rafaelbn_176840
Oct 27, 2017

Connection error: ssl_passthru:xxxx: not SSL (40)

Hello all!!

I'm posting this as a reference to others.

PROBLEM DESCRIPTION

Since version 12 BIG-IP changed the way it logs SSL errors/warnings. This was discussed on K09322055.

It's common knowledge (as far as I read) that this is not harmful. It's a warn message only.

You can reproduce this error by creating a virtual server with a client-ssl profile and trying to connect to it via http://:443. What this does is force a non-SSL connection on an SSL virtual server. As soon as you do that, you will see messages like these pop up in your /var/log/ltm.

Oct 26 11:27:05 bigip1 warning tmm[5067]: 01260009:4: Connection error: ssl_passthru:4021: not SSL (40)
Oct 26 11:27:05 bigip1 warning tmm1[5067]: 01260009:4: Connection error: ssl_passthru:4021: not SSL (40)
Oct 26 11:27:10 bigip1 warning tmm[5067]: 01260009:4: Connection error: ssl_passthru:4021: not SSL (40)

You can also see this happen if you telnet to the virtual server IP on port 443 and do a GET / HTTP/1.1.

If you TCPDUMP/SSLDUMP this, you will see a 3-way handshake happening, but the client never sends the SSL Client Hello. And since the server never gets a Client Hello, it resets the connection.

[root@bigip1:Active:In Sync] config  ssldump -nr teste.pcap
New TCP connection 1: 192.168.1.224(4391) <-> 192.168.1.20(443)
1    0.0039 (0.0039)  S>C  TCP FIN
1    0.0060 (0.0020)  C>S  TCP FIN
New TCP connection 2: 192.168.1.224(4392) <-> 192.168.1.20(443)
2    0.0040 (0.0040)  S>C  TCP FIN
2    0.0146 (0.0106)  C>S  TCP FIN
New TCP connection 3: 192.168.1.224(4393) <-> 192.168.1.20(443)
3    0.0025 (0.0025)  S>C  TCP FIN
3    0.0057 (0.0031)  C>S  TCP FIN

The thing is that the end user experience with this issue is that he/she tries to connect to the application, and some time later gets a connection error, and that is often described as "too slow and never works!".

To me this is NOT an issue, since the client is trying to connect with no SSL on an SSL virtual server. The BIG-IP is just doing what it's supposed to do.

WORKAROUND - OPTION 1

You can modify the verboseness of the SSL logging. The default level on v12 is "Warning". You can change it to "Error".

(tmos) modify sys db log.ssl.level value Error

This will suppress this message and probably some others, so keep that in mind.

WORKAROUND - OPTION 2

You can modify the client-ssl profile so it allows non-SSL traffic. The end result will be that even though the user is using port 443, the traffic is NOT encrypted. This log message will not appear in your /var/log/ltm, and the end user will probably get to the application.

(tmos) modify ltm profile client-ssl my_ssl_profile allow-non-ssl enabled

QUESTIONS STILL NOT ANSWERED

How to identify which VS is generating these messages, since changing the log level to "debug" doesn't identify which VS or profile is causing it?

Is there an iRule to identify which VS is logging this? I haven't seen it. If you know this please comment.

Thanks!

1 Reply

  • Hello Rafael,

    Thanks for sharing this information.

    You can log the VS name that generates this warning. You should apply this iRule on all your VSs that manage SSL traffic.

    # Assume no Client Hello has been seen until one arrives on this connection
    when CLIENT_ACCEPTED {
        set clientsslhelo "0"
    }

    # Fires only when the client actually starts a TLS handshake
    when CLIENTSSL_CLIENTHELLO {
        set clientsslhelo "1"
    }

    # On close, a connection that never sent a Client Hello is the plain-text
    # client behind "not SSL (40)": log which virtual server it hit
    when CLIENT_CLOSED {
        if { $clientsslhelo eq "0" } {
            log local0. "Current virtual server name: [virtual name]"
        }
    }


    Waiting for your feedback

    Regards
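An added example, not from the thread or from F5: a small Python script that reads /var/log/ltm lines, counts the 01260009:4 warnings per minute and per tmm instance, and attributes them to virtual servers using the "Current virtual server name:" message the reply's iRule logs, which is the correlation the original question asks for. The sample log lines, the "Rule ... <CLIENT_CLOSED>:" prefix and the virtual server names are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample /var/log/ltm excerpt: the tmm warnings quoted in the thread
# interleaved with lines carrying the message the reply's iRule writes with
# "log local0.". The syslog prefix of those lines and the VS names are assumed.
SAMPLE_LTM_LOG = """\
Oct 26 11:27:05 bigip1 warning tmm[5067]: 01260009:4: Connection error: ssl_passthru:4021: not SSL (40)
Oct 26 11:27:05 bigip1 info tmm[5067]: Rule /Common/log_non_ssl <CLIENT_CLOSED>: Current virtual server name: /Common/vs_app_443
Oct 26 11:27:05 bigip1 warning tmm1[5067]: 01260009:4: Connection error: ssl_passthru:4021: not SSL (40)
Oct 26 11:27:06 bigip1 info tmm1[5067]: Rule /Common/log_non_ssl <CLIENT_CLOSED>: Current virtual server name: /Common/vs_portal_443
Oct 26 11:27:10 bigip1 warning tmm[5067]: 01260009:4: Connection error: ssl_passthru:4021: not SSL (40)
Oct 26 11:27:10 bigip1 info tmm[5067]: Rule /Common/log_non_ssl <CLIENT_CLOSED>: Current virtual server name: /Common/vs_app_443
"""

# The 01260009:4 warning itself; captures the syslog timestamp and the tmm instance.
NOT_SSL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ warning (?P<tmm>tmm\d*)\[\d+\]: "
    r"01260009:4: Connection error: ssl_passthru:\d+: not SSL \(40\)$"
)
# The message text the iRule logs, whatever syslog prefix precedes it.
VS_RE = re.compile(r"Current virtual server name: (?P<vs>\S+)\s*$")


def summarize(ltm_log: str) -> dict:
    """Count non-SSL warnings per minute and per tmm, and attribute them to
    virtual servers via the iRule lines (the warning alone names no VS)."""
    per_minute, per_tmm, per_vs = Counter(), Counter(), Counter()
    for line in ltm_log.splitlines():
        m = NOT_SSL_RE.match(line)
        if m:
            per_minute[m.group("ts")[:-3]] += 1  # drop :SS to bucket by minute
            per_tmm[m.group("tmm")] += 1
            continue
        m = VS_RE.search(line)
        if m:
            per_vs[m.group("vs")] += 1
    return {"warnings": sum(per_tmm.values()), "per_minute": per_minute,
            "per_tmm": per_tmm, "per_vs": per_vs}


def noisy_virtual_servers(summary: dict, min_hits: int = 2) -> list:
    """Virtual servers that closed at least min_hits connections without a
    Client Hello, most affected first: where to look before lowering
    log.ssl.level or enabling allow-non-ssl."""
    return [vs for vs, n in summary["per_vs"].most_common() if n >= min_hits]


if __name__ == "__main__":
    s = summarize(SAMPLE_LTM_LOG)
    print(s["warnings"], "not-SSL warnings;", dict(s["per_vs"]))
    print("review first:", noisy_virtual_servers(s))
```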