Software Service with F5

Hello,

Here is the general network path for an application we need to monitor.


  • User - TCP 443 to F5
  • F5 decrypts TCP 443 traffic, injects a string of data, encrypts with TCP 444, forwards to server.

How would I create the software service for this application?

Here is what I did, but I don't think it is giving me what I need.


  • App(F5) - HTTPS analyzer - ipaddr:443
  • App(server) - HTTPS analyzer - ipaddr:444

Problem 1

App(F5) shows 0 Server bytes, xxx Client bytes.
App(server) shows xxx Server bytes, 0 Client bytes.

Problem 2

How do I track the entire conversation from User to F5 to Server?

If I use the Advanced Option under Service Details, I can only assign the NLB NAT masking address (F5?) and not the Port.

If you need any other information to help me resolve this, let me know.

Update:

When I run rcmd show ssldecr keys, the status for this key is status: OK (read)>. Other keys displayed for this command show as status: OK (matched)>. What's the difference?

Also, rcmd show ssldecr status, shows Finished sessions not decrypted=2406 (100% of all finished sessions).

Thanks and God bless,

Genesius


Babar_Qayyum
Leader

Hello Genesius,

All of the detected encrypted protocols are listed together with their matching keys, if they are seen in the traffic. You can see whether the key exchange was successful; the matched keys are indicated by the Key icon. Key and certificate matching enables you to verify that certificates were found and were valid. No matching may indicate that the certificates are out of date, or an OK status with read.

If the traffic is offloading on the LB then you should use the HTTP analyzer for the application.

Regards,

Babar

cosmin_gherghel
Dynatrace Pro

Hi Genesius,

Can you paste the entire output of the rcmd show ssldecr status command? My first thought is that you are only seeing one side of the traffic and cannot decrypt because it doesn't see the SSL handshake.

@Cosmin G.

Here is the output you requested. I have to post as two separate comments (exceeds 200 character limit).

I wish there was a document that would explain what each line in this output means, as well as where to start to resolve the issue. BTW, what is the time frame for this output: last interval/hour/day/since rebooted?

CONFIGURATION: Engine:openssl(thread) status:OK
Keys recognized=3 not recognized=1
Engine states: blocked=0, initializations=1
SESSIONS:
Total number of sessions=537528 (inProgress=395 Finished=537133)
SSL protocol version breakdown per number of sessions:
supported versions: ssl3.0=0 tls1.0=134769 tls1.1=0 tls1.2=1
unsupported versions: ssl2.0=0 other versions=0 no version info=397981
Long handshakes=120818 Short handshakes=13934 Compressed sessions=0 SessionTkt reused=0 SessionId reused=14284
TLS Session Hash Extension detected: 0
Finished sessions decrypted with no errors=46677 (8% of all finished sessions)
Sessions in progress decrypting with no errors=43 (10% of all sessions in progress)
Finished sessions decrypted partially=1 (0% of all finished sessions)
with a packet lost during payload data exchange=1
with a corrupted payload data packet=0
with decryption failed during payload data exchange=0
terminated by alert during payload data exchange=0

Thanks and God bless,
Genesius

@Cosmin G.

Finished sessions not decrypted=490455 (91% of all finished sessions)
with no private key found=0 (new sessions=0 reused sessions=0)
with a packet lost during handshake=24 (new sessions=24 reused sessions=0)
with a corrupted handshake packet or incorrect handshake sequence=58259 (new sessions=58259 reused sessions=0)
with decryption broken during handshake=5 (new sessions=5 reused sessions=0)
with unsupported SSL version=0 (ssl2.0=0 otherVersions=0)
with unsupported SSL feature=18 (unsupported cipher=18 server key exchange=0)
with compression errors=0 (unsupported compression=0, cannot decompress control records=0 data records=0)
with RSA decryption failed=0, RSA invocations blocked=0 (new sessions=0 reused sessions=0)
reused sessions with no matching master session seen before=5446
with incomplete SSL handshake=0 (new sessions=0 reused sessions=0)
closed without data=38689
with invalid 'Hello' packet client=0, server=0
terminated by alert during handshake=0
reuse errors when PMS identified with session id=5871, with session ticket=0
session not seen from the beginning=287430
with other errors=100584
Supplemental Data detected, server=0 client=0
CERTIFICATES:
total server-certificate pairs=8
parsed properly=8 (matched=8 matching failed=0 not used=0)
parsing errors=0 (decode=0 extract=0 RSAerror=0)
RSA DECRYPTOR INTERNAL DIAGNOSTICS:
init/init errors (i=)44418/0
finalize/finalize errors (f=)44418/0
cancel/cancel errors (c=)12/0
parallel curr/avg/max (p=)4294967284/96689/4294967295
find key for cert init/fini/cancel/matched(f=)85/81/4/2
decryption finalize timeout=0
PMS CACHE INTERNAL DIAGNOSTICS:
entries added (a=)226349 (asInitialized=44391 asUninitialized=5253 withErrorCode=176705)
entries changed (c=)29363 (toInitialized=27 toUninitialized=0 toError=29336)
entries deleted (d=)191454
total entries in cache (n=)34895
SESSIONS ON HOLD DIAGNOSTICS:
total: 5522 max: 8 current: 0
PMS found: 6 not found: 5516

Thanks and God bless,
Genesius

@Cosmin G.

I apologize for breaking this up into a Comment and an Answer, but the forum would not accept the second comment to your answer. 😞

Thanks and God bless,
Genesius


Hi Genesius,


This is most likely caused by the traffic quality. I can see that 91% of sessions are not decrypted due to the following reasons.

  • with a corrupted handshake packet or incorrect handshake sequence=58259
  • reused sessions with no matching master session seen before=5446
  • session not seen from the beginning=287430
  • with other errors=100584


This seems to indicate that the traffic cannot be decrypted because there is no complete SSL handshake. Verify that, however traffic is sent to the AMD, it includes both client and server communication.
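A small parser, added here as an example and not part of this thread or of any Dynatrace tooling, that reads the rcmd show ssldecr status output posted above and ranks the not-decrypted reasons the way the reply groups them. Which counters count as "the AMD never saw a complete handshake" is this example's own interpretation of the counter names, and the sample text is constructed from the numbers in the thread.

```python
import re
# Constructed sample shaped like `rcmd show ssldecr status` (counts from the post above).
SAMPLE = """\
SESSIONS:
Total number of sessions=537528 (inProgress=395 Finished=537133)
Finished sessions not decrypted=490455 (91% of all finished sessions)
with no private key found=0 (new sessions=0 reused sessions=0)
with a corrupted handshake packet or incorrect handshake sequence=58259 (new sessions=58259 reused sessions=0)
with unsupported SSL feature=18 (unsupported cipher=18 server key exchange=0)
reused sessions with no matching master session seen before=5446
session not seen from the beginning=287430
with other errors=100584
CERTIFICATES:
"""
COUNTER = re.compile(r"^(?P<name>[^=]+?)=(?P<count>\d+)")
# Reasons read as "no complete handshake was seen"; grouping is this example's own assumption.
CAPTURE_REASONS = {
    "session not seen from the beginning",
    "reused sessions with no matching master session seen before",
    "with a corrupted handshake packet or incorrect handshake sequence",
}

def parse_status(text):
    # Returns finished total, not-decrypted total and percentage, and every
    # non-zero reason counter listed under "Finished sessions not decrypted".
    stats = {"finished": 0, "not_decrypted": 0, "reasons": {}}
    in_reasons = False
    for line in (ln.strip() for ln in text.splitlines()):
        m = COUNTER.match(line)
        if line.startswith("Total number of sessions"):
            stats["finished"] = int(re.search(r"Finished=(\d+)", line).group(1))
        elif line.startswith("Finished sessions not decrypted"):
            stats["not_decrypted"] = int(m.group("count"))
            in_reasons = True  # the per-reason breakdown follows this line
        elif in_reasons and line.endswith(":"):
            break  # next section header (CERTIFICATES:) ends the breakdown
        elif in_reasons and m and int(m.group("count")) > 0:
            stats["reasons"][m.group("name").strip()] = int(m.group("count"))
    stats["pct"] = round(100 * stats["not_decrypted"] / max(stats["finished"], 1))
    return stats

def diagnose(stats):
    # "capture" means the feed to the AMD lacks handshakes; fix that before keys.
    ranked = sorted(stats["reasons"].items(), key=lambda kv: -kv[1])
    if ranked and ranked[0][0] == "with no private key found":
        return "missing-key", ranked
    capture = sum(c for name, c in ranked if name in CAPTURE_REASONS)
    return ("capture" if capture > stats["not_decrypted"] / 2 else "other"), ranked
```

Run against the sample it reports 91% not decrypted with "session not seen from the beginning" on top and a "capture" verdict, matching the reply's reading of the output.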

@Cosmin G.

I discovered that our security team had been decrypting the traffic going to the F5 and then re-encrypting it. They're using DH for the re-encryption. I will set up an SSL analyzer for that traffic and see what happens.

Thanks and God bless,
Genesius

Hello Genesius,

Please keep in mind that only RSA public key cryptography and key exchange are supported; DSA, Diffie-Hellman and Fortezza are unsupported.

Have a look at the link below to see the list of all supported and conditionally supported ciphers on your AMD:

https://community.dynatrace.com/community/display/DCRUMDOC/SSL+support

Regards,

Babar

@Babar Q.

I knew about DH, but not DSA or Fortezza. Thanks for the info.

Thanks and God bless,
Genesius