Forum Discussion

Doran_Lum_13484
Dec 02, 2016

SSL traffic not working

Hi all, we have this self-generated new SHA-2 certificate which we are putting into the F5 VIPs, but we get the error "Connection Closed", and in the F5 logs we can see the connection getting RST. We looked into the logs below and found that the F5 was sending a Client Hello to the Application Server but did not get a reply.

It seems the self-generated SHA-1 certs are working, and even certs from Thawte are working. We don't understand why these new SHA-2 certs do not work. When going directly to the server, we don't see any issues.

VIP port: 443

Node Port: 443

10.65.0.20 - Source Client
172.20.83.19 - F5 VIP
172.20.234.34 - F5 Self IP
172.20.85.3 - Application Server

[Screenshots in the original post: F5 capture, Application Server capture, Palo Alto switch static route for F5]

4 Replies

  • Can you please clarify a few things?

    1. Assuming you're doing decrypt and re-encrypt to the server, where are you putting the new SHA-2 cert? In the client SSL profile or server SSL profile?

    2. It's interesting that we see a single ClientHello on either side. You'd normally expect to see the client side SSL complete before attempting anything on the server side. What type of BIG-IP VIP do you have configured?

    3. Can you share any other details about your configuration?

  • Dorum,

    The issue is a bit hard to determine because you're showing both sides of the proxy. It's also a common misconception that you need a certificate in the server SSL profile. You might only need a certificate (and private key) there if you needed to perform some sort of mutual authentication to the backend server. In most cases, the default server SSL profile is sufficient for re-encryption to the backend server. It will silently ignore any certificate mismatch or trust issues.

    So then the next step is to isolate the problem. You can do that by simply pointing the capture at one of the two VLANs. I'd start on the outside and use TCPDUMP and SSLDUMP. Example:

    tcpdump -lnni [external VLAN] host [VIP IP] [and additional filters]
    
    ssldump -AnNd -i [external VLAN] port 443 [and additional filters]
    

    Given that this is a standard VIP, you should see the client SSL handshake happen before any server side SSL handshake, so if it stops at the ClientHello (and presumably someone issues a reset), then there's a good chance the problem is on the client side. Otherwise flip to the server side VLAN and capture again.
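The one-side-at-a-time capture the reply describes, as an added example that is not part of the thread. It is meant to be run from the BIG-IP bash shell: it captures a single VLAN with tcpdump while one handshake is driven at the VIP, replays the pcap through ssldump, and reports whether the leg got a ServerHello. The VIP and pool-member addresses are the ones in the original post; the VLAN names (`external`, `internal`), the SNI hostname and the pcap paths are assumptions. The two classification helpers work on plain text and can be tried without a BIG-IP.

```shell
#!/bin/bash
# Added example, not code from the thread: test one side of the BIG-IP full
# proxy at a time, as the reply above suggests. Run from the BIG-IP bash
# shell. The IPs are the ones the poster listed; the VLAN names, the SNI
# hostname and the pcap paths are assumptions.
set -u

VIP=172.20.83.19
MEMBER=172.20.85.3
EXT_VLAN=external      # assumed name of the client-facing VLAN
INT_VLAN=internal      # assumed name of the server-facing VLAN
SNI=app.example.com    # assumed hostname on the new SHA-2 certificate

# Classify combined stdout+stderr of `openssl s_client`. s_client prints
# "Cipher is <suite>" when the handshake completed, "Cipher is (NONE)" when
# TCP connected but TLS did not complete, and no Cipher line at all when the
# TCP connection itself failed.
classify_handshake() {
  local out=$1
  if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo tls_failed
  elif printf '%s\n' "$out" | grep -q 'Cipher is '; then
    echo tls_ok
  else
    echo tcp_failed
  fi
}

# From ssldump's text output, report how far the handshake got on the wire:
#   no_clienthello - nothing was sent on this leg
#   no_serverhello - ClientHello went out, the peer never answered
#   serverhello    - the peer answered, so a later failure is a cert, cipher
#                    or trust problem rather than a dead path
handshake_progress() {
  local dump=$1
  if printf '%s\n' "$dump" | grep -q 'ServerHello'; then
    echo serverhello
  elif printf '%s\n' "$dump" | grep -q 'ClientHello'; then
    echo no_serverhello
  else
    echo no_clienthello
  fi
}

# Capture one VLAN while a single handshake is driven at the VIP, then replay
# the pcap through ssldump. The filter names that leg's own endpoint so the
# other half of the proxy stays out of the capture. The handshake is driven
# from the BIG-IP host's OpenSSL; driving it from the real client
# (10.65.0.20) while this script only captures is a more faithful test.
capture_one_side() {
  local vlan=$1 filter=$2
  local pcap="/var/tmp/${vlan}_side.pcap" out dump tcpdump_pid
  tcpdump -nni "$vlan" -s0 -w "$pcap" "$filter" &
  tcpdump_pid=$!
  sleep 1
  out=$(echo Q | openssl s_client -connect "$VIP:443" -servername "$SNI" 2>&1)
  sleep 1
  kill "$tcpdump_pid"
  wait "$tcpdump_pid" 2>/dev/null
  dump=$(ssldump -AdNn -r "$pcap" 2>&1)
  echo "$vlan: s_client=$(classify_handshake "$out") wire=$(handshake_progress "$dump")"
}

main() {
  # Client side first: client <-> VIP on the external VLAN.
  capture_one_side "$EXT_VLAN" "host $VIP and port 443"
  # Then the server side: self IP <-> pool member on the internal VLAN.
  capture_one_side "$INT_VLAN" "host $MEMBER and port 443"
}

# Captures only run with --run so the helpers can be sourced and used alone.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `bash isolate_side.sh --run`. A client-side line of `wire=no_serverhello` means the problem is in front of the VIP (client-ssl profile, cert chain, ciphers); a client-side `serverhello` with a server-side `no_serverhello` matches the poster's symptom and points at the pool member or the path to it.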

  • "We look into the logs below and found that F5 was sending CLient Hello to the Application Server but it doesn't get a reply."

    Can you do the next tests from the F5 to the Application Server - 172.20.85.3 ?

    ping 172.20.85.3
    traceroute 172.20.85.3
    telnet 172.20.85.3 443
    curl -vk https://172.20.85.3
    tcpdump -ni 0.0 host 172.20.85.3 and port 443

  • Agree with @kevin's points. As the SSL certificate is configured on both sides (F5 & server), select the F5 server-side SSL profile "serverssl-insecure-compatible". Hope the issue will be solved; please update us.
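The backend checks from the previous reply and the profile change from this one, put together as an added example that is not part of the thread. It is written for the BIG-IP bash shell: probe the pool member directly, install the SHA-2 cert and key into a client-ssl profile (the side that actually needs the certificate), attach the stock `serverssl-insecure-compatible` profile on the server side, and then show what the virtual ended up with. The member IP is the poster's; the virtual server name, the profile and cert/key names, the `/var/tmp` and `/config/ssl/ssl.crt` paths and the v12-era tmsh syntax are assumptions. The `serverside_profile` parser works on plain `tmsh list` text and can be tried without a BIG-IP.

```shell
#!/bin/bash
# Added example, not code from the thread: run from the BIG-IP bash shell to
# test the path to the pool member (the checks in the reply above) and to put
# the SHA-2 certificate where it belongs, in the client-ssl profile, with the
# stock serverssl-insecure-compatible profile on the server side. The member
# IP is the poster's; the virtual and profile names, the cert/key file names,
# the paths and the tmsh syntax (v12-era) are assumptions.
set -u

MEMBER=172.20.85.3
VS=vs_app_443                  # assumed virtual server name
CLIENTSSL=app_clientssl_sha2   # assumed client-ssl profile name
CERT=app_sha2.crt              # assumed names the cert and key get when installed
KEY=app_sha2.key

# Parse `tmsh list ltm virtual <vs> profiles` output and print the profile
# attached with "context serverside" (prints nothing if there is none).
# Pure text handling, so it can be checked offline.
serverside_profile() {
  printf '%s\n' "$1" | awk '
    $1 == "profiles" && $2 == "{"                   { inprof = 1; next }
    inprof && $2 == "{"                              { name = $1 }
    inprof && $1 == "context" && $2 == "serverside"  { print name; exit }
  '
}

# Path and backend checks from the BIG-IP itself. curl and s_client here use
# the host OpenSSL, not TMM, so a success proves the route and the server's
# TLS stack; it says nothing about the server-ssl profile's cipher list.
probe_member() {
  ping -c 3 "$MEMBER"
  traceroute -n "$MEMBER"
  curl -vk --max-time 10 -o /dev/null "https://$MEMBER/"
  echo Q | openssl s_client -connect "$MEMBER:443" 2>&1 | grep -E 'Protocol|Cipher is|Verify return'
}

# Install the cert and key from files copied to /var/tmp, build a client-ssl
# profile around them, and attach that plus serverssl-insecure-compatible to
# the virtual. No certificate is needed in the server-ssl profile for plain
# re-encryption to the member.
configure_ssl() {
  tmsh install sys crypto cert "$CERT" from-local-file "/var/tmp/$CERT"
  tmsh install sys crypto key "$KEY" from-local-file "/var/tmp/$KEY"
  tmsh create ltm profile client-ssl "$CLIENTSSL" defaults-from clientssl cert "$CERT" key "$KEY"
  tmsh modify ltm virtual "$VS" profiles add { "$CLIENTSSL" { context clientside } serverssl-insecure-compatible { context serverside } }
  tmsh save sys config
}

# Show the resulting state: which profile sits on the server side, the cipher
# string that profile uses, and the signature algorithm of the installed cert
# (a SHA-2 cert reports sha256WithRSAEncryption; file path assumed).
show_ssl_state() {
  local vs_out
  vs_out=$(tmsh list ltm virtual "$VS" profiles)
  echo "server-side profile on $VS: $(serverside_profile "$vs_out")"
  tmsh list ltm profile server-ssl serverssl-insecure-compatible ciphers
  openssl x509 -in "/config/ssl/ssl.crt/$CERT" -noout -text | grep -m1 'Signature Algorithm'
}

main() {
  probe_member
  configure_ssl
  show_ssl_state
}

# tmsh and network steps only run with --run so the parser can be used alone.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

If `probe_member` already fails at the `openssl s_client` step, the SHA-2 certificate on the VIP is not the cause and the member itself (or the static route to it) needs attention first; the profile change only matters once the member answers a handshake.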