Forum Discussion

avnishvyas_1974's avatar
avnishvyas_1974
Icon for Nimbostratus rankNimbostratus
May 24, 2016

Outbound IP forwarding VIP hitting a HTTPS website but not authenticating SSL

Hello People I was requested to configure an outbound VIP to an external resource which would use HTTPS so there is an element of SSL involved here, However as this is an outbound connection. The SSL...
application delivery
devops
LTM
ssl
avnishvyas_1974's avatar
avnishvyas_1974
Icon for Nimbostratus rankNimbostratus

Please excuse the obfiscated IP addresses this is due to the nature of the environment. as you can see the forwarding VIP is configured with default settings. Out external Firewall is providing outbound ACL with the source and destination on port 443. The Server guy is doing a curl from the back end server and is getting an error which ive seen on google as being a common issue.

 

ASC OpenSSL -msg openssl s_client -connect x.x.x.x:443 -msg CONNECTED(00000003)

 

write:errno=104 no peer certificate available No client certificate CA names sent SSL handshake has read 0 bytes and written 0 bytes

New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE

 

ASC OpenSSL –msg other env

 

CONNECTED(00000003) <<<<<<<<<<<[Proves the connection is leaving the estate and connecting so Big-IP and Firewall rules checkout]

 

TLS 1.2 [length 0005] 16 03 01 01 2d TLS 1.2 Handshake [length 012d], ClientHello 01 00 01 29 03 03 57 61 40 87 e2 a7 52 be 0b 84 … <<< ??? [length 0005] 16 03 03 00 42 <<< TLS 1.2 Handshake [length 0042], ServerHello 02 00 00 3e 03 03 57 3f 24 c5 a4 73 d1 7b bd 43 … <<< ??? [length 0005] 16 03 03 0f 8c <<< TLS 1.2 Handshake [length 0f8c], Certificate 0b 00 0f 88 00 0f 85 00 05 72 30 82 05 6e 30 82 …

 

tmsh output ltm virtual { address-status no app-service none auth none auto-lasthop default bwc-policy none clone-pools none cmp-enabled yes connection-limit 0 description IP destination aa.bb.cc.dd:https enabled fallback-persistence none flow-eviction-policy none gtm-score none ip-protocol tcp last hop-pool none mask 255.255.255.255 meta data none mirror disabled mobile-app tunnel disabled nat64 disabled partition common per-flow-request-access-policy none persist none policies none pool none Profile { tcp { context all } } rate-class none rate-limit disabled rate-limit-dst-mask 0 rate-limit-mode object rate-limit-src-mask 0 related-rules none security-logs-profiles none source x.x.x.x source-address-translation { pool none type none } source-port preserve syn-cookie-status-not-activated traffic-classes none translate-address enabled translate port enabled urldb-feed-policy none vlans none vlans-disabled vs-index 21 } END

 

avnishvyas_1974's avatar
avnishvyas_1974
Icon for Nimbostratus rankNimbostratus
May 25, 2016
its a REDHAT Linux box. To further update on this I noticed the VIP was missconfigured. It was set to Standard and I have since changed it to Forwarding IP, The server guy is getting a different error message now so which is connection refused. So have suggested to add a static route on the server with the destination address to see if he can force traffic via the Self IP gateway.