715 Views, 0 Helpful, 1 Reply

Fronting Cisco ASA with F5 LTM performing TLS termination

watcher602
Level 1

All,

We have a very old Cisco ASA providing AnyConnect VPN access which is (finally) being replaced in the near future; however, as it only supports TLS 1.0, we are attempting to front the ASA on HTTPS with an F5 LTM virtual server (i.e. a reverse proxy). If we do not terminate the TLS on the F5 we can connect without issue; however, if we implement client and server side SSL profiles (so the TLS session from the client is terminated on the F5 and then re-encrypted between the F5 and the ASA) we can connect, but within a few seconds it disconnects and reconnects (and then keeps disconnecting and reconnecting), with the AnyConnect client sending RST packets to terminate the session. Looking through the AnyConnect event log, it appears this is the key message:

Function: CTlsTunnelMgr::OnTunnelReadComplete
File: c:\temp\build\thehoff\phoenix_mr40.309462210759\phoenix_mr4\vpn\agent\tlstunnelmgr.cpp
Line: 1941
Invoked Function: CTunnelStateMgr::readTunnel
Return Code: -31653866 (0xFE1D0016)
Description: CSTPPROTOCOL_ERROR_FRAME_SIZE_MISMATCH
callback

Interestingly, OpenConnect apparently works without issue.

While I realise what we are trying to do is a bit of a hack, does anyone have experience of fronting ASAs with a reverse proxy, or thoughts on how to get around the issue? F5 support so far have not offered any solutions - I was wondering whether, if the F5 were set up as a forward proxy, AnyConnect would stop baulking at the CSTP frame size mismatch.

Thanks in advance for any thoughts/ideas
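To make the CSTPPROTOCOL_ERROR_FRAME_SIZE_MISMATCH message in the log concrete, here is an added example (not from the post, from Cisco or from F5) that parses the CSTP framing layer carried inside the TLS tunnel and reports the two ways a proxy in the path can break it. The 8-byte header layout is an assumption taken from OpenConnect's implementation, and the sample frames are constructed, not captured traffic.

```python
import struct

# Assumed CSTP frame header (layout as implemented by OpenConnect):
# "STF", version 0x01, 16-bit big-endian payload length, packet type, reserved.
CSTP_MAGIC = b"STF\x01"
CSTP_HDR_LEN = 8
PKT_TYPES = {0: "DATA", 3: "DPD_OUT", 4: "DPD_RESP", 5: "DISCONNECT",
             7: "KEEPALIVE", 8: "COMPRESSED", 9: "TERM_SERVER"}


def build_frame(pkt_type: int, payload: bytes = b"") -> bytes:
    """Encode one CSTP frame (constructed test data, not captured traffic)."""
    return CSTP_MAGIC + struct.pack(">HBB", len(payload), pkt_type, 0) + payload


def parse_stream(buf: bytes, closed: bool = False):
    """Split reassembled TLS plaintext into CSTP frames.

    Returns (frames, leftover, error). A proxy that only re-segments TLS
    records leaves the byte stream intact, so a frame split across records
    is simply 'incomplete' until the rest arrives. An error is raised only
    when bytes were altered or injected (bad magic) or when the stream is
    closed in the middle of a frame (the declared length cannot be met,
    which is how a frame size mismatch shows up to the client).
    """
    frames, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < CSTP_HDR_LEN:
            return frames, buf[pos:], None                 # wait for more bytes
        hdr = buf[pos:pos + CSTP_HDR_LEN]
        if hdr[:4] != CSTP_MAGIC:
            return frames, buf[pos:], "bad magic: stream is not CSTP framed here"
        length, pkt_type, _ = struct.unpack(">HBB", hdr[4:])
        end = pos + CSTP_HDR_LEN + length
        if end > len(buf):
            if closed:
                got = len(buf) - pos - CSTP_HDR_LEN
                return frames, buf[pos:], (f"frame size mismatch: header declares "
                                           f"{length} payload bytes, only {got} arrived")
            return frames, buf[pos:], None                 # partial frame, keep waiting
        frames.append((PKT_TYPES.get(pkt_type, f"UNKNOWN({pkt_type})"),
                       buf[pos + CSTP_HDR_LEN:end]))
        pos = end
    return frames, b"", None
```

Feeding the decrypted client-side and server-side streams from the F5 through a parser like this shows whether the frames themselves are arriving intact, which separates a framing problem from a plain TLS re-segmentation.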

1 Reply

cisco.13
Level 1

Hello @watcher602 

Can you share your F5 profiles (tcp, persistence, monitor,...)?
