Forum Discussion

Archana
Jan 04, 2024

SSL handshake failed

Hello All, 

We have added our webserver to F5 and attached it to a Virtual server. We can see Local traffic data in Statistics for the Pool.

But we are getting SSL Handshake failed for TCP x.x.x.x:80 -> x.x.x.x:443. (This is for Webserver and F5 BIG-IP)

Could you please let us know the troubleshooting steps to clear this.

Your assistance will be of great help to us.

Thanks 
Archana 

  • Whereas the answer can almost always be found in a packet capture, 99% of the time it will be faster to understand what is expected to happen, what the configuration is, and what is actually happening via the normal logs on both the f5 and the backend server.

    First clue: tcp:80 ----> :443 SSL handshake failed.

    Knowing you can't pass cleartext traffic to an encrypted backend and expect the SSL handshake to function, you will need to dive deep into your actual config.

    I like to think of the VIP - the LISTEN - as the left side of the equation.

    a. - Are you listening on port 80, port 443, both or other?

    b. - Is there a redirect at the f5 or the server in place to move you to another port?

    c. - Are there SSL certificates on the VIP(s)? Client side / server side?

    d. - Are there any policies or irules in place? If so, what is their purpose?

    On the Pool - the translate, the backend server - the right side of the equation.

    a. - What is the service port? 80, 443, other?

    b. - How many members are in the pool?

    c. - What kind of monitor are you using? ICMP and TCP are lower quality monitors and should be used sparingly; an HTTP/HTTPS monitor is better, however they will not provide the best detail. Going with a custom monitor that checks for a recv string is usually best.

    d. - Have you tried doing a curl to all of the backend nodes? Is the output the same or different? Use the -ivk switches.

    e. - Checking the output of curl - or the server itself - is there a valid cert bound to the port?

    f. - If curl fails, can you telnet to the port?

    ------------------------------------------------------------------------
    More details of your actual config would be necessary to provide better troubleshooting. If I were to take a blind stab at the problem: you are listening on port 80 (left) and translating to port 443 (right), so it's likely that you don't have "serverssl" or another profile configured to handle the server side encryption.


    • Archana

      Hello, 

      Thank you for all the steps mentioned. I have created an SSL Traffic certificate and added it to our website. Still getting SSL handshake failed between Website and F5.

      Also we have "serverssl" configured in our Virtual IP.

      Could you please let us know how to disable the SSL certificate check from F5 BIG-IP and Webserver?

      Your assistance will be of great help to us.

      Thanks 
      Muthu Mahadevan 

      • Your options for SSL traffic are:

        Passthru - no client side or server side on the vip (you can't use cookies or do any kind of irules / inspection with this).

        Offloading - client side on the vip, no server side; this will decrypt traffic and send cleartext back to the server.

        Bridging - both client side and server side SSL certs are needed. ** Unless you are changing something in the profile to add value, you should use serverssl. Adding the client side cert to the server side of the f5 makes things messy when it comes to updating certs and/or reading tcpdumps etc.

        https://community.f5.com/t5/technical-forum/ssl-passthrough-ssl-offloading-and-ssl-bridging/td-p/197081

        You have not addressed:
        Is this internal only, or on the internet?
        Is there something you are troubleshooting, and are you sure you are accurately looking at the correct conversation, or are you trying to clean the noise in the logs?

  • Is that client side or server side?
    I suggest you capture the tcpdump in f5 then open it in wireshark to see the ssl session setup flow.
    Usually it happens due to a cipher mismatch between the ssl client and ssl server.
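The two diagnoses raised in this thread (cleartext HTTP reaching the :443 pool member when no serverssl profile is attached, from the first answer, and a cipher mismatch between the BIG-IP and the backend, from the reply above) can both be checked offline on the first payload bytes of the server-side flow pulled from a tcpdump. The script below is an added example, not code from the thread or from F5; the sample payloads and the small cipher-suite name table are constructed, and the `classify_first_bytes` / `parse_client_hello` names are my own.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Constructed lookup for the suites used below; extend from the IANA registry as needed.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}

# Constructed sample payloads: the first bytes a BIG-IP might send to a :443 pool member.
SAMPLE_PLAINTEXT = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_CLIENT_HELLO = b"".join([
    b"\x16\x03\x01\x00\x2f",      # TLS record header: handshake (0x16), 47 bytes follow
    b"\x01\x00\x00\x2b",          # handshake header: ClientHello (0x01), 43 bytes follow
    b"\x03\x03", bytes(32),       # client_version TLS 1.2, 32-byte random (zeros here)
    b"\x00",                      # session_id length 0
    b"\x00\x04\xc0\x2f\x00\x2f",  # cipher_suites: 4 bytes, two suites
    b"\x01\x00",                  # compression_methods: null only
])

def parse_client_hello(payload: bytes) -> dict:
    """Return client_version and offered cipher suites from a TLS ClientHello record."""
    if len(payload) < 11 or payload[0] != 0x16 or payload[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", payload[3:5])[0]
    body = payload[5:5 + rec_len]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                              # skip client_version and random
    pos += 1 + hello[pos]                     # skip session_id (length-prefixed)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"version": struct.unpack("!H", hello[0:2])[0], "cipher_suites": suites}

def classify_first_bytes(payload: bytes, server_suites: set) -> dict:
    """Diagnose the first bytes sent to a TLS pool member against the suites it accepts."""
    if payload.startswith(HTTP_METHODS):
        return {"kind": "plaintext-http", "common_suites": [],
                "diagnosis": "cleartext HTTP sent to a TLS port: check the serverssl profile on the VS"}
    try:
        hello = parse_client_hello(payload)
    except (ValueError, IndexError, struct.error):
        return {"kind": "unknown", "common_suites": [], "diagnosis": "neither HTTP nor a ClientHello"}
    common = [SUITE_NAMES.get(s, hex(s)) for s in hello["cipher_suites"] if s in server_suites]
    verdict = "cipher overlap OK" if common else "no offered cipher suite is accepted by the server"
    return {"kind": "tls-client-hello", "common_suites": common, "diagnosis": verdict}
```

Feed it the first server-side payload from `tcpdump -i 0.0 -s0 -w` output (exported from Wireshark as raw bytes) together with the suite set the backend reports; an empty `common_suites` on a ClientHello is the mismatch case, and `plaintext-http` is the missing-serverssl case.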