Forum Discussion

ali_64819
Feb 27, 2012
F5 Big-Ip upgraded to 11.1, "Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure" and many other errors

Hello everyone, can anybody help me in resolving these errors?

I have recently upgraded F5 BIG-IP from 10.2 to 11.1 and am receiving the following errors:

1. "Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure" (navigating to System --> Logs --> Local Traffic)

2. F5 BIG-IP is not sending all the logs to the log management system (Symantec SIM). Logs related to ASM are not present in the Symantec SIM, although I used to receive the logs before the upgrade. F5 is only sending partial logs to Symantec SIM; I can only view LTM logs and some ASM logs of severity info/notice in Symantec SIM.
  • With the -IK option it works. I am running out of ideas. Can you try to capture packets? Is there anything suspicious?

    Steps could be like this:

    1/ remove https monitor from pool member

    2/ start tcpdump, e.g.

    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x and host 192.168.32.129 and port 443

    (x.x.x.x is the non-floating self IP)

    3/ assign https monitor to pool member

    4/ stop tcpdump (^c)
  • We had an issue with https monitors not including the host name in the GET and failing as a result. The requirement, or lack thereof, of a host name appears to differ between HTTP 1.1 and HTTP 1.0.

    You can try forcing HTTP 1.0 in your monitor and see if the server is willing to respond to that. If that does not work I would try incorporating a host name into the monitor. We actually ended up making a different monitor for every https server in our config. Here is an example.

    ltm monitor https custom_example_ssl {
        cipherlist DEFAULT:+SHA:+3DES:+kEDH
        compatibility enabled
        defaults-from https
        description "Custom monitor pointing to f5healthmonitor virtual on IIS"
        destination *:*
        interval 5
        recv "HTTP/1.1 200 OK"
        send "GET /f5healthmonitor/index.htm HTTP/1.1\\r\\nHost: www.example.com\\r\\nConnection: Close\\r\\n\\r\\n"
        time-until-up 0
        timeout 16
    }
  • I think that a monitor should be as generic as possible... mostly the ones defined by default on the F5...

    @nitass I will dump the connection as soon as possible...

    Thanks
  • Posted By nitass on 07/10/2012 08:22 AM

    "With the -IK option it works. I am running out of ideas. Can you try to capture packets? Is there anything suspicious?

    Steps could be like this:

    1/ remove https monitor from pool member

    2/ start tcpdump, e.g.

    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x and host 192.168.32.129 and port 443

    (x.x.x.x is the non-floating self IP)

    3/ assign https monitor to pool member

    4/ stop tcpdump (^c)"

    Hi nitass,

    just a doubt: if I remove the https monitor from my pool and then dump with a filter on the host and port of a specific pool member, I think I'll have no traffic in that dump... right?

    I think I resolved it... I don't know if it is the solution for "all"...

    Using the following send string in the https monitor, no error seems to appear:

    GET /\r\n\r\n

    (just duplicate the \r\n)

    Does it convince you?
  • "just a doubt: if I remove the https monitor from my pool and then dump with a filter on the host and port of a specific pool member, I think I'll have no traffic in that dump... right?"

    I would remove the monitor from the pool before starting tcpdump because I want to capture from the 1st monitor packet. I have come across an issue where I was unable to decrypt the tcpdump if I did not capture from the 1st packet.

    "Using the following send string in the https monitor, no error seems to appear:

    GET /\r\n\r\n

    (just duplicate the \r\n)"

    I am not sure, but I think the ssl handshake failure should happen before sending the GET request. For the double \r\n, it depends on what BIG-IP version and HTTP protocol you are using.

    sol2167: Constructing HTTP requests for use with the HTTP or HTTPS application health monitor
    http://support.f5.com/kb/en-us/solutions/public/2000/100/sol2167.html

    So, the issue is gone, isn't it? Really?
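The two HTTP-level fixes discussed in this thread (adding a Host header when the send string uses HTTP/1.1, and terminating the request with a blank line, i.e. the doubled \r\n) can be reproduced without a BIG-IP. The script below is an added example, not code from the thread or from F5: it starts a constructed stand-in for a pool member on localhost that enforces the HTTP/1.1 Host requirement and, like a real origin, keeps waiting when a request never ends with a blank line; `probe()` then plays the monitor, sending a tmsh-style escaped send string and matching the recv string against the reply. TLS is deliberately left out, since (as nitass notes) a handshake failure happens before the GET is ever sent; the `unescape_tmsh`, `start_mock_member` and `probe` names and the 0.5 s server timeout are assumptions of this example.

```python
"""Local simulation of an LTM http(s) monitor send/recv exchange (added example)."""
import socket
import threading


def unescape_tmsh(send_string: str) -> bytes:
    """Turn the escaped form typed into a monitor's send string (e.g. r"GET /\r\n\r\n")
    into the raw bytes the monitor puts on the wire."""
    return send_string.encode("ascii").decode("unicode_escape").encode("latin-1")


def _handle(conn: socket.socket) -> None:
    """Constructed pool-member behaviour: strict about Host on HTTP/1.1, and silent
    (then closes) if the request head never ends with a blank line."""
    conn.settimeout(0.5)  # assumption: how long the fake server waits for the blank line
    data = b""
    try:
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        data = b""
    if b"\r\n\r\n" not in data:
        conn.close()  # incomplete request: the monitor sees no response and times out
        return
    head = data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    request_line = head[0].split()
    header_names = {h.split(b":", 1)[0].strip().lower() for h in head[1:] if b":" in h}
    is_http11 = len(request_line) == 3 and request_line[2] == b"HTTP/1.1"
    if is_http11 and b"host" not in header_names:
        status, body = b"HTTP/1.1 400 Bad Request", b"Host header required"
    else:
        # HTTP/1.0, and the version-less "GET /" form, are accepted without Host here
        status, body = b"HTTP/1.1 200 OK", b"OK"
    conn.sendall(status + b"\r\nContent-Length: " + str(len(body)).encode()
                 + b"\r\nConnection: close\r\n\r\n" + body)
    conn.close()


def start_mock_member() -> int:
    """Start the fake pool member on a free localhost port and return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def probe(port: int, send_string: str, recv_string: str, timeout: float = 2.0) -> str:
    """Act like the monitor: send the unescaped send string, read until the server
    closes or the timeout expires, and report up/down based on the recv string."""
    buf = b""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(unescape_tmsh(send_string))
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            pass
    if not buf:
        return "down (no response before timeout)"
    if recv_string.encode() in buf:
        return "up"
    first_line = buf.split(b"\r\n", 1)[0].decode(errors="replace")
    return "down (recv string not found; server said %r)" % first_line


if __name__ == "__main__":
    port = start_mock_member()
    recv = "HTTP/1.1 200 OK"
    for send in (
        r"GET / HTTP/1.1\r\n\r\n",                                        # no Host header
        r"GET / HTTP/1.1\r\nHost: www.example.com\r\nConnection: Close\r\n\r\n",
        r"GET / HTTP/1.0\r\n\r\n",                                        # HTTP/1.0, no Host needed
        r"GET /\r\n",                                                     # missing blank line
        r"GET /\r\n\r\n",                                                 # the thread's doubled \r\n
    ):
        print(f"{send!r:70} -> {probe(port, send, recv)}")
```

Run it as a script to see each send string marked up or down; the one-CRLF request is the only case that produces no reply at all, which on a real BIG-IP shows up as the monitor timing out rather than as a recv-string mismatch.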
  • Yes, with this new monitor (send string modified and cipher = ALL) the issue was resolved.

    Thanks for your time :)