
Forum Discussion

MattEWS_248690
Feb 10, 2016

SSL Handshake Error

Hello, I'm fairly new to F5 but have unfortunately been tasked with updating all network connections to TLS 1.2 (only). To that end I'm simply trying to put an SSL enabled LTM Virtual Server in front of an existing server. While a non-SSL LTM is working fine, when I use an SSL connection I receive the following errors in the ltm log:

    Feb 10 13:26:54 xxxx debug tmm1[6387]: 01260009:7: Connection error: ssl_null_parse:2667: record length too large (22)
    Feb 10 13:26:54 xxxx info tmm1[6387]: 01260013:6: SSL Handshake failed for TCP x.x.x.x:9200 -> x.x.x.x:3923

Anyone at F5 or expert in this technology have a possible remedy or idea about these?


Thanks in advance, Matt


6 Replies

  • Is this client side or server side SSL? In other words, is the SSL from a client to the BIG-IP, or from the BIG-IP to the server?


  • Thank you for the reply. Best I can tell from Fiddler is that we're successfully establishing a tunnel to the BIG-IP appliance and the error is from the appliance to the server. I'm 99% sure it's the second scenario - BIG-IP to the server. Thank You


  • Okay, so here's what concerns me.

    SSL Handshake failed for TCP x.x.x.x:9200 -> x.x.x.x:3923
    

    So, a few additional questions:

    1. Do you intend to re-encrypt to the servers? The connection between the BIG-IP and server?

    2. If so, do you have a server SSL profile applied to the VIP?

    3. Is the server really listening on the above port, and expecting SSL?

  • 1. Yes, that connection must also be encrypted and is intentional.

    2. Yes. The only enabled 'Options' are "Don't insert empty fragments".

    3. Yes it is - I can hit that server directly with success.

    We think this might be a CIPHER mis-match (our server SSL profile is set to DEFAULT and we're trying to connect via TLS 1.2 only).


  • Not sure which LTM version you're on, but server side TLS1.2 is supported on most platforms. There are a couple of things I'd try next:

    1. Open an SSH connection to the BIG-IP and issue an openssl s_client command to the server

      openssl s_client -connect x.x.x.x:9200
      

      What do you see? Does it succeed or fail? Does it indicate that Secure Renegotiation is enabled? If it fails, then you may have some unique TLS protocol or cipher requirements.

    2. Start an SSLDUMP capture on this internal interface

      ssldump -AdNn -i [internal VLAN name] port [encryption port]
      

      ssldump will show you the SSL handshake process and, hopefully, where the handshake is failing.
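
    The first step above, taken a little further as an added example (this script is not from the thread or from F5): it runs openssl s_client against the pool member once per TLS version and reduces each attempt to one summary line, so a server that only ever completes TLS 1.0 or that answers in plaintext shows up at a glance. HOST and PORT are assumed to be the server-side address and port from the log line; the -tls1/-tls1_1/-tls1_2 flags are assumed to exist in the openssl build on the box, and the sample outputs are constructed, not real captures.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: probe the server behind the virtual
    # server with openssl s_client once per TLS version and summarise each result.
    # HOST and PORT come from the command line (assumed: the server-side address
    # and port, e.g. the 9200 seen in the ltm log line in the question).

    # summarise_handshake: read openssl s_client output on stdin and print
    # "protocol=.. cipher=.. reneg=.. result=ok|fail". A cipher of 0000, no cipher
    # at all, or a known error string means the server-side handshake never completed.
    summarise_handshake() {
        awk '
            /^ *Protocol *:/ { proto = $NF }
            /^ *Cipher *:/   { cipher = $NF }
            /^Secure Renegotiation IS supported/     { reneg = "yes" }
            /^Secure Renegotiation IS NOT supported/ { reneg = "no" }
            /handshake failure|wrong version number|record length too large/ { fail = 1 }
            END {
                r = (fail || cipher == "" || cipher == "0000") ? "fail" : "ok"
                printf "protocol=%s cipher=%s reneg=%s result=%s\n", proto, cipher, reneg, r
            }'
    }

    # probe_tls HOST PORT FLAG: one handshake attempt, e.g. FLAG=-tls1_2.
    # stdin is /dev/null so s_client disconnects right after the handshake.
    probe_tls() {
        openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | summarise_handshake
    }

    # Constructed sample outputs (not real captures) so the parser can be checked offline.
    SAMPLE_OK='CONNECTED(00000003)
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Secure Renegotiation IS supported
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
    SAMPLE_FAIL='CONNECTED(00000003)
    0:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
    ---
    no peer certificate available
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000'

    # Usage: sh probe.sh HOST PORT  (the probe loop runs only when both are given)
    if [ $# -eq 2 ]; then
        for flag in -tls1 -tls1_1 -tls1_2; do
            printf '%s ' "$flag"
            probe_tls "$1" "$2" "$flag"
        done
    fi
    ```

    A "wrong version number" line with cipher 0000 on every version is the signature of a port that is not speaking TLS at all, whereas success on -tls1 only and failure on -tls1_2 points at a protocol or cipher restriction on the server.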

  • We'll take that route - thank you Kevin. I'm an F5 noob (no idea how I got tasked with this) so your direction is much appreciated. R/ Matt