Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

HTTPS health monitor issue

sathish_2826
Nimbostratus
Nimbostratus

‎28-Apr-2020 01:30

Hi All,

I am trying to validate the VIP, which is failing in the browser stating that "connection reset",

 

The server that is mapped to the pool is green via the health check, i can use curl -vk https://<serverip>/state.txt --> it gives the right response,

 

If i do the same with the vip, i get the following error, curl -vk https://<VIPip>/state.txt --> Below error

 

> GET /state.txt HTTP/1.1

> Host: xxxxxxxxxxxxxxx

> User-Agent: curl/7.47.1

> Accept: */*

 

 

* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

* Closing connection 0

curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

 

 

The server is local to the F5, directly connected,

 

Please let me know if there are any thoughts on this problem.

 

Labels:
0 Kudos
11 REPLIES 11

Lidev
MVP
MVP

‎28-Apr-2020 02:08

Hello sathish,

I've already met this type of SSL errorno 104 when I was using an iRule containing errors with processing on the HTTP responses part.

Regards

0 Kudos

sathish_2826
Nimbostratus
Nimbostratus

‎28-Apr-2020 02:31

Hi Lidev,

 

The Irule used on the vip is a standard rule which is used in 1000's of other vip's with no issues,

 

Do you see any other problem?

0 Kudos

Lidev
MVP
MVP

‎28-Apr-2020 02:36

It's hard to say without more details about the virtual server and monitoring configuration.

I'll still test without the iRule to see if you can reproduce the issue 😉

0 Kudos

sathish_2826
Nimbostratus
Nimbostratus
In response to Lidev

‎28-Apr-2020 03:02

Removing Irule didn't help, anyway, thanks for looking into this 🙂

0 Kudos

Samir
Nacreous
Nacreous

‎28-Apr-2020 02:42

Hope you have applied default "serverssl" profile to VIP and automap.. Apply and capture the packet. Hope it will work

0 Kudos

sathish_2826
Nimbostratus
Nimbostratus

‎28-Apr-2020 02:59

Hi Samir,

Serverssl is applied, SNAT is not required as server is local to the F5, thank you.

0 Kudos

Samir
Nacreous
Nacreous
In response to sathish_2826

‎28-Apr-2020 03:38

Is it working?

0 Kudos

Rodrigo_Albuque
MVP
MVP

‎28-Apr-2020 08:36

Are you able to ping the VIP?

0 Kudos

sathish_2826
Nimbostratus
Nimbostratus

‎28-Apr-2020 09:00

Yes, i do

0 Kudos

Rodrigo_Albuque
MVP
MVP

‎28-Apr-2020 09:07

Is this a production environment with real certificate/key attached to client SSL profile or you're just testing it with default Client SSL profile? Do you have a client SSL Profile attached to the VIP? If so, disable "Generic Alert" option and you can follow the steps in this article to decrypt TLS traffic: https://devcentral.f5.com/s/articles/Decrypting-TLS-traffic-on-BIG-IP

0 Kudos

Renato_Abreu
Altostratus
Altostratus

‎10-Jul-2020 13:13

Any findings? Having the same issue.

0 Kudos
Copyright © 2022 Khoros, LLC