Forum Discussion
How to determine source of generic SSL failure message
I am getting as many as 15 of these messages per minute! How do I determine what source is failing? I've read multiple articles but don't see a simple answer. The messages are useless to me otherwise.
warning tmm1[11583]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
We are running Version 12.0.2 HF2
- DennisJann
Nimbostratus
This particular error message is typically logged when a client connects with an SSL/TLS version (e.g., SSLv3) not supported by your client-ssl profile. This can be quite annoying on Internet-facing devices as your VIPs are constantly being probed, usually without your consent.
The default behavior in BIG-IP 12.0.0 and later is to log SSL errors at level "warning" and higher.
tmsh list sys db log.ssl.level
sys db log.ssl.level { value "Warning" }
I opened a support case with F5, and they referred me to the documentation on the available log levels:
https://support.f5.com/csp/article/K5532
I changed the logging level to "Error" to suppress these messages and that considerably reduced the amount of noise from SSL warning messages in /var/log/ltm.
tmsh modify sys db log.ssl.level { value "Error" }
Before making any changes, I would recommend reviewing the types of SSL alerts and their severity levels in /etc/alertd/bigip_tmm_error_maps.h, so that you can make an informed decision about what kinds of messages you'll no longer be seeing:
grep SSL /etc/alertd/bigip_tmm_error_maps.h
Also reference:
https://support.f5.com/csp/article/K09322055
If you really want to identify the source addresses, you'd likely have to temporarily set the logging level to Debug, and then change it back to the default after capturing the data.
https://support.f5.com/csp/article/K17045
Hope this helps.
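Added example (not part of the thread and not F5 code): before raising log.ssl.level, this tallies which 01260009 connection errors are filling /var/log/ltm and how many arrive per minute. The syslog timestamp/hostname prefix in the pattern and the sample lines are constructed assumptions.

```python
import re
import sys
from collections import Counter

# Shape of the 01260009 message quoted in the question. The leading syslog
# timestamp and hostname are an assumption about the /var/log/ltm layout.
SSL_ERR = re.compile(
    r"^(?P<minute>\w{3}\s+\d+\s+\d{2}:\d{2}):\d{2}\s+\S+\s+\w+\s+tmm\d*\[\d+\]:\s+"
    r"01260009:\d+:\s+Connection error:\s+(?P<func>\w+):\d+:\s+"
    r"(?P<reason>.+?)\s+\((?P<alert>\d+)\)\s*$"
)

# Constructed sample lines (not real traffic). The first reason is the one from
# the question; the second reason and the last line are made up for the demo.
SAMPLE = """\
Mar  3 10:15:01 bigip1 warning tmm1[11583]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Mar  3 10:15:07 bigip1 warning tmm[11583]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Mar  3 10:15:40 bigip1 warning tmm1[11583]: 01260009:4: Connection error: ssl_select_suite:6799: no shared ciphers (40)
Mar  3 10:16:02 bigip1 warning tmm1[11583]: 01260009:4: Connection error: ssl_hs_rxhello:7443: unsupported version (70)
Mar  3 10:16:05 bigip1 info unrelated[1]: constructed line that is not an SSL error
"""

def summarize(lines):
    """Count 01260009 messages per (function, reason, alert) and per minute."""
    by_reason, by_minute, skipped = Counter(), Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        m = SSL_ERR.match(line)
        if m is None:
            skipped += 1  # other ltm messages are counted, not parsed
            continue
        by_reason[(m["func"], m["reason"], int(m["alert"]))] += 1
        by_minute[" ".join(m["minute"].split())] += 1
    return by_reason, by_minute, skipped

def peak_minute(by_minute):
    """Return (minute, count) for the busiest minute, or None if empty."""
    return max(by_minute.items(), key=lambda kv: kv[1]) if by_minute else None

if __name__ == "__main__":
    # Pass a log path as the first argument; with none, the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE.splitlines()
    by_reason, by_minute, skipped = summarize(lines)
    for (func, reason, alert), n in by_reason.most_common():
        print(f"{n:6d}  {func}: {reason} ({alert})")
    print("peak minute:", peak_minute(by_minute), "| other lines:", skipped)
```

The number in parentheses is reported as-is; 70 is the TLS alert code for protocol_version.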