LTM SSL handshake failure (40) with IIS SSL setting Accept
I had an issue where communication from a client PC failed with one of the pool members. The client PC can directly access the problem member without any issue. If it is accessed through the VS, the failure happens.
As investigated with a packet capture, the following error caused the communication failure.
Transport Layer Security
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 26
Alert Message
Level: Fatal (2)
Description: Handshake Failure (40)
As I investigated, I found the problem member's IIS SSL setting is set to "Accept". The other working members are set to "Ignore". When I changed the setting to "Ignore", the problem was gone.
The IIS SSL setting "Accept" is to accept a client certificate if it is provided by the client. If the client did not provide a client certificate, IIS still establishes the connection. On the VS, an SSL server profile is used. The profile setting is almost default.
Do you know why BIG-IP fails the SSL communication if the IIS SSL setting is "Accept"?
3 Replies
Have you configured the CA cert of the client certificates in the vserver's client(side) SSL profile?
https://my.f5.com/manage/s/article/K12140946
How To Configure BIG-IP Part 8 - Client Authentication- Sakiy
We only configure the server certificate on the SSL client profile. No client cert is set.