Cannot access machines after TLS 1.0 and 1.1 were disabled on the server side (both VIP and pool members on port 443 without any client or server SSL profile)

Binoy
Nimbostratus

Hello,

We have machines behind an F5. Both the VIP and the pool are on port 443 without any client or server SSL profile, while the member servers (2 ADFS servers) have the SSL certificate, so the F5 just passes the SSL through. This all worked. When TLS 1.0 and 1.1 were disabled on the servers, they could no longer access these servers from outside, so the configuration was reverted. When the public IP is scanned it shows the vulnerable TLS 1.0 and 1.1. Is there something the F5 is doing? I understand that since it's just a pass-through we do not have anything to disable TLS ciphers on an SSL profile. Will it do any good if I add a server SSL profile or serverssl-insecure-compatible?

public ------ VIP (port 443) -- no client SSL profile -----------> pool members (no server SSL profile -- port 443) --> 2 servers behind (Entrust cert)   # working

public ------ VIP (port 443) -- no client SSL profile -----------> pool members (no server SSL profile -- port 443) --> [after TLS 1.0 and 1.1 disabled on the 2 servers behind (Entrust cert)]   # not working

2 REPLIES

Hi Binoy,

Can you describe why you are not able to access the service? Is the Virtual Server marked as down because the pool members are marked as down? If so, what kind of health checks do you have enabled for the pool members? Do they maybe rely on TLS 1.0 or TLS 1.1?

Or do you get a connection reset from the pool members?

Did you try to do a packet capture on the F5? You can configure the BIG-IP to log the reset cause:

K13223: Configuring the BIG-IP system to log TCP RST packets

So it's mandatory to understand where the problem comes from in order to resolve the issue.

KR

Daniel
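Added example, not part of Daniel's reply or the original thread: a small Python classifier for the two packets a capture on the BIG-IP would show when a client reaches a pool member that no longer accepts TLS 1.0/1.1. Because the VIP has no SSL profile, the ClientHello and whatever the backend answers pass through unchanged, so the capture alone tells you whether the backend sent a TLS protocol_version alert (the server rejecting the offered version) or nothing at all (in which case a TCP RST and its logged cause, per K13223, is the next thing to look at). All input bytes are constructed inline; `build_client_hello`, `diagnose` and the sample constants are this example's own names.

```python
"""Classify TLS records captured on either side of a pass-through VIP.

Added example (not from the original thread). Inputs are constructed here:
a minimal ClientHello, and the fatal protocol_version alert a backend sends
when it no longer accepts the version the client offered (RFC 5246 / 8446).
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
EXT_SUPPORTED_VERSIONS = 43


def version_name(v):
    return VERSION_NAMES.get(v, f"0x{v:04x}")


def parse_record(data):
    """Parse one TLS record header plus the alert or hello message inside it."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
           "record_version": version_name(rec_version)}
    if ctype == 21 and length >= 2:          # alert: level(1) description(1)
        rec["alert_level"] = ALERT_LEVELS.get(body[0], str(body[0]))
        rec["alert"] = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
    elif ctype == 22 and length >= 4:        # handshake: type(1) length(3) body
        rec.update(_parse_hello(body))
    return rec


def _parse_hello(body):
    htype = body[0]
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    out = {"handshake": HANDSHAKE_TYPES.get(htype, str(htype))}
    if htype not in (1, 2) or len(hs) < 35:
        return out
    out["legacy_version"] = struct.unpack("!H", hs[:2])[0]
    pos = 34                                   # legacy_version(2) + random(32)
    pos += 1 + hs[pos]                         # session_id
    if htype == 1:                             # ClientHello: cipher_suites<2..>, compression<1..>
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 1 + hs[pos]
    else:                                      # ServerHello: cipher_suite(2) + compression(1)
        pos += 3
    versions = []
    if pos + 2 <= len(hs):
        exts = hs[pos + 2:pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]]
        i = 0
        while i + 4 <= len(exts):
            etype, elen = struct.unpack("!HH", exts[i:i + 4])
            edata = exts[i + 4:i + 4 + elen]
            if etype == EXT_SUPPORTED_VERSIONS:
                if htype == 1:                 # client: 1-byte length, then 2-byte versions
                    lst = edata[1:1 + edata[0]]
                    versions = [struct.unpack("!H", lst[j:j + 2])[0] for j in range(0, len(lst), 2)]
                else:                          # server: the single selected version
                    versions = [struct.unpack("!H", edata[:2])[0]]
            i += 4 + elen
    out["supported_versions"] = versions
    return out


def offered_max(rec):
    """Highest version a ClientHello offers (supported_versions wins over legacy_version)."""
    return max(rec["supported_versions"]) if rec.get("supported_versions") else rec["legacy_version"]


def diagnose(client_hello, server_reply):
    """Explain a failed handshake from the client's hello and the backend's first reply."""
    ch = parse_record(client_hello)
    if server_reply is None:
        return "no TLS reply from pool member: look for a TCP RST and its logged cause (K13223)"
    sr = parse_record(server_reply)
    if sr["type"] == "alert" and sr.get("alert") == "protocol_version":
        return (f"pool member sent a fatal protocol_version alert; client offered at most "
                f"{version_name(offered_max(ch))}, which the server no longer accepts; "
                f"a pass-through VIP forwards this alert to the client unchanged")
    if sr["type"] == "handshake" and sr.get("handshake") == "server_hello":
        neg = sr["supported_versions"][0] if sr["supported_versions"] else sr["legacy_version"]
        return f"handshake proceeded at {version_name(neg)}"
    return f"unexpected reply: {sr}"


def build_client_hello(legacy_version, supported=None):
    """Constructed minimal ClientHello record (one cipher suite, no session id)."""
    ext = b""
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        edata = bytes([len(lst)]) + lst
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(edata)) + edata
    hs = (struct.pack("!H", legacy_version) + b"\x00" * 32 + b"\x00"
          + struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"
          + struct.pack("!H", len(ext)) + ext)
    msg = b"\x01" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 22, 0x0301, len(msg)) + msg


# Constructed samples: a client stuck at TLS 1.0, a modern client, and the backend's
# alert record 15 03 01 00 02 02 46 (content type alert, fatal, protocol_version).
OLD_CLIENT = build_client_hello(0x0301)
NEW_CLIENT = build_client_hello(0x0303, [0x0304, 0x0303])
PROTOCOL_VERSION_ALERT = bytes.fromhex("15030100020246")

if __name__ == "__main__":
    print(diagnose(OLD_CLIENT, PROTOCOL_VERSION_ALERT))
    print(diagnose(OLD_CLIENT, None))
```

The practical use is to feed it the first client-to-server and server-to-client TLS records from a tcpdump taken on the BIG-IP (client side and server side of the VIP): if both sides carry the same alert, the rejection comes from the pool member and the F5 is only relaying it; if the server side shows no TLS reply at all, the RST-cause logging that Daniel points to is the next diagnostic step.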


Hi Daniel,

Thank you for your reply, and sorry for the delay in response. "Not able to access the service" means the service is not down in LTM; however, when the application team disable TLS 1.0 and 1.1 on their servers, the LDAP (ADFS) stops working. They suspected something on the F5, for which I specified that the F5 is only a pass-through. I strongly felt this is something related to the application; however, I wanted to confirm it.

I referred to the below, and it says that with SSL pass-through traffic the BIG-IP just passes the traffic from client to servers. So I only wanted to make sure that we are right that the F5 does not do any reset when they disable TLS 1.1 and 1.0 on their servers. Second, since this is production we have not got a chance for any downtime to test it again.

https://support.f5.com/csp/article/K65271370

The health monitor is TCP.

Here is the sample configuration:

ltm virtual VIP12_443 {
  destination VIPex/172.16.1.1:https
  ip-protocol tcp
  mask 255.255.255.255
  pool pp
  profiles {                 # No client or server SSL profile attached; health monitor is TCP
    tcp { }
  }
  source 0.0.0.0/0
  source-address-translation {
    type automap
  }
  translate-address enabled
  translate-port enabled
  vlans {
    /bb
  }
  vlans-enabled
  vs-index 25
}