
Virtual Server Issue with PassThrough TLS profile #3398

Closed
chiluintel49 opened this issue May 1, 2024 · 6 comments

Comments


chiluintel49 commented May 1, 2024

Setup Details

CIS Version : 2.15.1
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: BIG-IP 16.1.3.1 Build 0.0.11 Point Release 1
AS3 Version: 3.x
Agent Mode: AS3/CCCL
Orchestration: K8S/OSCP
Orchestration Version:
Pool Mode: Nodeport
Additional Setup details: <Platform/CNI Plugins/ cluster nodes/ etc>

Description

After creating a virtual server using passthrough mode we intermittently see that F5 tries to intercept the SSL traffic and displays a certificate from the default client profile (localdomain.localhost).

Steps To Reproduce

1. Create an application on Kubernetes which has its own keystore with certs in it, is accessible via browser and is exposed via NodePort.
2. Create a virtual server using the passthrough TLSProfile (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/customResource/VirtualServerWithTLSProfile/passthrough/passthrough_tls.yaml).
3. Constantly hit the URL by closing and reopening it.

Expected Result

No SSL/TLS cert error, not even intermittently.

Actual Result

Intermittently we are seeing it.

Diagnostic Information

<Configuration files, error messages, logs>
Note: Sanitize the data. For example, be mindful of IPs, ports, application names and URLs
Note: The following F5 article outlines the information required when opening an issue.
https://support.f5.com/csp/article/K60974137

Observations (if any)
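A way to run step 3 of the reproduction above systematically and count how many handshakes present a certificate other than the application's own, as an added example that is not part of this issue or of CIS. It assumes the openssl CLI is installed; the virtual server address, port, SNI name and expected CN are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example (not from the issue or from CIS): open a fresh TLS
# connection to the passthrough VS repeatedly and count handshakes whose
# leaf certificate CN is not the application's own. Assumes the openssl
# CLI; host/port/SNI/expected CN are placeholders given on the command line.

# Reduce an "openssl x509 -subject -nameopt RFC2253" line to the CN value.
extract_cn() {
    sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# One handshake: print the CN of the certificate the VS presented,
# or NO_CERT when no certificate could be read (handshake failed).
probe_cn() {
    host=$1; port=$2; sni=$3
    cn=$(openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
        | extract_cn)
    printf '%s\n' "${cn:-NO_CERT}"
}

# Read one CN per line on stdin; print "<unexpected> <total>".
count_unexpected() {
    want=$1
    awk -v want="$want" '{ n++; if ($0 != want) bad++ } END { printf "%d %d\n", bad+0, n+0 }'
}

# probe_loop <count> <host> <port> <sni> <expected_cn>
# Every iteration is a new connection (the "close and reopen" of step 3);
# each CN seen is echoed to stderr, the summary goes to stdout.
probe_loop() {
    count=$1; host=$2; port=$3; sni=$4; want=$5
    i=0
    while [ "$i" -lt "$count" ]; do
        probe_cn "$host" "$port" "$sni"
        i=$((i + 1))
    done | tee /dev/stderr | count_unexpected "$want"
}

# Usage: sh probe.sh 50 <vip-placeholder> 443 app.example.test app.example.test
if [ $# -ge 5 ]; then
    probe_loop "$@"
fi
```

A non-zero first number in the summary means the VS presented a certificate with a different CN (for example the default client profile's) on that many connections.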

@chiluintel49 chiluintel49 added bug untriaged no JIRA created labels May 1, 2024

trinaths commented May 3, 2024

@chiluintel49 Please share the CIS configuration, error log and steps to reproduce this issue with automation_toolchain_pm@f5.com


trinaths commented May 3, 2024

Created [CONTCNTR-4711] for internal tracking.

@trinaths trinaths added JIRA and removed untriaged no JIRA created labels May 3, 2024
@trinaths
Contributor

@chiluintel49
/Common/clientssl is only added when there is only one passthrough VS with a unique IP address, as it is required by the CIS traffic-handling iRule, and it doesn't impact any traffic flow in the case of passthrough.

We verified with a VS combination of passthrough, reencrypt and edge sharing the same IP address: we do not add any /Common/clientssl and everything works as expected.

@trinaths
Contributor

For Virtual Servers configured with passthrough termination, CIS adds a default client SSL profile, as AS3 schema requires a default client SSL profile for any HTTPS Virtual Server. Although BIG-IP does not use it to offload SSL for passthrough termination, it may use it intermittently.

@chiluintel49
Author

@trinaths Thanks for the reply, but your statement is a little contradictory.
Are you saying a virtual server with a passthrough TLSProfile does not work when applied via CIS?

@shawky90

@trinaths would you please provide more details about the proposed workaround to avoid issue reproduction?
