SSL Cert Issue

Question

In process of migrating applications from cisco ACE to F5 LTM. We are running into an issue with an application with ssl offload .&nbsp;
on cisco ACE we have client ssl initiation  and server ssl termination defined.
When I set the same on F5 . CLient is not able to access the application . 
So removed the ssl profile and with basic setup  i.e source persistence, TCP protocol ,SNAT .  CLient is able to access the application  through a dedicated software but the GUI access is not working .&nbsp;
attaching cisco ACE ssl config . please assist me  with f5 LTM setup.&nbsp;
policy-map type loadbalance first-match QA__POLICY
  class class-default
    sticky-serverfarm QA_STICKY
    ssl-proxy client QA_SERVER&nbsp;
ssl-proxy service QA_SERVER
  ssl advanced-options PARAMMAP_SSL_INITIATION&nbsp;
parameter-map type ssl PARAMMAP_SSL_INITIATION
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA&nbsp;
parameter-map type ssl QA_SSL_TERMINATION
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3&nbsp;
ssl-proxy service QA_SSL_SERVER
  key qakey.key
  cert qacert.pem
  ssl advanced-options QA_SSL_TERMINATION&nbsp;
policy-map multi-match POLICY
  class QA_CLASS
    loadbalance vip inservice
    loadbalance policy QA_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 12 vlan 20
    ssl-proxy server QA_SSL_SERVER&nbsp;

kohli9harjeev · Answer

Hi,&nbsp;
Have you configured a client-ssl profile with correct certificates to offload SSL on F5.
Also,are your backend server listening on port 443 or any other non-SSL port. If port 443,then you might want to apply server ssl profile on VS or if any other non-SSL port,dont need to apply server-ssl profile as  the traffic to backend servers will go in clear text after SSL offload.&nbsp;
Also,did you apply http profile to the VS you created on the F5?&nbsp;
Kindly provide the F5 configuration here to have a better picture.&nbsp;

sandiksk_35282 · Answer

The backend servers are listening on port 443 .VIP is set to listen only on port 443.&nbsp;

sandiksk_35282 · Answer

Client ---- F5 (  traffic gets decrypted on F5 )
from F5 --- Server  ( F5 encrypts the data and server decrypts the data)&nbsp;
do I need to apply  the cert and key to client ssl profile or server ssl profile. &nbsp;

samir_jha_52506 · Answer

Please create client SSL profile(key,cert,chain)
Apply created client SSL profile &amp; default serverssl profile. It will work

sandiksk_35282 · Answer

Do I need to enable any settings on the client and server ssl profile or just use the default and also these are the ciphers which are being used on cisco ACE , so can I enable all the options on F5&nbsp;
client  ssl profile
ipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_EXPORT_WITH_RC4_40_MD5
  cipher RSA_EXPORT_WITH_DES40_CBC_SHA&nbsp;
Server ssl profile
cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3&nbsp;

Forum Discussion

SSL Cert Issue

7 Replies

Recent Discussions

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Related Content

Regex issue

SSL cert

Re: extract LTM VS ssl profile binding cert and key information to generate a json with python f5-sd

SSL protocol mismatch

SSL Profiles