Forum Discussion

sistemaspcs_851's avatar
sistemaspcs_851
Icon for Nimbostratus rankNimbostratus
May 19, 2016

virtual command not working

Hello, I hope you could help me (I'm sorry if my question is too simple, i am a begginer in F5 world): I am trying to make it work the solution offered by Colin in this topic: ftps-offload-via...
application delivery
devops
iRules
LTM
sistemaspcs_851's avatar
sistemaspcs_851
Icon for Nimbostratus rankNimbostratus
May 26, 2016

After changing my config to a Standard virtual server for the second one, and even modifying my wildcard from digicert to the default self-signed certificate like you, given that it could seem like a certificate error, now the config is almost the same than yours:

ltm virtual VS-PRE-FTPS_1 {
    destination 10.10.0.235:ftp
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        source_addr_FTPS {
            default yes
        }
    }
    profiles {
        clientssl {
            context clientside
        }
        ftp { }
        tcp { }
    }
    rules {
        irule_FTPS_1
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 44
}
ltm virtual VS-PRE-FTPS_2 {
    destination any:any
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        source_addr_FTPS {
            default yes
        }
    }
    pool pool-preweb-ftp2
    profiles {
        tcp { }
    }
    rules {
        irule_FTPS_2
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address disabled
    translate-port disabled
    vlans-enabled
    vs-index 43
}

But I still have the same error. If run the same curl command that you ran i get the following:

curl -vk --ftp-ssl ftp://10.10.0.235
* About to connect() to 10.10.0.235 port 21
*   Trying 10.10.0.235... connected
* Connected to 10.10.0.235 (10.10.0.235) port 21
< 220 My ftp server
> AUTH SSL
< 234 AUTH TLS Successful
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
SSLv3, TLS handshake, Server hello (2):
SSLv3, TLS handshake, CERT (11):
SSLv3, TLS handshake, Server finished (14):
SSLv3, TLS handshake, Client key exchange (16):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSLv3, TLS change cipher, Client hello (1):
SSLv3, TLS handshake, Finished (20):
SSL connection using AES256-SHA
* Server certificate:
*        subject: /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
*        start date: 2010-10-15 17:07:28 GMT
*        expire date: 2020-10-12 17:07:28 GMT
*        common name: localhost.localdomain (does not match '10.10.0.235')
*        issuer: /C=US/ST=WA/L=Seattle/O=MyCompany/OU=IT/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* SSL_write() returned SYSCALL, errno = 104

* Closing connection 0
curl: (55) SSL_write() returned SYSCALL, errno = 104

And the log indicates that the second iRule is still not being run:

 tail -f /var/log/ltm
May 26 11:05:04 Balanceador1 info tmm1[9724]: Rule /Common/irule_FTPS_1 : client accepted
May 26 11:05:04 Balanceador1 info tmm1[9724]: Rule /Common/irule_FTPS_1 : client data
May 26 11:05:04 Balanceador1 info tmm1[9724]: Rule /Common/irule_FTPS_1 : virtual VS-PRE-FTPS_2
May 26 11:05:04 Balanceador1 info tmm1[9724]: Rule /Common/irule_FTPS_1 : TCP Release Completed

I am confused about if the SSL handshake error is because of the fail calling second VS from the first one, or conversely is the SSL handshake error what is causing the second iRule never be reached

  • IanB's avatar
    IanB
    Icon for Employee rankEmployee
    May 26, 2016
    The line "SSL_write() returned SYSCALL, errno = 104" indicates that curl was sent a TCP reset (errno 104), so you should be seeing a corresponding reset in the ltm log, as long as reset cause logging is enabled.