Forum Discussion
LTM SSL handshake failure (40) with IIS SSL setting Accept
An LTM SSL handshake failure (40) indicates a problem during the SSL/TLS handshake process between the Local Traffic Manager (LTM) and an IIS server. This issue often arises when there’s a mismatch in SSL settings, such as protocol versions or cipher suites. If the IIS SSL setting is set to Accept, it might be allowing weaker protocols, which could cause compatibility issues with LTM. To resolve this, ensure that both the LTM and IIS are configured to support the same SSL/TLS protocols and cipher suites. Additionally, checking the server certificates for validity and proper installation can help eliminate handshake failures.
Thank you for your reply.
I opened a case with F5 support as well. I got the following reply. It indicated that the peer-cert-mode on the SSL server profile caused the issue when the IIS SSL setting is Accept. But I am not sure why it causes the handshake failure.
```
# tmsh list /ltm profile server-ssl all-properties
[...]
ltm profile server-ssl /Common/XXX_XXX {
    alert-timeout 4294967295
    app-service none
    authenticate once
    authenticate-depth 9
    authenticate-name none
    ca-file none
    cache-size 262144
    cache-timeout 3600
    cert none
    chain none
    cipher-group none
    ciphers DEFAULT:@STRENGTH:!RC4-SHA:!DES:!3DES:!NONE:!SSLv3:!TLSv1
    crl-file none
    defaults-from /Common/serverssl
    description none
    expire-cert-response-control drop
    generic-alert enabled
    handshake-timeout 10
    key none
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments no-tlsv1.3 }
    partition Common
    passphrase ***scrubbed***
    peer-cert-mode ignore <<<<==============
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation disabled
    retain-certificate true
    secure-renegotiation require-strict
    server-name none
    session-mirroring disabled
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy disabled
    ssl-forward-proxy-bypass disabled
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
    untrusted-cert-response-control drop
}
```
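As an added example (not code from the thread, from F5 support, or from IIS), the script below parses a `tmsh list ... all-properties` server-ssl listing like the one above and reports the settings that matter for this kind of handshake failure: which protocol versions the profile can still offer after the `!SSLv3`/`!TLSv1` cipher exclusions and the `no-tlsv1.3` option, whether `peer-cert-mode ignore` leaves the backend certificate unverified, and whether `cert`/`key` are `none` so the LTM has no client certificate to present if the backend sends a CertificateRequest (what an IIS site with client certificates set to Accept or Require does). The listing embedded in the script is constructed from the scrubbed output in the post; the protocol model and the `backend_requests_client_cert` flag are simplifying assumptions, not F5 behaviour quoted from documentation.

```python
import re

# Constructed sample: the scrubbed server-ssl listing posted in the thread, trimmed to the
# properties the audit looks at. The poster's "<<<<===" marker is kept on purpose so the
# parser demonstrates tolerating hand annotations.
TMSH_LISTING = """\
ltm profile server-ssl /Common/XXX_XXX {
    authenticate once
    ca-file none
    cert none
    chain none
    ciphers DEFAULT:@STRENGTH:!RC4-SHA:!DES:!3DES:!NONE:!SSLv3:!TLSv1
    defaults-from /Common/serverssl
    key none
    mode enabled
    options { dont-insert-empty-fragments no-tlsv1.3 }
    passphrase ***scrubbed***
    peer-cert-mode ignore <<<<==============
    secure-renegotiation require-strict
    untrusted-cert-response-control drop
}
"""

HEADER_RE = re.compile(r"^ltm profile (\S+) (\S+) \{$")
ANNOTATION_RE = re.compile(r"\s*<{2,}=*.*$")  # strips "<<<<=====" style hand annotations

# Simplified model (assumption): a protocol version is dropped either by a "!<version>"
# token in the cipher string or by a "no-<version>" entry in the profile options.
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
OPTION_TO_PROTOCOL = {"no-sslv3": "SSLv3", "no-tlsv1": "TLSv1", "no-tlsv1.1": "TLSv1_1",
                      "no-tlsv1.2": "TLSv1_2", "no-tlsv1.3": "TLSv1_3"}


def parse_tmsh_profile(listing):
    """Parse one tmsh profile listing into (profile_type, name, props).

    Flat "key value" lines become strings; one-level braced groups such as
    "options { a b }" become lists. Trailing "<<<<===" annotations are removed.
    """
    profile_type = name = None
    props = {}
    for raw in listing.splitlines():
        line = ANNOTATION_RE.sub("", raw).strip()
        if not line or line == "}":
            continue
        m = HEADER_RE.match(line)
        if m:
            profile_type, name = m.group(1), m.group(2)
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if value.startswith("{") and value.endswith("}"):
            props[key] = value[1:-1].split()
        else:
            props[key] = value
    return profile_type, name, props


def negotiable_protocols(props):
    """Return the protocol versions the profile can still offer under the model above."""
    allowed = set(PROTOCOLS)
    for token in props.get("ciphers", "").split(":"):
        if token.startswith("!"):
            allowed.discard(token[1:])
    for opt in props.get("options", []):
        allowed.discard(OPTION_TO_PROTOCOL.get(opt))
    return [p for p in PROTOCOLS if p in allowed]


def audit_server_ssl(props, backend_requests_client_cert=False):
    """Return findings about trust posture and client-certificate readiness.

    backend_requests_client_cert (assumption) models a backend that sends a
    CertificateRequest, e.g. IIS with client certificates set to Accept or Require.
    """
    findings = []
    if props.get("peer-cert-mode", "ignore") == "ignore":
        findings.append("peer-cert-mode 'ignore': the backend server certificate is not "
                        "verified, so the LTM does not authenticate the server")
    elif props.get("ca-file", "none") == "none":
        findings.append("peer-cert-mode requires verification but ca-file is 'none'")
    no_client_cert = props.get("cert", "none") == "none" or props.get("key", "none") == "none"
    if backend_requests_client_cert and no_client_cert:
        findings.append("cert/key 'none': nothing to present if the backend sends a "
                        "CertificateRequest (IIS client certificates Accept/Require)")
    return findings


if __name__ == "__main__":
    ptype, name, props = parse_tmsh_profile(TMSH_LISTING)
    print(f"{ptype} {name} offers: {', '.join(negotiable_protocols(props))}")
    for finding in audit_server_ssl(props, backend_requests_client_cert=True):
        print(" -", finding)
```

Run against the listing from the post it reports that the profile offers only TLS 1.1 and TLS 1.2, that the backend certificate is not verified, and that no client certificate is configured; checking the IIS site against those three points (enabled protocol versions, whether it requests client certificates, and whether its certificate chains to a CA the LTM trusts) narrows a `handshake failure (40)` down faster than reading the raw profile by eye.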