Inbound SSL decryption - Digicert

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Inbound SSL decryption - Digicert

L4 Transporter

If inbound SSL inspection when using Digicert certificate is not supported, what is the alternative. We have many web-servers using same wildcard cert used for GlobalProtect and wanted use this same certificate but it doesn't work. Is there any other mechanism to implement inbound SSL inspection.

15 REPLIES 15

Hi @raji_toor 

You now reached a point where it is at least possible, that something on the firewall ist not compatible with the F5. So at this point I would recommend to open a support case and then continue with the following troubleshooting (these logs will also be required in the support case). 

Obbiously you need to change the IPs and maybe also the port, depending on your configuration

  • clear counter global
  • debug dataplane packet-diag clear all
  • debug dataplane packet-diag clear log log
  • debug dataplane packet-diag set filter match source 1.1.1.1 destination 2.2.2.2 destination-port 443 protocol 6
  • debug dataplane packet-diag set log feature proxy basic
  • debug dataplane packet-diag set log feature flow basic
  • debug dataplane packet-diag set log on
  • debug dataplane packet-diag set capture on

Then you connect to the VIP with decryption enabled and right after that enter the following command. In the output, maybe you already see a specific counter which could lead to the reason of the problem

  • show counter global filter packet-filter yes

Try to connect a second time and then stop the logging and capture

  • debug dataplane packet-diag set log off
  • debug dataplane packet-diag set capture off

Then aggregate the logs. The output of the command will show you the filename that you need to analyze

  • debug dataplane packet-diag aggregate-logs

Prior to analyze the logfile start now with generating a techsupportfile (for the supportcase)

Maybe for analysis you want to copy the logile away from the firewall to open it in a texteditor but of course you can also view it in cli. About here I don't know what to do exactly, I would scroll through the logs to find something that maybe shows the reason why the TLS handshake fails after the client hello.

 

  • 9437 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!