Forum Discussion

southern_shred1
Feb 28, 2019

SSL VIP accessible from browser but not from CLI

Hi

A VIP with an SSL profile works fine when the client connects through a browser.

But the connection is refused (TCP reset) when the client connects from the CLI to the VIP.

A tcpdump of the CLI attempts shows the connection getting "h2.http/1.1".

All port access is 443 and firewall access is in place.

tcpdump of the initial SYN shows (VIP name is testvip.txt.com):

============================================================== ............y.<".=5....n.}.xL6 .V ._..T.?... ./.0.+.,.......... ...../.5... ...k3t...........testvip.txt.com.......... . .................

................................h2.http/1.1....

Does this rule out the VIP?

I read somewhere I needed to allow access between the Self IP and the NODES?

 

  • OK, thanks. It worked after we configured the VIP as passthrough, which is what the application required. Thanks for the help.

  • Try enabling SNAT automap on the VIP as a quick test. If it works you can choose to leave the SNAT automap there or replace it with a SNAT Pool or an intelligent selective SNAT iRule so that it only SNATs the traffic if the client source IP resides in the same subnet as the pool members.

     

  • 1) Yes, the TCP reset is from the TCP handshake

    2) The CLI is from the device trying to access the VIP

    TCP dump, hope this helps:

     2 0.614331       10.253.140.57         10.252.85.5           TCP      81     43602 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1380 SACK_PERM=1 TSval=339278132 TSecr=0 WS=128 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
     3 0.615097       10.253.140.57         10.252.85.5           TCP      100    43602 → 443 [ACK] Seq=1 Ack=1 Win=3737600 Len=0 TSval=339278132 TSecr=702242621 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
     4 0.615239       10.253.140.57         10.252.85.5           TLSv1.2  289    Client Hello [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
     5 0.637168       10.253.140.57         10.252.85.5           TCP      100    43602 → 443 [ACK] Seq=190 Ack=1369 Win=4027392 Len=0 TSval=339278155 TSecr=702242643 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
     6 0.637265       10.253.140.57         10.252.85.5           TCP      100    43602 → 443 [ACK] Seq=190 Ack=2737 Win=4377600 Len=0 TSval=339278155 TSecr=702242643 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
     7 0.637269       10.253.140.57         10.252.85.5           TCP      100    43602 → 443 [ACK] Seq=190 Ack=4105 Win=4727808 Len=0 TSval=339278155 TSecr=702242643 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
     8 0.637694       10.253.140.57         10.252.85.5           TCP      100    43602 → 443 [ACK] Seq=190 Ack=5473 Win=5078016 Len=0 TSval=339278155 TSecr=702242644 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
     9 0.637895       10.253.140.57         10.252.85.5           TCP      100    43602 → 443 [ACK] Seq=190 Ack=5879 Win=5428224 Len=0 TSval=339278155 TSecr=702242644 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    10 0.681912       10.253.140.57         10.252.85.5           TLSv1.2  226    Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    11 0.683215       10.253.140.57         10.252.85.5           TCP      100    43602 → 443 [ACK] Seq=316 Ack=5885 Win=5428224 Len=0 TSval=339278201 TSecr=702242689 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    12 0.683313       10.253.140.57         10.252.85.5           TCP      100    43602 → 443 [ACK] Seq=316 Ack=5930 Win=5428224 Len=0 TSval=339278201 TSecr=702242690 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    13 0.683466       10.253.140.57         10.252.85.5           TCP      100    43602 → 443 [ACK] Seq=316 Ack=5986 Win=5428224 Len=0 TSval=339278201 TSecr=702242690 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    14 0.683618       10.253.140.57         10.252.85.5           TLSv1.2  193    Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    15 0.683731       10.253.140.57         10.252.85.5           TLSv1.2  178    Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    16 0.683854       10.253.140.57         10.252.85.5           TLSv1.2  138    Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    17 0.684846       10.253.140.57         10.252.85.5           TCP      81     43604 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1380 SACK_PERM=1 TSval=339278202 TSecr=0 WS=128 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    18 0.685366       10.253.140.57         10.252.85.5           TCP      100    43604 → 443 [ACK] Seq=1 Ack=1 Win=3737600 Len=0 TSval=339278203 TSecr=702242692 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    19 0.685497       10.253.140.57         10.252.85.5           TLSv1.2  289    Client Hello [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    20 0.707325       10.253.140.57         10.252.85.5           TCP      100    43604 → 443 [ACK] Seq=190 Ack=1369 Win=4027392 Len=0 TSval=339278225 TSecr=702242713 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    22 0.707343       10.253.140.57         10.252.85.5           TCP      100    43604 → 443 [ACK] Seq=190 Ack=4105 Win=4727808 Len=0 TSval=339278225 TSecr=702242713 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    23 0.707920       10.253.140.57         10.252.85.5           TCP      100    43604 → 443 [ACK] Seq=190 Ack=5473 Win=5078016 Len=0 TSval=339278225 TSecr=702242714 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    24 0.707926       10.253.140.57         10.252.85.5           TCP      100    43604 → 443 [ACK] Seq=190 Ack=5879 Win=5428224 Len=0 TSval=339278225 TSecr=702242714 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    25 0.710537       10.253.140.57         10.252.85.5           TLSv1.2  226    Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    26 0.712239       10.253.140.57         10.252.85.5           TCP      100    43604 → 443 [ACK] Seq=316 Ack=5986 Win=5428224 Len=0 TSval=339278230 TSecr=702242718 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    27 0.712401       10.253.140.57         10.252.85.5           TLSv1.2  193    Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    28 0.712406       10.253.140.57         10.252.85.5           TLSv1.2  178    Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    29 0.712526       10.253.140.57         10.252.85.5           TLSv1.2  138    Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    30 0.713693       10.253.140.57         10.252.85.5           TCP      81     43606 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1380 SACK_PERM=1 TSval=339278231 TSecr=0 WS=128 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    31 0.714210       10.253.140.57         10.252.85.5           TCP      100    43606 → 443 [ACK] Seq=1 Ack=1 Win=3737600 Len=0 TSval=339278232 TSecr=702242720 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
    
  • When you say CLI, is this the CLI of the F5 or another device? If the client is on the same subnet as the VIP’s pool members, then you will need to enable SNAT (e.g. SNAT automap).


  • uzair

    Is the reset coming from the TCP handshake or the SSL handshake? Please paste the tcpdump output here.
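The question uzair asks (is the reset in the TCP handshake or in the SSL handshake?) can be answered mechanically from a summary like the one pasted in the thread, which shows only the client-to-VIP direction and whose TLS rows carry no port numbers. What follows is an added example, not code from the thread or from F5: a Python triage script that groups Wireshark/tshark summary rows by client port, tracks the furthest stage each stream reached (SYN, completed TCP handshake, Client Hello, acknowledged server handshake data, Client Key Exchange, Application Data) and reports which side sent a RST and at which stage. The sample rows are constructed: stream 43602 reproduces frames from the pasted capture, while streams 50001 and 50002 are hypothetical and show a reset during the TCP handshake and a reset right after the Client Hello. TLS rows are attributed to the most recently seen TCP stream; that is an assumption that holds for one client opening connections one after another, as in the pasted capture, but not for concurrent clients.

```python
import re
from collections import OrderedDict

# Furthest stage a client-to-VIP TLS connection can reach, in order.
STAGES = [
    "nothing seen",
    "SYN sent",
    "TCP handshake completed",
    "Client Hello sent",
    "server handshake data acknowledged",
    "Client Key Exchange sent",
    "Application Data sent",
]

# Wireshark/tshark default summary columns: No. Time Source Destination Protocol Length Info
LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
# Info column of a TCP row: "43602 → 443 [SYN] Seq=0 ..." (plain tshark prints "->")
TCP_RE = re.compile(r"(\d+)\s+(?:→|->)\s+(\d+)\s+\[([^\]]+)\]")
SEQ_RE = re.compile(r"\bSeq=(\d+)")
ACK_RE = re.compile(r"\bAck=(\d+)")


def triage(summary, vip_port=443):
    """Group summary rows by client port and record, per stream, the furthest
    STAGES index reached, whether a RST was seen and which address sent it."""
    streams = OrderedDict()
    current = None  # TLS rows carry no ports: attribute them to the last TCP stream seen (assumption)
    for line in summary.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, proto, info = m.group(3), m.group(4), m.group(5), m.group(7)
        if proto == "TCP":
            t = TCP_RE.search(info)
            if not t:
                continue
            sport, dport = int(t.group(1)), int(t.group(2))
            flags = {f.strip() for f in t.group(3).split(",")}
            from_client = dport == vip_port
            key = sport if from_client else dport
            s = streams.setdefault(key, {"client": src if from_client else dst,
                                         "stage": 0, "reset": False, "reset_by": None})
            current = key
            if s["reset"]:
                continue  # nothing after the RST changes the verdict
            if "RST" in flags:
                s["reset"], s["reset_by"] = True, src
            elif flags == {"SYN"}:
                s["stage"] = max(s["stage"], 1)
            elif from_client and "ACK" in flags:
                seq, ack = SEQ_RE.search(info), ACK_RE.search(info)
                if seq and ack:
                    seq, ack = int(seq.group(1)), int(ack.group(1))
                    if seq == 1 and ack == 1 and s["stage"] == 1:
                        s["stage"] = 2  # third packet of the TCP handshake
                    elif ack > 1 and s["stage"] == 3:
                        s["stage"] = 4  # client acknowledges ServerHello/Certificate bytes
        elif proto.startswith(("TLS", "SSL")) and current in streams:
            s = streams[current]
            if s["reset"]:
                continue
            from_client = src == s["client"]
            if from_client and "Client Hello" in info:
                s["stage"] = max(s["stage"], 3)
            elif not from_client and "Server Hello" in info:
                s["stage"] = max(s["stage"], 4)
            elif from_client and "Client Key Exchange" in info:
                s["stage"] = max(s["stage"], 5)
            elif from_client and "Application Data" in info:
                s["stage"] = max(s["stage"], 6)
    return streams


def verdict(s):
    """One-line answer to 'is the reset in the TCP or the SSL handshake?'."""
    reached = STAGES[s["stage"]]
    if not s["reset"]:
        return "no RST seen; reached: " + reached
    who = "client" if s["reset_by"] == s["client"] else "VIP"
    if s["stage"] < 2:
        where = "during the TCP handshake"
    elif s["stage"] < 5:
        where = "during the TLS handshake"
    else:
        where = "after the TLS handshake completed"
    return "RST from %s %s (reached: %s)" % (who, where, reached)


# Constructed sample: stream 43602 reproduces frames from the capture in the thread
# (client 10.253.140.57 -> VIP 10.252.85.5, client direction only); streams 50001 and
# 50002 are hypothetical and show a RST during the TCP handshake and after the Client Hello.
SAMPLE = """\
 2 0.614331 10.253.140.57 10.252.85.5 TCP 81 43602 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1380 SACK_PERM=1 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
 3 0.615097 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=1 Ack=1 Win=3737600 Len=0
 4 0.615239 10.253.140.57 10.252.85.5 TLSv1.2 289 Client Hello
 5 0.637168 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=190 Ack=1369 Win=4027392 Len=0
 9 0.637895 10.253.140.57 10.252.85.5 TCP 100 43602 → 443 [ACK] Seq=190 Ack=5879 Win=5428224 Len=0
10 0.681912 10.253.140.57 10.252.85.5 TLSv1.2 226 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
14 0.683618 10.253.140.57 10.252.85.5 TLSv1.2 193 Application Data
40 1.000000 10.253.140.57 10.252.85.5 TCP 81 50001 → 443 [SYN] Seq=0 Win=29200 Len=0
41 1.000400 10.252.85.5 10.253.140.57 TCP 60 443 → 50001 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
42 1.100000 10.253.140.57 10.252.85.5 TCP 81 50002 → 443 [SYN] Seq=0 Win=29200 Len=0
43 1.100300 10.252.85.5 10.253.140.57 TCP 81 443 → 50002 [SYN, ACK] Seq=0 Ack=1 Win=4380 Len=0
44 1.100500 10.253.140.57 10.252.85.5 TCP 100 50002 → 443 [ACK] Seq=1 Ack=1 Win=29312 Len=0
45 1.100700 10.253.140.57 10.252.85.5 TLSv1.2 289 Client Hello
46 1.101200 10.252.85.5 10.253.140.57 TCP 60 443 → 50002 [RST, ACK] Seq=1 Ack=190 Win=0 Len=0
"""

if __name__ == "__main__":
    for port, s in triage(SAMPLE).items():
        print("client port %d: %s" % (port, verdict(s)))
```

Run over the frames pasted in the thread alone, the script reports that each stream sent its Client Key Exchange and Application Data before the next connection opened and that no RST appears in the pasted rows, so a capture that includes the reset frame and the VIP-to-client direction is needed to place the reset; with the two hypothetical streams it distinguishes a RST answering the SYN (TCP handshake) from a RST answering the Client Hello (TLS handshake).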