praveen_145890
Feb 28, 2014

linux F5 standalone vpn client issue

Hi All,

I am able to connect to my remote VPN server through the browser. svpn logs show all the right information during connectivity.

However, when I run the standalone client f5fpc with all the right options I am getting an error. This is happening on a Linux 64-bit system. Here is a sample of the logs:

2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 911,, LinuxEventHandler::loadCAStore()- Using default Trusted cert store at=/etc/ssl/certs, for CA cert validation
2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 612,, verify_server_cert_cb return with ret=1
2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 612,, verify_server_cert_cb return with ret=1
2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 612,, verify_server_cert_cb return with ret=1
2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 612,, verify_server_cert_cb return with ret=1
2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 248, USocketBlocking::send(), EXCEPTION - Failed to send data, xx.xxx.xxx.xx, Bad file descriptor
2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 257, , EXCEPTION caught
2014-02-28, 9:22:55:000, 32748,32749,standalone, 1,,,, EXCEPTION - DoFirepassLogin2() - logon failed
2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 926, , EXCEPTION caught
2014-02-28, 9:22:55:000, 32748,32749,standalone, 0, , 932,, Logon failed
2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 248, USocketBlocking::send(), EXCEPTION - Failed to send data, xx.xxx.xxx.xx, Bad file descriptor
2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 257, , EXCEPTION caught
2014-02-28, 9:22:55:000, 32748,32749,standalone, 1, , 727, CSessionHandler::session_thread_loop(), DoFirepassLogin() = -2002, Session status: 7.

I can ping the remote VPN server (xx.xxx.xxx.xx) from my system. I was wondering if anyone has any ideas on why the client gets a bad file descriptor during connectivity and if there are any pointers in this regard.

Thanks, Praveen

4 Replies

  • Alexey_384
    Historic F5 Account

    Log shows that you can't pass an access policy. There are a lot of possible misconfigurations, but the common one is an untrusted server certificate. Have you added the CA cert in a cert store? If not, you should set it or use an option to ignore the server certificate.

    • praveen_145890
      Hi Alexey,
      Thanks for the reply. I did add the CA and intermediate certificates to the store. Prior to not adding them I was getting an error saying
      X509_verify_cert unable to get issuer certificate verify_server_cert_cb return with ret=0
      After adding the CA and intermediate certs in the chain, the value of is set to 1.
      verify_server_cert_cb return with ret=1
      I don't know what it means, but was assuming that the certificate checks are valid.
      I did try the client f5fpc with -x (to ignore certificate checks), and still was running into the same issue of
      USocketBlocking::send(), EXCEPTION - Failed to send data, xx.xxx.xxx.xx, Bad file descriptor
      One of the interesting things is that the F5 standalone VPN client resolves the host name to an IP address and the SSL certs are not tied to that IP address. The SSL certs have the wildcarded hostname in them.
      Would appreciate if there are any other ideas.
      Thanks, Praveen
    • Alexey_384
      Historic F5 Account
      I would do the following:
      Check BIG-IP logs to determine at what exact step the connection is closed.
      Using tcpdump, determine who closes the connection, BIG-IP or the client.
      If client, I'd check all options again. The only issue with establishing a connection I faced is an untrusted certificate.
      If server, then: is the connection closed during access policy execution or network access establishing? Shouldn't be NA, because browser works. Is the access policy configured with the client-side checkers? As I remember, Linux CLI doesn't support them. Also, login can be allowed for the browsers only. And logon page customisation also may break authentication.
      BIG-IP can drop the connection before access policy execution in case of a wrong (absent) client certificate (depends on the client SSL profile).
  • Praveen, were you able to resolve this issue? I am running into the same issue. I too am using the -x option, but it does not help. I still keep seeing the USocketBlocking and "Bad file descriptor" error in the standalone.log file. Your input is appreciated.

    Thanks, Kalyan
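
The tcpdump step suggested in Alexey_384's second reply (determine whether BIG-IP or the client closes the connection), as an added example that is not part of the original thread. It assumes the capture was saved as `tcpdump -nn` text output and that the VPN server listens on port 443; the addresses and packets in `SAMPLE` are constructed.

```python
import re

# One packet line of `tcpdump -nn` text output, e.g.
# 09:22:55.1 IP 192.0.2.10.51234 > 203.0.113.5.443: Flags [P.], ..., length 517
PKT = re.compile(
    r"^(?P<ts>\S+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\].*?length (?P<len>\d+)"
)

# Constructed capture (documentation addresses): server resets after its first reply.
SAMPLE = """
09:22:55.101000 IP 192.0.2.10.51234 > 203.0.113.5.443: Flags [S], seq 100, win 29200, length 0
09:22:55.131000 IP 203.0.113.5.443 > 192.0.2.10.51234: Flags [S.], seq 900, ack 101, win 4380, length 0
09:22:55.131100 IP 192.0.2.10.51234 > 203.0.113.5.443: Flags [.], ack 1, win 229, length 0
09:22:55.132000 IP 192.0.2.10.51234 > 203.0.113.5.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
09:22:55.170000 IP 203.0.113.5.443 > 192.0.2.10.51234: Flags [P.], seq 1:1400, ack 518, win 4897, length 1399
09:22:55.210000 IP 203.0.113.5.443 > 192.0.2.10.51234: Flags [R.], seq 1400, ack 518, win 0, length 0
09:22:55.210500 IP 192.0.2.10.51234 > 203.0.113.5.443: Flags [F.], seq 518, ack 1400, win 229, length 0
"""

def who_closed(lines, server_port=443):
    """For each client endpoint, report which side sent the first FIN or RST
    and how many payload bytes each side had sent before that point."""
    conns = {}
    for line in lines:
        m = PKT.match(line.strip())
        if not m or server_port not in (int(m["sport"]), int(m["dport"])):
            continue  # not a TCP packet line, or not traffic to/from the VPN port
        from_server = int(m["sport"]) == server_port
        side = "server" if from_server else "client"
        key = f'{m["dst"]}:{m["dport"]}' if from_server else f'{m["src"]}:{m["sport"]}'
        c = conns.setdefault(key, {"closed_by": None, "flag": None, "at": None,
                                   "client_bytes": 0, "server_bytes": 0})
        if c["closed_by"]:
            continue  # only the first FIN/RST decides who closed
        c[side + "_bytes"] += int(m["len"])
        if "R" in m["flags"] or "F" in m["flags"]:
            c.update(closed_by=side, flag="RST" if "R" in m["flags"] else "FIN", at=m["ts"])
    return conns

if __name__ == "__main__":
    for client, c in who_closed(SAMPLE.splitlines()).items():
        print(client, c)
```

A connection with no FIN or RST in the capture is reported with `closed_by` set to `None`. The byte counts show how far the exchange got before the close, which can be lined up against the BIG-IP logs for the same timestamp.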