Forum Discussion
Zenz
Altostratus
Altostratus[SOLVED] Connection error: ssl_null_parse:1387: record protocol version incorrect
Hi,
We have this error suddenly in our environment..
We think the party connecting to us (AKAMAI) might changed something..
to understand what the exact error is we are looking for the error codes, but we cannot find it.
Is there an error code list somewhere?
Kind Regards,
Zenz
Hi Lidev,
thx again for the reply..
we have identified the problem.
it was a routing problem, where the response of the backend server did not reach the loadbalancer anymore
so TCP and SSL handshake went fine between akamai and our origin (VIP on F5), however, the loadbalancer then wanted to setup the connection with the http server starting with the tcp handshake, where the ack was not received by the loadbalancer anymore, as someone created a VM in the same network with the source IP of the loadbalancer.
some side note:
our healthchecks/monitoring from F5 to server are done with different source IP's then the actual traffic is using.
ZenzHi Lidev,
thx again for the reply..
we have identified the problem.
it was a routing problem, where the response of the backend server did not reach the loadbalancer anymore
so TCP and SSL handshake went fine between akamai and our origin (VIP on F5), however, the loadbalancer then wanted to setup the connection with the http server starting with the tcp handshake, where the ack was not received by the loadbalancer anymore, as someone created a VM in the same network with the source IP of the loadbalancer.
some side note:
our healthchecks/monitoring from F5 to server are done with different source IP's then the actual traffic is using.
- jaikumar_f5
MVP
Please mark your thread as solved then. You can mark your own answer.
- Lidev
@Zenz
glad to hear that 😌
- Lidev
Hello Zenz,
Your connection error message is pretty clear, there's a TLS/SSL protocol version mismatch during the handshake SSL (check the Ciphersuites on both side)
- Zenz
Hi Lidev,
thx for your quick answer.
However we checked the handshake protocol versions..in the tcp dump, which seems to be no issue.
Client Hello =
Version: TLS 1.2 (0x0303)
Cipher Suites (22 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Server Hello:
Version: TLS 1.2 (0x0303)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
but this seems to be about the "record protocol version"
I just found this article:
https://support.f5.com/csp/article/K75464225
do not know yet if its related.
- Lidev
Do you see any SSL renegociation in your tcpdump ?
To help with troubleshooting, it would be appreciated if you could share your tcpdump.
