Forum Discussion
SSL VIP accessible from browser but not from CLI
Hi
A VIP with an SSL profile works fine when client connects through a browser.
But connection is refused (TCP reset) when client connects from CLI to VIP.
A TCPdump of the CLI attempts shows the connection getting "h2.http/1.1".
All port access is 443 and firewall access is in place
TCP dump of initial SYN shows (VIP name is testvip.txt.com)
============================================================== ............y.<".=5....n.}.xL6 .V ._..T.?... ./.0.+.,.......... ...../.5... ...k3t...........testvip.txt.com.......... . .................
................................h2.http/1.1....
Does this rule out the VIP?
I read somewhere I needed to allow access between the Self IP and the NODES?
- uzair (Nimbostratus)
Is the reset coming from the TCP handshake or the SSL handshake? Please paste the tcpdump output here.
When you say CLI, is this the CLI of the F5 or another device? If the client is on the same subnet as the VIP’s pool members, then you will need to enable SNAT (e.g. SNAT automap).
——
- southern_shred1 (Nimbostratus)
1) Yes, the TCP reset is from the TCP handshake
2) The CLI is from the device trying to access the VIP
TCP DUMP, hope this helps
2 0.614331 10.253.140.57 10.252.85.5 TCP 81 43602 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1380 SACK_PERM=1 TSval=339278132 TSecr=0 WS=128 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
3 0.615097 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=1 Ack=1 Win=3737600 Len=0 TSval=339278132 TSecr=702242621 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
4 0.615239 10.253.140.57 10.252.85.5 TLSv1.2 289 Client Hello [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
5 0.637168 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=190 Ack=1369 Win=4027392 Len=0 TSval=339278155 TSecr=702242643 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
6 0.637265 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=190 Ack=2737 Win=4377600 Len=0 TSval=339278155 TSecr=702242643 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
7 0.637269 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=190 Ack=4105 Win=4727808 Len=0 TSval=339278155 TSecr=702242643 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
8 0.637694 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=190 Ack=5473 Win=5078016 Len=0 TSval=339278155 TSecr=702242644 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
9 0.637895 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=190 Ack=5879 Win=5428224 Len=0 TSval=339278155 TSecr=702242644 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
10 0.681912 10.253.140.57 10.252.85.5 TLSv1.2 226 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
11 0.683215 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=316 Ack=5885 Win=5428224 Len=0 TSval=339278201 TSecr=702242689 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
12 0.683313 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=316 Ack=5930 Win=5428224 Len=0 TSval=339278201 TSecr=702242690 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
13 0.683466 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=316 Ack=5986 Win=5428224 Len=0 TSval=339278201 TSecr=702242690 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
14 0.683618 10.253.140.57 10.252.85.5 TLSv1.2 193 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
15 0.683731 10.253.140.57 10.252.85.5 TLSv1.2 178 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
16 0.683854 10.253.140.57 10.252.85.5 TLSv1.2 138 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
17 0.684846 10.253.140.57 10.252.85.5 TCP 81 43604 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1380 SACK_PERM=1 TSval=339278202 TSecr=0 WS=128 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
18 0.685366 10.253.140.57 10.252.85.5 TCP 100 43604 → 443 [ACK] Seq=1 Ack=1 Win=3737600 Len=0 TSval=339278203 TSecr=702242692 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
19 0.685497 10.253.140.57 10.252.85.5 TLSv1.2 289 Client Hello [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
20 0.707325 10.253.140.57 10.252.85.5 TCP 100 43604 → 443 [ACK] Seq=190 Ack=1369 Win=4027392 Len=0 TSval=339278225 TSecr=702242713 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
22 0.707343 10.253.140.57 10.252.85.5 TCP 100 43604 → 443 [ACK] Seq=190 Ack=4105 Win=4727808 Len=0 TSval=339278225 TSecr=702242713 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
23 0.707920 10.253.140.57 10.252.85.5 TCP 100 43604 → 443 [ACK] Seq=190 Ack=5473 Win=5078016 Len=0 TSval=339278225 TSecr=702242714 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
24 0.707926 10.253.140.57 10.252.85.5 TCP 100 43604 → 443 [ACK] Seq=190 Ack=5879 Win=5428224 Len=0 TSval=339278225 TSecr=702242714 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
25 0.710537 10.253.140.57 10.252.85.5 TLSv1.2 226 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
26 0.712239 10.253.140.57 10.252.85.5 TCP 100 43604 → 443 [ACK] Seq=316 Ack=5986 Win=5428224 Len=0 TSval=339278230 TSecr=702242718 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
27 0.712401 10.253.140.57 10.252.85.5 TLSv1.2 193 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
28 0.712406 10.253.140.57 10.252.85.5 TLSv1.2 178 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
29 0.712526 10.253.140.57 10.252.85.5 TLSv1.2 138 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
30 0.713693 10.253.140.57 10.252.85.5 TCP 81 43606 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1380 SACK_PERM=1 TSval=339278231 TSecr=0 WS=128 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
31 0.714210 10.253.140.57 10.252.85.5 TCP 100 43606 → 443 [ACK] Seq=1 Ack=1 Win=3737600 Len=0 TSval=339278232 TSecr=702242720 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
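An added example, not part of the thread: a small Python triage script over Wireshark packet-list lines in the format pasted above. For each client port it reports the furthest stage the connection reached (SYN, TCP handshake complete, Client Hello, keys sent, application data) and whether a RST appeared, which is exactly the "TCP handshake or SSL handshake?" distinction asked about earlier. VIP_PORT = 443 is assumed from the thread; the sample lines are constructed in the thread's format (the reset stream is invented, the capture above shows no reset).

```python
import re
# Wireshark packet-list columns as pasted above: No. Time Source Destination Protocol Length Info
LINE_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
PORT_RE = re.compile(r"(\d+) (?:→|->) (\d+)")
VIP_PORT = 443  # the VIP port in the thread (assumption)
# Milestones from earliest to latest; a stream's stage is the furthest one seen.
MILESTONES = [("[SYN]", "syn"),
              ("Seq=1 Ack=1 ", "tcp_established"),  # client's ACK of the SYN/ACK
              ("Client Hello", "client_hello"),
              ("Change Cipher Spec", "tls_keys_sent"),
              ("Application Data", "application_data")]

def stream_report(text):
    """Per client port: furthest stage reached and whether a RST was seen."""
    # TLS rows show no ports in the summary view, so they are credited to the most recent client port.
    streams, current = {}, None
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        info = m.group(7)
        ports = PORT_RE.search(info)
        if ports:
            src_port, dst_port = map(int, ports.groups())
            current = dst_port if src_port == VIP_PORT else src_port
            streams.setdefault(current, {"rank": -1, "rst": False})
        if current is None:
            continue
        st = streams[current]
        if "RST" in info:
            st["rst"] = True  # the stage reached tells which phase the reset interrupted
            continue
        for rank, (needle, _) in enumerate(MILESTONES):
            if needle in info:
                st["rank"] = max(st["rank"], rank)
    return {p: {"stage": MILESTONES[s["rank"]][1] if s["rank"] >= 0 else None, "rst": s["rst"]}
            for p, s in streams.items()}
# Constructed sample in the thread's format: stream 43602 follows frames 2-14 above (FCS
# warnings dropped); stream 43608 is constructed to show a reset right after the SYN.
SAMPLE = """
2 0.614331 10.253.140.57 10.252.85.5 TCP 81 43602 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1380
3 0.615097 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=1 Ack=1 Win=3737600 Len=0
4 0.615239 10.253.140.57 10.252.85.5 TLSv1.2 289 Client Hello
10 0.681912 10.253.140.57 10.252.85.5 TLSv1.2 226 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
14 0.683618 10.253.140.57 10.252.85.5 TLSv1.2 193 Application Data
40 0.900000 10.253.140.57 10.252.85.5 TCP 74 43608 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1380
41 0.900500 10.252.85.5 10.253.140.57 TCP 54 443 → 43608 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
"""
if __name__ == "__main__":
    print(stream_report(SAMPLE))
```

A stream that ends in "syn" with a reset points at the TCP handshake (routing, SNAT or firewall), while one that reaches "client_hello" before the reset points at the TLS layer.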
Try enabling SNAT automap on the VIP as a quick test. If it works you can choose to leave the SNAT automap there or replace it with a SNAT Pool or an intelligent selective SNAT iRule so that it only SNATs the traffic if the client source IP resides in the same subnet as the pool members.
- southern_shred1 (Nimbostratus)
OK, thanks. It worked after we configured the VIP as passthrough, which is what the application required. Thanks for the help.