
Youssef_Ghorbal
Feb 06, 2016

Trouble with big-ip Linux standalone VPN client

Hello,

I can't make the Linux standalone VPN client work properly. Everything works well when the -x option is used (no certificate check), but when the server certificate check is enforced I get this message:

[root@localhost .F5Networks] f5fpc --info
Connection Status: logon failed
Server certificate verification failed.

Digging into the .F5Networks/standalone.log file does not seem to show anything of interest:

 ==========================================================================
2016-02-06,13:15:00:000, 1948,1949,standalone, 0,,,,  
2016-02-06,13:15:00:000, 1948,1949,standalone, 0,,,,  =====================================
2016-02-06,13:15:00:000, 1948,1949,standalone, 0,,,,  ===     THIS IS DEBUG VERSION     ===
2016-02-06,13:15:00:000, 1948,1949,standalone, 0,,,,  ===           ANSI BUILD          ===
2016-02-06,13:15:00:000, 1948,1949,standalone, 0,,,, Set loglevel to LOG_DEBUG_LEVEL for debug mode
2016-02-06,13:15:00:000, 1948,1949,standalone, 48,,,, log level has been changed to 80
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 145, StandaloneMain[client], Initialize Standalone Client...
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 155, StandaloneMain[client], Starting Standalone Client started.
2016-02-06,13:15:00:000, 1948,1949,standalone, 0, , 1049,, LinuxEventHandler::verify_context_chain() - X509_verify_cert(): error=0, string=ok
2016-02-06,13:15:00:000, 1948,1949,standalone, 2, , 227, USSLChannel::Write, SSL_write failed (result: -1, error: 1)
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 38, UHTTP::makeRequest(), EXCEPTION - send request error
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 115, , EXCEPTION caught
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 99, doGetRequestWithoutRedirect(), EXCEPTION - Channel error, 39
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 1228, , EXCEPTION caught
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 554, DoPrelogon, Failed to obtain logon token: prelogon is not enabled or Firepass server has version below 5.5
2016-02-06,13:15:00:000, 1948,1949,standalone, 0, , 1049,, LinuxEventHandler::verify_context_chain() - X509_verify_cert(): error=0, string=ok
2016-02-06,13:15:00:000, 1948,1949,standalone, 2, , 227, USSLChannel::Write, SSL_write failed (result: -1, error: 1)
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 38, UHTTP::makeRequest(), EXCEPTION - send request error
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 115, , EXCEPTION caught
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 99, doGetRequestWithoutRedirect(), EXCEPTION - Channel error, 39
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 605, , EXCEPTION caught
2016-02-06,13:15:00:000, 1948,1949,standalone, 0, , 1049,, LinuxEventHandler::verify_context_chain() - X509_verify_cert(): error=0, string=ok
2016-02-06,13:15:00:000, 1948,1949,standalone, 2, , 227, USSLChannel::Write, SSL_write failed (result: -1, error: 1)
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 38, UHTTP::makeRequest(), EXCEPTION - send request error
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 115, , EXCEPTION caught
2016-02-06,13:15:00:000, 1948,1949,standalone, 1,,,, EXCEPTION - DoFirepassLogin2() - channel error 39
2016-02-06,13:15:00:000, 1948,1949,standalone, 1, , 964, , EXCEPTION caught
2016-02-06,13:15:00:000, 1948,1949,standalone, 0, , 978,, Logon failed

tcpdump, on the other hand, shows a TLS Alert message:

"TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)"

which seems explicit: a CA validation issue.

I tried to create a custom CA store (containing only the root CA corresponding to my certificate) and to point the client at the store with the -a or -d options, but the same error is raised.

I also set default_log_level to 63 in f5networks.conf, with no luck either. I also tried to strace the processes involved, but all I can see is a "stat/open" call to the CA store and nothing else.

The client OS is CentOS 6.7 x86_64 (the default store is in /etc/pki/tls/certs, and they even provide a symlink from /etc/ssl/certs).

I'm sure that the client is somehow missing the CA bundle (or ignoring it because of some format issue), but I have no clue how to push the investigation further. What more can I do to investigate the client's behaviour?

Any help is appreciated.

Youssef
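The check a practitioner would run before blaming the client is to reproduce the verification the client has to perform with plain openssl. The script below is an added example, not code from the post or from F5: it builds a throwaway root -> intermediate -> server chain and verifies the server certificate against several CA bundles, showing which combinations end in the "unknown CA / unable to get local issuer certificate" outcome that the TLS alert in the capture reports. All names in it (demo-root, demo-intermediate, unrelated-root, vpn.example.test) are made up for the demo, and it assumes an openssl 1.1.1 or newer binary on the PATH.

```shell
#!/bin/sh
# Added example, not code from the post or from F5. Reproduces offline what
# "Server certificate verification failed" / the TLS "Unknown CA" alert mean:
# a constructed root -> intermediate -> server chain is verified against
# several CA bundles, the way the VPN client has to verify the BIG-IP's chain.
# Every name here (demo-root, demo-intermediate, unrelated-root,
# vpn.example.test) is invented for the demo.
set -e

DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT

# issue_cert PREFIX CN EXTFILE [ISSUER_PREFIX]
# Generates a key + CSR for PREFIX and signs it with ISSUER_PREFIX's key, or
# self-signs it when no issuer is given (a root CA). Extensions come only from
# EXTFILE, so the result does not depend on the openssl.cnf defaults.
issue_cert() {
  prefix="$1"; cn="$2"; extfile="$3"; issuer="$4"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$prefix.key" -out "$prefix.csr" 2>/dev/null
  if [ -n "$issuer" ]; then
    openssl x509 -req -in "$prefix.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 2 -sha256 -extfile "$extfile" -out "$prefix.pem" 2>/dev/null
  else
    openssl x509 -req -in "$prefix.csr" -signkey "$prefix.key" \
      -days 2 -sha256 -extfile "$extfile" -out "$prefix.pem" 2>/dev/null
  fi
}

# verify_chain BUNDLE LEAF [UNTRUSTED]
# Succeeds only if LEAF chains up to a root contained in BUNDLE. UNTRUSTED
# plays the role of the intermediate certificate(s) the server sends in the
# handshake. -no-CAfile/-no-CApath keep the system store out of the picture,
# so the outcome depends on BUNDLE alone.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# --- constructed PKI (demo data, not a real deployment) ----------------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$DEMO/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.test\n' > "$DEMO/leaf.ext"

issue_cert "$DEMO/root"       demo-root         "$DEMO/ca.ext"
issue_cert "$DEMO/other-root" unrelated-root    "$DEMO/ca.ext"
issue_cert "$DEMO/int"        demo-intermediate "$DEMO/ca.ext"   "$DEMO/root"
issue_cert "$DEMO/server"     vpn.example.test  "$DEMO/leaf.ext" "$DEMO/int"
cat "$DEMO/root.pem" "$DEMO/int.pem" > "$DEMO/bundle.pem"   # root + intermediate in one store

# report LABEL BUNDLE LEAF [UNTRUSTED]: print the verdict for one scenario.
report() {
  label="$1"; shift
  if verify_chain "$@"; then
    printf '%-54s OK\n' "$label"
  else
    printf '%-54s FAILED (unknown CA / incomplete chain)\n' "$label"
  fi
}

report "root-only bundle, server sends no intermediate"    "$DEMO/root.pem"       "$DEMO/server.pem"
report "root-only bundle, server sends the intermediate"   "$DEMO/root.pem"       "$DEMO/server.pem" "$DEMO/int.pem"
report "bundle with an unrelated root, intermediate sent"  "$DEMO/other-root.pem" "$DEMO/server.pem" "$DEMO/int.pem"
report "bundle = root + intermediate, nothing sent"        "$DEMO/bundle.pem"     "$DEMO/server.pem"
```

The first and third scenarios are the ones that produce a client-side "Unknown CA" alert in a real handshake: the store has no issuer for the last certificate it can see. Against a live BIG-IP the equivalent check is `openssl s_client -connect HOST:443 -servername HOST -showcerts -CAfile /path/to/bundle.pem </dev/null`; the "Certificate chain" listing shows whether the server actually sends its intermediate, and "Verify return code" gives the same verdict the script prints. In the capture, a fatal alert with description 48 (unknown_ca) travelling from the client to the server right after the server's Certificate message confirms that it is the client that rejected the chain. This only rules the bundle in or out; it says nothing about whether the client reads the bundle at all.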

1 Reply

  • I opened a Service Request with F5 support, which identifies this behaviour as a known bug: BugID 559138. This bug is confirmed for CentOS and Ubuntu (at least).

    An Engineering Hotfix will be shipped to me for the 11.5.4 track, and the HF will be integrated into the 11.5 Cumulative HF.