best way to reject SSL Connections

Question

We use IPI and we drop the requests via iRule because we cannot use ASM at every VS.
today we reject the connect in then CLIENT_ACCEPTED but the result is a &nbsp;
SSL Handshake failed for TCP  xxx.xxx.xxx.xxx:nnn -&gt; xxx.xxx.xxx.xxx:nnn&nbsp;
in ltm log. do we have to accept that or is there a better way to reject connections like that?&nbsp;
let the connect go on until HTTP_REQUEST is not option because we have the same problem when we use a required Client Certificate where we check for example the UPN and we like to drop the connection if the UPN is invalid or missing.&nbsp;

kevin_stewart · Answer

I guess it depends on how you're doing the reject. If you're sending a reject in CLIENT_ACCEPTED based on the client IP address, you shouldn't be seeing SSL handshake errors. The best you can do though is to simply reject or drop the connection.

andy_mcgrath · Answer

You are getting SSL error as the CLIENT_ACCEPTED event is triggered once the TCP connection has been established so the client has likely already sent the SSL Client Hello before being rejected.&nbsp;
Personally if this is for security and public I would drop the connection instead of rejecting it. These will mean the client TCP connection will timeout.&nbsp;

Forum Discussion

best way to reject SSL Connections

Recent Discussions

APM with EntraID as idP / request signed

Should config via cli rather than gui?

Background Tasks

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Site-to-Site Connectivity in F5 Distributed Cloud Network Connect – Reference Architecture

irule reject request when payload field is null

Trouble redirecting on APM rejection.

iRule rejects connections but there is no reject command

Securely connecting Kubernetes Microservices with F5 Distributed Cloud

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS