Forum Discussion
Virtual server unreachable with 3g and 4g only ADSL
Hello Team,
In our production environment, we have a virtual server with two nodes. The web site is published on port 443. It was working normally, but as of 5 days ago it doesn't work with 3G and LTE connections and works well with ADSL.
There are no restrictions in the firewall, and when I look at the BIG-IP traffic on this virtual server, I see all IP address ranges reach the VS, but the web site returns ERR_SSL_PROTOCOL_ERR.
The certificate on the virtual server is good when I checked with SSL Labs.
Protocol profile: Fast Layer 4
Does anyone have any idea?
Thank you
Best regards
- Simon_Blakely
Employee
If the virtual server is a FastL4, then the certificate comes from the pool member - FastL4 is a TCP passthrough with no SSL termination. Any SSL protocol issues are between the pool member and the client.
Try getting a tcpdump of the traffic between a client and the virtual server, and look at the ClientHello, ServerHello and any Fatal alerts to see who terminates the handshake.
To me, it sounds like a Certificate Trust issue with mobile clients, but I'd need more data to be sure.
- mmwolf
Nimbostratus
Hello Blakely,
Can you please give me the command to use?
Thanks a lot
Regards
- mmwolf
Nimbostratus
Hello,
This is the log returned with tcpdump:
13 2 0.0193 (0.0000) S>C Handshake
    ServerHello
      Version 3.3
      session_id[32]=
        19 55 fc 80 e4 56 e3 6d 73 3b aa 33 a4 0d 09 64
        d3 71 e4 ae 20 15 98 2e c7 11 ca ad 1e b2 99 44
      cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
      compressionMethod NULL
13 3 0.0193 (0.0000) S>C Handshake
    Certificate
13 4 0.0193 (0.0000) S>C Handshake
    ServerHelloDone
13 5 0.1083 (0.0889) C>S Handshake
    ClientKeyExchange
13 6 0.1083 (0.0000) C>S ChangeCipherSpec
13 7 0.1083 (0.0000) C>S Handshake
13 8 0.1099 (0.0016) S>C Alert
    level fatal
    value handshake_failure
13 0.1099 (0.0000) S>C TCP FIN
13 0.1274 (0.0174) C>S TCP FIN
- Simon_Blakely
Employee
So the server is rejecting the handshake after the ChangeCipherSpec:
There should be a value (just a number) for the fatal alert.
What is that?
- mmwolf
Nimbostratus
This is a capture of the error.
Source: our virtual server on BIG-IP, and the destination is the client IP.
Regards
- mmwolf
Nimbostratus
Handshake Failure (40)
- Simon_Blakely
Employee
Handshake Failure 40 indicates "No shared ciphers"
If this is a FastL4 virtual, then the LTM is not part of this conversation, and you will need to look at your server logs to determine why this is occurring.
It could be that the conversation has selected TLS_RSA_WITH_AES_256_CBC_SHA but the server does not have an RSA-signed certificate, or it rejects either RSA or CBC ciphers.
Can you check to see a working conversation to see what has been selected?
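The check suggested in this thread (read the ServerHello and any fatal alert to see who terminates the handshake), as an added example that is not part of the original posts: a Python parser for the text trace format posted above. The names `RECORD`, `SAMPLE` and `summarize` are hypothetical, and the code assumes the record layout seen in that trace.

```python
import re

# Record header: "<conn> <rec> <time> (<delta>) <direction> <record type>"
RECORD = re.compile(r"^(\d+)\s+(\d+)\s+[\d.]+\s+\([\d.]+\)\s+(S>C|C>S)\s+(.+)$")

# Trace abridged from the output posted in this thread (session_id bytes omitted).
SAMPLE = """\
13 2 0.0193 (0.0000) S>C Handshake
ServerHello
Version 3.3
cipherSuite TLS_RSA_WITH_AES_256_CBC_SHA
13 3 0.0193 (0.0000) S>C Handshake
Certificate
13 4 0.0193 (0.0000) S>C Handshake
ServerHelloDone
13 5 0.1083 (0.0889) C>S Handshake
ClientKeyExchange
13 6 0.1083 (0.0000) C>S ChangeCipherSpec
13 7 0.1083 (0.0000) C>S Handshake
13 8 0.1099 (0.0016) S>C Alert
level fatal
value handshake_failure
13 0.1099 (0.0000) S>C TCP FIN
"""

def summarize(trace):
    """Return the selected cipher suite and who sent the fatal alert, after what."""
    records = []  # each: {"dir", "type", "details": [...]}
    for line in map(str.strip, trace.splitlines()):
        m = RECORD.match(line)
        if m:
            records.append({"dir": m.group(3), "type": m.group(4), "details": []})
        elif records and line and "TCP FIN" not in line:
            records[-1]["details"].append(line)
    out = {"cipher": None, "alert_from": None, "alert": None, "after": None}
    for i, rec in enumerate(records):
        for d in rec["details"]:
            if d.startswith("cipherSuite"):
                out["cipher"] = d.split()[-1]
        if rec["type"] == "Alert" and "level fatal" in rec["details"]:
            out["alert_from"] = "server" if rec["dir"] == "S>C" else "client"
            out["alert"] = next((d.split()[-1] for d in rec["details"] if d.startswith("value")), None)
            prev = records[i - 1] if i else None  # an encrypted record has no detail line
            out["after"] = prev and (prev["dir"], (prev["details"] or [prev["type"]])[0])
            break
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running the same function over a trace from a working ADSL client gives the cipher suite to compare against the failing mobile one.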
- JG
Cumulonimbus
There is a knowledge article to assist troubleshooting: K15292: Troubleshooting SSL/TLS handshake failures.