SSL Debug doesn't give any details
I am getting SSL handshake failures for a basic 443 VIP with a client SSL profile.
root@(bigip2)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list sys db log.ssl.level
sys db log.ssl.level {
    value "Debug"
}
The debug is enabled, but the ltm logs do not have any extra info about the HS failure reason:
Jul 7 13:48:13 bigip2 info tmm4[12766]: 01260013:6: SSL Handshake failed for TCP 172.22.200.113:5511 -> 10.1.61.62:443
Thanks for your time!
Hello David.
I recommend that you disable "generic alert" in the SSL profile (client/server) to see more details.
KR,
Dario.
- David_MCirrostratus
Did it, it still shows nothing like the KB article says it should.
It's just that single line of SSL handshake failure and the cipher info, which I log with iRules:
Jul 8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: caca,1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a
Jul 8 12:18:10 bigip2 info tmm6[12766]: 01260013:6: SSL Handshake failed for TCP 172.22.200.113:33589 -> 10.1.61.62:443
Jul 8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
Jul 8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: 2a2a,1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a
Jul 8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
Which KB article are you talking about? Also, which version are you talking about?
You can take a packet capture with generic-alert turned off like DavidMas advised and decrypt the capture in Wireshark.
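An added example, not part of the thread and not F5 tooling: a Python sketch that reads ltm log lines in the format posted above, decodes the offered cipher IDs to IANA names (marking RFC 8701 GREASE values such as caca and 2a2a), and lists handshake failures for which no cipher offer was logged on the same tmm. It assumes the message wording of the poster's track-ssl-hs iRule and that one connection is handled by a single tmm; the function names are hypothetical.

```python
import re
from collections import Counter

# IANA names for the cipher suite IDs that appear in the thread's iRule output.
IANA = dict(p.split("=") for p in """
1301=TLS_AES_128_GCM_SHA256 1302=TLS_AES_256_GCM_SHA384
1303=TLS_CHACHA20_POLY1305_SHA256 c02b=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
c02f=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 c02c=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
c030=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cca9=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
cca8=TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 c013=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
c014=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 009c=TLS_RSA_WITH_AES_128_GCM_SHA256
009d=TLS_RSA_WITH_AES_256_GCM_SHA384 002f=TLS_RSA_WITH_AES_128_CBC_SHA
0035=TLS_RSA_WITH_AES_256_CBC_SHA 000a=TLS_RSA_WITH_3DES_EDE_CBC_SHA""".split())

# Sample input: the five log lines posted in the thread (shared cipher tail factored out).
TAIL = "1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a"
SAMPLE = f"""\
Jul 8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: caca,{TAIL}
Jul 8 12:18:10 bigip2 info tmm6[12766]: 01260013:6: SSL Handshake failed for TCP 172.22.200.113:33589 -> 10.1.61.62:443
Jul 8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
Jul 8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: 2a2a,{TAIL}
Jul 8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
"""

LINE = re.compile(r"info (tmm\d*)\[\d+\]: (.*)")
OFFER = re.compile(r"Client: (\S+) attempts SSL with ciphers: ([0-9a-f,]+)")
DONE = re.compile(r"Client: (\S+) successfully negotiates (\S+)")
FAIL = re.compile(r"SSL Handshake failed for TCP ([\d.]+):\d+ -> ")

def is_grease(cid):
    # RFC 8701 GREASE values: 0x0a0a, 0x1a1a, ... 0xfafa.
    return len(cid) == 4 and cid[:2] == cid[2:] and cid[1] == "a"

def decode_offer(csv):
    return ["GREASE" if is_grease(c) else IANA.get(c, f"unknown(0x{c})") for c in csv.split(",")]

def summarize(text):
    """Count offer/ok/failed events per (client, tmm); list failures with no logged offer."""
    counts = Counter()
    for tmm, msg in LINE.findall(text):
        for kind, rx in (("offer", OFFER), ("ok", DONE), ("failed", FAIL)):
            hit = rx.search(msg)
            if hit:
                counts[(hit.group(1), tmm, kind)] += 1
    orphans = sorted({(c, t) for (c, t, k) in counts if k == "failed" and not counts[(c, t, "offer")]})
    return counts, orphans

if __name__ == "__main__":
    print(summarize(SAMPLE)[1], decode_offer("caca," + TAIL))
```

On the thread's lines, the failure is logged by tmm6 while both cipher offers and both successful negotiations are logged by tmm4 and tmm5, so the logged cipher lists are not tied to the failing connection by these lines alone.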