Hi Experts, I have 1 issue that until now I still cannot find a definite answer after googling for a long time.
I have an HA F5, active and standby unit. I created 1 VS and the pool health monitor uses https profile with default settings, see attached image for the health monitor settings.
The results where.
In active unit the pool is down, the health monitor it uses tlsv1 to communicate with the server causing a fatal error protocol version
If I define the port 443 instead of using * All Ports, the pool comes up.
In standby unit the pool is up. the health monitor it uses tls1.2 to communicate with the server and no issues.
This is also using * All Ports and I do not have issue with this standby unit.
See my tcpdump attached here as well.
Now I do not understand why my active unit uses tls1 while standby unit uses tls1.2.
I also understand the ciphers used are DEFAULT that is why the F5 tries to negotiate using tls1.
But how come in standby unit it offers tls1.2?
Please help to enlighten me. What is the best practice?
Any answer is very much appreciated, thank you in advance.
Which BIGIP version you are running? As such not observed such behaviour in BIG-IP.
Gone through both wireshark image and found that one of the connection is going on x.x.x.12 and other is x.x.x.11. To narrow done issue, keep one member in pool and isolate the issue.
Try below options?
Hope this will help you.
Hi Samir, this is an HA, active, standby.
Now .12 is the active unit while .11 is the standby unit.
We are using version 12.1.3
What I dont understand is why on .12 the ltm is negotiating using tls1 while in .11 is tls1.2.
In .12 the pool is down while in .11 the pool is up.
I did openssl on both using the default cipher list on the health monitor profile and the ltm by right is not supposed to use tls1 as there is no tls1 in the list.
I'm sorry I am not able to do this at the moment.