Forum Discussion
Alexey_384
Feb 28, 2014Historic F5 Account
The log shows that you can't pass an access policy. There are a lot of possible misconfigurations, but the common one is an untrusted server certificate. Have you added the CA cert to a cert store? If not, you should set it or use an option to ignore the server certificate.
- praveen_145890
Feb 28, 2014
Nimbostratus

Hi Alexey, thanks for the reply. I did add the CA and intermediate certificates to the store. Before adding them I was getting an error saying:

X509_verify_cert unable to get issuer certificate verify_server_cert_cb return with ret=0

After adding the CA and intermediate certs in the chain, the value is set to 1:

verify_server_cert_cb return with ret=1

I don't know what it means, but was assuming that the certificate checks are valid. I did try the client f5fpc with -x (to ignore certificate checks), and still ran into the same issue of:

USocketBlocking::send(), EXCEPTION - Failed to send data, xx.xxx.xxx.xx, Bad file descriptor

One of the interesting things is that the F5 standalone VPN client resolves the host name to an IP address, and the SSL certs are not tied to that IP address. The SSL certs have the wildcarded hostname in them. Would appreciate any other ideas.

Thanks,
Praveen
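The point raised above about the client resolving the hostname to an IP while the certificate carries a wildcard name is exactly what RFC 6125 hostname matching decides. The following is an added example, not code from the thread or from F5: it implements the matching rules a TLS client applies (DNS SAN entries compared against the name the user typed, a wildcard covering only the leftmost label, an IP literal matching only an iPAddress SAN entry). The certificate dictionaries are constructed samples in the layout Python's `ssl.SSLSocket.getpeercert()` returns; the names `match_hostname` and `WILDCARD_CERT` are this example's own.

```python
"""RFC 6125 style hostname matching for a server certificate (added example).

The cert dicts mirror the structure returned by ssl.SSLSocket.getpeercert():
'subjectAltName' is a tuple of (kind, value) pairs with kind 'DNS' or 'IP Address'.
"""
import ipaddress

# Constructed sample: a wildcard certificate like the one described in the thread.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


def _dns_name_match(pattern, hostname):
    """Match one DNS SAN/CN pattern against a hostname, honouring wildcard rules."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, and there must be at least
    # two further labels (so '*.com' is rejected as too broad).
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # A wildcard covers exactly one label: 'a.b.example.com' does not match '*.example.com'.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def match_hostname(cert, name):
    """Return True if `cert` is valid for `name` (a DNS name or an IP literal)."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if ip is not None:
        # An IP literal only matches an iPAddress SAN entry; DNS wildcards never cover it.
        return any(
            kind == "IP Address" and ipaddress.ip_address(val) == ip
            for kind, val in sans
        )
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if not dns_names:
        # Legacy fallback: consult the subject CN only when there are no DNS SAN entries.
        dns_names = [
            val for rdn in cert.get("subject", ()) for key, val in rdn if key == "commonName"
        ]
    return any(_dns_name_match(pattern, name) for pattern in dns_names)


if __name__ == "__main__":
    # The name the user typed matches the wildcard; the resolved IP never does.
    for candidate in ("vpn.example.com", "example.com", "a.b.example.com", "203.0.113.10"):
        print(f"{candidate:20} -> {match_hostname(WILDCARD_CERT, candidate)}")
```

The takeaway for the thread: a client that validates against the hostname it was given (as f5fpc should) is satisfied by `*.example.com` for `vpn.example.com`; only a client that validated against the resolved address would fail, because an IP literal requires an iPAddress SAN.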
- Alexey_384
Feb 28, 2014
Historic F5 Account

I would do the following:

Check BIG-IP logs to determine at what exact step the connection is closed. Using tcpdump, determine who closes the connection, BIG-IP or the client.

If the client: I'd check all options again. The only issue with establishing a connection I faced is an untrusted certificate.

If the server: is the connection closed during access policy execution or during network access establishment? It shouldn't be NA, because the browser works. Is the access policy configured with client-side checkers? As I remember, the Linux CLI doesn't support them. Also, login can be allowed for browsers only. And logon page customisation may also break authentication. BIG-IP can drop the connection before access policy execution in case of a wrong (absent) client certificate (depends on the client SSL profile).