Forum Discussion

Nimbostratus

Jan 04, 2024

SSL handshake failed

Hello All, We have added our webserver to F5 and attached it to Virtual server. We can see Local traffic data in Statistics for the Pool. But we are getting SSL Handshake failed for TCP x.x.x...

PhatANhappy

MVP

Jan 05, 2024

Where as the answer can almost always be found in a packet capture, 99% of the time it will be faster to understand what is expected to happen, what the configuration is, and what it actually happening via the normal logs on both the f5 and the backend server.

First clue: tcp:80 ----> :443 SSL handshake failed.

Knowing you cant pass clear case traffic to an encrypted backend and expect the SSL handshake to function. You will need to dive deep into your actual config.

I like to think of the VIP - The LISTEN - as the left side of the equation.

a. - are you listening on port 80, port 443, both or other?

b. - is there a redirect at the f5 or the server in place to move you to another port?

c. - Are there a SSL certificates on the VIP(s)? Client side / server side?

d. - are there any policies or irule in place? if so what is their purpose

On the Pool, translate , backend server, right side of the equation.

a. - what is the service port ? 80, 443, other?

b. -how many members are in the pool?

c. -what kind of monitor are you useing? ICMP - and TCP - are lower quality monitors and should be used sparingly, a HTTP/HTTPS monitor is better, however they will not provide the best detail. Going with a customer monitor that checks for a recv string is usually best.

d. - Have you tried doing a curl to all of the backend nodes? Is the output the same or differnt? use -ivk switches

e. - checking the output of curl - or the server itself, is there a valid cert bound to the port?

f. - if curl fails - can you telnet to the port?

------------------------------------------------------------------------
more details of your actual config would be necessary to provide better troubleshooting. If i were to take a blind stab at the problem, you are listening on port 80 (left) and translating to port 443 (right) , its likely that you dont have "serverssl" or other profile configured to handle the server side encryption.

Archana
Nimbostratus
Jan 09, 2024
Hello,

Thank you for all the steps mentioned. I have created a SSL Traffic certificate and added it to our website. Still getting SSL handshake failed between Website and F5.

Also we have "serverssl" configured in our Virtual IP.

Could you please let us know how to disable the SSL certificate check from F5 BIG-IP and Webserver?

Your assist will be of great help to us.

Thanks
Muthu Mahadevan
- emre_ovali
  Altostratus
  Jan 09, 2024
  Hi Muthu,
  Have you try to use server-insecure-compatible SSL profile (Server) at the server side?
  - PhatANhappy
    MVP
    Jan 09, 2024
    Or perhaps fix the SSL cert on the backend.
- PhatANhappy
  MVP
  Jan 09, 2024
  your options for SSL traffic are:
  
  passthru, no client side or server side on the vip (you cant use cookie or do any kind of irules / inspection with this)
  
  Offloading Client side on vip - no server side, this will decrypt traffic and send clear case back to server.
  
  Bridging - both client side and server side SSL certs are needed. ** unless you are changing something in the profile to add value, you should use serverssl. Adding the client side cert to the server side of the f5 - makes things mess when it comes to updating certs and or reading tcpdumps etc.
  
  https://community.f5.com/t5/technical-forum/ssl-passthrough-ssl-offloading-and-ssl-bridging/td-p/197081
  
  You have not addressed:
  is this internal only - or on the internet ?
  Is there something you are trouble shooting and you are sure you are accuratly looking at the correct conversation or are you trying to clean the noise in the logs.