Inbound SSL decryption - Digicert


If inbound SSL inspection when using a Digicert certificate is not supported, what is the alternative? We have many web servers using the same wildcard cert used for GlobalProtect and wanted to use this same certificate, but it doesn't work. Is there any other mechanism to implement inbound SSL inspection?


Hi @raji_toor 

You have now reached a point where it is at least possible that something on the firewall is not compatible with the F5. So at this point I would recommend opening a support case and then continuing with the following troubleshooting (these logs will also be required in the support case).

Obviously you need to change the IPs and maybe also the port, depending on your configuration.

  • clear counter global
  • debug dataplane packet-diag clear all
  • debug dataplane packet-diag clear log log
  • debug dataplane packet-diag set filter match source 1.1.1.1 destination 2.2.2.2 destination-port 443 protocol 6
  • debug dataplane packet-diag set log feature proxy basic
  • debug dataplane packet-diag set log feature flow basic
  • debug dataplane packet-diag set log on
  • debug dataplane packet-diag set capture on

Then you connect to the VIP with decryption enabled and right after that enter the following command. In the output, maybe you already see a specific counter which could lead to the reason for the problem.

  • show counter global filter packet-filter yes

Try to connect a second time and then stop the logging and capture.

  • debug dataplane packet-diag set log off
  • debug dataplane packet-diag set capture off

Then aggregate the logs. The output of the command will show you the filename that you need to analyze.

  • debug dataplane packet-diag aggregate-logs

Prior to analyzing the logfile, start now with generating a tech support file (for the support case).

Maybe for analysis you want to copy the logfile away from the firewall to open it in a text editor, but of course you can also view it in the CLI. About here I don't know what to do exactly; I would scroll through the logs to find something that maybe shows the reason why the TLS handshake fails after the client hello.

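The reply above ends with scrolling through the capture for a clue about why the handshake stalls after the ClientHello, and the question asks whether the shared wildcard certificate can serve inbound inspection. As an added example (not from the thread and not Palo Alto Networks code), the Python below parses a TLS ClientHello record as it would appear in such a capture, pulls out the SNI, the offered cipher suites and the supported_versions list, and checks the SNI against a wildcard name using the one-label rule of RFC 6125. The ClientHello bytes, the host names and all function names are constructed for the example.

```python
"""Inspect a captured TLS ClientHello and check its SNI against a wildcard certificate name.

Added example, not from the LIVEcommunity thread. When inbound decryption stalls right
after the ClientHello, the things worth reading out of the captured record are the SNI
(does it match the certificate on the decryption policy?), the offered cipher suites and
the supported_versions extension (does the client offer anything the profile allows?).
"""
import struct

SNI_EXT = 0x0000
SUPPORTED_VERSIONS_EXT = 0x002B


def build_client_hello(sni: str, cipher_suites, versions=(0x0303,)) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello (constructed test input)."""
    random_bytes = bytes(32)  # all-zero random is fine for exercising a parser
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    name = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
    sni_ext = struct.pack("!HH", SNI_EXT, len(sni_entry) + 2) + struct.pack("!H", len(sni_entry)) + sni_entry
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(vers) + 1) + bytes([len(vers)]) + vers
    exts = sni_ext + sv_ext
    hello = (struct.pack("!H", 0x0303) + random_bytes + b"\x00"      # legacy_version, random, empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                                          # one compression method: null
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record: bytes) -> dict:
    """Return legacy version, cipher suites, SNI and supported_versions from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 0
    legacy_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip client random
    pos += 1 + hello[pos]                           # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                           # skip compression methods
    result = {"legacy_version": legacy_version, "cipher_suites": suites, "sni": None, "supported_versions": []}
    if pos + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == SNI_EXT:
                list_len = struct.unpack("!H", edata[:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:
                    ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:
                        result["sni"] = edata[q:q + nlen].decode("ascii")
                    q += nlen
            elif etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]
                result["supported_versions"] = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
    return result


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' covers exactly one leftmost label, never the bare domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                            # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def check_hello_against_cert(record: bytes, cert_names) -> list:
    """Findings that explain why a decryption policy keyed on this certificate may not apply."""
    hello = parse_client_hello(record)
    findings = []
    if hello["sni"] is None:
        findings.append("no SNI: the firewall cannot select the certificate by name")
    elif not any(wildcard_matches(n, hello["sni"]) for n in cert_names):
        findings.append(f"SNI {hello['sni']} matches none of {list(cert_names)}")
    return findings


if __name__ == "__main__":
    sample = build_client_hello("www.example.com", [0xC02F, 0x1301], versions=(0x0304, 0x0303))
    print(parse_client_hello(sample))
    print(check_hello_against_cert(sample, ["*.example.com"]))
    print(check_hello_against_cert(build_client_hello("a.b.example.com", [0xC02F]), ["*.example.com"]))
```

A ClientHello for a host two labels below the wildcard (a.b.example.com) produces a finding, which is the mismatch that keeps a single wildcard certificate from covering every server behind one VIP; the parsed supported_versions list tells you whether the client leads with TLS 1.3, which you can then compare with what the decryption profile allows.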