passthrough VIP how does SSL handshake work

Trying to understand: when the backend member takes care of the certificate, how does the SSL handshake work as the client connects to the VIP IP?


I took a packet capture and see sessions for client and server hellos between


client<---> F5 VIP

F5 VIP <---> Backend Pool member


There is no SSL profile applied on the VIP. 


Thank you

  • InquisitiveMai The client connection comes in from a random ephemeral port (we will say 5056), then the F5 selects the pool member and opens up a connection between itself and the pool member, from the same ephemeral port that the client used (this happens a lot of the time, but sometimes it's different), to port 443 or whatever SSL port you specified. The F5 stitches these two connections together and then passes the SSL handshake directly to the client, and then from the client back to the pool member. If you have SNAT enabled, you can try using the following capture to see both connections. You can export this and open it with Wireshark and even decrypt it using the SSL key.

    tcpdump -nni 0.0:nnp host <client_IP> -w /shared/tmp/my_capture.pcap
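The answer above describes passthrough as the F5 forwarding the handshake bytes unchanged between two stitched TCP connections, and the thread's captures show the client-side flow (client:ephemeral port to VIP:443) and the server-side flow (self IP:ephemeral port to pool member:44376) as separate conversations. The following added example, which is not part of this thread or of F5's tooling, shows one way to confirm that in a capture: parse the TLS ClientHello on each flow and match the two flows by the 32-byte ClientHello random, which a passthrough device leaves untouched. The TLS record builder, the IP addresses and the sample segments are constructed for the example; the ports 5056 and 44376 come from the thread.

```python
import struct
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]
Segment = Tuple[Endpoint, Endpoint, bytes]  # (src, dst, TCP payload)


def build_client_hello(server_name: str, random32: bytes) -> bytes:
    """Build a minimal, well-formed TLS 1.2-style ClientHello record (constructed test data)."""
    assert len(random32) == 32
    host = server_name.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host        # name_type=host_name
    sni_ext_body = struct.pack("!H", len(sni_list)) + sni_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\x13\x01\x13\x02\xc0\x2f"                    # three sample suites
    body = (b"\x03\x03" + random32 + b"\x00"                      # version, random, empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00"                                         # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Return version, random and SNI from a ClientHello record, or None if data is not one."""
    if len(data) < 5 or data[0] != 0x16:                          # ContentType handshake
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    version = struct.unpack("!H", body[0:2])[0]
    random32 = body[2:34]
    pos = 34
    pos += 1 + body[pos]                                           # skip session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]           # skip cipher suites
    pos += 1 + body[pos]                                           # skip compression methods
    sni = None
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000 and len(edata) >= 5:               # server_name extension
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "random": random32, "sni": sni}


def correlate_flows(segments: List[Segment]) -> Dict[bytes, List[Tuple[Endpoint, Endpoint, Optional[str]]]]:
    """Group every ClientHello seen in the capture by its random; a passthrough VIP yields
    one random carried on two different flows (client->VIP and selfIP->pool member)."""
    by_random: Dict[bytes, list] = {}
    for src, dst, payload in segments:
        hello = parse_client_hello(payload)
        if hello is not None:
            by_random.setdefault(hello["random"], []).append((src, dst, hello["sni"]))
    return by_random


def sample_capture() -> List[Segment]:
    """Constructed stand-in for the two flows seen in the thread's second capture."""
    hello = build_client_hello("app.example.test", bytes(range(32)))
    return [
        (("10.0.0.5", 5056), ("192.0.2.10", 443), hello),          # client -> VIP
        (("10.1.1.1", 40123), ("10.1.1.20", 44376), hello),         # F5 self IP (SNAT) -> pool member
        (("10.0.0.5", 5057), ("192.0.2.10", 443), b"GET / HTTP/1.1\r\n"),  # not TLS, ignored
    ]


if __name__ == "__main__":
    for rnd, flows in correlate_flows(sample_capture()).items():
        print(f"ClientHello random {rnd[:4].hex()}... seen on {len(flows)} flow(s):")
        for src, dst, sni in flows:
            print(f"  {src[0]}:{src[1]} -> {dst[0]}:{dst[1]}  SNI={sni}")
```

If the same ClientHello random shows up on both the client-side and the server-side flow, the handshake was forwarded verbatim, which is exactly the passthrough behaviour described above; with an SSL profile terminating on the VIP you would instead see a second, different random on the server-side flow. Feeding real captures only needs a pcap reader to produce the `(src, dst, payload)` tuples.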

    • InquisitiveMai

      Paulius, thank you for your response. The above filter only captures the client machine traffic. Do I need to put any other setting on Wireshark?

      I did take another capture on the F5 with the VIP address and pool member port (tcpdump -vvv -nni 0.0:nnnp -s0 host <VIP IP Address> or port <Pool member port> -v -w /shared/tmp/file.pcap) and do not see the same port being used for the connection from the F5 to the backend member. For this second capture, I did a conversation filter with F5 TCP and see Client Hellos and Server Hellos with separate port numbers, from Client:random port <---> VIP:443 and F5 SelfIP:<random port, different> <---> Poolmember:44376.



      • nitass

        The above filter only captures the client machine traffic. Do I need to put any other setting on wireshark.

        Try not to use the p modifier.

        e.g.

        tcpdump -nni 0.0:nnn -s0 -w /var/tmp/<output file> '(host <virtual ip> or host <pool member ip>) and port 443' -v