Forum Discussion
LTM SSL reset after ClientHello
Hello.
I have a very strange problem (or so it seems to me) when I try to load balance some appliances with HTTPS access. When I try to access them I receive a reset from the server. When I do an ssldump I see this.
pre-master secret log file, generated by ssldump
24.25.4(443)
1 1  1556279563.8027 (0.0006)  C>SV3.3(91)  Handshake
      ClientHello
        Version 3.3
        random[32]=
          ac f1 6d 22 4d d7 84 6c 5f 7c 75 b6 07 7d 7f d2 2c e0 38 31 13 53 45 79 77 d5 ab 0c 2c 70 e3 71
        cipher suites
        Unknown value 0xc030
        Unknown value 0xc02f
        Unknown value 0xff
        compression methods
          NULL
1    1556279563.8030 (0.0003)  S>C  TCP RST
New TCP connection 2: 172.26.13.10(62099) <-> 172.24.25.4(443)
2 1  1556279564.4307 (0.0006)  C>SV3.3(91)  Handshake
      ClientHello
        Version 3.3
        random[32]=
          bf 00 36 9d ba 9c 04 bb 53 5d b4 d8 bf 1a 1c f3 cb cd d4 03 bf d9 b2 9e 48 ea 3a 92 4e d4 f3 30
        cipher suites
        Unknown value 0xc030
        Unknown value 0xc02f
        Unknown value 0xff
        compression methods
          NULL
2    1556279564.4310 (0.0003)  S>C  TCP RST
New TCP connection 3: 172.26.13.10(12313) <-> 172.24.25.4(443)
3 1  1556279564.5464 (0.0006)  C>SV3.3(91)  Handshake
      ClientHello
        Version 3.3
        random[32]=
          4e 9d 0f 22 83 bc d6 5c 58 1e d5 cd 84 00 4a 5a e4 cd 24 8d 12 af f3 6e 16 9d 5e b8 2e 46 7b 57
        cipher suites
        Unknown value 0xc030
        Unknown value 0xc02f
        Unknown value 0xff
        compression methods
          NULL
3    1556279564.5467 (0.0003)  S>C  TCP RST

I have changed the ciphers to ALL but nothing. I have tried with a Performance L4 VS and nothing.
Any idea? Thanks
- nathe (Cirrocumulus)
otsokume,
You should expect a ServerHello message after a ClientHello - the fact that you're getting a reset suggests that the cipher suites being offered by the client are not applicable on the F5 via the Client SSL Profile. I assume you've configured a Client SSL Profile and assigned this to the Virtual Server? What is the cipher string configuration on the Client SSL Profile?
You can check what ciphers are supported based on the cipher string in your profile. If you go to the CLI and run this:
tmm --clientciphers 'DEFAULT'
This should output all the ciphers (should you be using the DEFAULT cipher string, of course). If you've amended this then amend the command as well.
Your ClientHello suggests only these two cipher suites are supported: "ECDHE_RSA_WITH_AES_256_GCM_SHA384" and "ECDHE_RSA_WITH_AES_128_GCM_SHA256" - so you need to verify your SSL profile.
Also see these links for further help: SSL Profiles Part 4 and Troubleshooting SSL/TLS
Hope this helps,
N
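The check described in the answer above, as an added example that is not part of the original thread: it decodes the "Unknown value" cipher suite IDs from the ssldump ClientHello into IANA names and intersects them with the suites a profile accepts. The names `offered_suites`, `negotiable` and `PROFILE_RSA_ONLY` are hypothetical, and the profile set is constructed for illustration, not taken from any real BIG-IP configuration.

```python
import re

# Cipher suite IDs from the IANA TLS registry (subset relevant to the capture).
IANA = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Signalling values: listed by the client but never selectable by a server.
SCSV = {0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", 0x5600: "TLS_FALLBACK_SCSV"}

# Excerpt of the ClientHello from the ssldump output in the question (random bytes omitted).
CLIENT_HELLO = """ClientHello Version 3.3
cipher suites
Unknown value 0xc030
Unknown value 0xc02f
Unknown value 0xff
compression methods NULL"""

# Constructed for illustration: IDs a profile limited to RSA key exchange
# would accept. Replace with the IDs your own cipher string resolves to.
PROFILE_RSA_ONLY = {0x009C, 0x002F, 0x0035}

def offered_suites(dump):
    """Return the cipher suite IDs of the first ClientHello in ssldump text."""
    m = re.search(r"cipher suites(.*?)compression methods", dump, re.S)
    if m is None:
        raise ValueError("no ClientHello cipher list found")
    by_name = {name: cid for cid, name in {**IANA, **SCSV}.items()}
    ids = []
    for tok in m.group(1).split():            # works on wrapped or flattened dumps
        if tok.lower().startswith("0x"):      # suite ssldump could not name
            ids.append(int(tok, 16))
        elif tok in by_name:                  # suite ssldump printed by name
            ids.append(by_name[tok])
    return ids

def negotiable(dump, profile_ids):
    """Suites both sides support; an empty list means the handshake cannot proceed."""
    real = [c for c in offered_suites(dump) if c not in SCSV]
    return [IANA.get(c, hex(c)) for c in real if c in profile_ids]

if __name__ == "__main__":
    for cid in offered_suites(CLIENT_HELLO):
        print(f"0x{cid:04x}", IANA.get(cid) or SCSV.get(cid, "unknown"))
    print("shared with profile:", negotiable(CLIENT_HELLO, PROFILE_RSA_ONLY))
```

An empty intersection is the condition the answer points to: the client offers only ECDHE-RSA GCM suites, so the profile must resolve to at least one of them.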