Hi,
I suspect one of three issues, if the certificate is valid.
1. You implemented the VRRP cluster incorrectly.
You should configure (for instance) ETH2 on both gateways with IP addresses for VRRP communication: 172.31.5.x and 172.31.5.y.
After that, you should add the IP address on the same interface (ETH2) as the VIP for the web server: 172.31.5.66. Please remember about the alias. There you configure the inbound and outbound interface for the VIP. If you do both on the same ETH, then you have "proxy on the stick".
And the WAF should work well.

And the two most probable:
2. The problem is with the TLS version supported by the web server. Check the TLS version without the WAF. For instance, add "IndicateTLS" to the Firefox browser and check the TLS version. If your web server supports the older versions TLS 1.1 or TLS 1.0, then you can be sure that Imperva cannot connect to the server.
3. Check the time on the webserver, client's computer, and WAF. A difference of more than a few minutes causes incompatibility in the TLS protocol.
------------------------------
Karol Gruszczyński
IT Security Expert
Trafford IT
Warsaw
------------------------------
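The two checks suggested in points 2 and 3 above (which TLS versions the web server accepts when reached directly, and clock skew between the nodes), as an added Python example that is not part of the original post. The function names, the placeholder host and the sample `Date` headers are constructed for illustration, and the "nothing newer than TLS 1.1" rule is an assumption about how to read point 2; a `False` for TLS 1.0/1.1 can also mean the local OpenSSL build refuses those versions.

```python
import socket
import ssl
from email.utils import parsedate_to_datetime

# Versions to try, oldest first. Each handshake is pinned to exactly one.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_tls_versions(host, port=443, timeout=5.0):
    """Connect straight to the web server (bypassing the WAF), once per version."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False       # diagnostic probe: only the protocol
            ctx.verify_mode = ssl.CERT_NONE  # version is tested, not the certificate
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True
        except (OSError, ValueError):        # ssl.SSLError subclasses OSError
            results[name] = False
    return results

def legacy_only(results):
    """True if the server answered, but with nothing newer than TLS 1.1 (assumed rule)."""
    modern = results.get("TLSv1.2") or results.get("TLSv1.3")
    return any(results.values()) and not modern

def clock_skew_seconds(date_headers):
    """Largest difference between the HTTP Date headers of the given nodes."""
    times = [parsedate_to_datetime(value) for value in date_headers.values()]
    return (max(times) - min(times)).total_seconds()

# Constructed sample: Date headers collected from each node at the same moment.
SAMPLE_DATES = {
    "webserver": "Tue, 04 Mar 2025 10:00:00 GMT",
    "waf": "Tue, 04 Mar 2025 10:00:20 GMT",
    "client": "Tue, 04 Mar 2025 10:07:30 GMT",
}

if __name__ == "__main__":
    print("skew (s):", clock_skew_seconds(SAMPLE_DATES))
    found = probe_tls_versions("webserver.example")  # placeholder host name
    print(found, "legacy only:", legacy_only(found))
```

Run the probe from a host that can reach the web server without passing through the WAF, so the result reflects the server itself.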