
ltmClientSslStatActiveHandshakeRejected for each ssl profile

slashlinux
Nimbostratus

Hi team,

 

I have a question/problem. In the company where I work as a DevOps engineer we have several BIG-IP instances with 6 SSL profiles, and each is limited by connections/sessions. Sometimes these profiles receive more traffic than we limited the SSL profile to: if a single SSL profile has a limit of 1000 and reaches that threshold, then the other sessions are rejected, but we do not receive alarms about the rejected sessions. If we received alarms about the rejected sessions, we could increase the upper limit by 10% whenever we have this problem.

 

I should mention that all these BIG-IPs have only 1 CPU core and are AWS instances, so they are not powerful enough to encrypt every session, and that is why each SSL profile has been limited.

 

Let's take one SSL profile as an example:

 

ssl_profile_1 has the following:

 

  • SSL profile limit: F5-BIGIP-LOCAL-MIB::ltmClientSslMaxActiveHandshake."/Common/ssl_profile_1" = Gauge32: 1000
  • Current active handshakes: F5-BIGIP-LOCAL-MIB::ltmClientSslStatCurrentActiveHandshakes."/Common/ssl_profile_1" = Counter64: 1000

 

  1. Is there a MIB that can show the Rejected Handshakes for each SSL profile? (There is a MIB/OID that shows Rejected Handshakes, but it is not for the SSL profile limit; it is created for invalid certificates or other reasons: F5-BIGIP-LOCAL-MIB::ltmClientSslStatActiveHandshakeRejected."/Common/ssl_profile_1" = Counter64)
  2. What tmsh command should I use to show the MaxActiveHandshakes limit for an SSL profile?

 

Thanks in advance


Hello SlashLinux.

 

You could collect the SSL handshake info from your tmsh stats:

root@(bigip)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm profile client-ssl CSSL_profile | grep shake
Certificates/Handshakes
  Mid-Connection Handshakes                 0
  Secure Handshakes                         0
  Current Active Handshakes                 0
  Insecure Handshakes Accepted              0
  Insecure Handshakes Rejected              0
  Extended Master Secret Handshakes         0
  Handshake Failures                        0
  Active Handshakes Rejected                0
  Bypasses By Handshake Alert               0
  Verified Handshake Count                  0
  Connection mirror handshake success       0

After that, you could create a Custom MIB using this:

https://support.f5.com/csp/article/K13596

 

Regards,

Dario.

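Added example (editor's addition, not part of the thread and not F5 code): the check a poller would run against the two tmsh commands involved here, the `show ltm profile client-ssl <name>` stats from the reply above and the profile's configured limit. It works on the text tmsh prints, so the sample output below is constructed (modelled on the reply, with made-up numbers and the `ssl_profile_1` name from the question); on a BIG-IP you would pass in the live output. One assumption to verify on your TMOS version: that `max-active-handshakes` is the client-ssl attribute behind ltmClientSslMaxActiveHandshake (check with `tmsh list ltm profile client-ssl <name> all-properties`). The example also shows the point a monitor has to get right: "Current Active Handshakes" is a gauge you compare to the limit, while "Active Handshakes Rejected" is a counter, so only its increase between polls means new rejections, and a drop means the stats were reset.

```python
"""Poll a client-SSL profile's handshake limit and rejection counter from tmsh output.

Added example for this thread (not F5 code). It parses the text tmsh prints, so it
runs offline; on a BIG-IP feed it the live output of the two commands named below
(e.g. via subprocess). ASSUMPTION: `max-active-handshakes` is the client-ssl
attribute behind ltmClientSslMaxActiveHandshake; confirm with
`tmsh list ltm profile client-ssl <name> all-properties` on your version.
"""
import re

# Constructed sample, modelled on the `show ... | grep shake` output posted above.
# Profile name from the question; the numbers are made up.
SAMPLE_SHOW = """\
Ltm::ClientSSL Profile: ssl_profile_1
-------------------------------------------------------------
Virtual Server Name                               N/A

Certificates/Handshakes
  Mid-Connection Handshakes                         0
  Secure Handshakes                             48213
  Current Active Handshakes                      1000
  Insecure Handshakes Accepted                      0
  Insecure Handshakes Rejected                      0
  Extended Master Secret Handshakes             48213
  Handshake Failures                               12
  Active Handshakes Rejected                       37
  Bypasses By Handshake Alert                       0
  Verified Handshake Count                          0
  Connection mirror handshake success               0
"""
# Constructed sample of `tmsh list ltm profile client-ssl ssl_profile_1 max-active-handshakes`.
SAMPLE_LIST = """\
ltm profile client-ssl ssl_profile_1 {
    max-active-handshakes 1000
}
"""

# Indented "Stat Name   <integer>" rows only; headers, dashes and N/A rows do not match.
STAT_ROW = re.compile(r"^\s+(?P<name>[A-Za-z][A-Za-z /-]*?)\s{2,}(?P<value>\d+)\s*$")
LIMIT_ROW = re.compile(r"^\s*max-active-handshakes\s+(\S+)", re.MULTILINE)


def parse_show_stats(text):
    """Map stat name -> int for every numeric row of `tmsh show` output."""
    stats = {}
    for line in text.splitlines():
        m = STAT_ROW.match(line)
        if m:
            stats[m["name"].strip()] = int(m["value"])
    return stats


def parse_max_active(text):
    """Configured limit as int, or None when the value is not numeric (no limit set)."""
    m = LIMIT_ROW.search(text)
    return int(m.group(1)) if m and m.group(1).isdigit() else None


def handshake_status(stats, max_active, warn_pct=90):
    """Snapshot level from the Current Active Handshakes gauge:
    ('unlimited'|'ok'|'warn'|'limit', utilization percent)."""
    active = stats.get("Current Active Handshakes", 0)
    if max_active is None:
        return "unlimited", None
    pct = 100.0 * active / max_active
    if active >= max_active:
        return "limit", pct
    return ("warn" if pct >= warn_pct else "ok"), pct


def rejected_since(prev_total, cur_total):
    """New rejections between two polls. Active Handshakes Rejected is a counter,
    so only its increase matters; a drop means the stats were reset (tmm restart,
    `tmsh reset-stats`), in which case we count from zero."""
    if prev_total is None:
        return 0  # first poll, no baseline yet
    return cur_total if cur_total < prev_total else cur_total - prev_total


def check_profile(show_text, list_text, prev_rejected=None):
    """One poll cycle; the dict is what you would hand to monitoring or a custom trap."""
    stats = parse_show_stats(show_text)
    limit = parse_max_active(list_text)
    level, pct = handshake_status(stats, limit)
    total = stats.get("Active Handshakes Rejected", 0)
    return {"active": stats.get("Current Active Handshakes", 0), "limit": limit,
            "level": level, "utilization_pct": pct, "rejected_total": total,
            "rejected_new": rejected_since(prev_rejected, total)}


if __name__ == "__main__":
    # Pretend the previous poll saw 30 rejections; alert on new ones or on the limit.
    result = check_profile(SAMPLE_SHOW, SAMPLE_LIST, prev_rejected=30)
    state = "ALERT" if result["level"] in ("warn", "limit") or result["rejected_new"] else "ok"
    print(state, "ssl_profile_1:", result)
```

Run per profile from cron or from your monitoring agent, persisting the last `rejected_total` between runs; the same two values are what the custom MIB route from K13596 would expose over SNMP, with the gauge/counter distinction applying there too.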

slashlinux
Nimbostratus

Thank you for your reply, but this doesn't solve my problem. Look at what I have in the LTM logs when the ssl_profile sessions reached the threshold:

 

  • Sample logs (/var/log/ltm):

 

Jan 24 17:29:50 bigip warning tmm1[24729]: 01260009:4: Connection error: ssl_check_profile_limits:1868: The number of per TMM active handshakes 100 for /Common/ssl_profile_name-0 on this TMM[1] reached the limit 100/TMM set in profile /Common/ssl_profile_name-1 (80)

Jan 24 17:29:50 bigip warning tmm[24729]: 01260013:4: SSL Handshake failed for TCP 192.168.1.0:53031 -> 192.168.2.0:443

Jan 24 17:29:50 bigip warning tmm[24729]: 01260013:4: Per-invocation log rate exceeded; throttling.

Jan 24 17:29:50 bigip warning tmm1[24729]: 01260009:4: Connection error: ssl_check_profile_limits:1868: The number of per TMM active handshakes 100 for /Common/ssl_profile_name-1 on this TMM[1] reached the limit 250/TMM set in profile /Common/ssl_profile_name-3 (80)

 

Jan 31 14:03:22 bigip warning tmm1[24729]: 01260009:4: Connection error: ssl_check_profile_limits:1868: The number of per TMM active handshakes 100 for /Common/ssl_profile_name-0 on this TMM[1] reached the limit 100/TMM set in profile /Common/ssl_profile_name-1 (80)

Jan 31 14:03:32 bigip warning tmm[24729]: 01260009:4: Connection error: ssl_check_profile_limits:1868: The number of per TMM active handshakes 250 for /Common/ssl_profile_name-0 on this TMM[0] reached the limit 250/TMM set in profile /Common/ssl_profile_name-1 (80)

 

 

Hello SlashLinux

Since you have log lines that report those issues, you can configure custom alerts (using matching expressions on your logs) to trigger SNMP traps.

https://support.f5.com/csp/article/K3727

Regards,

Dario.

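Added example (editor's addition, not part of the thread and not F5 code): what the matching expression for the `ssl_check_profile_limits` lines has to capture, run over the log lines posted above, and how to aggregate the hits per profile before alerting. The message carries two profile names, the one whose handshakes were counted ("for /Common/...") and the one the limit is set in ("set in profile /Common/..."); the example keys on the first and records the second. It also counts the "Per-invocation log rate exceeded; throttling." notices, because each one means tmm dropped repeats of the message and the hit count for that interval is a lower bound. The full regex is for offline aggregation; the match string you would put in /config/user_alert.conf per K3727 can be as short as `ssl_check_profile_limits`.

```python
"""Turn the ssl_check_profile_limits messages in /var/log/ltm into per-profile
rejection counts.

Added example for this thread, not F5 code. The regex shows what a matching
expression for these lines has to capture; parse_limit_hits() aggregates the hits
per profile so an alert names the profile that needs its limit raised.
"""
import re

# Log lines copied from the post above (host, addresses and profile names as posted).
SAMPLE_LOG = """\
Jan 24 17:29:50 bigip warning tmm1[24729]: 01260009:4: Connection error: ssl_check_profile_limits:1868: The number of per TMM active handshakes 100 for /Common/ssl_profile_name-0 on this TMM[1] reached the limit 100/TMM set in profile /Common/ssl_profile_name-1 (80)
Jan 24 17:29:50 bigip warning tmm[24729]: 01260013:4: SSL Handshake failed for TCP 192.168.1.0:53031 -> 192.168.2.0:443
Jan 24 17:29:50 bigip warning tmm[24729]: 01260013:4: Per-invocation log rate exceeded; throttling.
Jan 24 17:29:50 bigip warning tmm1[24729]: 01260009:4: Connection error: ssl_check_profile_limits:1868: The number of per TMM active handshakes 100 for /Common/ssl_profile_name-1 on this TMM[1] reached the limit 250/TMM set in profile /Common/ssl_profile_name-3 (80)
Jan 31 14:03:22 bigip warning tmm1[24729]: 01260009:4: Connection error: ssl_check_profile_limits:1868: The number of per TMM active handshakes 100 for /Common/ssl_profile_name-0 on this TMM[1] reached the limit 100/TMM set in profile /Common/ssl_profile_name-1 (80)
Jan 31 14:03:32 bigip warning tmm[24729]: 01260009:4: Connection error: ssl_check_profile_limits:1868: The number of per TMM active handshakes 250 for /Common/ssl_profile_name-0 on this TMM[0] reached the limit 250/TMM set in profile /Common/ssl_profile_name-1 (80)
"""

# Named groups pull out the counted profile ("for ..."), the TMM, the active count,
# the per-TMM limit and the profile the limit is set in ("set in profile ...").
LIMIT_HIT = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) warning (?P<proc>tmm\d*)\[\d+\]: "
    r"01260009:4: Connection error: ssl_check_profile_limits:\d+: "
    r"The number of per TMM active handshakes (?P<active>\d+) for (?P<profile>\S+) "
    r"on this TMM\[(?P<tmm>\d+)\] reached the limit (?P<limit>\d+)/TMM "
    r"set in profile (?P<limit_profile>\S+)"
)
# tmm suppresses repeats of a noisy message; each notice means the counts below
# are a lower bound for that interval.
THROTTLED = re.compile(r"Per-invocation log rate exceeded; throttling\.")


def parse_limit_hits(text):
    """Return (per_profile, throttled). per_profile maps the counted profile to its
    hit count, the TMMs involved, the last limit seen and the first/last timestamp."""
    per_profile = {}
    throttled = 0
    for line in text.splitlines():
        if THROTTLED.search(line):
            throttled += 1
            continue
        m = LIMIT_HIT.match(line)
        if not m:
            continue  # e.g. the 01260013 "SSL Handshake failed" lines
        s = per_profile.setdefault(m["profile"], {
            "hits": 0, "tmms": set(), "limit_per_tmm": None,
            "limit_profile": None, "first": None, "last": None,
        })
        s["hits"] += 1
        s["tmms"].add(int(m["tmm"]))
        s["limit_per_tmm"] = int(m["limit"])
        s["limit_profile"] = m["limit_profile"]
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return per_profile, throttled


def profiles_to_alert(per_profile, min_hits=1):
    """Profiles with at least min_hits limit hits, busiest first."""
    hot = [name for name, s in per_profile.items() if s["hits"] >= min_hits]
    return sorted(hot, key=lambda n: (-per_profile[n]["hits"], n))


if __name__ == "__main__":
    per_profile, throttled = parse_limit_hits(SAMPLE_LOG)
    for name in profiles_to_alert(per_profile):
        s = per_profile[name]
        print(f"{name}: {s['hits']} limit hits on TMM {sorted(s['tmms'])}, "
              f"limit {s['limit_per_tmm']}/TMM from {s['limit_profile']}, "
              f"{s['first']} .. {s['last']}")
    if throttled:
        print(f"{throttled} throttling notice(s): counts above are a lower bound")
```

For the trap itself, K3727's /config/user_alert.conf format is an alert name, the match string in quotes and a block with the action, e.g. `alert SSL_HANDSHAKE_LIMIT "ssl_check_profile_limits" { snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300" }` (the first OID in the custom range that article documents); the aggregation above is what you run on the collector side to turn those traps, or the raw syslog, into a per-profile decision.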