Forum Discussion

cxcal_18687
Feb 04, 2011

HELP: SSL 128 cipher failures

Running 10.1.0

VIP was originally set up to use a server pool and an HTTP::redirect to https.

That works fine with IE 8 and Firefox.

Discovered clients running IE 7 (with 128 cipher) cannot load the page.

How do I correct this?

I'm testing SSL client profile with: DEFAULT:!ADH:!EXPORT40:!EXP:!LOW

Still not working.

Need help urgently.

Thanks.

4 Replies

  • You can check which ciphers are available for a given cipher string using:

    tmm --clientciphers 'DEFAULT:!ADH:!EXPORT40:!EXP:!LOW'

    You can use ssldump to check what happens in a client and server SSL handshake negotiation:

    sol10209: Overview of packet tracing with the ssldump utility
    http://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html

    Aaron
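As an added illustration of the ssldump check described in the reply above (example code, not from the reply or from F5): it parses a constructed ssldump-style excerpt for the suites the client offered and compares them, in server preference order, with a constructed server-side list of the kind `tmm --clientciphers` prints. The ssldump line layout, the suite names and the server list are all assumptions, not values from this thread.

```python
import re

# Constructed ssldump-style excerpt (not a capture from this thread): the client
# offers only RC4 suites and the VIP answers with a fatal handshake_failure alert.
SSLDUMP_EXCERPT = """\
1 1  0.0009 (0.0009)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        compression methods
                  NULL
1 2  0.0012 (0.0003)  S>C  Alert
    level           fatal
    value           handshake_failure
"""

# Constructed server-side list in server preference order, standing in for what
# `tmm --clientciphers '<cipher string>'` reports for the client SSL profile.
SERVER_CIPHERS = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

SUITE_RE = re.compile(r"^\s*((?:TLS|SSL)_[A-Z0-9_]+)\s*$")

def client_offered_suites(dump):
    """Suites listed under the ClientHello 'cipher suites' block, in client order."""
    suites, in_block = [], False
    for line in dump.splitlines():
        if line.strip() == "cipher suites":
            in_block = True
            continue
        if not in_block:
            continue
        m = SUITE_RE.match(line)
        if not m:
            break  # 'compression methods' ends the block
        suites.append(m.group(1))
    return suites

def explain(dump, server_ciphers):
    """First mutually supported suite in server preference order, or why none exists."""
    offered = client_offered_suites(dump)
    common = [c for c in server_ciphers if c in offered]
    if common:
        return "negotiable: " + common[0]
    return "no overlap: client offered %s; server allows %s" % (offered, server_ciphers)
```

A "no overlap" result pins the failure on the suite sets themselves rather than on certificates or the redirect, and shows which side has to change; widening the profile's cipher string to suit one old client weakens it for every client.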
  • Thanks Aaron.

    Is there any documentation on best practices for configuring FTP over SSH?

  • FTP over SSH or over SSL? LTM cannot offload the encryption for SSH, so you'd just create a virtual server on port 22 and point that at a pool of servers on whichever port(s) the SSH daemon listens on. You could use a Performance L4 virtual server for this.

    For FTPS, it is possible to have LTM decrypt the SSL. I tested this but found that the solution was very dependent on the FTPS client and FTP server types. I'm not sure it's a production-ready solution. The article on this is:

    FTPS Offload via iRules
    http://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/340/FTPS-Offload-via-iRules.aspx

    There is a CR noting the request to support FTPS offloading, CR47551. You could contact F5 Support to find out if it has been/is planned to be supported at some point. You can ask them to attach your case to the CR to raise the visibility of the request.

    Aaron
  • Still hitting my head with the following tcpdump during a login attempt. Although I get the "fingerprint ssh-rsa", I then get authentication failed:

    Just have the VIP pointing to the server pool, and using L4 profile.

    17:48:56.986258 IP x.22.169.241.1028 > x.36.172.x.ssh: S 758488788:758488788(0) win 65535
    17:48:56.986703 IP x.36.172.x.ssh > x.22.169.241.1028: S 1025121854:1025121854(0) ack 758488789 win 5840
    17:48:57.043374 IP x.22.169.241.1028 > x.36.172.x.ssh: . ack 1 win 32768
    17:48:57.047688 IP x.36.172.x.ssh > x.22.169.241.1028: P 1:21(20) ack 1 win 46
    17:48:57.103653 IP x.22.169.241.1028 > x.36.172.x.ssh: P 1:44(43) ack 21 win 32767
    17:48:57.103931 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 44 win 46
    17:48:57.104957 IP x.36.172.x.ssh > x.22.169.241.1028: P 21:725(704) ack 44 win 46
    17:48:57.109600 IP x.22.169.241.1028 > x.36.172.x.ssh: P 44:556(512) ack 21 win 32767
    17:48:57.109604 IP x.22.169.241.1028 > x.36.172.x.ssh: P 556:684(128) ack 21 win 32767
    17:48:57.109933 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 684 win 63
    17:48:57.165816 IP x.22.169.241.1028 > x.36.172.x.ssh: P 684:700(16) ack 725 win 32762
    17:48:57.167874 IP x.36.172.x.ssh > x.22.169.241.1028: P 725:1005(280) ack 700 win 63
    17:48:57.256547 IP x.22.169.241.1028 > x.36.172.x.ssh: P 700:972(272) ack 1005 win 32760
    17:48:57.263654 IP x.36.172.x.ssh > x.22.169.241.1028: P 1005:1853(848) ack 972 win 71
    17:48:57.355642 IP x.22.169.241.1028 > x.36.172.x.ssh: P 972:988(16) ack 1853 win 32768
    17:48:57.355650 IP x.22.169.241.1028 > x.36.172.x.ssh: P 988:1040(52) ack 1853 win 32768
    17:48:57.355870 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 1040 win 71
    17:48:57.355928 IP x.36.172.x.ssh > x.22.169.241.1028: P 1853:1905(52) ack 1040 win 71
    17:48:57.415586 IP x.22.169.241.1028 > x.36.172.x.ssh: P 1040:1108(68) ack 1905 win 32767
    17:48:57.419579 IP x.36.172.x.ssh > x.22.169.241.1028: P 1905:1989(84) ack 1108 win 71
    17:48:57.482899 IP x.22.169.241.1028 > x.36.172.x.ssh: P 1108:1404(296) ack 1989 win 32766
    17:48:57.523566 IP x.36.172.x.ssh > x.22.169.241.1028: . ack 1404 win 80
    17:49:00.070659 IP x.36.172.x.ssh > x.22.169.241.1028: P 1989:2073(84) ack 1404 win 80
    17:49:00.209323 IP x.22.169.241.1028 > x.36.172.x.ssh: R 1404:1404(0) ack 2073 win 0
    17:49:14.280379 IP x.22.169.241.iad3 > x.36.172.x.ssh: S 4106293492:4106293492(0) win 65535
    17:49:14.280606 IP x.36.172.x.ssh > x.22.169.241.iad3: S 3350075743:3350075743(0) ack 4106293493 win 5840
    17:49:14.337254 IP x.22.169.241.iad3 > x.36.172.x.ssh: . ack 1 win 32768
    17:49:14.341342 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1:21(20) ack 1 win 46
    17:49:14.399249 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 1:44(43) ack 21 win 32767
    17:49:14.399902 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 44 win 46
    17:49:14.400284 IP x.36.172.x.ssh > x.22.169.241.iad3: P 21:725(704) ack 44 win 46
    17:49:14.403021 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 44:556(512) ack 21 win 32767
    17:49:14.403026 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 556:684(128) ack 21 win 32767
    17:49:14.403247 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 684 win 63
    17:49:14.457271 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 684:700(16) ack 725 win 32762
    17:49:14.459805 IP x.36.172.x.ssh > x.22.169.241.iad3: P 725:1005(280) ack 700 win 63
    17:49:14.548367 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 700:972(272) ack 1005 win 32760
    17:49:14.555198 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1005:1853(848) ack 972 win 71
    17:49:14.746744 IP x.22.169.241.iad3 > x.36.172.x.ssh: . ack 1853 win 32768
    17:49:28.156578 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 972:988(16) ack 1853 win 32768
    17:49:28.157029 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 988:1040(52) ack 1853 win 32768
    17:49:28.157251 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 1040 win 71
    17:49:28.157255 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1853:1905(52) ack 1040 win 71
    17:49:28.216186 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 1040:1108(68) ack 1905 win 32767
    17:49:28.219039 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1905:1989(84) ack 1108 win 71
    17:49:28.356048 IP x.22.169.241.iad3 > x.36.172.x.ssh: P 1108:1404(296) ack 1989 win 32766
    17:49:28.396201 IP x.36.172.x.ssh > x.22.169.241.iad3: . ack 1404 win 80
    17:49:29.760217 IP x.36.172.x.ssh > x.22.169.241.iad3: P 1989:2073(84) ack 1404 win 80
    17:49:30.033536 IP x.22.169.241.iad3 > x.36.172.x.ssh: . ack 2073 win 32766
    17:49:30.128949 IP x.22.169.241.iad3 > x.36.172.x.ssh: R 1404:1404(0) ack 2073 win 0