How to troubleshoot SSL server profile?

Question

Hi&nbsp;
I'm trying to work out where my connection is going wrong.  I have setup a VIP with both a client and server SSL profile so the nodes receive traffic on 443.  What commands should I use from the F5 to troubleshoot the cert between the F5 and the nodes/servers?&nbsp;
Thanks&nbsp;

approxee · Answer

Where are you receiving the error, and what does it say - Is it a browser error ? - Is it a self cert or a Public CA ? 
Is there an intermediate Cert between the root CA and your certificate ?

approxee · Answer

You could use TCPdump, and then use SSLdump to see where it is failing - I think also you can use SSLdump directly if it is not a live system

hooleylist · Answer

You can capture a tcpdump first to see that up to L4 is working and then use ssldump with the server's SSL private key to check that SSL is working:&nbsp;
sol411: Overview of packet tracing with the tcpdump utility
https://support.f5.com/kb/en-us/solutions/public/0000/400/sol411.html&nbsp;
tcpdump -ni 0.0 -s0 -w /var/tmp/trace.1.dmp host CLIENT_IP or host SERVER_IP
replace CLIENT_IP and SERVER_IP with the client and pool member(s) IPs&nbsp;
SOL10209 - Overview of packet tracing with the ssldump utility
https://support.f5.com/kb/en-us/solutions/public/10000/200/sol10209.html?sr=31391333&nbsp;
ssldump -AedHr /var/tmp/trace.1.dmp -Nk /var/tmp/private.key &gt; /var/tmp/ssldump.txt&nbsp;
Aaron&nbsp;

Forum Discussion

How to troubleshoot SSL server profile?

3 Replies

Recent Discussions

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

iRule editor partition button does not work

Related Content

Server Profile SNI

F5 CIS, TLS Extensions, and troubleshooting

Re: SYN Troubleshooting: Stats

9. SYN Cookie Troubleshooting: Logs

LTM Diameter iRules and Profile Configurations with Support for Server Initiated Request