Forum Discussion

Mar 14, 2020

Client Hello TLS version issue in only one Pool Member.

We have a VIP of 1.1.1.1:443 and a pool with 2 pool members (1.1.1.10:443 and 1.1.1.20:443), currently running fine on an Array load balancer.

We have an encrypted session on both the client side and the server side.

The Android mobile application server is configured to allow only TLS 1.2 traffic.

As soon as traffic was shifted to our F5 device (LTM & ASM) we started facing the issue below, as viewed in Wireshark after a tcpdump.

F5 VIP 1.1.1.1:443 >TLS1.1>ClientHello> 1.1.1.10:443

1.1.1.10:443 >TCP_RST> 1.1.1.1:443 

The application server is sending an RST back to the F5 because TLS 1.1 is not allowed.

F5 VIP 1.1.1.1:443 >TLS1.2>ClientHello> 1.1.1.20:443

The application server is accepting it and the traffic is processed successfully.

Due to the above issue, all user traffic is handled by only one server, and hence we are facing issues.

LB Method = Least Connection, Persistence = Source Persistence, SSL Client & Server Profile, SNAT = Yes, map to VIP

I wanted to understand why the F5 is sending a TLS 1.1 Client Hello to the 1st pool member and a TLS 1.2 Client Hello to the 2nd pool member, during the initial stage, in the same pool?

Can anybody help me understand the exact issue faced here and provide a solution?
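To make the capture notation above concrete, here is an added example (not code from the original post or from F5): it builds two constructed ClientHello records, one with a TLS 1.1 ceiling and one with a TLS 1.2 ceiling, parses the version fields Wireshark shows (record-layer version, ClientHello client_version, and the supported_versions extension when present), and models a backend that only allows TLS 1.2. The byte strings and the 1.1.1.10 / 1.1.1.20 labels are constructed for illustration; nothing is taken from a real capture.

```python
import struct

# TLS version codes as they appear on the wire (record layer and ClientHello).
TLS_VERSIONS = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
HANDSHAKE, CLIENT_HELLO, EXT_SUPPORTED_VERSIONS = 22, 1, 43


def build_client_hello(client_version, cipher_suites, supported_versions=None,
                       record_version=0x0301):
    """Construct a minimal TLS record carrying a ClientHello (test data, not a capture)."""
    body = struct.pack("!H", client_version)
    body += bytes(32)                                   # client random (zeros here)
    body += b"\x00"                                     # empty session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    if supported_versions:
        vers = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(vers) + 1, len(vers)) + vers
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, record_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the version fields and cipher suites from a ClientHello record."""
    content_type, record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 0
    client_version = struct.unpack_from("!H", body, off)[0]
    off += 2 + 32                                       # skip version and random
    off += 1 + body[off]                                # skip session id
    cs_len = struct.unpack_from("!H", body, off)[0]
    off += 2
    suites = [struct.unpack_from("!H", body, i)[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                                # skip compression methods
    supported = None
    if off < len(body):                                 # extensions are optional
        ext_len = struct.unpack_from("!H", body, off)[0]
        off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack_from("!HH", body, off)
            off += 4
            data = body[off:off + elen]
            off += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack_from("!H", data, i)[0]
                             for i in range(1, 1 + data[0], 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites, "supported_versions": supported}


def highest_offered(info):
    """Highest protocol version the ClientHello actually offers."""
    if info["supported_versions"]:
        return max(info["supported_versions"])
    return info["client_version"]


def server_accepts(info, allowed):
    """Model a backend restricted to `allowed` versions (e.g. {0x0303} for TLS 1.2 only).

    The server needs a version both sides support. Without a supported_versions
    extension the client implicitly offers everything up to client_version, so a
    ClientHello with client_version 0x0302 never matches a TLS 1.2-only backend,
    which is the case that produced the TCP RST in the thread.
    """
    if info["supported_versions"]:
        common = set(info["supported_versions"]) & set(allowed)
    else:
        common = {v for v in allowed if v <= info["client_version"]}
    return bool(common)


def describe(record):
    info = parse_client_hello(record)
    return "record %s, ClientHello %s, highest offered %s" % (
        TLS_VERSIONS[info["record_version"]], TLS_VERSIONS[info["client_version"]],
        TLS_VERSIONS[highest_offered(info)])


if __name__ == "__main__":
    hello_11 = build_client_hello(0x0302, [0x002F, 0x0035])   # constructed: TLS 1.1 ceiling
    hello_12 = build_client_hello(0x0303, [0xC02F, 0x002F])   # constructed: TLS 1.2 ceiling
    for label, rec in (("to 1.1.1.10", hello_11), ("to 1.1.1.20", hello_12)):
        ok = server_accepts(parse_client_hello(rec), {0x0303})
        print(label, describe(rec), "-> TLS 1.2-only backend accepts:", ok)
```

Running it prints the TLS 1.1 hello as rejected and the TLS 1.2 hello as accepted. Applied to a real capture, the same parse over the bytes of each ClientHello the F5 sends toward the two pool members would show whether the client_version field itself differs, which is the question raised above.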

    • Rahul_Kaul:

      The SSL Client & Server Profile is configured in the VS. In the SSL Profile configuration the .pfx certificate and key are mapped (nothing else), and as I said the SSL Profiles are working fine for 1 pool member. Most importantly, both pool members are currently working fine on the Array device.

  • gdoyle:

    I would verify the SSL profile on the F5 end and the cipher restrictions on the server itself. I would compare the cipher suites on both pool members to see if there is a difference; it may be that the server that is working is allowing TLS 1.1, which you don't actually want according to your post.

    • Rahul_Kaul:

      You made 2 statements above, and my reply is:

      1) I verified the configuration on both the F5 and the Array (SSL Profile configuration: .pfx certificate and key are mapped, nothing else). On the Array it is working fine.

      2) I verified that both application servers are processing TLS 1.2 negotiations only and are working fine when traffic is passing through the Array.

  • Hi Rahul,

    You can restrict the SSL/TLS version to TLS 1.2 only and block the rest in the F5 server SSL profile, then check. The setting is available as shown below under the server SSL profile.

    Making changes to these settings should resolve your issue.

    • Rahul_Kaul:

      Hi Mayur,

      I tried your above solution when we faced the issue. In the options list I selected "No TLS 1.1", but the issue still persisted. Since the customer had moved/routed production traffic onto the F5 without any pre-planned/emergency downtime, they did not give me enough time to troubleshoot the issue and routed traffic back to the Array; they also gave me NO troubleshooting captures or images of the technical issue they previously had.

  • OK Rahul, but I think only disabling TLS 1.1 will not resolve your issue. If you get a chance to work on the same again in future, keep only TLS 1.2 enabled, disable the rest, and then try.

    I hope it will work for you!

    Thanks,

    Mayur

    • Rahul_Kaul:

      OK Mayur, thanks. I can try your suggestion next time if I hit the same issue again.