cancel
Showing results for 
Search instead for 
Did you mean: 

linux F5 standalone vpn client issue

praveen_145890
Nimbostratus
Nimbostratus

Hi All,

 

I am able to connect to my remote VPN server through the browser. svpn logs show all the right information during connectivity.

 

However when I run the stand alone client f5fpc with all the right options I am getting an error. This is happening on a linux 64-bit system. Here is a sample of the logs

 

2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 911,, LinuxEventHandler::loadCAStore()- Using default Trusted cert store at=/etc/ssl/certs, for CA cert validation 2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 612,, verify_server_cert_cb return with ret=1 2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 612,, verify_server_cert_cb return with ret=1 2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 612,, verify_server_cert_cb return with ret=1 2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 612,, verify_server_cert_cb return with ret=1 2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 248, USocketBlocking::send(), EXCEPTION - Failed to send data, xx.xxx.xxx.xx, Bad file descriptor 2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 257, , EXCEPTION caught 2014-02-28, 9:22:55:000, 32748,32749,standalone, 1,,,, EXCEPTION - DoFirepassLogin2() - logon failed 2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 926, , EXCEPTION caught 2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 932,, Logon failed 2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 248, USocketBlocking::send(), EXCEPTION - Failed to send data, xx.xxx.xxx.xx, Bad file descriptor 2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 257, , EXCEPTION caught 2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 727, CSessionHandler::session_thread_loop(), DoFirepassLogin() = -2002, Session status: 7.

 

I can ping the remote vpn server (xx.xxx.xxx.xx) from my system. I was wondering if anyone has any ideas on why the client gets a bad file descriptor during connectivity and if there are any pointers in this regard.

 

Thanks Praveen

 

4 REPLIES 4

Alexey_384
Historic F5 Account

Log shows that you can't pass an access policy. There are a lot of possible misconfigurations, but the common one is an untrusted server certificate. Have you add the CA cert in a cert store? If not you should set it or use an option to ignore the server certificate.

 

Hi Alexey, Thanks for the reply. I did add the CA and intermediate certificate's to the store. Prior to not adding them I was getting an error saying X509_verify_cert unable to get issuer certificate verify_server_cert_cb return with ret=0 After adding the CA and intermediate certs in the chain, the value of is set to 1. verify_server_cert_cb return with ret=1 I don't know what it means, but was assuming that the certificate checks are valid. I did try the client f5fpc with -x (to ignore certificate checks), and still was running into the same issue of USocketBlocking::send(), EXCEPTION - Failed to send data, xx.xxx.xxx.xx, Bad file descriptor One of the interesting things is that F5 standalone vpn client resolves the host name to an ip address and the SSL certs are not tied to that ip address. The SSL certs have the wildcarded hostname in them. Would appreciate if there are any other ideas. Thanks Praveen

I would do following: Check BIG-IP logs to determine on what exact step connection is closed. Using tcpdump determine who closes connection big-ip or client. If client.. I'd check all options again. The only issue with establishing connection I faced is an untrusted certificate. If server then: is connection closed during access policy execution or network access establishing? Shouldn't be NA, because browser works. Is access policy configured with the client side checkers? As I remember Linux CLI doesn't support them. Also, login can be allowed for the browsers only. And logon page customisation also may break authentication. BIG-IP can drop connection before access policy execution in case of wrong (absent) client's certificate (depends on client's ssl profile).

kalyan_01_16086
Nimbostratus
Nimbostratus

Praveen,Were you able to resolve this issue. I am running into the same issue. I am too using the -x option. But it does not help. I still keep seeing the USocketBlocking and "Bad file descriptor" error in the standalone.log file. Your input is appreciated.

 

Thanks, Kalyan