TCL error: _cgc_pick_clientside
Hi, in an ASM-LTM (Perimeter) Setup I see frquently the following logs: ***err: tmm3[19962]: 01220001:3: TCL error: _cgc_pick_clientside - unknown cgc sni: f5-bei1.xxxx.xx (line 49) invoked from within "CGC::sni $tls_servername"*** Any idea what this TCL error causes? The clientssl is quite Basic: one certificate chain, no Server Name set. Thanks, Rolf
Question on CSR and SSL
Please someone help me clear below doubt. Below is the scenario i am demonstrating in LAB. 1) I have generated CSR on LTM and provided to CA (CA is my Windows server 2012) 2)With the help of open SSL on Windows server 2012 i generated public and private key pair and signed the CSR. "TESTVIP" is name of my newly signed certificate. I also extracted public key from CAserver. 3)I have imported "TESTVIP" certificate and private key in LB(got private key while generating CSR on LB). Question1) When i am associating this (TESTVIP and private key) to client SSL profile it is giving me an error "KEY and certificate do not match. Though i have done it correctly. Question2) Also i am trying to install CA public key in end user browser to trust the website, but it says "this file is invalid for use as following security certificate". How can i establish that green lock symbol in URL in such LAB scenario? Any help would be appreciated.
TLS record layer version
Dears, As mentioned in the article https://support.f5.com/csp/article/K53037818 .. TLS servers compliant with the TLS1.2 specification must accept any value as the record layer version number for ClientHello. It also mentioned that "When you encounter issues with SSL handshakes failing due to the record layer version in the ClientHello message, you should first review the configuration on the TLS server." As of now, we would like to know where can we see the configuration of TLS record layer version in F5 Client SSL Profile. Thanks in Advance. Mohammed ShirazActive directory cannot resolve remote ssl vpn computer
Gents, I hope you can help me with this. Is it possible a remote vpn computer can be seen by AD ?. VPN works, AD can ping the remote computer, but cannot resolve its hostname. Those are corporate computers that have been joined to the domain already. Please advise.
SSL::enable/SSL::disable unexpected behaviour
I have a question about the specific bahaviour of LTM with regard to SSL::enable/SSL::disable. I have a virtual server with two pools: One pool has a member that needs TLS communication; The other pool has a member that doesn't use TLS (i.e., it uses plain text HTTP). The pool selection is based on the request URI (e.g., the first URI-path selects the pool). I have a serverside SSL profile configured to my virtual server. When I use the iRule below, the behaviour is not quite what I expected: when HTTP_REQUEST { if { } { select the tls-pool: enable server side SSL SSL::enable serverside pool } else { select the http-pool: disable server side SSL SSL::disable serverside pool } } ` The observed behaviour is as follows: Client connects to virtual server (new TCP connection). Client issues a request that selects the http-pool. The http-pool member responds (confirmed: the 'SSL::disable' works). Over the same client TCP connection, the client issues a request that selects the tls-pool. The tls-pool member responds (confirmed: server side TLS is working). Over the same client TCP connection, the client issues a request that selects the http-pool again. This fails! A tcpdump reveals that LTM is sending a TLS Client Hello to the http pool member. The pool member responds with a '400 Bad Request', I get errors in /var/log/ltm: `warning tmm2[1688]: 01260009:4: Connection error: ssl_null_parse:3177: record length too large (22) warning tmm2[1688]: 01260013:4: SSL Handshake failed for TCP 192.168.10.10:80 -> 192.168.10.1:50214 ` and the client side TCP connection is aborted (TCP RST). When I rewrite my iRule to perform the 'SSL::enable' and 'SSL::disable' in a SERVER_CONNECTED event, all seems to work fine: `when HTTP_REQUEST { if { } { set tls 1 pool } else { set tls 0 pool } } when SERVER_CONNECTED { if { $tls == 1 } { SSL::enable serverside } else { SSL::disable serverside } } What is the difference? My guess is it has to do with attach/detach. But I seem to miss the subtle difference...F5 BIG-IP and Imperva Integration.
Hi, Design requirements: F5 LTM VE (13.x) takes traffic to VIP (sends to Imperva for inspection) Imperva sends back to LTM, LTM sends to SERVER. Traffic between F5/Imperva/Server must be SSL encrypted. KEY design requirements/notes: 1) F5 must send to Imperva ENCRYPTED (Imperva will do the decrypt/encrypt). 2) LTM has BEST license (BUT only LTM is enabled) Questions I have - can this be done on LTM only (not using SSL Orchastrator)? And will there be any issues keeping it ALL SSL between the 2 boxes? Thanks for your feedback!
