Forum Discussion
SSL handshake fail after software upgrade from 12.1.2 to 13.1.1.5
We see a lot of SSL handshake fail warnings in the ltm logs for client SSL enabled VIP traffic after the software upgrade from 12.1.2 to 13.1.1.5.
- Nathan_F__F5_
Employee
Hi Mohan,
Does the client SSL profile use the "DEFAULT" cipher string? If it does then that may be the reason for the handshake failures. The default ciphers have changed between versions. For more information please take a look at the following article.
K13156: SSL ciphers used in the default SSL profiles (11.x - 13.x)
https://support.f5.com/csp/article/K13156
-Nathan F
- Mohan
Altostratus
Indeed there are cipher suite differences, but here I don't see any impact from these warnings; it seems 13.x is logging more messages. I also see connections from the same clients being established, and in tcpdumps there is no such connection issue. I also checked the log settings on the old version and 13.x and they are the same. I am just afraid so many logs are eating log space and can also suppress important messages. Clueless for the moment why 13.x is logging more messages whereas it is establishing connections and no impact is seen otherwise.
sample message -
Oct 8 23:40:51 lbxxx warning tmm1[18881]: 01260013:4: SSL Handshake failed for TCP xxxx:10089 -> xxxx:443
You are right Mohan, more SSL logging is enabled. I did believe that started in 13.x; this article seems to indicate it was in 12.x. Anyway, you can change the log level if it indeed is too much for your system.
https://support.f5.com/csp/article/K09322055
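Before lowering the log level, it can help to see which clients and virtual servers the 01260013 warnings come from. The following is an added example, not part of the original thread and not F5 code: it parses the message format quoted above and counts failures per client and per destination. The function names, the hostname `lb01` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Pattern for the 01260013 warning format quoted in the thread.
HANDSHAKE_FAIL = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+warning\s+tmm\d*\[\d+\]:\s+"
    r"01260013:4: SSL Handshake failed for TCP\s+"
    r"(?P<src>\S+):\d+\s+->\s+(?P<dst>\S+):(?P<dport>\d+)"
)

# Constructed sample lines (documentation addresses, hypothetical hostname lb01).
SAMPLE_LOG = """\
Oct  8 23:40:51 lb01 warning tmm1[18881]: 01260013:4: SSL Handshake failed for TCP 192.0.2.10:10089 -> 198.51.100.5:443
Oct  8 23:40:52 lb01 warning tmm1[18881]: 01260013:4: SSL Handshake failed for TCP 192.0.2.10:10090 -> 198.51.100.5:443
Oct  8 23:40:55 lb01 notice mcpd[5432]: constructed unrelated line that must be ignored
Oct  8 23:41:03 lb01 warning tmm[18880]: 01260013:4: SSL Handshake failed for TCP 192.0.2.20:51512 -> 198.51.100.6:443
Oct  8 23:41:07 lb01 warning tmm1[18881]: 01260013:4: SSL Handshake failed for TCP 192.0.2.10:10093 -> 198.51.100.5:443
"""


def summarize(lines):
    """Count handshake-failure warnings per client address and per virtual server."""
    per_client, per_vip = Counter(), Counter()
    for line in lines:
        m = HANDSHAKE_FAIL.match(line)
        if m is None:
            continue  # not a 01260013 handshake warning
        per_client[m["src"]] += 1
        per_vip[f'{m["dst"]}:{m["dport"]}'] += 1
    return per_client, per_vip


def repeat_offenders(per_client, threshold):
    """Clients with at least `threshold` failures: check these for a cipher or protocol mismatch."""
    return sorted(c for c, n in per_client.items() if n >= threshold)


if __name__ == "__main__":
    clients, vips = summarize(SAMPLE_LOG.splitlines())
    for vip, count in vips.most_common():
        print(f"{count:6d} failures -> {vip}")
    print("repeat clients:", repeat_offenders(clients, threshold=3))
```

A small set of clients producing most of the warnings points to specific peers to compare against the cipher changes in K13156; failures spread evenly across many clients are more consistent with the increased logging discussed in the thread.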