shane_caznet
New Contributor

Load Balancing and SSL Offloading Issue

Hi All

I've enabled load balancing on my Fortigate (running 5.2.2 642) and set up virtual servers / real servers for HTTPS, with SSL offloading and a trusted public certificate.

The certificate I've imported works well on a web server normally.

However, Firefox cannot connect to a website behind the load balanced virtual server with an error "The page you are trying to view cannot be shown because the authenticity of the received data could not be verified."

My understanding is this is because of the ciphers being used.

Firefox tells me the site HTTPS session is using "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.1".

When this certificate is used with a direct connection to IIS, it uses "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 256 bit keys, TLS 1.2".

Am I on the right track with what the problem is here? I can't seem to find how to change the cipher etc. being used. Can anyone guide me in the right direction?

emnoc
Esteemed Contributor III

I doubt that's the issue ( ciphers )

What version of Firefox?

If the SSL offload is removed & applied to the server directly, does the error continue?

Is this error only seen with Firefox clients?

& are we 100% sure the certificate imported is correct ( server-crt + private-key )?

PCNSE 

NSE 

StrongSwan  
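A small diagnostic script for the two checks raised in this reply: whether the imported certificate and private key actually belong together, and what the VIP negotiates compared with the real server contacted directly (the same protocol/cipher/verification facts Firefox displays). This is an added example, not code from the thread or from Fortinet; it assumes the openssl command-line tool is installed, and the hostnames in the usage comments are placeholders.

```shell
#!/bin/sh
# Added diagnostic helpers (not from the thread or from Fortinet).
# Requires the openssl command-line tool.

# cert_key_match CERT.pem KEY.pem
# Succeeds (exit 0) when the public key inside the certificate is the key
# that the private key file produces; fails otherwise, or if either file
# is unreadable. Both keys are re-encoded by "openssl pkey" so the string
# comparison is canonical and works for RSA and ECDSA keys alike.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# tls_probe HOST PORT [SNI_NAME]
# Performs one handshake and prints the negotiated protocol version, the
# cipher suite and the chain verification result. Run it against the VIP
# and against the real server (10.101.1.2 in the thread) and compare the
# two outputs; a failed "Verify return code" points at the chain/key
# installed on the offloader rather than at the cipher list.
tls_probe() {
    host=$1; port=$2; sni=${3:-$1}
    printf '' | openssl s_client -connect "$host:$port" -servername "$sni" 2>/dev/null \
        | grep -E '^ *(Protocol|Cipher|Verify return code|Verification)'
}

# Usage when run as a script (hostnames are placeholders):
#   ./tlscheck.sh server.crt server.key        -> "match" or "MISMATCH"
#   ./tlscheck.sh probe vip.example.net 443    -> negotiated parameters
case "$1" in
    "")    ;;   # sourced or called without arguments: only define functions
    probe) tls_probe "$2" "$3" "$4" ;;
    *)     if cert_key_match "$1" "$2"; then echo match; else echo MISMATCH; fi ;;
esac
```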
shane_caznet
New Contributor

If I set the Fortigate Web UI to use the same certificate that I've imported, connectivity to it works fine. Firefox shows the connection details as using TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 128 bit keys, TLS 1.2.

My real server (10.101.1.2) on port 443 responds correctly on that IP/Port with the Certificate.

If I configure a straight TCP virtual server for port 443 to the same IP/PORT as a real server, I get the same error discussed before.

We're using Firefox v 37.0.2.

If we try to access the virtual server using Internet Explorer the following error is shown:

"Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://abc.abc.abc.abc again. If this error persists, contact your site administrator."

Paul_S
Contributor

If Internet Explorer shows an error too, then something is wrong with your setup.

Post your VIP CLI config.

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x                   [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5  |  Fortimail 5.3.11 Network+, Security+
Paul_S
Contributor

Maybe this will help you:

Fortigate SSL Inspection - Load Balancer with ICMP http://www.paulscomputers...les/article.php?ID=300

FG200D 5.6.5 (HA) - primary [size="1"]FWF50B' s 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x                   [Did my post help you? Please rate my post.][/size] FAZ-VM 5.6.5  |  Fortimail 5.3.11 Network+, Security+
Ameer
New Contributor

Can you post the URL that you are trying to access from Firefox?