bmohanak_276891
Aug 19, 2016

HTTPS Monitoring Failing on Version 11.6.0

Hello,

 

I am working on an F5 VIP Migration Project where we are trying to move our VIPs from an F5 which is running 10.2.4 HF11 to another F5 which is running 11.6.0 HF5. The HTTPS Monitor is failing during the SSL Handshake between the F5 and the Pool Members. The Pool Members being the same on the Old and New F5, the Monitor on the New F5 is unable to negotiate on any of the Ciphers.

 

SSLDUMP o/p:

    2 1  0.0008 (0.0008)  C>S  Handshake
          ClientHello
            Version 3.3
            cipher suites
            Unknown value 0xc014
            Unknown value 0xc00a
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA
            TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
            TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
            Unknown value 0xc019
            TLS_DH_anon_WITH_AES_256_CBC_SHA
            TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
            Unknown value 0xc00f
            Unknown value 0xc005
            TLS_RSA_WITH_AES_256_CBC_SHA
            TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
            Unknown value 0xc013
            Unknown value 0xc009
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA
            Unknown value 0x9a
            Unknown value 0x99
            Unknown value 0x45
            Unknown value 0x44
            Unknown value 0xc018
            TLS_DH_anon_WITH_AES_128_CBC_SHA
            Unknown value 0x9b
            Unknown value 0x46
            Unknown value 0xc00e
            Unknown value 0xc004
            TLS_RSA_WITH_AES_128_CBC_SHA
            Unknown value 0x96
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
            Unknown value 0xc011
            Unknown value 0xc007
            Unknown value 0xc016
            TLS_DH_anon_WITH_RC4_128_MD5
            Unknown value 0xc00c
            Unknown value 0xc002
            TLS_RSA_WITH_RC4_128_SHA
            TLS_RSA_WITH_RC4_128_MD5
            Unknown value 0xc012
            Unknown value 0xc008
            TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
            TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
            Unknown value 0xc017
            TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
            Unknown value 0xc00d
            Unknown value 0xc003
            TLS_RSA_WITH_3DES_EDE_CBC_SHA
            TLS_DHE_RSA_WITH_DES_CBC_SHA
            TLS_DHE_DSS_WITH_DES_CBC_SHA
            TLS_DH_anon_WITH_DES_CBC_SHA
            TLS_RSA_WITH_DES_CBC_SHA
            TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
            TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
            TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
            TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
            TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
            TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
            TLS_RSA_EXPORT_WITH_RC4_40_MD5
            Unknown value 0xc010
            Unknown value 0xc006
            Unknown value 0xc015
            Unknown value 0xc00b
            Unknown value 0xc001
            TLS_RSA_WITH_NULL_SHA
            TLS_RSA_WITH_NULL_MD5
            Unknown value 0xff
            compression methods
                      NULL
    2 2  0.0014 (0.0005)  S>C  Alert
        level           fatal
        value           close_notify
    2    0.0014 (0.0000)  S>C  TCP FIN
    2    0.0017 (0.0002)  C>S  TCP FIN

 

Can someone help!!

 

1 Reply

  • Our ciphers get more and more restrictive as you increase in version and we weed out insecure ciphers. I would recommend starting here: https://support.f5.com/kb/en-us/solutions/public/16000/500/sol16526

     

    This will explain how to modify the ciphers used by a custom https monitor. If you don't have a custom https monitor you will need to create one. You can see which ciphers are supported here:

     

    https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html

     

    Be aware that if your servers are significantly out of date you may need to upgrade them to get a mutually acceptable cipher.
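
Before changing the monitor's cipher list, it helps to know exactly what the monitor offered in the ClientHello above. The following is an added example, not part of the thread and not F5 code: it resolves ssldump's "Unknown value" code points to their IANA names and flags weak suites. The function names, the `WEAK` categories and the `SAMPLE` excerpt are this example's assumptions.

```python
import re

# IANA names for the code points the post's ssldump printed as "Unknown value".
# 0xC001-0xC019 is a regular grid: five key exchanges x five cipher/MAC pairs.
KX = ["ECDH_ECDSA", "ECDHE_ECDSA", "ECDH_RSA", "ECDHE_RSA", "ECDH_anon"]
ENC = ["NULL_SHA", "RC4_128_SHA", "3DES_EDE_CBC_SHA",
       "AES_128_CBC_SHA", "AES_256_CBC_SHA"]
IANA = {0xC001 + 5 * k + e: f"TLS_{kx}_WITH_{enc}"
        for k, kx in enumerate(KX) for e, enc in enumerate(ENC)}
IANA.update({
    0x44: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",
    0x45: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x46: "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
    0x96: "TLS_RSA_WITH_SEED_CBC_SHA",
    0x99: "TLS_DHE_DSS_WITH_SEED_CBC_SHA",
    0x9A: "TLS_DHE_RSA_WITH_SEED_CBC_SHA",
    0x9B: "TLS_DH_anon_WITH_SEED_CBC_SHA",
    0xFF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # signalling value, not a cipher
})

# Substring -> reason. These categories are this example's choice, not F5's list.
WEAK = {"_anon_": "no authentication", "EXPORT": "export-grade key",
        "_NULL_": "no encryption", "RC4": "RC4",
        "_DES_CBC": "single DES", "MD5": "MD5 MAC"}

def offered_suites(ssldump_text):
    """Suite names from a ClientHello in offer order, unknown values resolved."""
    m = re.search(r"cipher suites(.*?)compression methods", ssldump_text, re.S)
    if not m:
        return []
    names = []
    for code, name in re.findall(r"Unknown value (0x[0-9a-fA-F]+)|(TLS_\w+)", m.group(1)):
        names.append(IANA.get(int(code, 16), f"UNRESOLVED_{code}") if code else name)
    return names

def weak_suites(names):
    """Map each weak suite to the reasons it was flagged."""
    flagged = {n: [why for pat, why in WEAK.items() if pat in n] for n in names}
    return {n: why for n, why in flagged.items() if why}

# Constructed excerpt: a few entries taken from the ClientHello in the post.
SAMPLE = ("C>S Handshake ClientHello Version 3.3 cipher suites "
          "Unknown value 0xc014 TLS_DHE_RSA_WITH_AES_256_CBC_SHA "
          "Unknown value 0xc019 TLS_RSA_WITH_RC4_128_MD5 "
          "TLS_RSA_EXPORT_WITH_RC4_40_MD5 Unknown value 0xc015 "
          "Unknown value 0xff compression methods NULL")

if __name__ == "__main__":
    for suite in offered_suites(SAMPLE):
        print(suite, weak_suites([suite]).get(suite, ""))
```

The parser accepts the ssldump text either flattened onto one line or in its normal multi-line layout, so the full capture from the post can be passed in unchanged.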