Adding Peer device issue

Question

Hi Guys,&nbsp;
I have a problem with my customer.
We are working in Test Plant, where we would replace 2 F5 Viprion 4400 (version 11.4.1) with an F5 i2600 (version 12.1.2).
I'm telling you what we would like to do to migrate everything (in Test Plant we are testing the procedure we would like to implement in production, where we will replace two Viprion 4400 with two Viprion 2400):&nbsp;
Added the new F5 to the existing Device Group by creating a new sync VLAN between the 3 devicesSync the configuration on the new deviceFailover of traffic on the new deviceRemove from the device group the two old Viprion
We immediately encountered a problem when we tried adding a peer to insert the new device into the current cluster, in particular we get the following error (via GUI the same error exists on both Viprion and i2600): &nbsp;
iControl connection to 172.16.4.242 failed (where IP 172.16.4.242 is the IP of the new F5 i2600)&nbsp;
Checking the ltm log file, we find the following errors:&nbsp;
Viprion (LTM) Side: SSL_handshake: error: 14094410: SSL routines: SSL3_READ_BYTES: sslv3 alert handshake failure&nbsp;
I2600 (LTM) Side: SSL_handshake: error: 14077102: SSL routines: SSL23_GET_SERVER_HELLO: unsupported protocol&nbsp;
Any idea about this?&nbsp;
BR&nbsp;

kevin_k_51432 · Answer

Greetings,&nbsp;
That seems resemble the following:&nbsp;
K54511423: The system includes insecure ciphers when a device adds another device to the device trust&nbsp;
https://support.f5.com/csp/article/K54511423&nbsp;
Did you happen to use this article to modify the HTTP cipher strength?&nbsp;
K13405: Restricting Configuration utility access to clients using high-encryption SSL ciphers (11.x)&nbsp;
https://support.f5.com/csp/article/K13405&nbsp;
Kevin&nbsp;

andrea_colombo_ · Answer

Hello Kevin,
thank you for your response.
We tried the solution on K13405, but the problem is the same:  iControl connection to 172.16.4.242 failed&nbsp;
Any idea?&nbsp;
BR&nbsp;
Andrea&nbsp;

amintej · Answer

Hello, We had a similar problem when we turned off TLS 1.0 in the httpd interface but it looks like your problem is with SSLv3 protocol. 
Check the current configuration with the next command:
list sys httpd ssl-protocol 
sys httpd { ssl-protocol "all -SSLv2 -SSLv3"}

You can add SSLv3 using modify:
 modify sys httpd ssl-protocol "all -SSLv2 +SSLv3"

kevin_k_51432 · Answer

Hi Andrea,
I've not encountered this issue on any of my BIG-IPs. It looks like the default setting is:
tmsh list sys httpd ssl-protocol
sys httpd {
    ssl-protocol "all -SSLv2 -SSLv3"
}

Do you have the ability to set this on both devices and test? 
tmsh
modify sys httpd ssl-protocol "all -SSLv2 -SSLv3"
save sys config
load sys config
restart sys service httpd

I know you intend to use stronger ciphers only, but it appears this is only possible in v13.0.0 per the bug mentioned above.
Thanks!
Kevin

Forum Discussion

Adding Peer device issue

Recent Discussions

AS3 Limitations

Unable to install firmware OS and drop at 10%

Statistics ›› Analytics : HTTP : Overview

How to Renew F5 Device Certificate

F5 ASM CEF Sending Logs in Specific TimeZone

Related Content

BIG-IQ : Error when adding device

DEVICE-0202 Error while adding rSeries as a provider in CM

Error While Adding Peer Devices to Local Trust Domain

Device Management

why the device certificate verify failed when the device certificate is not expired?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS