inbound ssl decrypt and iphone


L4 Transporter

Hi

Seems like I am having issues with iPhones and inbound SSL decrypt with 8.0.12.

Anyone else having this issue? Seems like 0-200k of data is okay, after that ... dies in the arse.


Cyber Elite

Are the iPhones external, and are they seeing some sort of error message?

No issues with Android?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

External??? What do you mean by that?

I have tried it over my internal wifi and from the internet, but the path is still the same.

VIP is on the A/A cluster.

No error message, just the icon saying they are waiting for stuff.

 


Hi @Alex_Samad

Well, you mentioned inbound, so I'm assuming you have SSL inbound inspection, which is typically applied from the outside coming in.

Accessing such a site from the inside requires U-turn NAT and makes things more complex, so it influences how we would troubleshoot and which answers would be helpful.

Why have you deployed A/A?

Have you traced the packets going back and forth? Are they following a symmetrical path?

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi

Okay, understood. But no U-turn...

internet -> PA -> loopback -> DMZ zone

internal -> PA -> loopback -> DMZ zone

So internal/external shouldn't make a difference.

Active/active - why should that make a difference? Sorry, bit sensitive on this, as the question is always "why that". Do you think it's an issue with this?

So the issue is:

Android user attempts to get to the HTTPS site. It works well.

iPhone user attempts to get to the HTTPS site. It starts to work and then stops.

From observing packets at the external boundary routers and inside, I can see that packets are being sent from the HTTP server to the PA and they are not making it back to the iPhone properly.

The minute I turn off decrypt it works. When I turn it back on it stops.

So I don't think it has anything to do with asym or sym routing... I don't think - although I had a GP asym issue that was fixed with 8.0.12.

My plan now is to set up a test case: limit decrypt to a specific IP address range I can control, then turn some debugging on on the PAs and turn off in-chip switching. Turn on debug logging and set up packet captures for working and non-working scenarios.

PA support want me to do a packet capture on the iPhone - yeah right - not sure how to do that.

But I think I can do it in the middle on one of the routers.

It's strange why I'm seeing it and others aren't. My main hope in coming here was to get some feedback from others, to see if it's just me or others are experiencing it.

Note, strangely it affects one branch of the URL.

So the web site reverse proxies Confluence and Jira and they work fine; just access to the /w - a new web site driven by a content management system - is causing the problem.

 

 

A/A makes configuration much more complex and introduces a lot of complexity in network troubleshooting, while the payoff is sort of exclusively having the ability to work around asymmetric traffic.

So in my experience, I've seen many customers deploy A/A in an environment that did not benefit from this approach (this is why you get this question from other people as well).

Anyway,

sounds like you have that bit under control. Your troubleshooting steps seem like the best option right now: enable debugging and set up packet captures.

I can imagine some option in the decryption profile does not compute with the iPhone and it is dropping the connection. Have you tried different browsers on iPhone, as some may return more user-friendly error messages versus Safari (could be the iPhone has a different set of trusted root certificates and is not happy with yours, for example).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
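Since the reply above suspects a decryption-profile/client mismatch and the capture point will be a router rather than the phone, one useful first check is to diff the two clients' TLS ClientHello messages (cipher suites, SNI, extension list) from the working and failing captures. This is an added example, not code from the thread or from Palo Alto Networks; the ClientHello bytes are constructed inline and the host name `example.test` is a placeholder.

```python
import struct

# Constructed sample ClientHello (not a real capture): TLS 1.3-capable client offering
# two cipher suites, SNI "example.test", supported_versions and record_size_limit.
SAMPLE_CLIENT_HELLO = bytes.fromhex("".join([
    "16 03 01 00 53",              # record header: handshake, legacy 3.1, length 83
    "01 00 00 4f",                 # handshake header: client_hello, length 79
    "03 03", "11" * 32, "00",      # legacy version, 32-byte random, empty session id
    "00 04 13 01 c0 2f",           # cipher suites: TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    "01 00", "00 22",              # null compression; extensions length 34
    "00 00 00 11 00 0f 00 00 0c", "example.test".encode().hex(),  # server_name extension
    "00 2b 00 03 02 03 04",        # supported_versions: TLS 1.3
    "00 1c 00 02 40 01",           # record_size_limit: 16385 (RFC 8449)
]))

def parse_client_hello(data: bytes) -> dict:
    """Parse one TLS handshake record as a ClientHello and return the fields
    worth diffing between two clients: cipher suites, SNI, extension types."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs_len = int.from_bytes(data[6:9], "big")
    if rec_len != hs_len + 4 or len(data) < 5 + rec_len:
        raise ValueError("truncated or inconsistent record lengths")
    body = data[9:9 + hs_len]
    pos = 2 + 32                                    # skip legacy version and random
    pos += 1 + body[pos]                            # skip session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                            # skip compression methods
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    exts, sni, limit = [], None, None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        exts.append(etype)
        if etype == 0 and len(edata) >= 5:          # server_name: first host_name entry
            sni = edata[5:5 + struct.unpack("!H", edata[3:5])[0]].decode("ascii", "replace")
        elif etype == 28 and elen == 2:             # record_size_limit
            limit = struct.unpack("!H", edata)[0]
    return {"cipher_suites": suites, "sni": sni, "extensions": exts, "record_size_limit": limit}

def hello_diff(working: bytes, failing: bytes) -> dict:
    """Fields that differ between a working client's hello and a failing client's hello."""
    a, b = parse_client_hello(working), parse_client_hello(failing)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}
```

Feed it the first TLS record of each client's capture (for example exported from Wireshark as raw bytes); anything listed by `hello_diff` is a concrete thing to check against the decryption profile's protocol and cipher settings.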

Hi

Appreciate the answer, and it was what I had expected. I usually reply that maybe PA should stop selling the A/A solution!

From memory, when we did test, a person installed Chrome, but I think the underlying SSL is done by the OS, not the browser.
