Client Hello TLS version issue in only one Pool Member.

Rahul_Kaul · ‎14-Mar-2020

We have a VIP of 1.1.1.1:443 and Pool having 2 pool members(1.1.1.10:443 and 1.1.1.20:443) and currently running fine on array load balancer.

Having encrypted session on both client side and server side.

Android mobile Application server is configured to allow only TLS1.2 traffic.

As soon as traffic was shifted to our F5 device(LTM & ASM) we are facing below issue as viewed in wireshark after tcpdump.

F5 VIP 1.1.1.1:443 >TLS1.1>ClientHello> 1.1.1.10:443

1.1.1.10:443 >TCP_RST> 1.1.1.1:443

Application server is sending RST back to F5 due to TLS 1.1 not allowed.

F5 VIP 1.1.1.1:443 >TLS1.2>ClientHello> 1.1.1.20:443

Application server is accepting and traffic is processed successfully.

Due to above issue, all user traffic is handled by only one server and hence we are facing issues.

LB Method=Least Connection, Persistence=SourcePersistence,SSL Client & Server Profile,SNAT=Yes, map to VIP

Wanted to understand why F5 is sending Client Hello of TLS 1.1 to 1st pool member and TLS 1.2 to 2nd pool member, during initial stage in same Pool ?

Can anybody help me to understand the exact issue faced here and provide solution ?

Mayur_Sutare · ‎14-Mar-2020

What is ssl profile configuration at F5 end?

Rahul_Kaul · ‎14-Mar-2020

SSL Client & Server Profile is configured in VS. In SSL Profile configuration .pfx certificate and key is mapped(nothing else) and as I said the SSL Profiles are working fine for 1 pool member. Most importantly both 2 pool members are working fine on Array device currently.

gdoyle · ‎14-Mar-2020

I would verify the SSL profile on the F5 end and the cipher restrictions on the server itself. I would compare the cipher suite on both pool members to see if there is a difference, it may be that the server that is working is allowing TLS1.1, which you don't actually want according to your post.

Rahul_Kaul · ‎14-Mar-2020

You made 2 statements above and my reply is

1) I verified configuration on both F5 and Array(SSL Profile configuration .pfx certificate and key is mapped(nothing else)). On Array it is working fine.

2) I verified both application server are only processing TLS 1.2 negotiations only and working fine when traffic is passing through Array.

Mayur_Sutare · ‎15-Mar-2020

Hi Rahul,

You can restrict SSL/TLS version to TLS1.2 only and blocking rest on F5 server SSL profile then check. Setting is available as shown below under server ssl profile.

Making changes in these setting should resolve your issue.

Rahul_Kaul · ‎15-Mar-2020

Hi Mayur,

I tried your above solution when we faced the issue. In option list i selected "No TLS 1.1", still issue was persistent. Since customer had moved/routed production traffic on F5 without any pre-planned/emergency downtime, they did not give me enough time to troubleshoot the issue and routed traffic back on Array, also gave me NO troubleshooting captures and images of this technical issue they previously had.

Mayur_Sutare · ‎15-Mar-2020

Ok Rahul but i think only disabling TLS1.1 will not resolve your issue. If you get chance to work on same again in future, then keep TLS1.2 enabled only and rest should be disable and then try.

I hope it will work for you!

Thanks,

Mayur

Rahul_Kaul · ‎15-Mar-2020

Ok Mayur Thanks, can try your suggestion, next time if I hit the same issue again.

DevCentral

Client Hello TLS version issue in only one Pool Member.

DevCentral Featured Member

Khoros Kudos Award 2022