Doran_Lum_13484
Dec 02, 2016

Setting static route for both VIPs and SNAT to Self IP

Hi all, would there be any issue if we were to set the static route for both VIP and SNAT to F5 Self IP? Currently we are experiencing strange behavior with SHA2 certs where we don't see any response from application servers.

172.20.83.0/24 - F5 VIP subnet
172.20.84.0/24 - F5 SNAT subnet
172.20.234.34 - F5 Self-IP


4 Replies

  • Hello,

    Is 172.20.234.34 a floating or a non-floating Self-IP address?

    If it is a non-floating Self-IP address, is it configured on the active or standby unit?

    Regards,


    • Doran_Lum

      Floating Self-IP so it's on both active and inactive unit

       

  • You can use the self-IP as a next-hop. Typically (simply speaking) you'll want to use a floating self IP for the traffic group so routing survives a fail-over between clustered devices (if applicable).

     

    However the wording of your question catches my eye. If the issue is constrained by a property of the server certificate (SHA2 signature algorithm or other), then I would not suspect routing as the issue. Does the issue only impact servers using SHA2 certificates? Are other servers in the same subnets working properly?

     

  • Thanks, for the certificate, yes, it seems to impact SHA2 certificates only. On the tcpdump on F5 we see the TLS 1.2 encrypted alert 21. It's affecting different servers on different subnets.