Forum Discussion

Anoop_Dharan_20's avatar
Anoop_Dharan_20
Icon for Nimbostratus rankNimbostratus
May 26, 2018

LTM error message

Hi Team,

 

I receive below messages in /var/log/ltm. Any suggestions ?

 

warning tmm[9502]: 01260009:4: Connection error: ssl_hs_rxhello:7110: unsupported version (40) warning tmm[9502]: 01260009:4: Connection error: ssl_select_suite:6578: TLS_FALLBACK_SCSV with a lower protocol (86) warning tmm1[9502]: 01260009:4: Connection error: ssl_select_suite:6578: TLS_FALLBACK_SCSV with a lower protocol (86) warning tmm[9502]: 01260009:4: Connection error: ssl_hs_rxhello:7110: unsupported version (40)

 

Version : 12.0.0 HF2

 

application delivery
BIG-IP

4 Replies

Sort By
  • Samir_Jha_52506's avatar
    Samir_Jha_52506
    Icon for Noctilucent rankNoctilucent
    May 26, 2018

    A secure connection cannot be established because unsupported protocol. Enable SSL debug n see which vip doesn't support SSL/TLS protocol.

     

    • Anoop's avatar
      Anoop
      Icon for Nimbostratus rankNimbostratus
      May 26, 2018

      As per https://support.f5.com/csp/article/K15292 beginning in 12.0.0, the BIG-IP system automatically logs SSL handshake failure information through standard logging; the use of debug logging for SSL handshake failures is not required.

       

      Should I still enable SSL debug ?

       

    • Anoop's avatar
      Anoop
      Icon for Nimbostratus rankNimbostratus
      May 26, 2018

      DB says ssl log level is warning. I will enable debug and see whats going on. Thanks

       

      sys db log.ssl.level { default-value "Warning" scf-config "false" value "Warning" value-range "Alert Critical Debug Emergency Error Informational Notice Warning" }

       

  • Surgeon's avatar
    Surgeon
    Ret. Employee
    May 26, 2018

    There is SSL version mismatch. Client side uses low version which can not be used by big-ip. big-ip can not lower it's ssl version.

     

    The best way would be to do a packet capture and confirm that.

     

    12.0.0 does not accept SSLv3 by default.