Client Hello TLS version issue in only one Pool Member.

Rahul_Kaul
Cirrus

We have a VIP of 1.1.1.1:443 and a pool with 2 pool members (1.1.1.10:443 and 1.1.1.20:443), currently running fine on an Array load balancer.

We have an encrypted session on both the client side and the server side.

The Android mobile application server is configured to allow only TLS 1.2 traffic.

As soon as traffic was shifted to our F5 device (LTM & ASM) we started facing the issue below, as viewed in Wireshark after a tcpdump.

F5 VIP 1.1.1.1:443 >TLS1.1>ClientHello> 1.1.1.10:443

1.1.1.10:443 >TCP_RST> 1.1.1.1:443 

The application server is sending an RST back to the F5 because TLS 1.1 is not allowed.

F5 VIP 1.1.1.1:443 >TLS1.2>ClientHello> 1.1.1.20:443

The application server is accepting, and traffic is processed successfully.

Due to the above issue, all user traffic is handled by only one server, and hence we are facing issues.

LB Method = Least Connection, Persistence = Source Persistence, SSL Client & Server Profile, SNAT = Yes, map to VIP

I wanted to understand why the F5 is sending a TLS 1.1 Client Hello to the 1st pool member and a TLS 1.2 Client Hello to the 2nd pool member during the initial stage, within the same pool?

Can anybody help me understand the exact issue faced here and provide a solution?


What is the SSL profile configuration at the F5 end?


SSL Client & Server Profiles are configured in the VS. In the SSL Profile configuration the .pfx certificate and key are mapped (nothing else), and as I said the SSL Profiles are working fine for 1 pool member. Most importantly, both pool members are currently working fine on the Array device.

gdoyle
Cirrostratus

I would verify the SSL profile on the F5 end and the cipher restrictions on the server itself. I would compare the cipher suite on both pool members to see if there is a difference; it may be that the server that is working is allowing TLS 1.1, which you don't actually want according to your post.

You made 2 statements above, and my reply is:

1) I verified the configuration on both the F5 and the Array (SSL Profile configuration: .pfx certificate and key are mapped, nothing else). On the Array it is working fine.

2) I verified that both application servers are processing TLS 1.2 negotiations only and are working fine when traffic is passing through the Array.

Hi Rahul,

You can restrict the SSL/TLS version to TLS 1.2 only and block the rest in the F5 server SSL profile, then check. The setting is available as shown below under the server SSL profile.

Making changes to these settings should resolve your issue.

Hi Mayur,

I tried your above solution when we faced the issue. In the options list I selected "No TLS 1.1", but the issue still persisted. Since the customer had moved/routed production traffic onto the F5 without any pre-planned/emergency downtime, they did not give me enough time to troubleshoot the issue and routed traffic back to the Array; they also gave me NO troubleshooting captures or images of the technical issue they previously had.

Ok Rahul, but I think only disabling TLS 1.1 will not resolve your issue. If you get a chance to work on the same again in future, then keep only TLS 1.2 enabled, with the rest disabled, and then try.

I hope it will work for you!


Thanks,

Mayur
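As an added example (not code from the thread, from F5, or from any of the posters), these are the two checks a practitioner would run from the BIG-IP bash shell in this situation: first probe each pool member to see which TLS versions it actually accepts, which answers the original question of whether the members differ; then apply Mayur's suggestion of restricting the server-ssl profile so that only TLS 1.2 is offered to the members. The pool member addresses are the ones from the post; the profile name `serverssl_app` is a placeholder for whatever server SSL profile is attached to the virtual server.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes: bash on the BIG-IP (or any host
# that can reach the pool members), openssl in PATH, and tmsh for the profile
# change. "serverssl_app" is a placeholder profile name.

# negotiated_protocol: read `openssl s_client` output on stdin and print the
# value of its "Protocol  : TLSv1.x" line, or "none" when no session was built
# (which is what a TCP RST from the member produces).
negotiated_protocol() {
    local proto
    proto=$(sed -n 's/^ *Protocol *: *//p' | head -n 1)
    if [ -z "$proto" ]; then
        echo none
    else
        echo "$proto"
    fi
}

# probe_member HOST PORT: offer one protocol version at a time, the way the
# server-side Client Hello to each pool member does, and report the result.
# Versions the local openssl build cannot speak are reported as skipped so a
# client-side limitation is not mistaken for a server rejection.
probe_member() {
    local host=$1 port=$2 flag proto
    for flag in -tls1 -tls1_1 -tls1_2; do
        if ! openssl s_client -help 2>&1 | grep -qw -- "$flag"; then
            printf '%s:%s %-8s skipped (local openssl lacks %s)\n' "$host" "$port" "$flag" "$flag"
            continue
        fi
        proto=$(echo | openssl s_client -connect "$host:$port" "$flag" 2>/dev/null | negotiated_protocol)
        if [ "$proto" = none ]; then
            printf '%s:%s %-8s rejected\n' "$host" "$port" "$flag"
        else
            printf '%s:%s %-8s accepted (%s)\n' "$host" "$port" "$flag" "$proto"
        fi
    done
}

# lock_server_ssl PROFILE: disable every version other than TLS 1.2 on the
# server-ssl profile, then list the options back to confirm. Selecting only
# "No TLS 1.1" leaves the other versions enabled; this clears all of them.
lock_server_ssl() {
    tmsh modify ltm profile server-ssl "$1" options { no-sslv2 no-sslv3 no-tlsv1 no-tlsv1.1 }
    tmsh list ltm profile server-ssl "$1" options
}

# Usage against the members from the post, then the profile change:
#   probe_member 1.1.1.10 443
#   probe_member 1.1.1.20 443
#   lock_server_ssl serverssl_app
```

Run the two probes before changing anything: if 1.1.1.10 rejects `-tls1_1` while 1.1.1.20 accepts it, that matches gdoyle's point that the "working" member is the one allowing TLS 1.1. After `lock_server_ssl`, repeat the probes and a packet capture; the Client Hello to both members should now be TLS 1.2 and the RST from 1.1.1.10 should stop.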

Ok Mayur, thanks. I can try your suggestion next time, if I hit the same issue again.