Closed chiluintel49 closed 5 days ago
@chiluintel49 Please share the CIS configuration, error log, and steps to reproduce this issue with automation_toolchain_pm@f5.com
Created [CONTCNTR-4711] for internal tracking.
@chiluintel49 /Common/clientssl is only added when there is a single passthrough VS with a unique IP address, as it is required by the CIS traffic-handling iRule, and it doesn't impact any traffic flow in the case of passthrough.
We verified with a combination of passthrough, reencrypt, and edge VSs sharing the same IP address: we do not add any /Common/clientssl, and everything works as expected.
For Virtual Servers configured with passthrough termination, CIS adds a default client SSL profile, as AS3 schema requires a default client SSL profile for any HTTPS Virtual Server. Although BIG-IP does not use it to offload SSL for passthrough termination, it may use it intermittently.
@trinaths Thanks for the reply, but your statement is a little contradictory. Are you saying a virtual server with a passthrough TLS profile does not work when applied via CIS?
@trinaths would you please provide more details about the proposed workaround to avoid issue reproduction?
Setup Details
CIS Version : 2.15.1 Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: BIG-IP 16.1.3.1 Build 0.0.11 Point Release 1
AS3 Version: 3.x
Agent Mode: AS3/CCCL
Orchestration: K8S/OSCP
Orchestration Version:
Pool Mode: Nodeport
Additional Setup details: <Platform/CNI Plugins/ cluster nodes/ etc>
Description
After creating a VirtualServer using passthrough mode, we intermittently see that F5 tries to intercept the SSL traffic and displays a certificate from the default client profile (localdomain.localhost).
Steps To Reproduce
1) Create an application on Kubernetes which has its own keystore with certs in it, is accessible via browser, and is exposed via NodePort
2) Create a VirtualServer using the passthrough TLSProfile (https://github.com/F5Networks/k8s-bigip-ctlr/blob/2.x-master/docs/config_examples/customResource/VirtualServerWithTLSProfile/passthrough/passthrough_tls.yaml)
3) Constantly hit the URL by closing and reopening the URL
Expected Result
No SSL/TLS cert error, not even intermittently.
Actual Result
Intermittently we are seeing it.
Diagnostic Information
Observations (if any)
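Step 3 of the repro ("constantly hit the URL by closing and reopening") is hard to do reliably by hand, and a browser only shows the warning once per session. The script below is an added example, not part of the original issue or of the CIS project: it opens a fresh TLS connection on every attempt, always sending SNI (a passthrough VS routes on the ClientHello SNI), records the SHA-256 fingerprint of the leaf certificate each connection receives, and flags any attempt where the fingerprint differs from the application's own certificate. The hostname `vs.example.invalid`, the port, and the scripted fingerprints in `main` are placeholders; the run in `main` uses a constructed fake fetcher so the block executes offline.

```python
"""Probe a passthrough VS repeatedly and report which leaf certificate is served.

Added example for this issue; not the CIS project's code. Standard library only.
"""
import hashlib
import socket
import ssl
from collections import Counter
from typing import Callable, Dict, List


def pem_fingerprint(pem_cert: str) -> str:
    """SHA-256 hex fingerprint of a PEM certificate (e.g. the app's own cert)."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def fetch_leaf_fingerprint(host: str, port: int, sni: str, timeout: float = 5.0) -> str:
    """Open ONE new TLS connection, read the leaf cert, close the connection.

    Verification is disabled on purpose: we want to see whatever certificate
    the BIG-IP hands back, including one that would fail validation.
    SNI is always sent because passthrough routing keys on it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def probe_passthrough(host: str, port: int, sni: str, expected_fp: str,
                      attempts: int = 50,
                      fetch: Callable[[str, int, str], str] = fetch_leaf_fingerprint) -> Dict:
    """Connect `attempts` times and report every attempt whose leaf cert is not
    the expected one (i.e. something other than the app's cert was served)."""
    seen: Counter = Counter()
    mismatches: List[int] = []
    errors: List = []
    for i in range(1, attempts + 1):
        try:
            fp = fetch(host, port, sni)
        except (OSError, ssl.SSLError) as exc:  # connection reset, handshake failure, ...
            errors.append((i, repr(exc)))
            continue
        seen[fp] += 1
        if fp != expected_fp:
            mismatches.append(i)
    return {
        "attempts": attempts,
        "seen": dict(seen),           # fingerprint -> how often it was served
        "mismatches": mismatches,     # attempt numbers that got a foreign cert
        "errors": errors,
        "intercepted": bool(mismatches),
    }


def make_scripted_fetch(sequence: List) -> Callable[[str, int, str], str]:
    """Constructed stand-in for fetch_leaf_fingerprint: returns the scripted
    fingerprints in order; an Exception entry is raised instead of returned."""
    items = list(sequence)

    def fake_fetch(host: str, port: int, sni: str) -> str:
        item = items.pop(0)
        if isinstance(item, Exception):
            raise item
        return item
    return fake_fetch


def main() -> None:
    # Constructed sample: the app's cert on most attempts, a foreign cert on
    # attempts 3 and 7 (what an intermittent default-profile cert looks like).
    app_fp, other_fp = "a" * 64, "b" * 64
    script = [other_fp if i in (3, 7) else app_fp for i in range(1, 11)]
    report = probe_passthrough("vs.example.invalid", 443, "vs.example.invalid",
                               app_fp, attempts=10, fetch=make_scripted_fetch(script))
    print(report)
    # Against a real VS (network access, placeholder host and cert path):
    # expected = pem_fingerprint(open("app.crt").read())
    # print(probe_passthrough("vs.example.invalid", 443, "vs.example.invalid", expected))


if __name__ == "__main__":
    main()
```

If `mismatches` is non-empty, the `seen` map gives the fingerprint of the foreign certificate; comparing it against the BIG-IP's default certificate confirms whether the default client-ssl profile is the one answering, and the attempt numbers show how intermittent it is.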