SSL handshake failed

Question

Hello All,&nbsp;We have added our webserver to F5 and attached it to Virtual server. We can see Local traffic data in Statistics for the Pool.&nbsp;But we are getting SSL Handshake failed for TCP x.x.x.x:80 -&gt; x.x.x.x:443. (This is for Webserver and F5 BIG-IP)&nbsp;Could you please let us know the troublehsooting steps to clear this.&nbsp;Your assist will be of great help to us.&nbsp;Thanks&nbsp;Archana&nbsp;

zamroni777 · Answer

is that client side or server side?i suggest you capture the tcpdump in f5 then open it in wireshark to see the ssl session setup flow.usually it happens due to cipher no match between ssl client and ssl server

phatanhappy · Answer

Where as the answer can almost always be found in a packet capture, 99% of the time it will be faster to understand what is expected to happen, what the configuration is, and what it actually happening via the normal logs on both the f5 and the backend server.
First clue:&nbsp; &nbsp; tcp:80&nbsp; ----&gt;&nbsp; :443&nbsp; &nbsp; SSL handshake failed.
Knowing you cant pass clear case traffic to an encrypted backend and expect the SSL handshake to function.&nbsp; &nbsp;You will need to dive deep into your actual config.
I like to think of the VIP&nbsp; -&nbsp; The LISTEN - as the left side of the equation.&nbsp; &nbsp;
a. - are you listening on port 80, port 443, both or other?
b. - is there a redirect at the f5 or the server in place to move you to another port?
c. - Are there a SSL certificates on the VIP(s)?&nbsp; &nbsp;Client side / server side?
d. - are there any policies or irule in place?&nbsp; &nbsp;if so what is their purpose
On the Pool, translate&nbsp; , backend server, right side of the equation.
a. - what is the service port ?&nbsp; &nbsp;80, 443, other?
b. -how many members are in the pool?
c. -what kind of monitor are you useing?&nbsp; ICMP - and TCP - are lower quality monitors and should be used sparingly, a HTTP/HTTPS monitor is better, however they will not provide the best detail.&nbsp; Going with a customer monitor that checks for a recv string is usually best.
d. - Have you tried doing a curl to all of the backend nodes?&nbsp; &nbsp; Is the output the same or differnt?&nbsp; &nbsp;use -ivk switches
e. - checking the output of curl - or the server itself,&nbsp; is there a valid cert bound to the port?
f. - if curl fails - can you telnet to the port?
------------------------------------------------------------------------more details of your actual config would be necessary to provide better troubleshooting.&nbsp; If i were to take a blind stab at the problem,&nbsp; &nbsp;you are listening on port 80 (left) and translating to port 443 (right) , its likely that you dont have "serverssl" or other profile configured to handle the server side encryption.&nbsp;
&nbsp;
&nbsp;
&nbsp;
&nbsp;

emre_ovali · Answer

Hi Muthu,&nbsp;Have you try to use server-insecure-compatible SSL profile (Server) at the server side?&nbsp;&nbsp;

phatanhappy · Answer

your options for SSL traffic are:
passthru, no client side or server side on the vip&nbsp; &nbsp;(you cant use cookie or do any kind of irules / inspection with this)
Offloading Client side on vip - no server side,&nbsp; this will decrypt traffic and send clear case back to server.
Bridging - both client side and server side SSL certs are needed.&nbsp; &nbsp;** unless you are changing something in the profile to add value, you should use serverssl.&nbsp; Adding the client side cert to the server side of the f5 - makes things mess when it comes to updating certs and or reading tcpdumps etc.
https://community.f5.com/t5/technical-forum/ssl-passthrough-ssl-offloading-and-ssl-bridging/td-p/197081You have not addressed:is this internal only - or on the internet ?Is there something you are trouble shooting and you are sure you are accuratly looking at the correct conversation or are you trying to clean the noise in the logs.

phatanhappy · Answer

Or perhaps fix the SSL cert on the backend.

Forum Discussion

SSL handshake failed

Recent Discussions

F5 ip intelligence database in bigip

F5 bigip recursive DNS AUTO resolver CACHE FLUSH TIMEPERIOD

Azure to APM to StoreFront

AS3 Foundations: Migrating and Deploying Applications in VSCode

AS3 Foundations: Creating New Apps and Using Shared Objects

Related Content

HTTPS - Monitor SSL Handshake

Can I display ssl handshake fail reason using irule?

Avoid SSL Handshake When Pool is Unavailable

Anybody have "SSL Handshake fail Alert (num) " list ??

SSL PROXY