mnb_63148
Aug 07, 2014

SSL errors during load test

We are currently load testing an application and receive SSL errors when reaching a certain number of users. We have tested using two different scripts: with one script, the SSL errors occur at 900 users; when running the other script, the errors begin at 1200 users. No errors are shown in the Big-IP log. The SSL errors that occur on the script are: Error -27780: [GENERAL_MSG_CAT_SSL_ERROR]connect to host “name of url” failed: [10045] Connection reset by peer.

 

I am leaning towards this being a script error since two scripts produce errors at different user counts. However, I want to rule out any issues on the F5. We are running version 11.3 HF8.

 

Is this something anyone has run across?

 

Thanks.

 

5 Replies

  • Kevin_K_51432
    Historic F5 Account

    Hi MNB, This appears to be more of an application layer issue (than SSL). It's very vague currently. A great initial t-shooting step might be to enable RST logging. This is basically logging some additional diagnostic with each RST:

     

    http://support.f5.com/kb/en-us/solutions/public/13000/200/sol13223.html

     

    Hope this offers some help, Kevin

     

  • Kevin_K_51432
    Historic F5 Account

    If the RST logging doesn't prove helpful, here's some good info on SSL debug logging:

     

    Enabling SSL debug logging

     

    https://support.f5.com/kb/en-us/solutions/public/15000/200/sol15292.html?sr=39449817

     

    Kevin

     

    • mnb_63148
      Thanks, Kevin. I apologize for the vagueness. I was not initially involved in the beginning of the troubleshooting and did not have a packet capture at the time. I now have a capture.

      C->S SSLv2 Client Hello
      C<-S SSLv3 Server Hello
      C<-S SSLv3 Continuation Data
      C<-S SSLv3 Continuation Data, Continuation Data
      C->S Client Key Exchange
      C<-S Change Cipher Spec, Encrypted Handshake Message
      C->S Application Data
      C<-S Continuation Data
      C->S Encrypted Alert
      C->S RST, ACK

      It looks like the client-side/load-tester side is initiating the Reset. Also, the record layer at the beginning is SSLv2 and the Handshake Message is SSLv3. We are on 11.3 HF8 and it does not support SSLv2 in its default cipher suite. However, the client-side still sent Application Data/A GET Request to F5.
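
The capture in the post above shows an SSLv2-framed Client Hello followed by an SSLv3 handshake. As an added example (not from the thread or from F5), this Python code reads the first bytes of a Client Hello and reports both the record framing and the version the client actually offers, which is how a version 2-compatible hello (RFC 5246, appendix E.2) is told apart from a native SSLv2 one. The function names are hypothetical and the sample packets are constructed.

```python
import struct

VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Report how a ClientHello is framed and which version it actually offers."""
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # SSLv3/TLS record header: type, version(2), length(2);
        # handshake header: type, length(3); then client_version(2).
        (offered,) = struct.unpack(">H", data[9:11])
        return {"framing": "SSLv3/TLS", "v2_only_specs": 0,
                "offered": VERSIONS.get(offered, hex(offered))}
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 2-byte header: high bit set plus 15-bit length, then
        # msg type 1 (CLIENT-HELLO), version(2), cipher_spec_length(2),
        # session_id_length(2), challenge_length(2).
        offered, spec_len, _sid_len, _chal_len = struct.unpack(">HHHH", data[3:11])
        specs = data[11:11 + spec_len]
        if len(specs) != spec_len or spec_len % 3:
            raise ValueError("truncated or malformed cipher spec list")
        # Specs are 3 bytes each: a non-zero first byte is a native SSLv2
        # cipher kind; 0x00 + two bytes is an SSLv3/TLS suite in v2 framing.
        v2_only = sum(1 for i in range(0, spec_len, 3) if specs[i] != 0)
        return {"framing": "SSLv2", "v2_only_specs": v2_only,
                "offered": VERSIONS.get(offered, hex(offered))}
    raise ValueError("not a recognizable ClientHello")

def build_v2_framed_hello(version: int, specs: bytes) -> bytes:
    """Constructed sample: a ClientHello in SSLv2 framing (16-byte zero challenge)."""
    challenge = bytes(16)
    body = struct.pack(">BHHHH", 1, version, len(specs), 0, len(challenge))
    body += specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_tls_hello(record_version: int, client_version: int) -> bytes:
    """Constructed sample: a minimal ClientHello in SSLv3/TLS record framing."""
    hs_body = struct.pack(">H", client_version) + bytes(32) + b"\x00"
    hs_body += struct.pack(">H", 2) + b"\x00\x2f" + b"\x01\x00"
    hs = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + struct.pack(">HH", record_version, len(hs)) + hs

if __name__ == "__main__":
    compat = build_v2_framed_hello(0x0300, bytes.fromhex("00002f00000a"))
    native = build_v2_framed_hello(0x0002, bytes.fromhex("010080"))
    for name, pkt in (("compat", compat), ("native", native),
                      ("tls", build_tls_hello(0x0301, 0x0303))):
        print(name, classify_client_hello(pkt))
```
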
  • Kevin_K_51432
    Historic F5 Account

    Hi NMB, changeCipherSpec is a good sign typically. Also some application data is sent. I think probably some issue with app layer. Did you try RST diagnostic? Maybe something in your application logs?

     

    Kevin