ssl vpn
Linux SSL VPN client error - SSL handshake failed
Hello, We have recently updated our SSL VPN infrastructure and after that I haven't been able to create a VPN tunnel from my laptop. I can successfully log in to the web interface, but when I try to create a tunnel a "Browser is waiting from status from Network Access Application" popup appears and after a short time it goes back to the popup that allows me to download the client RPM or DEB. I can see these entries in the ~/.F5Networks/vpn.log when I try (always the same entries):

    ==========================================================================
    Kernel version: 1 SMP Debian 4.9.51-1 (2017-09-28)
    System: Linux
    Release: 4.9.0-4-amd64
    Model: x86_64
    Node name: robfas-lin
    ==========================================================================
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,,
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, =====================================
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Location: /opt/f5/vpn/f5vpn
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Version: 7140.2017.0414.1
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Locale: C
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, Qt version: 5.7.1
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,, =====================================
    2017-10-13,10:56:06:040, 19333,19333,, 0,,,,
    2017-10-13,10:56:06:040, 19333,19333,, 48,,,, current log level = 63
    2017-10-13,10:56:06:042, 19333,19333,, 48, /Helpers.h, 96, void f5::qt::setupLogs(const std::string&, const std::string&), OpenSSL supported: true. Lib in use: OpenSSL 1.0.2l 25 May 2017. Build: OpenSSL 1.0.2k 26 Jan 2017
    2017-10-13,10:56:06:085, 19333,19333,, 48, /LinuxService.h, 45, void f5::qt::DBusInterface::Open(QStringList, QMap), D-Bus Open() method called
    2017-10-13,10:56:06:097, 19333,19333,, 48, /HttpNetworkManager.cpp, 211, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.paf.com/my.report.na
    2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 124, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occured while processing request(code), 6
    2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 271, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 6, SSL handshake failed
    2017-10-13,10:56:06:200, 19333,19333,, 48, /HttpNetworkManager.cpp, 420, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 6, 0
    2017-10-13,10:56:06:200, 19333,19333,, 1, /HttpNetworkManager.cpp, 424, void f5::qt::HttpNetworkManager::RequestFinished(), Error occured (error code, HTTP code), 6, 0
    2017-10-13,10:56:06:201, 19333,19333,, 48, /Session.cpp, 87, void f5::qt::Session::ProfileDownload(), Profile download starting, https://vpn.paf.com/pre/config.php?version=2.0
    2017-10-13,10:56:06:201, 19333,19333,, 48, /HttpNetworkManager.cpp, 211, void f5::qt::HttpNetworkManager::HttpGet(const QUrl&, uint32_t), starting GET request to, https://vpn.paf.com/pre/config.php?version=2.0
    2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 124, void f5::qt::HttpNetworkManager::error(QNetworkReply::NetworkError), Error occured while processing request(code), 6
    2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 271, void f5::qt::HttpNetworkManager::Finished(QNetworkReply*), Finished (code, error), 6, SSL handshake failed
    2017-10-13,10:56:06:298, 19333,19333,, 48, /HttpNetworkManager.cpp, 420, void f5::qt::HttpNetworkManager::RequestFinished(), Request finished (err code, HTTP code), 6, 0
    2017-10-13,10:56:06:298, 19333,19333,, 1, /HttpNetworkManager.cpp, 424, void f5::qt::HttpNetworkManager::RequestFinished(), Error occured (error code, HTTP code), 6, 0
    2017-10-13,10:56:06:298, 19333,19333,, 48, /Session.cpp, 59, void f5::qt::Session::ProfileDownloadFailed(QString), Profile download failed, Network error
    2017-10-13,10:56:06:298, 19333,19333,, 48, /SessionManager.cpp, 222, void f5::qt::SessionManager::SessionError(QString), ----Session 46112466 ends----. Error occured: Network error
    2017-10-13,10:56:06:298, 19333,19333,, 48, /SessionManager.cpp, 214, void f5::qt::SessionManager::CheckSessions(), No live sessions, quitting application....

I'm running on Debian Stretch 64 bit. I tried everything I could think of without success (and at the same time I can log in successfully from an Android tablet). Any tip on what I could try? Could this be related to this bug: ID382396 [Linux CLI] Certificate verification doesn't work for some Linux distributions? Thanks in advance!

Big IP Edge Client Windows 10 no connectivity with VPN - works on Windows 7
Hi, we are using the Big IP Edge client for VPN connection. We validate with user creds, machine certificate check and antivirus check. When connecting from a Windows 7 machine all is well and works as expected. When connecting from a Windows 10 machine, the VPN connects (Access policy is passed A-OK) and it all seems ok (IP address assigned from correct lease pool etc.) but I cannot connect to anything! I can see the traffic leaving the client (when I look at firewall logs the client is sending out the traffic to servers I am trying to RDP to, for example) but it seems when the traffic is on its way back it doesn't properly get handled by the client (as if maybe it's not getting decrypted by the Edge client and sent on to the application layer or something like that). Now we are running 11.6 Hotfix 6 which is compatible with Windows 10 but so far support haven't been much help. I provided them decrypted tcpdump from F5, Wireshark from client, f5wininfo output, but the last update from support was to disable Windows Firewall, which made no difference (I knew it wouldn't as all outbound traffic is allowed anyway and the VPN connection is all outbound), then they asked to check that the machine has the latest Windows updates! (As if that's got anything to do with it.) This is causing much grief as we are about to roll out Win 10 to the company, but unless I can get VPN working it's delaying rollout. Anyone seen this before? Any help would be greatly appreciated.

