Forum Discussion
ali_64819
Nimbostratus
NimbostratusF5 Big-Ip upgraded to 11.1, "Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure" and many other errors
Hello everyone, can anybody help me in resolving these errors.
i have recently upgraded F5 Big-Ip from 10.2 to 11.1 and recieving the following errors. 1. "Open ssl error -error:140790E5:SSL routines:SSL23 _WRITE:ssl handshake failure" (Navigating to System-->logs --> local traffic) 2. F5 big-IP is not sending all the logs to LOG Management system (Symantec SIM). Logs related to ASM are not present in the Symantec SIM, although i use to recieve the logs before the upgrade, F5 is only sending Partial logs to Symantec SIM, i can only view LTM Logs and some ASM LOGs which are of severity info,notice in Symantec SIM.
Moe_JartinCirrus
Agreed. The fix for us was to remove the SSL health check one-by-one from each of the pools. We finally found one pool that was causing the issue. To be clear though, this is not a problem with the pool but rather a change in behavior on the F5 side from 10.x to 11.x. I still think F5 needs to fixed the issue or give the option to ignore untrusted certs for health checks (or whatever is the root cause of the error).
Joe M
emilio_104458Posted By nitass on 07/09/2012 07:30 AM
i deleted all custom ssl profile and ssl certificate (only default ones now is present) and i still have:
Jul 9 16:17:31 f5 err bigd[17045]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure.why is ssl profile?? i thought we were talking about https monitor, weren't we?
oh sorry...my misunderstanding becouse some research talk about ssl profile.
i've no custom https monitor. only the following default https monitors are present:https HTTPS Common
https_443 HTTPS Common
https_head_f5 HTTPS Common
only https is used....
as soon i've deleted each use of that monitor for any pools, the error disappear...
what do u suggest to continue use this monitor?
thanks a lot
nitassEmployee
can you list all the https monitors you have?
b monitor (https monitor name) list- emilio_104458Posted By nitass on 07/09/2012 08:28 AM
can you list all the https monitors you have?
b monitor (https monitor name) list
root@f5(Active)(/Common)(tmos) list ltm monitor https
ltm monitor https https {
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled
destination *:*
interval 5
send "GET /\\r\\n"
time-until-up 0
timeout 16
}
ltm monitor https https_443 {
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled
defaults-from https
destination *:https
interval 5
send "GET /\\r\\n"
time-until-up 0
timeout 16
}
ltm monitor https https_head_f5 {
cipherlist DEFAULT:+SHA:+3DES:+kEDH
compatibility enabled
defaults-from https
destination *:*
interval 5
recv Server\\:
send "HEAD / HTTP/1.0\\r\\n\\r\\n"
time-until-up 0
timeout 16
} - nitassi am not sure but would you mind trying custom https monitor with cipherlist ALL instead?
e.g.root@ve10(Active)(tmos) list ltm monitor https myhttps ltm monitor https myhttps { cipherlist "ALL" compatibility "enabled" defaults-from https destination *:* interval 5 send "GET /\r\n" time-until-up 0 timeout 16 } - emilio_104458nothing :(
i've created the following monitor:
root@f5(Active)(/Common)(tmos) list ltm monitor https https_override
ltm monitor https https_override {
cipherlist ALL
compatibility enabled
defaults-from https
destination *:*
interval 5
send "GET /\\r\\n"
time-until-up 0
timeout 16
}
root@
but as soon i've linked it to a pool, the following error on the /var/log/ltm
Jul 10 11:43:52 f5 err bigd[17045]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure.
Jul 10 11:44:17 f5 err bigd[17045]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure.
Jul 10 11:44:42 f5 err bigd[17045]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure.
Jul 10 11:45:07 f5 err bigd[17045]: 01060111:3: Open SSL error - error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure. - nitassis the pool member really running https service?
can you try curl against the pool member (from bigip)?
e.g.
curl -Ik https://x.x.x.x
x.x.x.x is pool member ip - emilio_104458[root@f5:Active] config curl https://192.168.32.129:443
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - nitass[root@f5:Active] config curl https://192.168.32.129:443 can you try "-Ik" option? will you still get an error?
e.g.
curl -Ik https://192.168.32.129 - emilio_104458with -IK opation, works
curl -Ik https://192.168.32.129
HTTP/1.1 200 OK
Date: Tue, 10 Jul 2012 15:10:44 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 21 Nov 2011 02:51:30 GMT
ETag: "cc80-ced-c3831080"
Accept-Ranges: bytes
Content-Length: 3309
Content-Type: text/html; charset=ISO-8859-