Forum Discussion
See, the Client Hello packet includes the list of protocols and ciphers that the client supports. My suspicion from the things you wrote above would be that the device (F5 BigIP) does not support the ciphers that the server requires.
Perhaps you can confirm this by checking the server config or running the tests from a functioning client and determining one of the supported ciphers from there. If you have no functioning client, perhaps looking at the server SSL config would be in order.
Kind regards,
Patrik
Hello Patrick,
'Client hello' has the same ciphers and Version when compared between working and non-working. PFA snap. There are working HTTPS monitors. If you see the previous snap, the F5 Client Hello is via TLSv1. Why is that? There is no Server SSL profile, so in version 12.1.2 where can we control the SSL protocol for the HTTPS monitor?
Any suggestions?
Left-Non Working --- Right-Working.
- Aug 24, 2022
Sorry for the short reply, I'm not by my PC. Working and not working above is two different servers and the f5 is the client right?
What I was requesting was a Server hello from the one that does not respond to the F5s monitors, but from another more modern client, like a Linux server with a newer version of curl.
This issue could also be missing SNI info in the F5 monitor requests. I'd focus on the server cipher settings and I'd also check if the server needs SNI to route requests to the correct service.
- HM_U333, Aug 25, 2022, Cirrus
>> Working and not working above is two different servers and the f5 is the client right?
--- Yes. 2 different pool members, same F5 client. Related to 2 different VIPs. Both using HTTPS monitor.
>> This issue could also be missing SNI info in the F5 monitor requests. I'd focus on the server cipher settings and I'd also check if the server needs SNI to route requests to the correct service.
--- Thanks for this, I'm checking ciphers. We don't have a serverssl profile. How do we use SNI here?
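The comparison suggested in this thread (the monitor's Client Hello against one from a newer client, checking version, ciphers and SNI) can be scripted. The following is an added example, not code from any poster or from F5: the function names, the hostname `app.example.test` and both sample hellos are constructed assumptions, and the parser handles a single unfragmented ClientHello record, such as the bytes exported from a packet capture.

```python
import struct

def parse_client_hello(record: bytes) -> dict:
    """Return legacy version, offered cipher IDs and SNI from one ClientHello record."""
    ctype, _, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or record[5] != 1:
        raise ValueError("not a handshake record carrying a ClientHello")
    body = record[9:5 + rec_len]              # skip record (5) and handshake (4) headers
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                              # version + client random
    pos += 1 + body[pos]                      # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    ciphers = [int.from_bytes(body[i:i + 2], "big")
               for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    pos += 1 + body[pos]                      # compression methods
    sni = None
    if pos + 2 <= len(body):                  # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == 0:                    # server_name: list len, type, name len, name
                nlen = int.from_bytes(body[pos + 7:pos + 9], "big")
                sni = body[pos + 9:pos + 9 + nlen].decode("ascii")
            pos += 4 + elen
    return {"version": version, "ciphers": ciphers, "sni": sni}

def build_client_hello(version, ciphers, sni=None) -> bytes:
    """Construct a minimal ClientHello record (sample input, not a real capture)."""
    ext = b""
    if sni:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(data)) + data
        ext = struct.pack("!H", len(ext)) + ext
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00" + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs

def diff_hellos(a: bytes, b: bytes) -> dict:
    pa, pb = parse_client_hello(a), parse_client_hello(b)
    return {k: (pa[k], pb[k]) for k in pa if pa[k] != pb[k]}

# Constructed samples: a TLSv1 hello without SNI and a TLS 1.2 hello with SNI.
MONITOR = build_client_hello(0x0301, [0x002F, 0x0035])
MODERN = build_client_hello(0x0303, [0xC02F, 0x002F], "app.example.test")
```

`diff_hellos(MONITOR, MODERN)` returns only the fields that differ, so a result containing `sni` or `version` points at the setting to check on the server side.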