iRule matching destination address using VPN
Hello, I have an F5 running LTM/APM and I'm using the Edge client for SSL-VPN. As it is now I'm using a full tunnel since I have both outside and inside of the F5 connected to a firewall. Right now I SNAT and everything works fine, but I would like to SNAT traffic to the outside (internet) and use NO SNAT to the inside networks (all private networks). I have found examples where I sort traffic based on the source (client), but I want to check if the resource the VPN connection is trying to reach is a private address and if so use NO SNAT, and if the resource is a public address then use SNAT. In my example I have IP::client_addr which returns the address my client is coming from. But I want to see the address I'm going to, through the VPN tunnel. I get address 192.168.100.200 on my tunnel interface on my client. When I try to reach for example www.sunet.se (192.36.171.231) I want to get that IP and match it against the private networks and if it's a match - no NAT, and otherwise NAT. Am I being confusing? 🙂 I've been browsing around the iRule reference but can't find anything that suits my needs. I can get my public IP outside the tunnel, I can get the IP of the VS I'm connected to, I can get the IP my tunnel interface has, but I can't get the destination IP. Is it possible? Best regards, // Fredrik

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.0.0.0/8] or [IP::addr [IP::client_addr] equals 192.168.0.0/16] or [IP::addr [IP::client_addr] equals 172.16.0.0/12] } {
            snat none
        } else {
            snat automap
        }
    }

DTLS VPN doesn't work when SSL profile not default clientssl
I have set up a very basic SSL VPN with APM and I would like to use DTLS to get the best performance. The APM policy just checks for AV and authenticates with AD for the time being; I plan to add 2f later. When I first tested the VPN, I left the default clientssl profile on the VS and just accepted the certificate warnings. It connects fine and I can see in the BigIP client that the protocol in use is DTLS. If I change the SSL profile so that it uses a certificate issued by our domain PKI, or even a proper EV sha256 cert, it will only establish TLS 1.2 and DTLS does not work. I can't see anything in the log files to say why this isn't working. I know the firewall is correctly configured as DTLS works fine with the self-signed certificate. At the moment I am stuck as the performance of the VPN is nowhere near as good as Cisco AnyConnect over the same link. It's a 2000s BIG-IP 12.0.0 Build 1.0.628 Hotfix HF1.

Can't use Windows Remote Assistance to VPN clients
While testing several of my remote sales employees with the F5 Edge client we found that after they connect, our helpdesk team cannot use Remote Assistance, Remote Control, or RDP to the remote sales machines. We also cannot ping the clients after they connect. Is there

    Remote Control (control) port 2701
    Remote Control (data) port 2702
    Remote Control (RPC Endpoint Mapper) port 135
    Remote Assistance (RDP and RTC) port 3389

APM SSLVPN with layered virtual
Hi guys, I'm trying a new (for me), but often recommended by F5 SEs, setup with layered virtuals. In my testing environment, I have only one single IP address. This is used for a standard virtual server, which will be used as some kind of a jump VS (let's call it 'VS_jump'). I've assigned an LTM policy to this VS, which forwards the traffic to different virtuals, based on the requested host header. Basically this is working fine. But I'm struggling around with APM and SSLVPN (Network Access). The requests hit the correct VS ('VS_apm-sslvpn') with the APM profile assigned and the user is able to authenticate. But after opening the PPP tunnel, it ends in a timeout for the client. The APM log tells me that the tunnel was directly closed:

    PPP tunnel 0x56009ef6dd00 (ID: 703c0a5b) started.
    PPP tunnel 0x56009ef6dd00 (ID: 703c0a5b) closed.

This issue only occurs if the APM profile is bound to the forwarded virtual, 'VS_apm-sslvpn'. For testing purposes I've assigned the APM and connectivity profile to 'VS_jump' and the connection came up directly, without any issue. The message "PPP tunnel 0x56009ef6dd00 (ID: 703c0a5b) closed." only appears when the connection is manually disabled. So my question is: Are there any known limitations to SSLVPN when used in conjunction with layered virtuals? I'm not sure about settings like HTTP-XFF or SNAT - where shall they be set? On 'VS_jump' or 'VS_apm-sslvpn'? Unfortunately I wasn't able to find anything related to SSLVPN and layered virtuals. Any ideas? Thanks in advance. Cheers, Sven

BIG IP Edge Client
Hi, I am working with my Windows desktop remotely and using the BIG IP Edge client [SSL VPN]. When my internet connection drops, the Edge client stops, and when it reconnects it prompts me for AD credentials again. As I have typed in my AD credentials at the first instance [when I first launched it], can I not avoid this authentication again [when the internet drops and comes back again]?

Windows 10 Dial and Edge client 7171
Deploying the APM client 7171 configured within BigIP 14.0.0.3 for Windows. This includes the Windows 10 dialer for pre-login to start the VPN, then log in to Windows. APM client 7170 starts the VPN correctly and then logs into Windows. APM client 7171 using the Windows 10 dialer errors out - "Communication port has been open successfully" --- hangs on this box for 15 seconds, then "Error 1471 Unable to finish the requested operation because specified process is not a GUI process". Nothing is mentioned in the Event Viewer. If the client is upgraded from 7170 to 7171, it works without issue, but we have other installation issues with 7170. Launching the BigIP Edge client functions correctly and connects to the VPN. Any idea on why 7171 is failing?

F5 Access for Mac OS client
I've upgraded APM to 13.1.0.1 and would like to test the 'F5 Access for Mac OS' client that can be found in the App Store. However, it's not working out of the box for me. I've not found any success stories, so I was wondering if it is even production ready. The client immediately gives me this error:

    Failed to get NA settings
    The operation couldn't be completed. (PacketTunnel.VpnFavoriteParamsOperationError error 2.

The server says:

    New session from client IP xxx
    Session deleted due to user inactivity.

All works fine with 'BIG-IP Edge Client'.