Forum Discussion

Binoy
Jun 02, 2021

Cannot access machines after TLS 1.0 and 1.0 was disabled on the server side (both VIP and pool members on port 443 without any client or server SSL profile)

Hello,

We have machines behind an F5. Both the VIP and the pool are on port 443 without any client or server SSL profile, while the member servers (2 ADFS servers) have an SSL certificate, so the F5 just passes SSL through. This all worked; when TLS 1.0 and 1.1 were disabled on the servers, they could no longer access these servers from outside, so the configuration was reverted. When the public IP is scanned it shows the vulnerable TLS 1.0 and 1.1. Is there something the F5 is doing? I understand that since it's just a pass-through we do not have anything to disable TLS ciphers on an SSL profile. Will it do any good if I add a serverssl or serverssl-insecure-compatible profile?


public ------ VIP (port 443, no client SSL profile) -----------> pool members (no server SSL profile, port 443) --> 2 servers behind (Entrust cert)  # working

public ------ VIP (port 443, no client SSL profile) -----------> pool members (no server SSL profile, port 443) --> 2 servers behind (Entrust cert), after TLS 1.1 and 1.0 disabled on them  # not working


2 Replies

  • Hi Binoy,

    Can you describe why you are not able to access the service? Is the Virtual Server marked as down because the pool members are marked as down? If so, what kind of health checks do you have enabled for the pool members? Do they maybe rely on TLS 1.0 or TLS 1.1?

    Or do you get a connection reset from the pool members?

    Did you try to do a packet capture on the F5? You can configure the BIG-IP to log the reset cause:

    K13223: Configuring the BIG-IP system to log TCP RST packets

    So it's mandatory to understand where the problem comes from in order to resolve the issue.

    KR

    Daniel

    • Binoy

      Hi Daniel,

      Thank you for your reply, and sorry for the delay in responding. "Not able to access the service" does not mean the service is down in LTM; however, when the application team disabled TLS 1.1 and 1.0 on their servers, the LDAP (ADFS) stopped working. They suspected something on the F5, to which I replied that the F5 is only a pass-through. I strongly felt this is something related to the application; however, I wanted to confirm it.

      I referred to the article below, and it says that for SSL pass-through traffic the BIG-IP just passes the traffic from the client to the servers. So I only wanted to make sure that we are right that the F5 does not do any reset when they disable TLS 1.1 and 1.0 on their servers. Second, since this is production, we have not had a chance for any downtime to test it again.

      https://support.f5.com/csp/article/K65271370

      The health monitor is tcp.

      Here is the sample:

      (No client or server SSL profile attached; health monitor is tcp.)

      ltm virtual VIP12_443 {
          destination VIPex/172.16.1.1:https
          ip-protocol tcp
          mask 255.255.255.255
          pool pp
          profiles {
              tcp { }
          }
          source 0.0.0.0/0
          source-address-translation {
              type automap
          }
          translate-address enabled
          translate-port enabled
          vlans {
              /bb
          }
          vlans-enabled
          vs-index 25
      }
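As an added example (not from this thread and not an F5 tool), a small shell script that probes which TLS versions the public VIP and each pool member accept. It addresses Daniel's question of where the break happens and Binoy's passthrough expectation: with no client or server SSL profile, the VIP must report exactly what the members report, and a tcp health monitor will not notice a TLS-level failure. Host names and the presence of `openssl` and `timeout` are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or from F5: probe which TLS versions a host
# accepts so the public VIP can be compared with each pool member. With SSL
# passthrough the VIP should mirror the members exactly; a mismatch means the probe
# hit a host that was not changed, or not every member was changed.
# Assumes: openssl and timeout in PATH; hosts are given on the command line.

# Classify an "openssl s_client" transcript: accepted | rejected | client-unsupported
classify_handshake() {
  local out="$1"
  # The local OpenSSL will not even offer this version (e.g. TLS 1.0 compiled out),
  # so the result says nothing about the server.
  if printf '%s\n' "$out" | grep -qE 'no protocols available|unsupported protocol'; then
    echo client-unsupported; return 2
  fi
  # s_client prints a Protocol line even on failure, so also require a real cipher.
  if printf '%s\n' "$out" | grep -qE 'Protocol *: *TLSv1(\.[1-3])?$' \
     && ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo accepted; return 0
  fi
  echo rejected; return 1
}

# probe_version HOST PORT FLAG   (FLAG is one of -tls1 -tls1_1 -tls1_2 -tls1_3)
probe_version() {
  local transcript
  transcript=$(printf 'Q\n' | timeout 10 openssl s_client -connect "$1:$2" "$3" 2>&1 || true)
  classify_handshake "$transcript"
}

# Constructed, abbreviated transcripts used only for an offline self-check.
SAMPLE_ACCEPTED='New, TLSv1.0, Cipher is AES256-SHA
    Protocol  : TLSv1
    Cipher    : AES256-SHA'
SAMPLE_REJECTED='SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1
    Cipher    : 0000'

self_check() {
  [ "$(classify_handshake "$SAMPLE_ACCEPTED")" = accepted ] &&
  [ "$(classify_handshake "$SAMPLE_REJECTED")" = rejected ]
}

# Usage: ./tls_probe.sh VIP_PUBLIC_IP MEMBER1 MEMBER2 ...   (all probed on port 443)
for host in "$@"; do
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    printf '%-24s %-8s %s\n' "$host" "$flag" "$(probe_version "$host" 443 "$flag")"
  done
done
```

Run it once against the VIP and once against each member; if the member rows show TLS 1.0 rejected while the VIP row shows it accepted, the public scan is not reaching the servers that were changed.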