Forum Discussion

Zenz's avatar
Zenz
Icon for Altostratus rankAltostratus
Jan 29, 2020

[SOLVED] Connection error: ssl_null_parse:1387: record protocol version incorrect

Hi, We have this error suddenly in our environment.. We think the party connecting to us (AKAMAI) might changed something..   to understand what the exact error is we are looking for the erro...
application delivery
BIG-IP
LTM
  • Zenz's avatar
    Zenz
    Jan 30, 2020

    Hi Lidev,

     

    thx again for the reply..

     

    we have identified the problem.

    it was a routing problem, where the response of the backend server did not reach the loadbalancer anymore

     

    so TCP and SSL handshake went fine between akamai and our origin (VIP on F5), however, the loadbalancer then wanted to setup the connection with the http server starting with the tcp handshake, where the ack was not received by the loadbalancer anymore, as someone created a VM in the same network with the source IP of the loadbalancer.

     

    some side note:

    our healthchecks/monitoring from F5 to server are done with different source IP's then the actual traffic is using.

     

     

     

     

Zenz's avatar
Zenz
Icon for Altostratus rankAltostratus
Jan 29, 2020

Hi Lidev,

thx for your quick answer.

However we checked the handshake protocol versions..in the tcp dump, which seems to be no issue.

 

Client Hello =

Version: TLS 1.2 (0x0303)

Cipher Suites (22 suites)

  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

  Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

  Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

  Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

  Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

  Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

  Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)

  Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)

  Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

  Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

  Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

  Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

  Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)

  Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)

  Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

 

Server Hello:

Version: TLS 1.2 (0x0303)

Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

 

 

but this seems to be about the "record protocol version"

 

I just found this article:

https://support.f5.com/csp/article/K75464225

do not know yet if its related.