SSL Handshake failed between F5 and backend server
Hi Team,
We have an issue accessing the URL test-dev-01.example.com via the F5 VIP, but direct access to the server one-test-dev.trading.net is working fine.
Error: "connection reset"
Please find the VIP configuration details below.
Please advise if anyone has faced similar issues or knows a possible root cause.
Thank you.
VIP: 10.128.10.5
URL: test-dev-01.example.com
Port: 443
The VIP has an HTTP profile, a Client SSL profile, a Server SSL profile, no default pool (redirection to the pool via policy), and no persistence profile.
Policy/iRule:
HTTP Host host is 'test-dev-01.example.com' at request time.
1. Replace HTTP Host with value 'one-test-dev.trading.net' at request time.
2. Forward traffic to pool '/Common/P_one-test-dev.trading.net' at request time.
SSL handshake error messages (100.19.10.10 is the backend server, 10.10.10.250 is the SNAT IP):
Oct 26 11:20:53 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:11158
Oct 26 11:20:53 bigip-test-f5.com warning tmm3[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1955
Oct 26 11:21:23 bigip-test-f5.com warning tmm6[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:18610
Oct 26 11:22:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:58704
Oct 26 11:22:50 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1303
Oct 26 11:27:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:5403
Oct 26 11:29:08 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:23029
Oct 26 11:37:24 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:48470
[root@bigip-test-f5.com:Active:Standalone] config # curl -kvv https://test-dev-01.example.com
* Rebuilt URL to: https://test-dev-01.example.com/
* Trying 10.128.10.5...
* Connected to test-dev-01.example.com (10.128.10.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=IN; ST=IDV; L=INDIA; O=EXAMPLE; OU=IT; CN=*.example.com; emailAddress=globalitteam@EXAMPLE.com
* start date: Jul 30 12:10:00 2020 GMT
* expire date: Nov 1 12:10:00 2022 GMT
* issuer: DC=EXAMPLE; DC=atlas; CN=Atlas Issuing CAv2 1
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> Host: test-dev-01.example.com
> User-Agent: curl/7.47.1
> Accept: */*
>
* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
* Closing connection 0
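An added triage script, not part of the original post, that reads the tmm lines above and reports which leg of the connection failed. In the post's lines the left endpoint is the pool member on port 443 and the right endpoint is the SNAT IP with an ephemeral port, i.e. the BIG-IP's own outbound socket, so these are server-side (BIG-IP to backend) handshakes failing. That matches the curl trace: the client-side handshake completed (TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256) and only the subsequent read got errno 104, after the BIG-IP tried to open the backend connection. The script assumes the VIP 10.128.10.5:443 and pool member 100.19.10.10:443 from the post; the single client-side line and the non-matching notice line in the sample are constructed.

```python
"""Classify BIG-IP tmm 'SSL Handshake failed' lines by the leg that failed.

Added example, not from the original thread. Sample lines are the post's own
plus two constructed ones (a client-side failure and an unrelated message).
"""
import re
from collections import Counter

# Message format as it appears on the page: <left ip:port> -> <right ip:port>
TMM_SSL_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) warning (?P<tmm>tmm\d*)\[\d+\]: "
    r"01260013:4: SSL Handshake failed for TCP "
    r"(?P<left_ip>[\d.]+):(?P<left_port>\d+) -> (?P<right_ip>[\d.]+):(?P<right_port>\d+)$"
)

# Taken from the post (assumption: these are the only VIP and pool member involved).
VIPS = {("10.128.10.5", 443)}
POOL_MEMBERS = {("100.19.10.10", 443)}

# Constructed sample: three lines from the post, one constructed client-side
# failure (client 192.0.2.77 -> VIP), one line that is not a handshake failure.
SAMPLE_LOG = """\
Oct 26 11:20:53 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:11158
Oct 26 11:20:53 bigip-test-f5.com warning tmm3[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1955
Oct 26 11:21:23 bigip-test-f5.com warning tmm6[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:18610
Oct 26 11:22:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 192.0.2.77:51234 -> 10.128.10.5:443
Oct 26 11:22:40 bigip-test-f5.com notice tmm[21070]: 01010028:5: No members available for pool /Common/P_one-test-dev.trading.net
Oct 26 11:22:50 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1303
"""


def parse(line):
    """Return the parsed event, or None for lines that are not handshake failures."""
    m = TMM_SSL_FAIL.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "tmm": d["tmm"],
        "left": (d["left_ip"], int(d["left_port"])),
        "right": (d["right_ip"], int(d["right_port"])),
    }


def classify(event, vips, pool_members):
    """Server-side: a pool member's listening socket is on the left and the
    BIG-IP's SNAT/self IP with an ephemeral port is on the right.
    Client-side: the virtual server's socket is on the right."""
    if event["left"] in pool_members:
        return "server-side"
    if event["right"] in vips:
        return "client-side"
    return "unknown"


def triage(lines, vips, pool_members):
    """Count failures per (side, peer endpoint); the peer is always the left side."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        side = classify(ev, vips, pool_members)
        peer = f"{ev['left'][0]}:{ev['left'][1]}"
        counts[(side, peer)] += 1
    return dict(counts)


def summarize():
    return triage(SAMPLE_LOG.splitlines(), VIPS, POOL_MEMBERS)


if __name__ == "__main__":
    for (side, peer), n in sorted(summarize().items()):
        print(f"{side:12s} peer={peer:22s} failures={n}")
```

Feed it `grep 01260013 /var/log/ltm` with the real VIP and pool-member sets; a "server-side" bucket pointing at a pool member is the cue to test the backend from the BIG-IP itself rather than to look at the client SSL profile.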
Hi ck_Bengre,
Can you try sending a curl request to the server from the F5 command line?
curl -kv "https://100.19.10.10" -H "Host: one-test-dev.trading.net"
- Blue_whaleCirrocumulus
I have to request our client team to execute this command. Can you please tell me what is expected from this command?
- Blue_whaleCirrocumulus
You are right, the client has resolved the issue by creating a new VIP for this URL, and on the Server SSL profile they have enabled "default SSL profile for SNI".
But the question is: how was it working earlier without SNI enabled on the Server SSL profile?
What is the need to have SNI enabled on the Server SSL profile? Do we not have any option to configure SNI on the backend server directly?
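An added probe, not code from the thread, for checking whether a backend insists on SNI before changing the Server SSL profile. Two facts it relies on: curl sends no server_name extension when the URL host is an IP literal (RFC 6066 forbids IP literals in SNI) and a `-H "Host: ..."` header does not change that, so the curl form suggested above reproduces the no-SNI handshake the BIG-IP performs when its Server SSL profile carries no Server Name; to send the name with curl you would use `curl --resolve one-test-dev.trading.net:443:100.19.10.10 https://one-test-dev.trading.net`. The script below performs both handshakes from the command line (the backend IP and hostname are arguments; nothing here talks to a BIG-IP) and turns the pair of results into a verdict.

```python
"""Probe a backend once without SNI and once with it, then classify the outcome.

Added example, not from the original thread. Usage:
    python sni_probe.py 100.19.10.10 one-test-dev.trading.net
"""
import socket
import ssl
import sys

# Verdict strings are ours, not F5 terminology.
REQUIRES_SNI = ("backend requires SNI: set Server Name (and Default SSL Profile "
                "for SNI) on the Server SSL profile")
ACCEPTS_BOTH = ("backend accepts handshakes with and without SNI: look at ciphers, "
                "TLS versions or a client-certificate requirement instead")
REJECTS_BOTH = ("backend rejects the handshake with and without SNI: the failure "
                "is not SNI-related")
REJECTS_NAME = ("backend accepts a handshake without SNI but rejects this name: "
                "check the SNI value")


def tls_probe(ip, port, sni, timeout=5.0):
    """One TLS handshake to ip:port. sni=None sends no server_name extension."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # we test the handshake, not the trust chain
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0], "error": None}
    except OSError as exc:              # SSLError, ConnectionResetError, timeouts
        return {"ok": False, "version": None, "cipher": None,
                "error": f"{type(exc).__name__}: {exc}"}


def interpret(no_sni, with_sni):
    """Map the (without SNI, with SNI) results onto one of the four verdicts."""
    if no_sni["ok"] and with_sni["ok"]:
        return ACCEPTS_BOTH
    if not no_sni["ok"] and with_sni["ok"]:
        return REQUIRES_SNI
    if no_sni["ok"] and not with_sni["ok"]:
        return REJECTS_NAME
    return REJECTS_BOTH


def probe_backend(ip, hostname, port=443):
    """Run both handshakes and return (no_sni_result, with_sni_result, verdict)."""
    no_sni = tls_probe(ip, port, None)
    with_sni = tls_probe(ip, port, hostname)
    return no_sni, with_sni, interpret(no_sni, with_sni)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <backend-ip> <hostname>")
    without, with_name, verdict = probe_backend(sys.argv[1], sys.argv[2])
    print("without SNI:", without)
    print("with SNI   :", with_name)
    print("verdict    :", verdict)
```

A REQUIRES_SNI verdict is the case this thread ended in: a reset on the no-SNI handshake and a normal handshake with the name. On the BIG-IP side the value sent as SNI comes from the Server SSL profile's Server Name field (`server-name` in tmsh), with the "Default SSL Profile for SNI" checkbox (`sni-default`) the post names; run the probe from the BIG-IP itself so the connection leaves from the same SNAT IP the log lines show.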