Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Ed_Summers's avatar
Ed_Summers
Icon for Nimbostratus rankNimbostratus
Oct 18, 2016

Attributing object to log messages

Since upgrading to v12.1.1 we're seeing SSL errors in /var/log/ltm. I believe this is due to behavior starting in v12.0 per SOL15292 ("Note: Beginning in 12.0.0, the BIG-IP system automatically logs ...
application delivery
event logging
LTM
Ed_Summers's avatar
Ed_Summers
Icon for Nimbostratus rankNimbostratus
Sep 07, 2017

Ran out of time looking at this in the lab today. Maybe someone has additional details that would fill in the gaps on SSL log messages below. I didn't have time to dig further this morning.

  • Virtual Server: /Common/test_https
  • VIP: 10.1.0.65
  • SSL bridged; custom client-ssl profile with cipher string 'DEFAULT:!SSLv3' and default serverssl profile server-side

Test 1: Connect to the virtual server using SSLv3 and view /var/log/ltm

When log.ssl.level = Warning (default value)

Sep 7 01:42:20 lb1 warning tmm1[24695]: 01260009:4: Connection error: ssl_hs_rxhello:7344: unsupported version (40)

I then increased logging to Debug and tried again. For this test the only additional message came at the Info level:

 

Sep  7 01:44:26 lb1 warning tmm3[24695]: 01260009:4: Connection error: ssl_hs_rxhello:7344: unsupported version (40)
Sep  7 01:44:26 lb1 info tmm3[24695]: 01260013:6: SSL Handshake failed for TCP 172.16.1.132:59968 -> 10.1.0.65:443

 

Second test was connecting to the virtual using HTTP instead of HTTPS. Even at the debug level only the following message was logged:

Sep 7 01:46:35 lb1 warning tmm1[24695]: 01260009:4: Connection error: ssl_passthru:4021: not SSL (40)

The partial answer to my original question: Debug isn't necessarily required to obtain attribution of the error to an object for certain errors. In this test we can attribute the virtual at Info logging level for unsupported protocol version errors, but no attribution was available for the 'not SSL' error.

/var/run/bigip_error_maps.dat contains a mapping of error messages (including codes) to log files and levels (Reference: K6420). I thought I would be able to grep the file for all SSL error codes to get an idea at which level they would be logged. Searching the three codes above resulted in the following:

 

0 LOG_WARNING   01260009 BIGIP_SSL_SSLERR_CONN "Connection error: %s:%d: %s (%d)" 
0 LOG_WARNING   01260013 BIGIP_SSL_SSLERR_HANDSHAKE_FAILED "Not used -- implemented via new API to meet ICSA requirements; see ssl.c."

 

The second error (that provided virtual attribution) notes that it is 'Not used' (it also isn't currently logged at the Warn level). I searched the filesystem for ssl.c but turned up nothing. Not surprising - I wouldn't expect to find source code on the system.

Grepped all files in /var/run for 'BIGIP_SSL_SSLERR_HANDSHAKE' but could not find a file with that error message. Apparently the SSL messages are handled elsewhere in current versions.

It is possible that the Info log level for log.ssl.level may provide what is needed but I can't say for sure. Practically - if your system isn't heavily loaded enable Debug level temporarily to get your troubleshooting done. If you're uncertain about the resource load - consult F5 Support. I'm still interested in knowing if/where the SSL messages are now listed, if they're even in a text file now.