Forum Discussion
F5 sends TCP RST after handshake
We have implemented client authentication on one of our services to a client. After that, the client is getting authenticated fine; however, a TCP RST has been sent to the client by F5 after the handshake.
We are on V 12.1.1. We have done a few captures of the connection request, but had no luck getting a valid reason for the reset.
1 1 0.2096 (0.2096) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.2096 (0.0000) S>C Handshake ServerHello Version 3.1 session_id[0]=
cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
compressionMethod NULL
1 3 0.2096 (0.0000) S>C Handshake
Certificate
1 4 0.2096 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
certificate_types unknown value
certificate_authority
1 5 0.2096 (0.0000) S>C Handshake
ServerHelloDone
1 6 0.2586 (0.0489) C>S Handshake
Certificate
ClientKeyExchange
CertificateVerify
Signature[256]=
1 7 0.2586 (0.0000) C>S ChangeCipherSpec
1 8 0.2586 (0.0000) C>S Handshake
1 9 0.2606 (0.0019) S>C ChangeCipherSpec
1 10 0.3293 (0.0687) S>C Handshake
1 11 0.3595 (0.0302) C>S application_data
1 0.3599 (0.0003) S>C TCP RST
6 Replies
- jaikumar_f5
Noctilucent
Can you show the pcap, referencing the above dump? Do you see any Fatal Error in the SSL section in pcap...
- Jibinpv
Nimbostratus
Hi Jai, The above inputs I have pasted are taken as .txt for the SSL stream. We did capture a .pcap, but that hadn't given any specific error statements other than a spurious retransmission. I'm attaching the pcap snapshot.
Any iRules in use? Access Policy?
Ran into a similar issue: everything was normal, client - server connect went fine, but still received a 404. Ended up being misplacement of a splash page iRule. It was placed ahead of the information gathering and resulted in an error.
- Jibinpv
Nimbostratus
Hi Nicolas - thanks for the response.
Yes - we did have the iRules in place for the pool selection.
The issue here was the SSL persistence on the VS. I have removed that and the issue is now fixed.
Now the SSL persistence is enabled via iRule as recommended by F5.
- james_lee_31100
Nimbostratus
Run tcpdump as suggested by F5 support. Also enable the RST flag. https://support.f5.com/csp/article/K13223
In Wireshark you could install the F5 plugin, and find out whether that was a load balancer pool member issue or other issues.
- Jibinpv
Nimbostratus
Many Thanks James.
We followed the TCP dumps, and after analyzing the output we were clearly able to see the connection request and the reset.
Well, the strange thing was that the reset happens as the connection was sent to the wrong backend server.
And this was happening due to SSL persistence being enabled on the VS. Also, as we are using iRules for pool selection, the SSL persistence record gets messed up.
We have the issue fixed by removing the SSL persistence from the VS and applying it via iRule.
Regards,
Jibin
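Added example, not part of the original thread and not F5 code: a small Python triage helper that reads ssldump-style text like the dump in the first post and reports where each TCP RST falls relative to the TLS exchange. The function name, the three phase labels and the rule "both ChangeCipherSpec records seen means the handshake completed" are assumptions of this example; a reset classified as post-handshake with no Alert record points away from TLS and toward load-balancing behaviour such as the persistence and pool-selection conflict found here.

```python
import re

# ssldump record header: conn [record#] time (delta) direction content-type
RECORD = re.compile(
    r"^(?P<conn>\d+)\s+(?:\d+\s+)?(?P<ts>\d+\.\d+)\s+\(\d+\.\d+\)\s+"
    r"(?P<dir>C>S|S>C)\s+(?P<kind>.+?)\s*$")

# Record headers abbreviated from the dump posted in this thread.
SAMPLE = """\
1 1 0.2096 (0.2096) C>S Handshake
1 2 0.2096 (0.0000) S>C Handshake ServerHello Version 3.1 session_id[0]=
1 6 0.2586 (0.0489) C>S Handshake
1 7 0.2586 (0.0000) C>S ChangeCipherSpec
1 8 0.2586 (0.0000) C>S Handshake
1 9 0.2606 (0.0019) S>C ChangeCipherSpec
1 10 0.3293 (0.0687) S>C Handshake
1 11 0.3595 (0.0302) C>S application_data
1 0.3599 (0.0003) S>C TCP RST
"""

def classify_resets(dump_text):
    """Return one finding per TCP RST, saying where in the TLS exchange it fell."""
    state, findings = {}, []
    for line in dump_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # decoded detail lines (cipher suites, certificate types, ...)
        conn = state.setdefault(m["conn"], {"ccs": set(), "alert": False, "app": 0})
        kind = m["kind"]
        if kind.startswith("ChangeCipherSpec"):
            conn["ccs"].add(m["dir"])
        elif kind.startswith("Alert"):
            conn["alert"] = True
        elif kind.startswith("application_data"):
            conn["app"] += 1
        elif kind.startswith("TCP RST"):
            if conn["alert"]:
                phase = "after-tls-alert"      # TLS itself reported an error
            elif conn["ccs"] != {"C>S", "S>C"}:
                phase = "during-handshake"     # handshake never completed
            else:
                phase = "post-handshake"       # TLS finished cleanly; check the LB layer
            findings.append({"conn": m["conn"], "time": float(m["ts"]),
                             "sender": m["dir"][0], "phase": phase,
                             "app_records": conn["app"]})
    return findings

if __name__ == "__main__":
    print(classify_resets(SAMPLE))
```

On the thread's dump this reports a server-side reset in the post-handshake phase after one application_data record.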