SSL Configuration Using IIS 6
Hello,
I need help protecting my website using an F5 BIG-IP i2600. My current situation is like this:
- I have 2 domains on 2 different servers.
- I purchased a multi-domain SSL certificate for these 2 domains.
- The SSL certificate (certificate, key and CA bundle) is installed on the web server (IIS 6) and also uploaded to the F5.
- Created SSL client and server profiles and attached them to a virtual server (listening on the HTTPS port) whose pool member also uses port 443.
- Created an HTTPS NAT to forward my public IP to the virtual server IP.
When I try to access my site using HTTPS, it gives me PR_CONNECT_RESET_ERROR (I use the Firefox browser). The other domain (Apache) doesn't have this issue; I can access it using HTTPS. I can also access the site using HTTPS if the connection does not go through the F5 and goes directly to the web server.
I checked all the settings and they are identical to the other domain that doesn't have the issue. Any suggestions? Maybe there are settings related to the IIS 6 web server?
- Simon_Blakely
Employee
You need to take a tcpdump on the BigIP to see where the reset is being generated from, and why.
tcpdump -n -v -s0 -i0.0:nnnp host <vip IP> and port 443
Also, try running a curl command to the VIP
curl -kv https://<vip fqdn>/ --resolve <vip fqdn>:443:<vip IP>
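The point of the tcpdump is to see which flow the first RST appears on and who built it. With the `:nnnp` interface suffix, BIG-IP annotates every packet with `in` (received by TMM) or `out` (sent by TMM) plus the listener (`lis=`), which is enough to answer that question mechanically. The script below is an added example, not code from the thread or from F5: it parses that annotated format and classifies each reset. The VIP address is the one from the thread; the SNAT/self IP (192.168.2.5) and pool member (192.168.2.30) in the sample capture are hypothetical, and the capture itself is constructed to show the failure pattern Simon is describing.

```python
"""Locate which side of the BIG-IP a TCP reset came from.

Added example, not code from the thread. It parses the annotated tcpdump
format shown in this discussion (the ':nnnp' interface suffix appends
"in|out slotX/tmmY lis=/Common/<virtual> ..." to every packet) and reports,
for each RST, whether it was seen on the clientside or serverside flow and
whether TMM generated it ("out") or a peer sent it ("in").
"""
import re

# TCP line that `tcpdump -v` prints under each IP header line.
PKT_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?\b(?P<direction>in|out) slot\d+/tmm\d+ lis=(?P<lis>\S*)"
)


def find_resets(capture, vip, pool_member):
    """Return one dict per RST packet, in capture order."""
    resets = []
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if not m or "R" not in m.group("flags"):
            continue
        src, dst = m.group("src"), m.group("dst")
        if vip in (src, dst):
            side = "clientside"
        elif pool_member in (src, dst):
            side = "serverside"
        else:
            side = "unknown"
        if m.group("direction") == "out":
            sender = "bigip"  # the packet left TMM, so the BIG-IP built it
        elif src == pool_member:
            sender = "pool member"
        elif side == "clientside":
            sender = "client"
        else:
            sender = "unknown"
        resets.append({"side": side, "sender": sender, "src": src,
                       "dst": dst, "lis": m.group("lis")})
    return resets


def first_reset(capture, vip, pool_member):
    """The earliest RST is the root cause; later ones are usually TMM
    tearing down the other half of the proxied connection."""
    resets = find_resets(capture, vip, pool_member)
    return resets[0] if resets else None


# Constructed sample, not a real capture. VIP 192.168.2.19 is from the thread;
# the SNAT/self IP 192.168.2.5 and the IIS 6 pool member 192.168.2.30 are
# hypothetical. The pool member resets the serverside connection right after
# the ClientHello, and TMM then resets the client, which Firefox reports as
# PR_CONNECT_RESET_ERROR.
SAMPLE_CAPTURE = """\
112.78.146.106.57576 > 192.168.2.19.https: Flags [P.], seq 1:518, ack 1, win 43690, length 517 in slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00
192.168.2.5.45012 > 192.168.2.30.https: Flags [S], seq 100, win 4380, length 0 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE10
192.168.2.30.https > 192.168.2.5.45012: Flags [S.], seq 1, ack 101, win 16384, length 0 in slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE10
192.168.2.5.45012 > 192.168.2.30.https: Flags [P.], seq 1:200, ack 1, win 4380, length 199 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE10
192.168.2.30.https > 192.168.2.5.45012: Flags [R.], seq 1, ack 200, win 0, length 0 in slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE10
192.168.2.19.https > 112.78.146.106.57576: Flags [R.], seq 148, ack 518, win 0, length 0 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00
"""

if __name__ == "__main__":
    for r in find_resets(SAMPLE_CAPTURE, "192.168.2.19", "192.168.2.30"):
        print(f"{r['side']:<10} RST from {r['sender']:<11} {r['src']} -> {r['dst']}  ({r['lis']})")
    print("root cause side:",
          first_reset(SAMPLE_CAPTURE, "192.168.2.19", "192.168.2.30")["side"])
```

Feed it the real capture (the TCP lines, not only the IP header lines) together with the VIP and pool member addresses. If the first RST is on the serverside flow, the clientside SSL profile is not the problem, whatever the browser says. On the BIG-IP itself, enabling the `tm.rstcause.log` database variable additionally writes the reason for every TMM-generated RST to /var/log/ltm, which usually names the failing stage outright.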
- Adr_Ant
Nimbostratus
Here are the results from the tcpdump and curl commands:
tcpdump -n -v -s0 -i0.0:nnnp host 192.168.2.19 and port 443
tcpdump: listening on 0.0:nnnp, link-type EN10MB (Ethernet), capture size 65535 bytes
10:39:38.645396 IP (tos 0x0, ttl 63, id 28006, offset 0, flags [DF], proto TCP (6), length 52)
112.78.146.106.57576 > 192.168.2.19.https: Flags [S], cksum 0xf033 (correct) , seq 3791145506, win 43690, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 in slot1/tmm0 lis= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal= 00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
10:39:38.645429 IP (tos 0x0, ttl 255, id 35770, offset 0, flags [DF], proto TCP (6), length 48)
192.168.2.19.https > 112.78.146.106.57576: Flags [S.], cksum 0xc596 (incorrect -> 0x705f), seq 3635828138, ack 3791145507, win 4380, options [mss 1460,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=100208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
10:39:38.645568 IP (tos 0x0, ttl 63, id 28007, offset 0, flags [DF], proto TCP (6), length 40)
112.78.146.106.57576 > 192.168.2.19.https: Flags [.], cksum 0x0294 (correct), ack 1, win 43690, length 0 in slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=100208004000024 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
10:39:38.645677 IP (tos 0x0, ttl 63, id 28008, offset 0, flags [DF], proto TCP (6), length 557)
112.78.146.106.57576 > 192.168.2.19.https: Flags [P.], cksum 0x612b (correct), seq 1:518, ack 1, win 43690, length 517 in slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=0 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
10:39:38.645712 IP (tos 0x0, ttl 255, id 35774, offset 0, flags [DF], proto TCP(6), length 40)
192.168.2.19.https > 112.78.146.106.57576: Flags [.], cksum 0xc58e (incorrect -> 0x9818), ack 518, win 4897, length 0 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
10:39:38.646475 IP (tos 0x0, ttl 255, id 35776, offset 0, flags [DF], proto TCP(6), length 142)
192.168.2.19.https > 112.78.146.106.57576: Flags [P.], cksum 0xc5f4 (incorrect -> 0x51d6), seq 1:103, ack 518, win 4897, length 102 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
10:39:38.646502 IP (tos 0x0, ttl 255, id 35778, offset 0, flags [DF], proto TCP (6), length 85)
192.168.2.19.https > 112.78.146.106.57576: Flags [P.], cksum 0xc5bb (incorrect -> 0xa48f), seq 103:148, ack 518, win 4897, length 45 out slot1/tmm0 lis=/Common/VS_PASUTRA flowtype=64 flowid=5600010DEE00 peerid=0 conflags=120208004000024 inslot=1 inport=1 haunit=1 priority=3 peerremote=00000000:00000000:00000000:00000000 peerlocal=00000000:00000000:00000000:00000000 remoteport=0 localport=0 proto=0 vlan=0
----------------------------------------------
curl -kv https://pasutra.net/ --resolve pasutra.net:443:192.168.2.19
* Added pasutra.net:443:192.168.2.19 to DNS cache
* Hostname pasutra.net was found in DNS cache
* Trying 192.168.2.19...
* Connected to pasutra.net (192.168.2.19) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: CN=santosjayaabadi.co.id
* start date: Feb 4 00:00:00 2020 GMT
* expire date: Feb 3 23:59:59 2021 GMT
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: pasutra.net
> User-Agent: curl/7.47.1
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
I've sort of run out of ideas beyond posting here and looking for some ideas on where to look.
- Simon_Blakely
Employee
So the client-side SSL profile is working.
You probably have an issue with the server-side SSL profile establishing a connection to the pool member.
Try using the serverssl-insecure-compatible server-ssl profile on the virtual (for the server-ssl profile)
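The curl output already shows why the serverside is the suspect: the clientside handshake completes (TLS 1.2, ECDHE-RSA-AES128-GCM-SHA256, certificate verified) and the connection only dies with errno 104 (ECONNRESET) once the request is proxied to the pool member. `serverssl-insecure-compatible` helps because it carries a broader cipher list and relaxed secure-renegotiation requirements compared with the default `serverssl` profile, which lets the BIG-IP complete a handshake with a Windows Server 2003 SChannel stack that offers TLS 1.0 with RSA key exchange only. Before switching, it is worth confirming directly what the backend negotiates. The script below is an added example, not from the thread or from F5: it walks TLS 1.0 to 1.3 against a pool member with `openssl s_client` and reduces each answer to protocol and cipher. The pool member address 192.168.2.30 is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Probes which TLS versions a pool member
# actually negotiates when spoken to directly, so you know what the BIG-IP's
# server-ssl profile has to offer it. Hypothetical target: the IIS 6 pool
# member at 192.168.2.30 (not given in the thread), SNI name pasutra.net.

# Reduce `openssl s_client` output to "<protocol> <cipher>", or "none" when
# no handshake completed (older OpenSSL prints "Cipher : 0000", newer "(NONE)").
parse_s_client() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END {
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)") print "none"
            else print proto, cipher
        }'
}

# probe_version <host> <port> <openssl version flag> <sni name>
# stdin is closed immediately so s_client exits after the handshake.
probe_version() {
    result=$(printf '' | openssl s_client -connect "$1:$2" -servername "$4" "$3" 2>/dev/null \
             | parse_s_client)
    printf '%-8s %s\n' "$3" "$result"
}

# Walk TLS 1.0 .. 1.3 against one backend; a line reading "none" means that
# version (or every cipher the client offered for it) was rejected.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        probe_version "$1" "$2" "$flag" "$3"
    done
}

# Usage: sh probe.sh 192.168.2.30 443 pasutra.net
if [ -n "${1:-}" ]; then
    probe_all "$1" "${2:-443}" "${3:-$1}"
fi
```

Run it from a host that can reach the pool member on the BIG-IP's internal side. Two caveats: a modern OpenSSL build may itself refuse `-tls1` at its default security level, so a "none" for TLS 1.0 can be the client declining rather than the server, and IIS 6 ignores SNI, so the `-servername` value does not affect which certificate it presents. Whatever the probe shows, `serverssl-insecure-compatible` only relaxes the BIG-IP-to-backend hop to match an obsolete server; it is a compatibility workaround, and the durable fix is moving the site off a TLS 1.0-only platform.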
- Adr_Ant
Nimbostratus
Ahh, you're right. I can access the web using HTTPS now. I think it is because IIS 6 still supports or uses low-strength ciphers. Thank you so much for your insight, really appreciate it.