Forum Discussion
SSL issue with LTM
Hi there,
I have a problem configuring a pool on our LTM using port 443. I'm new to Big-IP, but there's no one in the company that can help me with that issue, so I post here. Excuse me if that's not the right place for that kind of question.
The load balancer is Big-IP LTM 9.1.2.
What I've done:
I created a health monitor for the pool that has authentication set up with username and password. The health monitor works because I can see that the pool is available. The pool has only one member for now. I have the node up and running, also created the virtual server and assigned the new pool to it. The node has a servlet that listens at port 443.
When I try to open https://mysite.com/Servlet in the browser it just timed out.
When I write the address of the pool member, it works.
I tried to test the configuration running:
curl -v --user username https://mysite.com/Servlet
and I've got:
curl -v --user username https://mysitecom.com/Servlet
Enter host password for user 'myuser':
* About to connect() to mysite.com port 443 (0)
* Trying x.x.x.x... connected
* Connected to mysite.com (x.x.x.x) port 443 (0)
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to mysite.com:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to mysite.com:443
When I run the same curl command on the big-ip console I got the right answer from the servlet.
I suspect that it is some SSL protocol issue on the big-ip but I'm not sure where to look. This load balancer is a production device and I can't poke around without knowing what I'm doing.
Any ideas or hints?
Thank you.
11 Replies
- What_Lies_Bene1
Cirrostratus
Do you have an SSLClient or SSLServer profile assigned to the Virtual Server? Should the server be terminating the SSL or the F5? That's one old version of the software btw.
- Oleg_68955
Nimbostratus
Hi Steve,
I didn't assign an SSLClient or SSLServer profile to the Virtual Server. Not sure if and how I have to do anything with that. I don't know which one should terminate the SSL. Do you know how I can find that out?
Thank you for the hints!
- What_Lies_Bene1
Cirrostratus
Can I ask, is the hostname resolving correctly and if so, have you confirmed that the client has a route to the Virtual Server address/range?
Curl probably doesn't support SSL/TLS.
- Oleg_68955
Nimbostratus
No issues with IP addresses, routes or resolving hostnames.
What do you mean that curl doesn't support SSL/TLS?
I used curl to connect to another pool that exists on this LTM and it worked as expected, but not with this pool.
- What_Lies_Bene1
Cirrostratus
Was the other Pool using SSL? Anyway, it would seem your browser can't access the site or alternatively, the real servers don't have a route back to the client IP address (which MUST go via the F5). Can you check that please? It might also be useful if you could post the Virtual Server configuration in text form (tmsh list ltm...)
- Oleg_68955
Nimbostratus
I have some progress thanks to the hints from Steve. I assigned SSL Profile (Client) to the Virtual server, but I'm not sure if I have to do the same with SSL Profile (Client) (we have pools with both and only with the SSL Profile (Client) set up) and now I have these results from curl:
Enter host password for user 'username':
* About to connect() to mysite.com port 443 (0)
* Trying x.x.x.x... connected
* Connected to mysite.com (x.x.x.x) port 443 (0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* Server certificate:
* subject: C=US; ST=mystate; L=myplace; O=mycompany; CN=*.mysite.com
* start date: 2012-05-23 00:00:00 GMT
* expire date: 2014-05-23 23:59:59 GMT
* common name: *.mysite.com (matched)
* issuer: C=US; O=Thawte, Inc.; CN=Thawte SSL CA
* SSL certificate verify ok.
* Server auth using Basic with user 'username'
> GET /Servlet HTTP/1.1
> Authorization: Basic dGNsYXNzaWZpZXIxNTp0ZXN0Q2xhc3MzLjU=
> User-Agent: curl/7.21.4 (universal-apple-darwin11.0) libcurl/7.21.4 OpenSSL/0.9.8r zlib/1.2.5
> Host: mysite.com
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
- What_Lies_Bene1
Cirrostratus
That error code (54) is 'connection reset by peer' which backs up my theory that the server is routing traffic back to the client directly, not via the BIG-IP.
- Oleg_68955
Nimbostratus
It turns out that the issue is the value of SNAT Pool: It should be "Auto Map", not "None" as it was. This option is visible only when Advanced configuration is chosen, not Basic, and that's why I missed it. Problem solved.
Steve, thanks for the help!
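The fix Oleg describes, written out as the virtual server's configuration, with the broken setting beside the corrected one. This is an added example, not configuration posted in this thread: the object names and the 203.0.113.10 address are placeholders, and the syntax is tmsh (BIG-IP v11 and later), since LTM 9.x was configured with bigpipe.

```tmsh
# Before (Oleg's starting point): a client-ssl profile terminates TLS on the
# BIG-IP, but no SNAT. The pool member sees the real client IP and sends its
# reply out its own default gateway, bypassing the BIG-IP, so the client gets
# a TCP reset after the handshake (curl error 56, errno 54).
ltm virtual /Common/vs_servlet_443 {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    pool /Common/pool_servlet_443
    profiles {
        /Common/clientssl { context clientside }
        /Common/http { }
        /Common/tcp { }
    }
    source-address-translation {
        type none
    }
}

# After: SNAT automap rewrites the client source address to a BIG-IP self IP,
# so the server's reply is addressed to the BIG-IP and comes back through it.
# (Same object as above, shown again with only the SNAT and http profile changed.
# A production virtual would reference a custom client-ssl profile carrying the
# site certificate rather than the default /Common/clientssl.)
ltm virtual /Common/vs_servlet_443 {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    pool /Common/pool_servlet_443
    profiles {
        /Common/clientssl { context clientside }
        /Common/http_xff { }
        /Common/tcp { }
    }
    source-address-translation {
        type automap
    }
}

# Caveat: with automap the servlet no longer sees the client IP in the TCP
# source, so its access logs and any IP-based auth decisions would see the
# BIG-IP self IP. Carry the original address in X-Forwarded-For instead.
ltm profile http /Common/http_xff {
    defaults-from /Common/http
    insert-xforwarded-for enabled
}
```

The alternative to SNAT is to make the pool member's default route point at the BIG-IP, which keeps the real client IP visible to the server; either way the return path must traverse the BIG-IP that terminated the TLS session.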
- What_Lies_Bene1
Cirrostratus
You're welcome.
- dd007_132137
Nimbostratus
I am seeing the same error from curl as Oleg posted. I also have auto-map selected in my SNAT pool. Here's the error:
* About to connect() to dd-test.api.devabcdcentral.com port 443 (0)
* Trying 10.162.143.11...
* connected
* Connected to dd-test.api.devabcdcentral.com (10.162.143.11) port 443 (0)
* successfully set certificate verify locations:
* CAfile: ca.pem
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
* subject: C=US; ST=Missouri; L=Kansas CIty; O=abcd Corporation; CN=*.api.devabcdcentral.com
* start date: 2013-02-25 17:23:45 GMT
* expire date: 2015-02-26 00:57:04 GMT
* subjectAltName: dd-test.api.devabcdcentral.com matched
* issuer: C=US; O=Entrust, Inc.; OU=www.entrust.net/rpa is incorporated by reference; OU=(c) 2009 Entrust, Inc.; CN=Entrust Certification Authority - L1C
* SSL certificate verify ok.
> POST /collector/dropbox?datatype=test HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: dd-test.api.devabcdcentral.com
> Accept: */*
> Content-Length: 5746
> Expect: 100-continue
> Content-Type: multipart/form-data; boundary=----------------------------8e653031b25f
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
The command I am trying is:
curl https://dd-test.api.devabcdcentral.com/collector/dropbox?datatype=test -F myFile=@pom.xml -v --key key.pem --cacert ca.pem --cert client.pem:ddtest
Could someone please share some pointers on what could be wrong here? Just fyi, my iRule looks like this:
when HTTP_REQUEST {
    if {([string tolower [HTTP::host]] equals "collector.api.devabcdcentral.com")} {
        log local0. "I'm in your lost section logging your iRulez"
    }
}

when RULE_INIT {
    set static::tlsdebug 1
    set static::cert_cache_time 3600
    log local0. "********** I'm in new collector endpoints' iRule (0) ************ $static::cert_cache_time"
}

# When a client starts the handshake, fall back to ignore mode; this is for
# renegotiating an authenticated session.
when CLIENTSSL_CLIENTHELLO {
    set sn [session lookup ssl [SSL::sessionid]]
    log local0. "********** I'm in new collector endpoints' iRule (1) ************ $sn"
    if {not ([info exists reneg]) || $reneg == 0} {
        SSL::cert mode ignore
        log local0. "********** Ignoring cert mode ************"
    }
}

when CLIENTSSL_HANDSHAKE {
    if { [SSL::cert count] > 0 } {
        # Set the serial number for this request and stash it in session.
        set sn [string map {"" ""} [X509::serial_number [SSL::cert 0]]]
        session add ssl [SSL::sessionid] $sn $static::cert_cache_time
        # Release the collected transaction.
        HTTP::release
    }
    set reneg 0
}