connection reset
3 Topics

SSL Handshake failed between F5 and backend server
Hi Team,

We have an issue accessing the URL test-dev-01.example.com via the F5 VIP, but direct access to the server one-test-dev.trading.net is working fine.

Error: "connection reset"

Please find the VIP configuration details below. Please advise if anyone has faced similar issues or knows a possible root cause. Thank you.

VIP: 10.128.10.5
URL: test-dev-01.example.com
Port: 443

The VIP has an HTTP profile, a Client SSL profile, a Server SSL profile, no default pool (redirection to the pool via policy) and no persistence profiles.

Policy/iRule:
HTTP Host host is 'test-dev-01.example.com' at request time.
1. Replace HTTP Host with value 'one-test-dev.trading.net' at request time.
2. Forward traffic to pool '/Common/P_one-test-dev.trading.net' at request time.

SSL handshake error message (100.19.10.10 is the backend server, 10.10.10.250 is the SNAT IP):

    Oct 26 11:20:53 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:11158
    Oct 26 11:20:53 bigip-test-f5.com warning tmm3[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1955
    Oct 26 11:21:23 bigip-test-f5.com warning tmm6[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:18610
    Oct 26 11:22:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:58704
    Oct 26 11:22:50 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1303
    Oct 26 11:27:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:5403
    Oct 26 11:29:08 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:23029
    Oct 26 11:37:24 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:48470

    [root@bigip-test-f5.com:Active:Standalone] config # curl -kvv https://test-dev-01.example.com
    * Rebuilt URL to: https://test-dev-01.example.com/
    *   Trying 10.128.10.5...
    * Connected to test-dev-01.example.com (10.128.10.5) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server did not agree to a protocol
    * Server certificate:
    *  subject: C=IN; ST=IDV; L=INDIA; O=EXAMPLE; OU=IT; CN=*.example.com; emailAddress=globalitteam@EXAMPLE.com
    *  start date: Jul 30 12:10:00 2020 GMT
    *  expire date: Nov 1 12:10:00 2022 GMT
    *  issuer: DC=EXAMPLE; DC=atlas; CN=Atlas Issuing CAv2 1
    *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
    > GET / HTTP/1.1
    > Host: test-dev-01.example.com
    > User-Agent: curl/7.47.1
    > Accept: */*
    >
    * SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
    * Closing connection 0

5.2K Views, 0 likes, 4 Comments

DOS Layer 7 memory consumption
Hello,

Recently we had a problem where BIGIP started killing several TCP connections. Analyzing the issue, we discovered that the TMM "used memory" was over 85% and BIGIP began to kill the connections. So we started looking into why TMM was using so much memory and found out that the "Memory Pool" with the name "DoS Layer 7 ACY" was using 2.7G (a much higher value than any other entry in the memory pool table).

Does this "DoS Layer 7 ACY" use TMM's allocated memory? If yes, is there a way to reduce this amount of memory?

PS:
BIGIP VE 12.1.1 (LTM, ASM, AVR, AFM and AAM);
We use the "DOS Layer 7" feature in 15 Virtual Servers (mainly to block bots);
We have 5.6G allocated to TMM.

Thank you,
Cristiano

364 Views, 0 likes, 4 Comments

HTTP URI Replace & Pool selection
Hi All,

I have an iRule that checks the incoming URI, selects a pool and replaces the URI with a new one. I'm not sure what I'm doing wrong, but here is my requirement.

I have a VIP with DNS https://example.mycompany.com. It is a simple VIP with an access policy that uses SAML authentication. No pool is assigned to the VIP since I'm using an iRule to select the pool.

When I go to https://example.mycompany.com/abc/def/blahblah, authentication is successful and the URI is changing to https://example.mycompany.com/abcdef, but I am receiving a "connection reset" on the browser page.

FYI, all pools are UP (members are listening on 80 or 8080). There are no traffic details when I go to certain pool statistics. I believe pool selection is not happening.

Any help is greatly appreciated! Thanks

Below is my iRule.

    when HTTP_REQUEST {
        switch [string tolower [HTTP::uri]] {
            "/abc/def/blahblah" {
                pool abc_pool
                HTTP::uri "/abcdef"
            }
            "/UVW/XYZ/blahblah" {
                pool uvw_pool
                HTTP::uri "/UVWXYZ"
            }
        }
    }

273 Views, 0 likes, 2 Comments