Forum Discussion
pullb0x
Nimbostratus
NimbostratusBackend Server respond with * LibreSSL SSL_read: Connection reset by peer, errno 54
Hi
I am new to F5 and LTM and apologize if this is the wrong forum or if I am not providing the appropriate information etc.
I have a custom mobile app I wrote where via custom headers I want to filter via Irule if the traffic is allowed to my backend server.
I configured a virtual server accepting HTTPS traffic on port 443. I added a SSL profile for my certificates (self signed) to the Client SSL Profile. I did specify the default serverssl profile for the Server SSL profile.
I created a pool with two nodes ( both pointing to the same server one via Ip the other via FQDN both for HTTPS)
I added the Pool to the virtual server and add my irule to the virtual server.
When I
- working: open in a browser the virtual server IP, I can see that the Irules are parsed (LTM log) and the irules exception is shown in the browser. Due to the nature of the irule it does not forward to the pool but I get the "missing values" response from the irule.
- working: I can curl the virtual server and receive the same results as above
- no working: If I point my mobile App to the virtual server I can see the irule being parsed "successfully" (below snipped is from the ltm log) but I receive then (after several seconds) "webpage not available ERR_CONNECTION_RESET"
Log
Oct 20 14:43:32 bigip1 info tmm1[16591]: Rule /Common/MobileBot <HTTP_REQUEST>: Valid request
Oct 20 14:43:32 bigip1 info tmm1[16591]: Rule /Common/MobileBot <HTTP_REQUEST>: Success going to pool now! - working: If I curl the endpoint directly I get the correct response from the server.
- working: If I open the endpoint in a browser I am served the correct website.
- not working: If I remove the Irules and point to the virtual server I see the same result as when I use my custom mobile App, after several seconds I get Connection reset by peer, LibreSSL SSL_read: Connection reset by peer.
- not working: Curl to the virtual server w/o irules receive the same error as above.
It is not a network/routing issue as I can curl the backend server successfully directly from the F5 terminal.
I have to assume that I have a F5 configuration issue and I would appreciate it if someone could point me in the appropriate direction.
I very much appreciate any help and apologize for the long post.
Thank YOU pullbox
SamirMVP
Try to capture the traffic via tcpdump and see if you can see any bloackage 3-Handshake.
if you have time just remove ServerSSL and add serverssl-insecure-compatible. if any issue with server SSL error. Give one try and share result.
pullb0xSamir,
thank you for the feedback.
serverssl-insecure-compatible did not change anything.
Still have to pull the tcpdump.
Amine_KadimiTry to log the reset cause (https://my.f5.com/manage/s/article/K13223) and see if F5 provides any cause for the reset packet.
Since the iRule logs goes up to the HTTP request, I suspect either a connection problem with the server or a pool member selection failure, the reset logs will tell you
- pullb0x
Thank you so much for the feedback.
After I enabled it, this is what I am seeing.
-------------------------------------------
TCP/IP Reset Cause
RST Cause: Count
-------------------------------------------
Flow expired (sweeper) 4
No flow found for ACK 1
No local listener 32027
No server selected 1
RST from BIG-IP internal Linux host 187450
TCP RST from remote system 3
TCP retransmit timeout 172
handshake timeout 4- Amine_Kadimi
These are only statistical counters, you need to look at /var/log/ltm or tcpdump to find the message related to the reset cause