I tried to get a capture but did not see any hit
1. Create a new decryption iRule:
# Client-side handshake: log the session secrets for offline decryption
when CLIENTSSL_HANDSHAKE {
    log local0. "Client IP: [IP::client_addr] TCP source port: [TCP::remote_port] client"
    log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
    log local0.debug "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
}
# Server-side handshake: same log lines for the connection to the pool member
when SERVERSSL_HANDSHAKE {
    log local0. "Client IP: [IP::client_addr] TCP local port: [TCP::local_port] server"
    log local0. "RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
    log local0.debug "CLIENT_RANDOM [SSL::clientrandom] [SSL::sessionsecret]"
}
2. Add this iRule to your VS which is handling the affected traffic.
3. Run tcpdump:
tcpdump -envi 0.0:nnnp -s0 -w /var/tmp/"$HOSTNAME"_"$(date +%d-%m-%y)".pcap host <Your-client-IP>
4. Generate traffic and catch the problem.
5. Stop tcpdump.
6. Disable the decryption iRule.
7. Run the commands below to create the files with session keys:
sed -e 's/^.*\(RSA Session-ID\)/\1/;tx;d;:x' /var/log/ltm > /shared/tmp/sessionsecrets.pms
grep -h -o 'CLIENT_RANDOM.*' /var/log/ltm > /shared/tmp/sessionsecrets_random.pms
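
An added example, not part of the original post: a stricter version of the step 7 `grep` that keeps only well-formed NSS key log entries (`CLIENT_RANDOM`, 64 hex characters, 96 hex characters), drops duplicates and reports how many logged entries had an empty or truncated secret. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Read LTM log text (files given as arguments, or stdin) and print only
# well-formed, de-duplicated NSS key log entries:
#   CLIENT_RANDOM <64 hex chars> <96 hex chars>
# A summary of valid and malformed entries goes to stderr.
extract_keylog() {
    awk '
    {
        i = index($0, "CLIENT_RANDOM ")
        if (i == 0) next                      # not a key log line
        n = split(substr($0, i), f, " ")
        if (n == 3 && length(f[2]) == 64 && length(f[3]) == 96 &&
            f[2] !~ /[^0-9A-Fa-f]/ && f[3] !~ /[^0-9A-Fa-f]/) {
            key = f[1] " " f[2] " " f[3]
            if (!(key in seen)) { seen[key] = 1; print key; good++ }
        } else {
            bad++                             # empty or truncated secret
        }
    }
    END { printf "valid=%d malformed=%d\n", good, bad > "/dev/stderr" }
    ' "$@"
}

# Constructed sample input: the syslog prefix and rule name are made up.
sample_ltm_log() {
    cr=$(printf '%064d' 0 | tr 0 a)           # placeholder client random
    ms=$(printf '%096d' 0 | tr 0 b)           # placeholder master secret
    p='Jan  1 00:00:00 bigip debug tmm[1]: Rule /Common/example_decrypt:'
    printf '%s\n' \
        "$p CLIENT_RANDOM $cr $ms" \
        "$p CLIENT_RANDOM $cr $ms" \
        "$p CLIENT_RANDOM $cr " \
        "$p RSA Session-ID:abcd Master-Key:$ms" \
        "$p Client IP: 192.0.2.10 TCP source port: 50000 client"
}

# Demo: one key log line on stdout, "valid=1 malformed=1" on stderr.
sample_ltm_log | extract_keylog
```

On the BIG-IP this would be run as `extract_keylog /var/log/ltm > /shared/tmp/sessionsecrets_random.pms`; a summary of `valid=0` means the iRule logged no usable secrets for the capture window.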