Forum Discussion

Misty_Spillers_
Aug 09, 2013

F5 Edge Client error "failed to negotiate with server" iOS/Android (FirePass)

Our FirePass boxes are rarely changed. We have 2 of them that are not in a cluster, but they do sit behind a BIG-IP LTM for SSL offload, which has been working great for years.

All of a sudden iOS and Android clients cannot connect (both FirePass VPNs). This has worked great since the clients were released. iOS gets "Failed to negotiate with server" (it goes through the auth part, and the FirePass log shows a successful connection); Android just spins until it gets a generic "cannot connect to server" error.

FirePass has these hotfixes installed. HF-70-8 was the last major change; I don't know if the problem has been there since then, but no one reported it. I installed all the mini HFs hoping to fix this problem.

I'm in the middle of a migration to APM, which hasn't been pretty and is taking much longer than it should; unfortunately the FirePasses fell out of support before the full migration could happen. So I'm hoping someone here may have heard of this.

Thanks,

Misty

6 Replies

  • I haven't experienced this specific case, but as you have an LTM in between, have you checked everything is fine there? Both on the cert section (something that would explain the sudden issue) and looking with tcpdump at what exactly happens? I admit the fact that the FirePass log shows a successful connection doesn't point to it being the LTM, but it might be a good point to start digging.
  • Nothing has really changed there. It is an older LTM. Used this document to setup the offload YEARS ago http://www.f5.com/pdf/deployment-guides/bigip94-firepass-dg.pdf. We use the same link for all VPN access and the normal VPN seem fine. No certificate issues. The tcpdump is a good idea though. I'll check that out.
  • More info: I knew it had to be one of 2 things. Either the HF I installed some time ago broke it and just not too many people use it or, the more likely problem, the Edge Client was updated and as people update their phones it is breaking. Sure enough, the problem is the latter, which explains why the reports are coming in more and more. I have an iPad 2 at home frozen in time: its iOS is 6.1.3 (my phone is on 6.1.4, so not very out of date there), the VPN client is 1.0.4 (current is 1.0.5), and it works fine. I'm guessing that since every FirePass user in the world isn't complaining, it may have to do with the SSL offloading we have on the LTM.
  • sounds like a possible explanation, might be wise to start looking at TAC if you can right now. let them figure it out :) they might have similar experiences recently. if you can't then it will probably be more debugging or looking if it works without the SSL offloading.
  • We have firepass patched with all the current patches. It is also clustered sitting behind an LTM but not offloading SSL. I have tested with the EdgeClient 1.0.5 and it works great. I think you are on the right track with looking on the LTM to resolve this issue.
  • Hi Seth Cooper,

    How did you configure the LTM VS for the FirePass pool but without offloading SSL?

    I'm trying to configure that with LTM 11.4.1 and the latest FirePass version, but the page can't be displayed.

    Thanks, Mc