Unable to Decrypt the SSL Traffic for Traces Collected on Citrix ADC for ANY-Type vServer

Article ID: CTX289524

Description

The customer collected captures from Citrix ADC with the SSL master keys option enabled for the capture, but was unable to decrypt the traffic in Wireshark using the session keys. The vServer whose traffic flows the customer was trying to capture was an ANY-type vServer, not an SSL offloading vServer (such as LBVS type SSL, Content Switch, Citrix Gateway, AAA-TM, etc.).

Instructions

Because the ANY protocol has no SSL offloading capability, the traffic cannot be decrypted: Citrix ADC is not terminating any SSL traffic. Any SSL traffic passing from the client to the back-end server does so without Citrix ADC terminating the encrypted session with an SSL/TLS certificate on the vServer, so the contents of SSL/TLS-encrypted traffic are not visible in a trace.

In such circumstances, administrators should create SSL offloading vServers with a server certificate on the vServer, so that Citrix ADC terminates the traffic and administrators can decrypt and analyze the contents.
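
The change described above, sketched as Citrix ADC CLI commands. This is an added example, not part of the original article: every object name, IP address and certificate file name is a placeholder, and `-capsslkeys ENABLED` is taken to be the CLI form of the SSL master keys option the article refers to.

```netscaler
# Existing setup (placeholder names): an ANY-type vServer forwards the TLS
# session untouched, so the ADC holds no session keys for it and a trace
# of this traffic contains only ciphertext.
add service svc_app_any 198.51.100.20 ANY *
add lb vserver vs_app_any ANY 192.0.2.10 *
bind lb vserver vs_app_any svc_app_any

# Replacement: an SSL offloading vServer with a server certificate, so the
# ADC terminates TLS itself. A separate placeholder VIP is used here.
add ssl certKey ck_app -cert app.example.crt -key app.example.key
add service svc_app_ssl 198.51.100.20 SSL 443
add lb vserver vs_app_ssl SSL 192.0.2.11 443
bind lb vserver vs_app_ssl svc_app_ssl
bind ssl vserver vs_app_ssl -certkeyName ck_app

# Confirm the vServer type and that the certificate is bound.
show lb vserver vs_app_ssl
show ssl vserver vs_app_ssl

# Capture again with session key export enabled, reproduce the traffic
# against the SSL vServer, then stop the trace.
start nstrace -size 0 -capsslkeys ENABLED
stop nstrace
```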