Forum Discussion

avnishvyas_1974
May 24, 2016

Outbound IP forwarding VIP hitting a HTTPS website but not authenticating SSL

Hello people, I was requested to configure an outbound VIP to an external resource which would use HTTPS, so there is an element of SSL involved here. However, as this is an outbound connection, the SSL offload doesn't take place on the F5 load balancer; the initiator of the traffic, which is a back-end server in a pool, makes the requests and the F5 simply passes this traffic through. We have an ACL on our border firewall and we have proved the connection is making it to the external site; however, the dev guy is complaining to me that he's getting an SSL connect error. After I provided some solutions which I googled on the internet, he needs to download the certificates, key and chain and place them on the server so that the SSL handshake can take place once he gets to the site. I'm not sure what else I can do from the F5 perspective, as we are not offloading SSL at LTM level. The SSL takes place on the website after we have forwarded the traffic on. The firewall is doing a basic NAT, and prior to us configuring the forwarding VIP and the ACLs the server guy was unable to connect, so we are almost there in terms of connectivity, but there has been no joy with the SSL connection.

What can be wrong with the IP forwarding settings? I've looked at SNAT etc., which is set to "None"; most of the other settings are default.

Running out of options here and any suggestions would help me a great deal.

Thanks in advance for any takers?

7 Replies

  • I would suggest taking a packet capture (tcpdump) on the BigIP filtered on the client's IP. This will allow you to see what is happening on the SSL handshake that might be causing a failure. Depending on the cause this is probably not something that can be fixed on the BigIP. I would suggest the following tcpdump string:

    tcpdump -s0 -i 0.0:nnn -w /var/tmp/ssl.pcap host <client-ip>

    where <client-ip> is the IP address of the system that is initiating the connection. Use ctrl-C to stop the capture. You will need to copy this off box to review in Wireshark or another similar packet capture analysis tool. You are specifically interested in the Client and ServerHellos.

  • nathe
    Hi. It may be an idea to post the anonymised configuration of your forwarding virtual server. It may help.
  • Please excuse the obfuscated IP addresses; this is due to the nature of the environment. As you can see, the forwarding VIP is configured with default settings. Our external firewall is providing an outbound ACL with the source and destination on port 443. The server guy is doing a curl from the back-end server and is getting an error which I've seen on Google as being a common issue.

    ASC OpenSSL -msg

    openssl s_client -connect x.x.x.x:443 -msg
    CONNECTED(00000003)
    write:errno=104
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 0 bytes and written 0 bytes
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE


    ASC OpenSSL -msg, other env

    CONNECTED(00000003)   <<<<<<<<<<< [Proves the connection is leaving the estate and connecting, so Big-IP and firewall rules check out]
    TLS 1.2 [length 0005]
        16 03 01 01 2d
    TLS 1.2 Handshake [length 012d], ClientHello
        01 00 01 29 03 03 57 61 40 87 e2 a7 52 be 0b 84 …
    <<< ??? [length 0005]
        16 03 03 00 42
    <<< TLS 1.2 Handshake [length 0042], ServerHello
        02 00 00 3e 03 03 57 3f 24 c5 a4 73 d1 7b bd 43 …
    <<< ??? [length 0005]
        16 03 03 0f 8c
    <<< TLS 1.2 Handshake [length 0f8c], Certificate
        0b 00 0f 88 00 0f 85 00 05 72 30 82 05 6e 30 82 …


    tmsh output

    ltm virtual {
        address-status no
        app-service none
        auth none
        auto-lasthop default
        bwc-policy none
        clone-pools none
        cmp-enabled yes
        connection-limit 0
        description IP
        destination aa.bb.cc.dd:https
        enabled
        fallback-persistence none
        flow-eviction-policy none
        gtm-score none
        ip-protocol tcp
        last-hop-pool none
        mask 255.255.255.255
        metadata none
        mirror disabled
        mobile-app-tunnel disabled
        nat64 disabled
        partition Common
        per-flow-request-access-policy none
        persist none
        policies none
        pool none
        profiles {
            tcp {
                context all
            }
        }
        rate-class none
        rate-limit disabled
        rate-limit-dst-mask 0
        rate-limit-mode object
        rate-limit-src-mask 0
        related-rules none
        security-log-profiles none
        source x.x.x.x
        source-address-translation {
            pool none
            type none
        }
        source-port preserve
        syn-cookie-status not-activated
        traffic-classes none
        translate-address enabled
        translate-port enabled
        urldb-feed-policy none
        vlans none
        vlans-disabled
        vs-index 21
    }
    END
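As an added example (not code from the thread or from F5), a small Python helper that does what the first reply recommends, reading the handshake stage off the two `openssl s_client -msg` transcripts posted above: it reports how far the exchange got before failing and decodes the 5-byte TLS record headers seen in the hex dump. The two sample transcripts are constructed from the post, with the hex truncated as in the original.

```python
import re

# Constructed samples modelled on the two `openssl s_client -connect x.x.x.x:443 -msg`
# transcripts posted in the thread (hex truncated as in the post); not real captures.
RESET_ENV = """CONNECTED(00000003)
write:errno=104
no peer certificate available
SSL handshake has read 0 bytes and written 0 bytes"""

OK_ENV = """CONNECTED(00000003)
TLS 1.2 [length 0005]
    16 03 01 01 2d
TLS 1.2 Handshake [length 012d], ClientHello
    01 00 01 29 03 03 57 61 40 87
<<< TLS 1.2 Handshake [length 0042], ServerHello
    02 00 00 3e 03 03 57 3f 24 c5
<<< TLS 1.2 Handshake [length 0f8c], Certificate
    0b 00 0f 88 00 0f 85"""

CONTENT_TYPES = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
HANDSHAKE_RE = re.compile(r"Handshake \[length [0-9a-f]+\], (\w+)")

def parse_record_header(hex_bytes):
    """Decode the 5-byte TLS record header shown in -msg output, e.g. '16 03 03 00 42'.
    Record version 3.1 is the legacy TLS 1.0 value a ClientHello may carry; 3.3 is TLS 1.2."""
    b = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(b) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    return {"type": CONTENT_TYPES.get(b[0], "unknown"), "version": f"{b[1]}.{b[2]}",
            "length": int.from_bytes(b[3:5], "big")}

def diagnose(msg_output):
    """Report how far the handshake got, from an `openssl s_client -msg` transcript."""
    sent, received, errno = [], [], None
    for line in msg_output.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:  # '<<<' marks data from the server; the rest is what the client wrote
            (received if line.startswith("<<<") else sent).append(m.group(1))
        m = re.search(r"errno=(\d+)", line)
        if m:
            errno = int(m.group(1))
    if "ServerHello" in received:
        stage = "server-answered"          # TLS is reachable; look at cert/cipher next
    elif "ClientHello" in sent:
        stage = "client-hello-unanswered"  # records left the host, nothing came back
    elif errno == 104:
        stage = "reset-before-tls"         # TCP connected, then ECONNRESET on first write
    else:
        stage = "no-tls-exchange"
    return {"stage": stage, "sent": sent, "received": received, "errno": errno}
```

On the first transcript the result is "reset-before-tls" with errno 104, i.e. the socket opened but nothing at the TLS layer was ever exchanged, which points at the path rather than at certificates; the second reaches "server-answered" with a ServerHello and Certificate received.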


    • nathe
      This does look a bit odd. What virtual server type is this? Is it a Forwarding IP one?
    • avnishvyas_1974
      It's a Red Hat Linux box. To further update on this, I noticed the VIP was misconfigured. It was set to Standard and I have since changed it to Forwarding IP. The server guy is getting a different error message now, which is connection refused, so I have suggested adding a static route on the server with the destination address to see if he can force traffic via the self IP gateway.
    • nathe
      That makes sense, as there was a pool configuration above and a fwd VIP won't have a pool. I would run a packet capture on the BIG-IP when the server guy next tests to see if the connection is hitting the BIG-IP.