F5 Big-IP to Azure App Gateway Cipher Exchange Issues

From UVOO Tech Wiki
Revision as of 17:00, 26 February 2022 by Busk (talk | contribs) (Busk moved page F5 Big IP Azure Cipher Issues to F5 Big-IP to Azure App Gateway Cipher Exchange Issues without leaving a redirect )

An F5 Big-IP 14.x issue between an F5 Big-IP virtual server and an Azure Application Gateway (AGW).

Interconnected systems have more interconnected issues. Limiting the scope of configurations is one way to prevent functionality and performance problems, and that seems to be the case with the Prod AGW and Prod F5. It is possible that this is fixed in 15.x or 16.x, but there is nothing in the release notes I could find.

To stop the TCP RST/ACKs the F5 sends after a failed cipher negotiation between the F5 Big-IP and the Azure AGW, we are going to change the server SSL profile on the F5 virtual server.

Ordering the ciphers by strength puts ECDHE-RSA-AES256-GCM-SHA384 at the top of the list, which is what we want. This may raise CPU load somewhat, but it increases encryption strength and may prevent SSL cipher negotiation failures, at least with the Azure App Gateway.

Let's look at what the Azure AGW offers. The list is limited, which is good: the ciphers it leaves out are a decade old, and supporting old ciphers for the sake of old applications exposes your network to risk.

echo quit | openssl s_client -connect az-agw.example:443 2>/dev/null | grep -i cipher
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

Top cipher of the current server SSL profile on the virtual server:

tmm --serverciphers 'DEFAULT' | sed 1d | awk '{print $3}' | head -n 1

ECDHE-RSA-AES128-GCM-SHA256

Now, with our change, look at what the top cipher is:

# tmm --serverciphers 'DEFAULT:@STRENGTH' | sed 1d | awk '{print $3}' | head -n 1
ECDHE-RSA-AES256-GCM-SHA384

You can modify your backend server SSL profile to order its ciphers by strength with a command like this:

tmsh modify /ltm profile server-ssl backend-server-ssl-profile ciphers 'DEFAULT:@STRENGTH'

Run your test. We allow spoofing here for SNIs, but you don't need to use the --resolve option if you don't want to. 10.x.x.y is the F5 Big-IP LTM virtual server IP.

seq 1000 | xargs -n 1 -P 60 bash -c "curl https://www.example.com/path/health --resolve www.example.com:443:10.x.x.y -s | grep -i health > /dev/null || echo 1"
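The openssl and tmm checks above can be combined into one script that tells you whether the cipher the AGW negotiates is offered by the server SSL profile at all, and at what position. This is an added example, not part of the wiki page or an F5 tool; it runs offline against constructed sample output, and assumes the tmm column layout that the page's `sed 1d | awk '{print $3}'` pipeline relies on. The `live_check` function shows the same comparison against a real peer from the Big-IP shell.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page: check whether the cipher a peer
# (here the Azure AGW) negotiates is offered by an F5 server-ssl profile,
# and at what position. Runs offline against the constructed samples below.
set -eu

# Constructed sample of `tmm --serverciphers 'DEFAULT:@STRENGTH'` output, in the
# column layout the page's `sed 1d | awk '{print $3}'` pipeline relies on.
TMM_SAMPLE='       ID  SUITE                        BITS PROT   METHOD CIPHER  MAC    KEYX
 0:  49200  ECDHE-RSA-AES256-GCM-SHA384  256  TLS1.2 Native AES-GCM SHA384 ECDHE_RSA
 1:  49199  ECDHE-RSA-AES128-GCM-SHA256  128  TLS1.2 Native AES-GCM SHA256 ECDHE_RSA
 2:     47  AES128-SHA                   128  TLS1.2 Native AES     SHA    RSA'

# Constructed sample of `openssl s_client` output for the AGW endpoint.
SCLIENT_SAMPLE='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# profile_ciphers: tmm output on stdin -> one suite name per line, in offer order
profile_ciphers() { sed 1d | awk '{print $3}'; }

# negotiated_cipher: s_client output on stdin -> the suite the peer negotiated
negotiated_cipher() { sed -n 's/^New, [^,]*, Cipher is //p' | sed -n 1p; }

# cipher_rank NAME: 1-based position of NAME in the list on stdin, 0 if absent
cipher_rank() { awk -v want="$1" 'BEGIN{r=0} $0==want && !r {r=NR} END{print r}'; }

# check_overlap TMM_OUTPUT SCLIENT_OUTPUT: prints "rank N SUITE" on success,
# or "MISSING SUITE" with exit status 1 when the profile never offers it
check_overlap() {
  local peer rank
  peer=$(printf '%s\n' "$2" | negotiated_cipher)
  rank=$(printf '%s\n' "$1" | profile_ciphers | cipher_rank "$peer")
  if [ "$rank" -eq 0 ]; then echo "MISSING $peer"; return 1; fi
  echo "rank $rank $peer"
}

# live_check HOST CIPHER_STRING: the same comparison against a real peer, run
# on the Big-IP itself (needs tmm and openssl there); not executed here.
live_check() {
  check_overlap "$(tmm --serverciphers "$2")" \
    "$(echo quit | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null)"
}

check_overlap "$TMM_SAMPLE" "$SCLIENT_SAMPLE"   # prints: rank 1 ECDHE-RSA-AES256-GCM-SHA384
```

A rank greater than 1 means the F5 would offer weaker suites ahead of the one the AGW prefers; `MISSING` means the two sides share no cipher and the handshake will fail the way the page describes.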