Traffic not passing through network load balancer with TLS


Hi,

We are seeing traffic in our NLB access logs that does not have TLS cipher information (and 0 bytes). This traffic also does not appear to be routed through to our target instances. Example:

tls 2.0 2024-04-04T13:21:46 net/<nlb> dbe1c5df0beb1hex 77.101.80.129:56371 172.31.35.241:7655 3800 - 0 0 - - - - - - - - - - 2024-04-04T13:21:42

We suspect a problem with some of the third party hardware (EV Chargers) that are communicating with us but we need more information to share with the manufacturers. Restarting the chargers seems to resolve the problem so we are unable to ship the units locally or disconnect them to set up packet tracing.

Does anyone know what exactly would cause access logs on a TLS NLB with 0 bytes and no cipher info? Is it simply a case of failed/incomplete TLS?

Does anyone know of any way to further diagnose what the issue may be with this traffic? e.g. obtain packet captures?

I have turned on VPC flow logs but they do not appear to shed any light on the problem either.

Any thoughts/tips would be appreciated.

Thanks

asked a month ago, 74 views
1 Answer

So, it seems like those entries in the NLB access logs without TLS cipher info and 0 bytes transferred might be failed or incomplete TLS handshake attempts from the EV chargers. It's likely that the negotiation to establish an encrypted session didn't go through successfully. This could be because of issues either on the chargers' side or due to misconfigurations.

Since restarting the chargers temporarily resolves the problem, there might be some intermittent issues causing TLS failures.

To research this further, you can check out the AWS documentation for details on NLB access log fields. It could help you distinguish between incomplete connections and successful encrypted sessions.

Though AWS doesn't directly support packet captures, one option could be setting up a proxy or an intercepting proxy between the chargers and the NLB to inspect TLS handshakes. Tools like tcpdump on an EC2 instance could be handy for troubleshooting at the packet level.

https://repost.aws/questions/QUigyRDYpPSWayC4568ZedDw/q-whats-the-difference-between-an-alb-configured-with-pass-through-traffic-without-tls-offload-vs-a-nlb-configured-to-pass-through-traffic-without-tls-offload

answered a month ago
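As an added example (not part of the original question or answer), the script below parses NLB TLS access-log lines in the documented version 2.0 field order and sorts each connection into one of three buckets: a session that established (a cipher was negotiated), a handshake the client aborted with a TLS alert (incoming_tls_alert is set), and a handshake that never completed with no alert at all (the shape of the entry in the question: no tls_handshake_time, no cipher, 0 bytes). Results are grouped per client IP so individual chargers can be singled out, and the connection_time of each incomplete attempt is kept, since a near-constant duration across many attempts usually points at a client-side timeout. The log lines, IP addresses, load balancer name and certificate ARN are constructed for this example; the field order follows the AWS NLB access log documentation.

```python
"""Triage AWS NLB TLS access-log entries: which connections established a
TLS session, which the client aborted with a TLS alert, and which never
completed a handshake at all, grouped per client IP.

Field order is the documented NLB access-log format, version 2.0:
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
"""
import shlex
from collections import Counter, defaultdict

NLB_FIELDS = (
    "type", "version", "time", "elb", "listener", "client_port",
    "destination_port", "connection_time", "tls_handshake_time",
    "received_bytes", "sent_bytes", "incoming_tls_alert", "chosen_cert_arn",
    "chosen_cert_serial", "tls_cipher", "tls_protocol_version",
    "tls_named_group", "domain_name", "alpn_fe_protocol", "alpn_be_protocol",
    "alpn_client_preference_list", "tls_connection_creation_time",
)

# TLS alert descriptions (RFC 8446, section 6.2) that embedded clients most
# often raise when they reject the server's certificate or parameters.
TLS_ALERTS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    70: "protocol_version", 80: "internal_error", 112: "unrecognized_name",
}

# Constructed sample lines (not from the original post). Lines 1 and 4 mirror
# the shape of the entry in the question: 0 bytes, no handshake time, no cipher.
SAMPLE_LINES = [
    "tls 2.0 2024-04-04T13:21:46 net/example-nlb/0123456789abcdef 0123456789abcdef "
    "198.51.100.10:56371 10.0.1.20:7655 3800 - 0 0 - - - - - - - - - - 2024-04-04T13:21:42",
    "tls 2.0 2024-04-04T13:22:10 net/example-nlb/0123456789abcdef 0123456789abcdef "
    "198.51.100.11:40210 10.0.1.20:7655 1520 85 412 1033 - "
    "arn:aws:acm:eu-west-1:123456789012:certificate/11111111-2222-3333-4444-555555555555 "
    "0123456789ABCDEF ECDHE-RSA-AES128-GCM-SHA256 tlsv12 prime256v1 ocpp.example.com "
    "- - - 2024-04-04T13:22:08",
    "tls 2.0 2024-04-04T13:23:05 net/example-nlb/0123456789abcdef 0123456789abcdef "
    "198.51.100.10:56402 10.0.1.20:7655 210 - 0 0 48 "
    "arn:aws:acm:eu-west-1:123456789012:certificate/11111111-2222-3333-4444-555555555555 "
    "- - - - ocpp.example.com - - - 2024-04-04T13:23:05",
    "tls 2.0 2024-04-04T13:24:31 net/example-nlb/0123456789abcdef 0123456789abcdef "
    "198.51.100.10:56410 10.0.1.20:7655 3805 - 0 0 - - - - - - - - - - 2024-04-04T13:24:27",
]


def _num(value):
    """Numeric log fields are '-' when absent; keep that as None."""
    return None if value == "-" else int(value)


def parse_entry(line):
    """Split one access-log line into a dict keyed by NLB_FIELDS.
    shlex.split handles the quoted alpn_client_preference_list field."""
    parts = shlex.split(line)
    if len(parts) != len(NLB_FIELDS):
        raise ValueError(f"expected {len(NLB_FIELDS)} fields, got {len(parts)}: {line!r}")
    entry = dict(zip(NLB_FIELDS, parts))
    entry["client_ip"] = entry["client_port"].rsplit(":", 1)[0]
    for key in ("connection_time", "tls_handshake_time", "received_bytes", "sent_bytes"):
        entry[key] = _num(entry[key])
    return entry


def classify(entry):
    """Return 'established', 'client_alert' or 'handshake_incomplete'."""
    if entry["tls_cipher"] != "-":
        # A negotiated cipher is only logged once the handshake completed.
        return "established"
    if entry["incoming_tls_alert"] != "-":
        # The client answered with a TLS alert instead of finishing the handshake.
        return "client_alert"
    # TCP was accepted and held open for connection_time ms, but no handshake
    # completed and no alert arrived: the client never sent a usable ClientHello,
    # timed out mid-handshake, or closed the socket. The log cannot tell which.
    return "handshake_incomplete"


def alert_name(code):
    """Map the incoming_tls_alert integer to its RFC 8446 description."""
    try:
        number = int(code)
    except ValueError:
        return f"unparsed ({code})"
    return f"{TLS_ALERTS.get(number, 'alert')} ({number})"


def triage(lines):
    """Per client IP: count each class, keep alert names and the durations of
    incomplete connections (a constant duration hints at a client-side timeout)."""
    summary = defaultdict(lambda: {
        "established": 0, "client_alert": 0, "handshake_incomplete": 0,
        "alerts": Counter(), "incomplete_ms": [],
    })
    for line in lines:
        if not line.strip():
            continue
        entry = parse_entry(line)
        verdict = classify(entry)
        bucket = summary[entry["client_ip"]]
        bucket[verdict] += 1
        if verdict == "client_alert":
            bucket["alerts"][alert_name(entry["incoming_tls_alert"])] += 1
        elif verdict == "handshake_incomplete":
            bucket["incomplete_ms"].append(entry["connection_time"])
    return dict(summary)


if __name__ == "__main__":
    for ip, bucket in sorted(triage(SAMPLE_LINES).items()):
        print(ip, {k: (dict(v) if isinstance(v, Counter) else v) for k, v in bucket.items()})
```

Run it against a day of access logs concatenated from the S3 bucket and look at the per-IP buckets. A charger whose entries fall only in handshake_incomplete, all with a connection_time close to the same value, is holding the TCP connection open and then giving up on its own timer without ever completing (or possibly starting) the TLS handshake; the access log alone cannot distinguish a missing ClientHello from a client that went silent mid-handshake, which is what a packet capture on the charger side would settle. A charger that instead shows up under client_alert gives you something concrete to send the manufacturer: unknown_ca (48) or certificate_expired (45) points at the device's trust store or clock rather than at the load balancer.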
