01-Jun-2021 19:39
Hello,
We have machines behind an F5. Both the VIP and the pool are on port 443 without any client or server SSL profile, while the member servers (2 ADFS servers) have the SSL certificate, so the F5 just passes SSL through. This all worked; when TLS 1.0 and 1.1 were disabled on the servers, they could no longer access these servers from outside, so the configuration was reverted. When the public IP is scanned it shows the vulnerable TLS 1.0 and 1.1. Is there something the F5 is doing? I understand that since it is just a pass-through we do not have anything to disable TLS ciphers on an SSL profile. Will it do any good if I add a server SSL or serverssl-insecure-compatible profile?
public ------> VIP (port 443, no client SSL profile) ------> pool members (no server SSL profile, port 443) ------> 2 servers behind (Entrust cert)   # working
public ------> VIP (port 443, no client SSL profile) ------> pool members (no server SSL profile, port 443) ------> [after TLS 1.0 and 1.1 disabled on the 2 servers behind (Entrust cert)]   # not working
02-Jun-2021 00:27
Hi Binoy,
Can you describe why you are not able to access the service? Is the Virtual Server marked as down because the pool members are marked as down? If so, what kind of health checks do you have enabled for the pool members? Do they maybe rely on TLS1.0 or TLS1.1?
Or do you get a connection reset from the pool members?
Did you try to do a packet capture on the F5? You can configure the BIG-IP to log the reset cause:
K13223: Configuring the BIG-IP system to log TCP RST packets
So it's mandatory to understand where the problem comes from in order to resolve the issue.
KR
Daniel
07-Jun-2021 18:20
Hi Daniel,
Thank you for your reply and sorry for the delay in response. "Not able to access the service" does not mean the service is down in LTM; however, when the application team disable TLS 1.1 and 1.0 on their servers, the LDAP (ADFS) stops working. They suspected something on the F5, for which I specified that the F5 is only a pass-through. I strongly felt this is something related to the application; however, I wanted to confirm it.
I referred to the article below, and it says that for SSL pass-through traffic the BIG-IP just passes the traffic from client to servers. So I only wanted to make sure that we are right that the F5 does not do any reset when they disable TLS 1.1 and 1.0 on their servers. Second, since this is production we have not had a chance for any downtime to test it again.
https://support.f5.com/csp/article/K65271370
The health monitor is tcp.
Here is the sample (no client or server SSL profile attached; the health monitor is tcp):
ltm virtual VIP12_443 {
    destination VIPex/172.16.1.1:https
    ip-protocol tcp
    mask 255.255.255.255
    pool pp
    profiles {
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
    vlans {
        /bb
    }
    vlans-enabled
    vs-index 25
}
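An added example (not from this thread and not F5's own tooling) for settling the question above: it pins one TLS version per handshake, probes the VIP and each pool member directly, and compares the answers. With a pure pass-through virtual server and a plain tcp monitor, whatever the VIP offers must be what a member behind it offers, so a version that appears at the VIP but at no member means TLS is being terminated somewhere else than expected. Host names are placeholders, not addresses from the thread.

```python
import socket
import ssl

# Versions to probe; the public scan in the thread flagged TLS 1.0 and 1.1.
TLS_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_tls_version(host, port, version, timeout=5.0):
    """Handshake pinned to exactly one protocol version; True if the server accepts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the negotiated version matters here, not the cert chain
    try:
        ctx.minimum_version = ctx.maximum_version = version
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let modern OpenSSL actually offer legacy versions
    except (ValueError, ssl.SSLError):
        return False  # this OpenSSL build cannot speak that version at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False  # alert, reset or timeout: the version was not accepted

def probe_all(host, port):
    """Map each version name to whether host:port completed a handshake with it."""
    return {name: probe_tls_version(host, port, ver) for name, ver in TLS_VERSIONS.items()}

def diagnose(vip, members):
    """Compare the VIP's answers with each pool member's; in pass-through they must match."""
    verdicts = {}
    for name in TLS_VERSIONS:
        on_members = [m[name] for m in members]
        if vip[name] and all(on_members):
            verdicts[name] = "server-side"           # members still offer it: fix on the servers
        elif vip[name] and any(on_members):
            verdicts[name] = "inconsistent-members"  # only some members were hardened
        elif vip[name]:
            verdicts[name] = "not-pass-through"      # VIP offers what no member does: TLS ends elsewhere
        elif any(on_members):
            verdicts[name] = "blocked-in-path"       # a member offers it but the VIP does not
        else:
            verdicts[name] = "disabled-everywhere"
    return verdicts
```

Run it as `diagnose(probe_all("vip.example.com", 443), [probe_all(m, 443) for m in ("adfs1.example.internal", "adfs2.example.internal")])` from a host that can reach both the VIP and the members directly (placeholder names).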