inbound ssl decrypt and iphone

external ??? what do you mean by that.

I have tried it over my internal wifi and from the internet. but the path is still the same

VIP is on the A/A cluster

no error message just the icon saying they are waiting for stuff

A

hi @Alex_Samad

Well you mentioned inbound, so I'm assuming you have ssl inbound inspection,  which is typically applied from the outside coming in.

Accessing such site from the inside requires U-turn NAT and makes things more complex, so it influences how we would troubleshoot and which answers would be helpful

Why have you deployed A/A?

have you traced the packets going back and forth, are they following a symmetrical path?

Hi

Okay understand. but no U turn...   

internet -> pa -> lo back -> dmz zone

inernal -> pa -> lo back -> dmz zone

so internal external shouldn't make a difference

active /active - why should that make a difference - sorry bit sensitive on this as always the question is why that.  Do you think its an issue with this.

So the issue is.

android user attempt to get to the https site. it works works well

iphone user attempts to get to the https site. it starts to work and then stops.

from my observing packets at the ext boundary routers and inside I can see that packets are being sent from the http server to the PA and they are not making back to the iphone properly.

The minute I turn off decrypt it works. when i turn it back on it stops.  

so i don't think it has anything to do with asym or sym routing ... I don't think - although I had a GP asym issue that was fixed with 8.0.12

my plan now is to setup a test case - limit decrypt to my specific ip address range I can control. then turn some debugging on the PA's and turn of in chip switching.  turn on debug logging and setup packet captures for working and non working scenarios.

PA support want me to do packet capture on the iphone - yeah right - not sure how to do that.

But I think i can do it in the middle on one of the routers

its strange why i'm seeing it and others aren't. my main hope of coming here was to get some feedback from others see if ts just me or others are experiencing it.

note strangely its affect one branch of the url

so the web site reverse proxies confluence and jira and they work fine, just access to the /w - new web site driven by a content management system thats causing the problem.

A/A makes configuration much more complex and introduces a lot of complexity in network troubleshooting while the payoff is sort of exclusively having the ability to work around asymmetric traffic

So in my experience, I've seen many customers deploy AA in an environment that did not benefit from this approach (this is why you get this question from other people as well)

anyway,

sounds like you have that bit under control. Your troubleshooting steps seem like the best option right now, enable debugging and set packet captures

I can imagine some option in the decryption profile does not compute with the iphone and it is dropping the connection. Have you tried different browsers on iPhone, as some may return more user friendly error messages versus safari  (could be iphone has a different set of trusted root certificates and is not happy with yours, for example

Hi

Apreciate the answer and it was what I had expected.  I ususally reply maybe PA should stop sell A/A solution !

From memory when we did test a person installed chrome, but I think the underlying ssl is done by the OS not the browser..

A