Forum Discussion
SSL issue between LTM and backend server
I have configured a VS with a client and a server SSL profile. When I have only the client SSL profile, the site works. But when I configure the server SSL profile and change the backend server to be monitored over HTTPS instead of HTTP, the site doesn't work and the HC fails as well. The HC works when the tcp-443 health monitor is enabled, but the site doesn't work. In IE the error received is "page can't be displayed" and in FF "secure channel failed". Also, if I change the VS from standard to performance layer 4, the site works fine on HTTPS. HTTP works fine in both the standard and performance VS setups. I have converted the same certificate into PFX format to install on the backend Windows (172.28.211.4) server. Also, curl and openssl from the LTM don't provide enough information about why the LTM is failing to establish an SSL connection with the server. I have tried most combinations of weak and strong ciphers, but no luck.

[admin@BESEH070:Active:Changes Pending] ~ echo "Q" | openssl s_client -connect 172.28.211.4:443 -cipher '!SSLv2:!SSLv3:!MD5:!EXPORT:RSA+AES:RSA+3DES:RSA+RC4:ECDHE+AES:ECDHE+3DES:ECDHE+RC4'
CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 105 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

[admin@BESEH070:Active:Changes Pending] ~ echo "Q" | openssl s_client -connect 172.28.211.4:443
CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 305 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

curl -vk 172.28.211.4:443
* About to connect() to 172.28.211.4 port 443 (0)
*   Trying 172.28.211.4... connected
* Connected to 172.28.211.4 (172.28.211.4) port 443 (0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1j zlib/1.2.3 libidn/0.6.5
> Host: 172.28.211.4:443
> Accept: */*
* Closing connection 0
* Failure when receiving data from the peer
curl: (56) Failure when receiving data from the peer
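As an added example (not part of the original thread and not F5 tooling), here is a small Python probe that classifies the outcome of a TLS handshake attempt against a backend: it separates a connection reset after ClientHello (the write:errno=104 / "handshake has read 0 bytes" pattern in the s_client output above) from a TLS alert, a clean EOF, or a closed port, which is exactly the distinction the LTM logs were not giving. The loopback stand-in backend that resets the handshake is constructed for offline testing; the host and port arguments are assumptions.

```python
import socket
import ssl
import struct
import threading


def probe_tls(host, port, timeout=5.0):
    """Try a TLS handshake against host:port and classify the result.
    Verification is off on purpose: the question is whether the peer
    negotiates at all, as with the openssl s_client run in the post."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"outcome": "handshake_ok",
                        "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLEOFError:          # peer sent FIN in the middle of the handshake
        return {"outcome": "closed_during_handshake"}
    except ssl.SSLError as e:        # alert or protocol error from the peer
        if "EOF" in str(e):
            return {"outcome": "closed_during_handshake"}
        return {"outcome": "tls_error", "detail": e.reason or str(e)}
    except ConnectionResetError:     # RST after ClientHello: errno 104 in s_client
        return {"outcome": "reset_during_handshake"}
    except ConnectionRefusedError:   # nothing listening: a pool/monitor problem, not TLS
        return {"outcome": "tcp_refused"}
    except OSError as e:             # timeouts and other socket-level failures
        return {"outcome": "socket_error", "detail": str(e)}


def start_resetting_backend():
    """Constructed stand-in (not a real server) for a backend that reads the
    ClientHello and then resets the connection instead of answering.
    Listens on an ephemeral loopback port, serves one connection, returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.recv(4096)  # consume the ClientHello, then tear down
        # SO_LINGER with a zero timeout makes close() send RST rather than FIN
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port
```

Against a real pool member, a "tls_error" result carries the alert reason the peer sent, whereas "reset_during_handshake" means the server never answered the ClientHello at all, which points at the server-side listener or its renegotiation/protocol settings rather than at cipher selection.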
Kevin_K_51432 (Historic F5 Account):
Greetings,
tail -f /var/log/ltm
We had quite a few cases like this a few years ago when secure renegotiation was enabled on the profile.
K13512: BIG-IP SSL profiles now require secure renegotiation of SSL connections
https://support.f5.com/csp/article/K13512
If you're not getting good log messages during testing, give the workaround here a try:
K17045: Log messages concerning SSL handshake failures may not include enough detail
https://support.f5.com/csp/article/K17045
Hope this is helpful!