Issue: Unable to choose "Virtual Servers" after upgrade

Applies to:

  • All versions of TPP 22.2+


Starting with 22.2, the installation settings for device objects require users to fill out the "Associate SSL Profile To" field under SSL Associations. While this may not present an issue to some users, other users may find a failure in their log files stating that the certificate failed to install. Here is one example of a possible error.

Failed to install certificate chain on \VED\Policy\Installations\F5 Appliances - PROD-UAT-DEV\DEV F5 Device\DEV - ddcdevsitlb01\VS-CERTSDEV-443 ( Error: Unable to connect to the remote server. Additional error data System.Net.WebException: Unable to connect to the remote server ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
--- End of inner exception stack trace ---
at Venafi.Drivers.Applications.F5LTM.F5HttpViaRemoteGroupAuth.a(WebException A_0)
--- End of inner exception stack trace ---
at Venafi.Drivers.Applications.F5LTM.F5HttpViaRemoteGroupAuth.a(Action A_0, Int32 A_1, Int32 A_2)
at Venafi.Drivers.Applications.F5LTM.F5HttpViaRemoteGroupAuth.GetResult[TResponse](String path, Dictionary`2 headers, String httpMethod)
at Venafi.Drivers.Applications.F5LTM.F5REST.GetFailoverState()
at Venafi.Drivers.Applications.F5LTM.Provisioning.REST.F5DriverRest.MatchConfiguredFailoverState(String& status)
at Venafi.Drivers.Applications.F5LTMAdvanced.c(String& A_0)
at Venafi.Drivers.Applications.F5LTMAdvanced.a(F5DriverCommand`1 A_0, Func`2 A_1, String& A_2).

Some users may select "No Associations" as a workaround and see a successful install. Thus, they consider the matter solved. However, these successes may be false positives and result in larger failures later on.



While there may be other reasons for this failure to occur, the main known cause of this is the server reaching out to the correct IP address, but failing to reach it. In cases like these, setting "No Associations" may appear to work, but it is actually reaching out to the incorrect IP address. This is why it may cause larger failures down the road.



If you are in a situation where you cannot use the proper settings for SSL Associations, check the log file and see if it is hitting the correct IP address. If not, please consult with your network team to see if the server has the network access needed to install everything correctly.

Was this article helpful?
0 out of 0 found this helpful