Linux CLI VPN Client - "Server certificate verification failed."

Hi all,

We've recently gone live with our VPN (on v13 HF2) and some of our users have reported they're having issues accessing the VPN from their Linux command line. On RHEL/Fedora, the VPN connection doesn't work. On Ubuntu, I can see the errors in the logs but it lets me through anyhow.

After installing the package, they run the command to connect to the VPN:

    f5fpc -s -t https://ourvpn.com

When querying how the connection went, I can see:

    f5fpc -i
    Connection Status: logon failed
    Server certificate verification failed.

The certificate we're using is a properly signed QuoVadis cert. The ~/.F5Networks/standalone.log shows:

    2017-07-24,14:39:27:019, 2839,2849,standalone, 0, /LinuxEventHandler.cpp, 924, , LinuxEventHandler::loadCAStore()- Using default Trusted cert store at=/etc/ssl/certs, for CA cert validation
    2017-07-24,14:39:27:019, 2839,2849,standalone, 2, /LinuxEventHandler.cpp, 1052, LinuxEventHandler::verify_context_chain(), Server Cert chain is empty
    2017-07-24,14:39:27:021, 2839,2849,standalone, 0, /LinuxEventHandler.cpp, 1063, , LinuxEventHandler::verify_context_chain() - X509_verify_cert(): verification error=2, string=unable to get issuer certificate
    2017-07-24,14:39:27:021, 2839,2849,standalone, 48, /LinuxEventHandler.cpp, 68, CLinuxEventHandler::HandleEvent(), exit with, 0
    2017-07-24,14:39:27:022, 2839,2849,standalone, 2, /USSLChannel.cpp, 312, USSLChannel::Write, SSL_write failed (result: -1, error: SSL_ERROR_SSL)
    2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UHTTP.cpp, 38, UHTTP::makeRequest(), EXCEPTION - send request error
    2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UHTTP.cpp, 115, , EXCEPTION caught: UHTTP::makeRequest() - EXCEPTION
    2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UFirepass.cpp, 679, UFirepass::doGetRequestWithoutRedirect, server returned HTTP code, return code, 0, -1
    2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UFirepass.cpp, 688, UFirepass::doGetRequestWithoutRedirect, (0x27) EXCEPTION - Channel error, 39
    2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UChannelChain.cpp, 34, UChannelChain::~UChannelChain(), destroying channel 2. Stats (0) - Recv=3283 Send=524
    2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UChannelChain.cpp, 34, UChannelChain::~UChannelChain(), destroying channel 1. Stats (0) - Recv=3283 Send=524
    2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UFirepass.cpp, 782, , EXCEPTION caught: UFirepass::getFirepassToken - EXCEPTION
    2017-07-24,14:39:27:022, 2839,2849,standalone, 1, /UFirepass.cpp, 911, UFirepass::DoPrelogon, Failed to obtain logon token: prelogon is not enabled or Firepass server has version below 5.5
    2017-07-24,14:39:27:022, 2839,2849,standalone, 48, /UChannelChain.cpp, 55, UChannelChain::BuildChannels(), enter, 0x7: U_ENABLE_SOCKET_CHANNEL U_ENABLE_SSL_CHANNEL U_ENABLE_PROXY_CHANNEL
    2017-07-24,14:39:27:022, 2839,2849,standalone, 48,,,, USSLChannel::USSLChannel:RAND_status(1)

I've tried uploading the root/intermediate certificates to /etc/ssl/certs but still no luck. The workaround is to use the ignore certificate switch (-x) but I don't really want to do this.

    f5fpc -s -t https://ourvpn.com/ -x

Any ideas??

Thanks,
Nick

f5fpc linux client does it support client cert and username/secret auth?
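For the first post above ("Server certificate verification failed"): the client log says it validates against /etc/ssl/certs as a directory store, and OpenSSL only finds an issuer in such a directory through a link named after the certificate's subject hash (what c_rehash creates), so a PEM file copied in without that link is never consulted and X509_verify_cert() reports "unable to get issuer certificate". The script below is an added example, not code from the post or from F5; it assumes the openssl CLI is installed and takes all paths as arguments.

```shell
#!/bin/sh
# Added example: make a CA directory usable as an OpenSSL CApath.
# OpenSSL looks up issuers in a CApath as <subject_hash>.<n>; a PEM file
# dropped into /etc/ssl/certs without such a link is ignored.

# Split a PEM bundle (root + intermediates) into one file per certificate.
split_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
}

# Link every *.pem in dir under its OpenSSL subject hash, resolving
# hash collisions by incrementing the suffix (c_rehash behaviour).
# Re-running is safe: a certificate already linked is skipped.
rehash_dir() {
    dir="$1"
    for cert in "$dir"/*.pem; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -in "$cert" -noout -subject_hash) || return 1
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # identical certificate already present under this hash
            if cmp -s "$dir/$hash.$n" "$cert"; then continue 2; fi
            n=$((n + 1))
        done
        ln -s "$(basename "$cert")" "$dir/$hash.$n"
    done
}

# Check a certificate or chain file against the directory the way the
# client does (CApath lookup). Note that openssl verify also consults
# the system default store unless told otherwise; for a private CA that
# makes no difference. Returns 0 when the chain validates.
verify_with_capath() {
    capath="$1"; chain="$2"
    openssl verify -CApath "$capath" "$chain" >/dev/null 2>&1
}
```

Run `split_bundle chain.pem /etc/ssl/certs && rehash_dir /etc/ssl/certs` as root, then `verify_with_capath /etc/ssl/certs server-chain.pem` before retrying f5fpc without -x.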
I can't get the linux CLI client to log on successfully using client certificate and username/secret using a login form. Does the f5fpc linux client support authenticating with a client cert and username/secret?

From the server logs I see client cert auth is succeeding. However, it seems that the password (in my case an OTP) is not being received by the server, at least not into the variable "session.logon.last.password" we all know and love, which is resulting in RADIUS auth failure. I tried logging the password (in a test environment of course) per the docs I refer to below, and it's acting as though the variable doesn't exist (I get a TCL error from the "mcget -secure ..." custom variable assign, and when I try printing out the encrypted variable it prints an empty string). Thus I'm doubting the OTP is even making it to the APM.

How can I troubleshoot this further? I was going to try passing the traffic through a proxy like burp suite but it seems f5fpc doesn't support local proxy settings. I don't see anything useful in ~/.F5Networks/standalone.log and the APM logs are making it seem like the password isn't arriving.

I'm running client v. 7210.2020.0826.1 and BigIP v. 15.1.2.1.

I am familiar with these:
- Using the Linux client f5fpc to connect to the BIG-IP APM network access for the first time
- Creating a two-factor authentication access policy for use with the Linux f5fpc command-line client
- Using mcget -secure to decrypt and display a password for troubleshooting auth issues. (f5.com)

Linux SSL VPN client error - SSL handshake failed
Hello,

We have recently updated our SSL VPN infrastructure and after that I haven't been able to create a VPN tunnel from my laptop. I can successfully login to the web interface but when I try to create a tunnel a "Browser is waiting from status from Network Access Application" popup appears and after a short time it goes back to the popup that allows to download the client RPM or DEB.

I can see these entries in the ~/.F5Networks/vpn.log when I try (always the same entries):

    ==========================================================================
    Kernel version: 1 SMP Debian 4.9.51-1 (2017-09-28)
    System: Linux
    Release: 4.9.0-4-amd64
    Model: x86_64
    Node name: robfas-lin
    ==========================================================================
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,,
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, =====================================
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Location: /opt/f5/vpn/f5vpn
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Version: 7140.2017.0414.1
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Locale: C
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Qt version: 5.7.1
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, =====================================
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,,
    2017-10-13,10:56:06:040, 19333,19333,, 48,,,, current log level = 63
    2017-10-13,10:56:06:042, 19333,19333,, 48, /Helpers.h, 96, void f5::qt::setupLogs(const std::string&, const std::string&), OpenSSL supported: true. Lib in use: OpenSSL 1.0.2l 25 May 2017. Build: OpenSSL 1.0.2k 26 Jan 2017
    2017-10-13,10:56:06:085, 19333,19333,, 48, /LinuxService.h, 45, void f5::qt::DBusInterface::Open(QStringList, QMap), D-Bus Open() method called
    2017-10-13,10:56:06:097, 19333,19333,, 48, /HttpNetworkManager.cpp, 211, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.paf.com/my.report.na
    2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 124, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occured while processing request(code), 6
    2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 271, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 6, SSL handshake failed
    2017-10-13,10:56:06:200, 19333,19333,, 48, /HttpNetworkManager.cpp, 420, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 6, 0
    2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 424, void f5::qt::HttpNetworkManager::RequestFinished(), Error occured (error code, HTTP code), 6, 0
    2017-10-13,10:56:06:201, 19333,19333,, 48, /Session.cpp, 87, void f5::qt::Session::ProfileDownload(), Profile download starting, https://vpn.paf.com/pre/config.php?version=2.0
    2017-10-13,10:56:06:201, 19333,19333,, 48, /HttpNetworkManager.cpp, 211, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.paf.com/pre/config.php?version=2.0
    2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 124, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occured while processing request(code), 6
    2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 271, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 6, SSL handshake failed
    2017-10-13,10:56:06:298, 19333,19333,, 48, /HttpNetworkManager.cpp, 420, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 6, 0
    2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 424, void f5::qt::HttpNetworkManager::RequestFinished(), Error occured (error code, HTTP code), 6, 0
    2017-10-13,10:56:06:298, 19333,19333,, 48, /Session.cpp, 59, void f5::qt::Session::ProfileDownloadFailed(QString), Profile download failed, Network error
    2017-10-13,10:56:06:298, 19333,19333,, 48, /SessionManager.cpp, 222, void f5::qt::SessionManager::SessionError(QString), ----Session 46112466 ends----. Error occured: Network error
    2017-10-13,10:56:06:298, 19333,19333,, 48, /SessionManager.cpp, 214, void f5::qt::SessionManager::CheckSessions(), No live sessions, quitting application....

I'm running on Debian Stretch 64 bit. I tried everything I could think about without success (and at the same time I can login successfully from an Android Tablet).

Any tip on what I could try? Could this be related to this bug: ID382396 [Linux CLI] Certificate verification doesn't work for some Linux distributions?

Thanks in advance!

Linux SSL VPN client error - GET request timeout/fail
I have a user with a laptop running Linux on a partition who's having trouble connecting to VPN from home (works fine on campus, however). The odd thing is, the first GET request completes and then the second and third appear to time out. The client log showing that is below. Are there any Linux folks here who may have an idea of how to tackle this issue?

    2021-08-09,22:07:56:997, 16069,16069,, 0,,,,=====================================
    2021-08-09,22:07:56:997, 16069,16069,, 0,,,,Location: /opt/f5/vpn/f5vpn
    2021-08-09,22:07:56:997, 16069,16069,, 0,,,,Version: 7185.2021.0108.1
    2021-08-09,22:07:56:997, 16069,16069,, 0,,,,Locale: en_US.UTF-8
    2021-08-09,22:07:56:997, 16069,16069,, 0,,,,Qt version: 5.5.1
    2021-08-09,22:07:56:997, 16069,16069,, 0,,,,=====================================
    2021-08-09,22:07:56:997, 16069,16069,, 0,,,,
    2021-08-09,22:07:56:997, 16069,16069,, 48,,,, current log level = 63
    2021-08-09,22:07:57:006, 16069,16069,, 48, /Helpers.h, 117, void f5::qt::setupLogs(const string&, const string&), QT - OpenSSL supported: true. Lib in use: OpenSSL 1.0.2p14 Aug 2018. Build: OpenSSL 1.0.0-fips 29 Mar 2010
    2021-08-09,22:07:57:006, 16069,16069,, 48, /Helpers.h, 118, void f5::qt::setupLogs(const string&, const string&), F5 - OpenSSL build version: OpenSSL 1.0.2p14 Aug 2018
    2021-08-09,22:07:57:043, 16069,16069,, 48, /LinuxService.h, 45, void f5::qt::DBusInterface::Open(QStringList, QMap<QString, QVariant>), D-Bus Open() method called
    2021-08-09,22:07:57:044, 16069,16069,, 48, /SessionManager.cpp, 198, boost::optional<QString> f5::qt::SessionManager::StartNASession(const QUrl&), otc is non empty, f79db5cb
    2021-08-09,22:07:57:047, 16069,16069,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.acme.com/vdesk/get_sessid_for_token.php3
    2021-08-09,22:08:00:196, 16069,16069,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 0, 200
    2021-08-09,22:08:00:196, 16069,16069,, 48, /SessionManager.cpp, 78, bool f5::qt::retrieveSidFromOtc(const QUrl&, const CString&, CString&), session id(308719ec) for otc(f79db5cb)
    2021-08-09,22:08:00:197, 16069,16069,, 48, /SessionManager.cpp, 200, boost::optional<QString> f5::qt::SessionManager::StartNASession(const QUrl&), exchanged session id is, 308719ec
    2021-08-09,22:08:00:198, 16069,16069,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.acme.com/my.report.na
    2021-08-09,22:08:15:197, 16069,16069,, 1, /HttpNetworkManager.cpp, 158, void f5::qt::HttpNetworkManager::RequestAbort(QNetworkReply*, bool) const, Request (https://vpn.acme.com/my.report.na) is being aborted (timeouted)
    2021-08-09,22:08:15:197, 16069,16069,, 1, /HttpNetworkManager.cpp, 120, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occurred while processing request (5)
    2021-08-09,22:08:15:197, 16069,16069,, 1, /HttpNetworkManager.cpp, 263, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 5, Operation canceled
    2021-08-09,22:08:15:197, 16069,16069,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 5, 0
    2021-08-09,22:08:15:197, 16069,16069,, 1, /HttpNetworkManager.cpp, 400, void f5::qt::HttpNetworkManager::RequestFinished(), Error occurred (error code, HTTP code), 5, 0
    2021-08-09,22:08:15:198, 16069,16069,, 48, /Session.cpp, 108, void f5::qt::Session::ProfileDownload(), Profile download starting, https://vpn.acme.com/pre/config.php?version=2.0
    2021-08-09,22:08:15:198, 16069,16069,, 48, /HttpNetworkManager.cpp, 205, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.acme.com/pre/config.php?version=2.0
    2021-08-09,22:08:15:198, 16069,16069,, 48, /SessionManager.cpp, 268, bool f5::qt::SessionManager::CreateAndLaunchSessionInternal(const QUrl&), ----Session 308719ec starts----
    2021-08-09,22:09:15:198, 16069,16069,, 1, /HttpNetworkManager.cpp, 158, void f5::qt::HttpNetworkManager::RequestAbort(QNetworkReply*, bool) const, Request (https://vpn.acme.com/pre/config.php?version=2.0) is being aborted (timeouted)
    2021-08-09,22:09:15:198, 16069,16069,, 1, /HttpNetworkManager.cpp, 120, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occurred while processing request (5)
    2021-08-09,22:09:15:198, 16069,16069,, 1, /HttpNetworkManager.cpp, 263, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 5, Operation canceled
    2021-08-09,22:09:15:198, 16069,16069,, 48, /HttpNetworkManager.cpp, 396, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 5, 0
    2021-08-09,22:09:15:198, 16069,16069,, 1, /HttpNetworkManager.cpp, 400, void f5::qt::HttpNetworkManager::RequestFinished(), Error occurred (error code, HTTP code), 5, 0
    2021-08-09,22:09:15:198, 16069,16069,, 48, /Session.cpp, 80, void f5::qt::Session::ProfileDownloadFailed(QString), Profile download failed, Network error
    2021-08-09,22:09:15:198, 16069,16069,, 48, /SessionManager.cpp, 310, void f5::qt::SessionManager::SessionError(QString), ----Session 308719ec ends----. Error occurred: Network error
    2021-08-09,22:09:15:198, 16069,16069,, 48, /SessionManager.cpp, 302, void f5::qt::SessionManager::CheckSessions(), No live sessions, quitting application....

Thanks!

Kerberos Constrained Delegation to Linux backend
Hello,

We are struggling with APM to perform Kerberos SSO toward an SAP system running on Linux, using this DG as ref: https://www.f5.com/pdf/deployment-guides/kerberos-constrained-delegation-dg.pdf.

We find this in the APM log:

    014d0005:3: Kerberos: can't get S4U2Proxy ticket for server HTTP/sapxxx.domain.com@DOMAIN.COM - Requesting ticket can't get forwardable tickets (-1765328163)

As far as we understand the message, this could be due to the fact that we are currently using "Trust this user for delegation to any service (Kerberos only)" in the delegation properties of the service account, when we should use "Trust this user for delegation to specified services only" > "Use any authentication protocol". But this doesn't work out of the box as the Linux backend is obviously not available in the AD to be added there. We tried to add a computer object for it but that doesn't help.

So our question is: how can we configure the delegation to the Linux SAP backend?

Thanks in advance for your help :-)

State lookup fails with "access denied" for firewall policy
I am in the process of setting up Ubuntu Linux (20.04) clients with VPN access using f5epi. Everything works, except for a firewall policy. The client side logs contain:

    2021-09-29,12:50:17:954, 19837,19837,, 48, , 221, CreateInspector(), Created new OesisModule: SDK Version = '4.3.1161.0', V3V4 Adapter Version = '4.3.980.0'
    2021-09-29,12:50:17:954, 19837,19837,, 48, , 224, CreateInspector(), Created new reference
    2021-09-29,12:50:17:954, 19837,19837,, 48, , 74, OesisModule:Run(), policyData=type=fw&collect=2&count=1&check_list_type=required&vendor_id1=97&id1=0&version1=&platform1=2&state1=1
    2021-09-29,12:50:17:954, 19837,19837,, 48, , 169, OesisLogInfoPolicy(), server configuration check list ===> Type: fw vendor_id: 97 id: 0 version: platform: 2 state: 1
    2021-09-29,12:50:19:043, 19837,19837,, 48, , 86, OesisModule:Run(), testing product: id=97001
    2021-09-29,12:50:19:043, 19837,19837,, 48, , 98, OesisModule:Run(), Product didn't match with any product from "server configuration check list"->
    2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , id=97001
    2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , vendor_id=97
    2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , version=1.8.4
    2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , name=IPTables
    2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , vendor_name=IPTables
    2021-09-29,12:50:19:043, 19837,19837,, 48, , 194, , errors=Failed to get 'state'. code: -32 (Access denied) mId: 1 iId: 11
    2021-09-29,12:50:19:087, 19837,19837,, 48, , 155, OesisModule:Run(), leave (check failed)

I assume the issue is that the iptables state check is trying to do something it is not allowed to do locally. Does anyone recognize this problem or have any information on what OesisModule is trying to access in this case?

List of Common Linux and/or TMSH commands
Hello,

I'm just wondering if anyone has a nice list of the most COMMONLY used linux and/or TMSH commands. I'm looking for something like THIS but with only frequently used commands. If anyone has something like that, it'd be greatly appreciated!

Cronjob that checks every 15 min if there is no APM active session, then disable the virt.
Hello there,

My goal is to check every 15 minutes if there is no active APM session, and if not, disable the virt. I thought I would have a bash script that I can call from crontab with the timing:

    0,15,30,45 * * * * /var/tmp/disablevirt

and check if there are active connections with snmpwalk:

    snmpwalk -Os -c public -v 2c localhost apmPaStatCurrentActiveSessions | grep PROFILENAME

If VALUE is equal to 0, run this:

    tmsh modify ltm virtual virt_NAME disabled

else

    echo "Users are still connected."

Thanks for the help.
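The /var/tmp/disablevirt job described in the post above, written out as an added example (not the poster's script). It parses the snmpwalk output for the named profile, refuses to treat a failed or empty walk as "zero users" (which would otherwise disable the virtual on every SNMP hiccup), and only runs tmsh when the count really is 0. The profile and virtual names, and the assumed snmpwalk line format shown in the comment, are placeholders; the crontab entry would call it as "/var/tmp/disablevirt run".

```shell
#!/bin/sh
# Added example: disable a virtual server when its APM profile has no
# active sessions. Assumed snmpwalk -Os output format (one row per profile):
#   apmPaStatCurrentActiveSessions."/Common/PROFILENAME" = Gauge32: 0
# The count is taken from after the last ": " so the SNMP type does not matter.
PROFILE="${PROFILE:-PROFILENAME}"   # access profile to watch (placeholder)
VIRTUAL="${VIRTUAL:-virt_NAME}"     # virtual server to disable (placeholder)

# Read snmpwalk output on stdin, sum the counters of every row whose name
# contains $1 and print the total. Exits 2 if no row matched, so a broken
# walk, wrong community or mistyped profile never looks like "0 users".
active_sessions() {
    awk -v prof="$1" '
        index($0, "apmPaStatCurrentActiveSessions") && index($0, prof) {
            n = split($0, parts, ": "); total += parts[n] + 0; seen = 1
        }
        END { if (!seen) exit 2; print total + 0 }'
}

# Policy step kept separate so it can be tested: "disable" only at 0.
decide() {
    [ "$1" -eq 0 ] && echo disable || echo keep
}

main() {
    total=$(snmpwalk -Os -c public -v 2c localhost apmPaStatCurrentActiveSessions \
            | active_sessions "$PROFILE") || {
        echo "SNMP query failed or profile $PROFILE not found; leaving $VIRTUAL alone" >&2
        exit 1
    }
    case $(decide "$total") in
        disable) tmsh modify ltm virtual "$VIRTUAL" disabled ;;
        keep)    echo "Users are still connected ($total active)." ;;
    esac
}

# Only act when invoked as "disablevirt run" (cron); sourcing it loads the
# functions without touching the device.
[ "${1:-}" = run ] && main
```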