Forum Discussion
Please excuse the obfuscated IP addresses; this is due to the nature of the environment. As you can see, the forwarding VIP is configured with default settings. Our external firewall is providing an outbound ACL with the source and destination on port 443. The server guy is doing a curl from the back-end server and is getting an error which I've seen on Google described as a common issue.
ASC OpenSSL -msg

openssl s_client -connect x.x.x.x:443 -msg
CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
ASC OpenSSL -msg other env

CONNECTED(00000003)   <<<<<<<<<<<[Proves the connection is leaving the estate and connecting, so Big-IP and firewall rules check out]
TLS 1.2 [length 0005]
    16 03 01 01 2d
TLS 1.2 Handshake [length 012d], ClientHello
    01 00 01 29 03 03 57 61 40 87 e2 a7 52 be 0b 84 …
<<< ??? [length 0005]
    16 03 03 00 42
<<< TLS 1.2 Handshake [length 0042], ServerHello
    02 00 00 3e 03 03 57 3f 24 c5 a4 73 d1 7b bd 43 …
<<< ??? [length 0005]
    16 03 03 0f 8c
<<< TLS 1.2 Handshake [length 0f8c], Certificate
    0b 00 0f 88 00 0f 85 00 05 72 30 82 05 6e 30 82 …
tmsh output

ltm virtual {
    address-status no
    app-service none
    auth none
    auto-lasthop default
    bwc-policy none
    clone-pools none
    cmp-enabled yes
    connection-limit 0
    description IP
    destination aa.bb.cc.dd:https
    enabled
    fallback-persistence none
    flow-eviction-policy none
    gtm-score none
    ip-protocol tcp
    last-hop-pool none
    mask 255.255.255.255
    metadata none
    mirror disabled
    mobile-app-tunnel disabled
    nat64 disabled
    partition Common
    per-flow-request-access-policy none
    persist none
    policies none
    pool none
    profiles {
        tcp {
            context all
        }
    }
    rate-class none
    rate-limit disabled
    rate-limit-dst-mask 0
    rate-limit-mode object
    rate-limit-src-mask 0
    related-rules none
    security-log-profiles none
    source x.x.x.x
    source-address-translation {
        pool none
        type none
    }
    source-port preserve
    syn-cookie-status not-activated
    traffic-classes none
    translate-address enabled
    translate-port enabled
    urldb-feed-policy none
    vlans none
    vlans-disabled
    vs-index 21
}
END