SSL Troubleshoot (fatal Description : handshake failure)

Question

Hi,&nbsp;I have a service that run in two DCs one primary and another secondary. the service is configured like the following:&nbsp;Client --&gt; tcp/443 LTM  -----&gt;tcp/80 backend.&nbsp;however, the service has stopped working on the primary DC and this is the error I am seeing on wireshark:339	5.076474	10.10.22.33	10.60.132.140	SSLv3	61	Alert (Level: Fatal, Description: Handshake Failure)&nbsp;However, when I failover to the secondary site everything works and I don;t see the above error.  I have triple checked everything on both LTMs in both DCs and everything matches 100%.&nbsp;Can anyone please point me in the right direction?&nbsp;Regards,&nbsp;

dario_garrido · Answer

It seems any problem with the codec"Device error:&nbsp;crypto codec No codec available to initialize request context".&nbsp;I've never seen this kind of issue, so it seems a bug related with the release. I recommend you to open a TS case.&nbsp;BTW, have you disable "generic alert" option in your SSL profile?&nbsp;Also, it would be helpfull to decrypt the traffic to figure out the exact message you are receiving after the "ChangeCipherSpec" message.REF - https://support.f5.com/csp/article/K16700REF - https://support.f5.com/csp/article/K19310681&nbsp;KR,Dario.

dario_garrido · Answer

Hello QasimIt could be many things starting from release version and ending to certificate (and a lot of things more).I recommend you to connect using openssl and try to figure out the error message.openssl s_client -connect &lt;virtual_server&gt;:&lt;port&gt;Also in /var/log/ltm you could have more info about the error. You could also disable 'Generic Alert' in your SSL profile to get more info.There is a great guide for troubleshooting this issue herehttps://support.f5.com/csp/article/K15292KR,Dario.

dario_garrido · Answer

BTW, SSLv3 seems a very poor cipher suite...&nbsp;Maybe the cipher set is different in both DC.

qasim · Answer

Thanks Dario,&nbsp;&nbsp;Aug&nbsp;8 18:27:10&nbsp;LLB02-SEC warning tmm[17405]: 01260009:4: Connection error: ssl_hs_ciphprivdec:3622: crypto_req_process (80)Aug&nbsp;8 18:27:10&nbsp;LLB02-SEC crit tmm[17405]: 01010025:2: Device error: crypto codec No codec available to initialize request context.&nbsp;

qasim · Answer

Ok cheers Dario&nbsp;I have raised this with TS now.&nbsp;kind regards,

Forum Discussion

SSL Troubleshoot (fatal Description : handshake failure)

Recent Discussions

BIG-IP Oauth Client and AS

F5 BOT DEFENSE AWAF blocked some legitimate browsers

Advice to partial rename uri path

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Submenus missing in ASM Security Tab

Related Content

Access Troubleshooting: BIG-IP APM OIDC integration

How to Troubleshoot SNI

8. SYN Cookie: Troubleshooting tcpdump

Virtual-wire Configuration and Troubleshooting

Re: SYN Troubleshooting: Stats

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS