Forum Discussion

Nimbostratus

Nov 07, 2013

SSL Cipher error in ltm logfile "Cipher XX:Y negotiated is not configured in profile <sslprofilename>"

I recently moved an HTTPS Virtual Server from an old LTM (running 9.3.1) to a new pair of load balancers running 11.4.1. This particular Virtual Server is using both a client SSL profile and a serve...

Kevin_K_51432
Nov 07, 2013
I don't believe that cipher message is going to map to a specific cipher and I've only ever seen it when the Proxy SSL is configured. Is that a feature you've enabled?

Enabling debug logging for SSL might help, just remember to set it back when done.

tmsh modify sys db log.ssl.level value debug

tmsh modify sys db log.ssl.level value warning

Just a guess; Proxy SSL is enabled and the backend server is using a cipher which isn't in BIG-IP's DEFAULT cipher list. Just some additional background:

http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13389.html

Joe_Volesky_969

Nimbostratus

Nov 07, 2013

Thanks for your reply, and that link to the KB article.

I do have "Proxy SSL" enabled on both SSL profiles - this is kind of new to me, though- on the 9.3.1 platform, this didn't exist, but it seems like the only way I could get the same functionality on 11.4.1. Frankly, this is a simple setup:

2 backend Web servers A and B. There's a single virtual server for port 80 requests and a single virtual server for port 443 requests. There's an iRule in place on the port 80 VS which simply does "when http request, if URI = (a number ofthings) send it to node A, otherwise send it to B". The port 443 VS has a pool associated with it which only includes Server B - all SSL traffic is sent to Server B.

While I have things set up to do x-forwarded-for on the SSL Virtual Server I don't even know that I care to have that functionality - which raises the question of why I'm doing Proxy SSL at all. The "Server B" webserver has the SSL certificate, key, root CA, intermediate certificates just as the F5 does; maybe I'm making this more complicated, and should configure the SSL Virtual server to simply connect the client directly to Server B for all SSL traffic. I'm just not sure I know how to do that - seems like Proxy SSL is the only way I could get it to work...

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

SSL Cipher error in ltm logfile "Cipher XX:Y negotiated is not configured in profile <sslprofilename>"

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Understanding IPSec IKEv2 negotiation on Wireshark

Understanding IPSec IKEv1 negotiation on Wireshark

iRule to decode WebSocket negotiation and frames

Cipher negotiated between F5 and Node

Adding Cipher suite "TLS_RSA_WITH_AES_128_CBC_SHA"

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS