nurairtt91
Jul 27, 2025

RST after client hello

The HTTPS health check from F5 for the backend server is failing. From the captures, I can see that the backend server is sending RST as soon as it receives SSL client hello from F5. When we tried to access the web page from the LAN network using the browser directly to the backend server (https://(backend_server_IP)), the connection worked just fine. I have attached the capture from both the browser and F5. Why is the server resetting the connection requests only from F5? Any insights would be helpful.

10 Replies

  • I don't see any captures.

    But a common issue is SNI. BIG-IP does not use it by default.

    Try to create a specific Server side SSL profile defining the appropriate server name and add it to the monitor.

    Of course, if it works, do not forget to use it also in the Virtual server.

  • Thanks for your reply. I added SNI and still got the same response. I tried to force it to use TLS1.2 as well but it did not resolve my issue. 

    • Injeyan_Kostas

      Could you share your monitor settings and a packet capture?

      Have you tried the same request with a curl from F5?

      • nurairtt91

        Yes, I tried with the Curl command as well. It was reporting "unknown SSL protocol error". I tried to initiate the connection using the openssl command and tried to force it with different TLS versions (1.0, 1.1, and 1.2) and sent SNI, but still no luck.

        SSL handshake only fails for the custom port, but when I initiate using 443, it works fine from F5 (Curl, openssl, and health check).

        [Active:Changes Pending] log # openssl s_client -connect x.x.x.x:custom_port -servername example.com
        CONNECTED(00000003)
        write:errno=104
        ---
        no peer certificate available
        ---
        No client certificate CA names sent
        ---
        SSL handshake has read 0 bytes and written 276 bytes
        ---
        New, (NONE), Cipher is (NONE)
        Secure Renegotiation IS NOT supported
        Compression: NONE
        Expansion: NONE
        No ALPN negotiated
        SSL-Session:
            Protocol  : TLSv1.2
            Cipher    : 0000
            Session-ID:
            Session-ID-ctx:
            Master-Key:
            Key-Arg   : None
            PSK identity: None
            PSK identity hint: None
            Start Time: 1753690172
            Timeout   : 300 (sec)
            Verify return code: 0 (ok)
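
As an added example (not part of the thread, and not F5 or OpenSSL code), this shell function classifies an `openssl s_client` transcript like the one above by what the server actually sent back, separating a TCP reset before any TLS record from a server that answered at the TLS layer. The verdict labels and the sample transcripts are this example's own; it assumes Linux, where errno 104 is ECONNRESET.

```shell
#!/bin/sh
# Added example: classify an `openssl s_client` transcript read on stdin.
# Verdict names are this example's own labels, not openssl or BIG-IP terms.
classify_s_client() {
    awk '
        /^ *(write|read):errno=/ { split($0, e, "="); err = e[2] + 0 }
        /SSL handshake has read/ { rd = $5 + 0; wr = $9 + 0; seen = 1 }
        /Cipher is /             { cipher = $NF }
        END {
            # The SSL-Session "Protocol" and "Verify return code" lines are
            # ignored on purpose: s_client prints them even when no
            # handshake completed, as in the transcript from the thread.
            if (!seen)                      print "no-handshake-summary"
            else if (rd == 0 && err == 104) print "reset-before-serverhello wrote=" wr
            else if (rd == 0)               print "no-server-bytes wrote=" wr
            else if (cipher == "(NONE)")    print "server-answered-no-cipher read=" rd
            else                            print "handshake-ok cipher=" cipher
        }'
}

# Sample 1: abridged from the output posted in the thread.
SAMPLE_RESET='CONNECTED(00000003)
write:errno=104
SSL handshake has read 0 bytes and written 276 bytes
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.2
    Verify return code: 0 (ok)'

# Sample 2 (constructed): the server replied with 7 bytes, the size of one
# TLS alert record (5-byte header + 2-byte alert), and no cipher was agreed.
SAMPLE_ALERT='CONNECTED(00000003)
SSL handshake has read 7 bytes and written 276 bytes
New, (NONE), Cipher is (NONE)'

# Sample 3 (constructed): a completed handshake.
SAMPLE_OK='CONNECTED(00000003)
SSL handshake has read 3104 bytes and written 415 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

for s in "$SAMPLE_RESET" "$SAMPLE_ALERT" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | classify_s_client
done
```

A `reset-before-serverhello` verdict means the connection was torn down at the TCP level after the ClientHello was written and before the server sent any TLS record, so no TLS alert exists in the capture to explain the rejection.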