For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ReynaldoQ_14206's avatar
ReynaldoQ_14206
Icon for Nimbostratus rankNimbostratus
May 24, 2017

This site can' be reached error

Hello ,

 

I just setup a virtual server with an http to https redirection on a BIGIP ver 11.6.0 but when trying to connect via browser I get "This site can't be reached " error. From the log I see messages like this with http header value changing;

 

HTTP header (34020) exceeded maximum allowed size of 32768 (Client side: vip=/Common/vs_vantage-php7- beta_80 profile=http addr=XX.XX.XX.43 port=80 rtdom_id=0 client_ip=184.75.14.18

 

Also I ran the following and it seems getting connected:

 

-sh-4.1$ openssl s_client -showcerts -connect vantage-php7-beta.interactivedata.com:443 CONNECTED(00000003) depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA verify return:1 depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G2 verify return:1 depth=0 C = US, ST = Massachusetts, L = Bedford, O = Interactive Data Corporation, CN = *.interactivedata.com

 

verify return:1

Certificate chain 0 s:/C=US/ST=Massachusetts/L=Bedford/O=Interactive Data Corporation/CN=*.interactivedata.com i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2 -----BEGIN CERTIFICATE----- MIIFZzCCBE+gAwIBAgIMFHeoWRQykn/db9CkMA0GCSqGSIb3DQEBCwUAMGYxCzAJ BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYDVQQDEzNH bG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0g RzIwHhcNMTYwOTIxMjMyNjAyWhcNMTgwOTIyMjMyNjAyWjB+MQswCQYDVQQGEwJV UzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czEQMA4GA1UEBxMHQmVkZm9yZDElMCMG A1UEChMcSW50ZXJhY3RpdmUgRGF0YSBDb3Jwb3JhdGlvbjEeMBwGA1UEAwwVKi5p bnRlcmFjdGl2ZWRhdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC

 

-----END CERTIFICATE----- 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2 i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA -----BEGIN CERTIFICATE----- MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv

 

-----END CERTIFICATE-----

Server certificate subject=/C=US/ST=Massachusetts/L=Bedford/O=Interactive Data Corporation/CN=*.interactivedata.com

 

issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2

No client certificate CA names sent

 

Server Temp Key: DH, 1024 bits SSL handshake has read 3216 bytes and written 437 bytes

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : DHE-RSA-AES256-GCM-SHA384 Session-ID: 79057A6B150CDC27482C6FD0E799BBE4A826B3113334F9303B41B21773FB4CD0 Session-ID-ctx: Master-Key: 4C8D65F01D14425F0160ACEB80B49D9767900B26A0214789D3324E2D3E440164437820B9351AE27FF568D7C4D9F63716 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1495570845 Timeout : 300 (sec)

 

Verify return code: 0 (ok)

read:errno=104 -sh-4.1$

 

Do you know what setup in LTM I should start looking?

 

Thanks for the help. Rey

 

application delivery
LTM

1 Reply

  • Jad_Tabbara__J1's avatar
    Jad_Tabbara__J1
    Icon for Cirrostratus rankCirrostratus
    May 24, 2017

    Hi Reynaldo,

     

    Check the following parameter in the HTTP Profile :

     

    Maximum header size : This setting specifies the maximum size in bytes that the BIG-IP system allows for all HTTP request headers combined, including the request line. If the combined headers length in bytes in a client request exceeds this value, the system stops parsing the headers and resets the TCP connection. The default value is 32,768 bytes.

     

    Regards