shane_caznet
New Member
April 27, 2015
Question

Loading Balancing and SSL Offloading Issue

  • April 27, 2015
  • 5 replies
  • 13341 views

Hi All

I've enabled load balancing on my Fortigate (running 5.2.2 642) and set up virtual servers / real servers for HTTPS, with SSL offloading and a trusted public certificate.

The certificate I've imported works well on a web server normally.

However, Firefox cannot connect to a website behind the load balanced virtual server with an error "The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."

My understanding is this is because of the ciphers being used.

Firefox tells me the site HTTPS session is using "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.1".

When this certificate is used with a direct connection to IIS, it uses "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 256 bit keys, TLS 1.2".

Am I on the right track with what the problem is here? I can't seem to find how to change the cipher etc. being used. Can anyone guide me in the right direction?

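One way to check the cipher question from the client side, as an added example that is not part of the original post and not a Fortinet tool: a Python 3 script (standard library only) that performs a TLS handshake against the virtual server and against the real server directly, records the negotiated protocol version, cipher suite and certificate names, flags weak choices such as the DHE/CBC/SHA-1 suite quoted above, and lists the differences between the two paths. The host names and addresses in it are constructed placeholders, not values from the thread.

```python
"""TLS negotiation probe (illustration added to this thread, not from the original poster).

Standard library only. Hosts below are constructed placeholders: put the
FortiGate virtual server address and the real server address in their place.
"""
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TlsProbeResult:
    host: str
    port: int
    ok: bool
    protocol: Optional[str] = None   # e.g. "TLSv1.2"
    cipher: Optional[str] = None     # OpenSSL name, e.g. "ECDHE-RSA-AES256-SHA"
    key_bits: Optional[int] = None
    subject: Optional[str] = None    # leaf certificate CN (only when verified)
    issuer: Optional[str] = None
    error: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def classify_cipher(cipher_name: str, protocol: Optional[str] = None) -> List[str]:
    """Return warnings for a negotiated suite. Accepts the IANA spelling Firefox shows
    (TLS_DHE_RSA_WITH_AES_128_CBC_SHA) and the OpenSSL spelling ssl returns (DHE-RSA-AES128-SHA)."""
    name = cipher_name.upper()
    warnings: List[str] = []
    if protocol in ("SSLv3", "TLSv1", "TLSv1.1"):
        warnings.append(f"legacy protocol {protocol}; TLS 1.2 or newer expected")
    tls13 = protocol == "TLSv1.3" or name.startswith(("TLS_AES_", "TLS_CHACHA20_"))
    if not tls13:  # TLS 1.3 suites always use an ephemeral (EC)DHE exchange
        if "ECDHE" not in name and "DHE" in name:
            warnings.append("finite-field DHE key exchange; prefer ECDHE")
        elif "ECDHE" not in name:
            warnings.append("static RSA key exchange; no forward secrecy")
    if not any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        warnings.append("CBC-mode cipher; prefer an AEAD suite")
    if name.endswith("SHA"):
        warnings.append("SHA-1 HMAC")
    if any(tag in name for tag in ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT")):
        warnings.append("obsolete cipher")
    return warnings


def probe_tls(host: str, port: int = 443, server_hostname: Optional[str] = None,
              verify: bool = True, timeout: float = 5.0) -> TlsProbeResult:
    """Open one TLS connection and record what was negotiated.

    server_hostname is the name sent in SNI and checked against the certificate;
    pass the certificate's DNS name when connecting to a VIP by IP address."""
    result = TlsProbeResult(host=host, port=port, ok=False)
    ctx = ssl.create_default_context()
    if not verify:                 # diagnostic mode: still handshake, skip chain checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
                result.protocol = tls.version()
                name, _openssl_ver, bits = tls.cipher()
                result.cipher, result.key_bits = name, bits
                cert = tls.getpeercert()   # empty dict when verify=False
                if cert:
                    result.subject = dict(r[0] for r in cert.get("subject", ())).get("commonName")
                    result.issuer = dict(r[0] for r in cert.get("issuer", ())).get("commonName")
                result.warnings = classify_cipher(name, result.protocol)
                result.ok = True
    except (ssl.SSLError, OSError) as exc:
        result.error = f"{type(exc).__name__}: {exc}"
    return result


def compare_results(vip: TlsProbeResult, direct: TlsProbeResult) -> List[str]:
    """List the fields where the load-balanced path differs from the direct path."""
    diffs = []
    for name in ("ok", "protocol", "cipher", "subject", "issuer"):
        a, b = getattr(vip, name), getattr(direct, name)
        if a != b:
            diffs.append(f"{name}: vip={a!r} direct={b!r}")
    return diffs


if __name__ == "__main__":
    # Placeholder targets (constructed); the real server is reached by IP, so the
    # certificate's DNS name is supplied separately for SNI and hostname checking.
    vip = probe_tls("vip.example.invalid", 443)
    direct = probe_tls("10.0.0.2", 443, server_hostname="vip.example.invalid")
    for r in (vip, direct):
        print(r.host, "ok" if r.ok else r.error, r.protocol, r.cipher, r.subject)
        for w in r.warnings:
            print("   warning:", w)
    for d in compare_results(vip, direct):
        print("difference:", d)
```

Run it once against the virtual server and once against the real server; if the direct path negotiates TLS 1.2 with ECDHE while the VIP negotiates TLS 1.1 with DHE, or the VIP handshake fails outright where the direct one succeeds, the difference is in the offload configuration rather than the browser. Running with `verify=False` still shows the negotiated suite when the chain is incomplete, which helps separate a cipher problem from a certificate problem.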
5 replies

emnoc
New Member
April 27, 2015

I doubt that's the issue ( ciphers )

What version of Firefox?

If the SSL offload is removed & applied to the server directly, does the error continue?

Is this error only seen with firefox clients?

& are we 100% sure the certificate imported is correct ( server-crt + private-key )?

shane_caznet
New Member
April 27, 2015

If I set the Fortigate Web UI to use the same certificate that I've imported, connectivity to it works fine. Firefox shows the connection details as using TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.2.

My real server (10.101.1.2) on port 443 responds correctly on that IP/Port with the Certificate.

If I configure a straight TCP virtual server for port 443 to the same IP/PORT as a real server, I get the same error discussed before.

We're using Firefox v 37.0.2.

If we try to access the virtual server using internet explorer the following error is shown:

"Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://abc.abc.abc.abc again. If this error persists, contact your site administrator."

Paul_S
New Member
April 30, 2015

If Internet Explorer shows an error too, then something is wrong with your setup.

Post your VIP CLI config.

Paul_S
New Member
April 30, 2015

Maybe this will help you.

Fortigate SSL Inspection - Load Balancer with ICMP http://www.paulscomputers...les/article.php?ID=300

Ameer
New Member
May 19, 2015

Can you post the URL that you are trying to access from Firefox?