TLS 1.3 full offloading not working

dhafer · ‎07-04-2021

Hi,

I have vms in a vlan and I am trying to support tls 1.3 load balancer with full offloading, but I can't get it to work (curl stuck then server no response).

Things I tested with same config:

- Virtual IP with tls 1.3 works.

- half offloading with tls1.3 works.

- if I change the config below to support tls 1.2 it works.

On the server side I have nginx with basic tls1.3 config (ssl_protocols TLSv1.3; + certificates setup)

In fortigate I've the certificates setup, and here's the load balancer config:

edit "MY_TLS_LOADBALANCER" set type server-load-balance set extip ------.12 set extintf "port1" set arp-reply enable set server-type https set nat-source-vip disable set gratuitous-arp-interval 0 set http-ip-header enable set http-ip-header-name '' set ssl-client-rekey-count 0 set ssl-hpkp disable set ssl-hsts disable set ldb-method static set persistence none set extport 443 config realservers edit 1 set ip 192.168.20.1 set port 443 set status active set holddown-interval 300 set healthcheck vip set max-connections 0 unset client-ip next end set http-multiplex disable set ssl-mode full set ssl-certificate "my_cert" set ssl-dh-bits 2048 set ssl-algorithm medium set ssl-server-algorithm medium set ssl-pfs require set ssl-min-version tls-1.3 set ssl-max-version tls-1.3 set ssl-server-min-version client set ssl-server-max-version client set ssl-send-empty-frags enable set ssl-client-fallback enable set ssl-client-renegotiation secure set ssl-client-session-state-type both set ssl-client-session-state-timeout 30 set ssl-client-session-state-max 1000 set ssl-server-session-state-type both set ssl-server-session-state-timeout 60 set ssl-server-session-state-max 100 set max-embryonic-connections 1000 next

and firewall rule

set name "TEST_LOCAL_TLS1.3" set srcintf "WAN" set dstintf "MY_VLAN" set srcaddr "all" set dstaddr "LOCAL_HTTPS" set action accept set schedule "always" set service "HTTPS" set inspection-mode proxy set ssl-ssh-profile "protect_server" set logtraffic all set capture-packet enable set fsso disable set tcp-mss-sender 1452 set tcp-mss-receiver 1452 set nat enable set match-vip enable next

I am attaching packet capture of internet facing interface (.34 client it .12 server ip)

and a packet capture of the vlan (192.168.20.1: vm ip, 192.168.254: fg ip)

Any idea what's wrong ?

Thanks and Regards

dhafer · ‎07-10-2021

Issue resolved after upgrading from 6.2.3 to 6.2.9

View solution in original post

dhafer · ‎07-10-2021

Issue resolved after upgrading from 6.2.3 to 6.2.9

boneyard · ‎07-17-2021

thanks for sharing

TLS 1.3 full offloading not working

Nominate a Forum Post for Knowledge Article Creation