Forum Discussion

Zenz's avatar
Zenz
Icon for Altostratus rankAltostratus
Jan 29, 2020
Solved

[SOLVED] Connection error: ssl_null_parse:1387: record protocol version incorrect

Hi,

We have this error suddenly in our environment..

We think the party connecting to us (AKAMAI) might changed something..

 

to understand what the exact error is we are looking for the error codes, but we cannot find it.

Is there an error code list somewhere?

 

Kind Regards,

Zenz

 

 

application delivery
BIG-IP
LTM
  • Zenz's avatar
    Zenz
    Jan 30, 2020

    Hi Lidev,

     

    thx again for the reply..

     

    we have identified the problem.

    it was a routing problem, where the response of the backend server did not reach the loadbalancer anymore

     

    so TCP and SSL handshake went fine between akamai and our origin (VIP on F5), however, the loadbalancer then wanted to setup the connection with the http server starting with the tcp handshake, where the ack was not received by the loadbalancer anymore, as someone created a VM in the same network with the source IP of the loadbalancer.

     

    some side note:

    our healthchecks/monitoring from F5 to server are done with different source IP's then the actual traffic is using.

     

     

     

     

6 Replies

Sort By
  • Zenz's avatar
    Zenz
    Icon for Altostratus rankAltostratus
    Jan 30, 2020

    Hi Lidev,

     

    thx again for the reply..

     

    we have identified the problem.

    it was a routing problem, where the response of the backend server did not reach the loadbalancer anymore

     

    so TCP and SSL handshake went fine between akamai and our origin (VIP on F5), however, the loadbalancer then wanted to setup the connection with the http server starting with the tcp handshake, where the ack was not received by the loadbalancer anymore, as someone created a VM in the same network with the source IP of the loadbalancer.

     

    some side note:

    our healthchecks/monitoring from F5 to server are done with different source IP's then the actual traffic is using.

     

     

     

     

  • Lidev's avatar
    Lidev
    Icon for MVP rankMVP
    Jan 29, 2020

    Hello Zenz,

     

    Your connection error message is pretty clear, there's a TLS/SSL protocol version mismatch during the handshake SSL (check the Ciphersuites on both side)

  • Zenz's avatar
    Zenz
    Icon for Altostratus rankAltostratus
    Jan 29, 2020

    Hi Lidev,

    thx for your quick answer.

    However we checked the handshake protocol versions..in the tcp dump, which seems to be no issue.

     

    Client Hello =

    Version: TLS 1.2 (0x0303)

    Cipher Suites (22 suites)

      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

      Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

      Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

      Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

      Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

      Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

      Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)

      Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)

      Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

      Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

      Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

      Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)

      Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)

      Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)

      Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

     

    Server Hello:

    Version: TLS 1.2 (0x0303)

    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

     

     

    but this seems to be about the "record protocol version"

     

    I just found this article:

    https://support.f5.com/csp/article/K75464225

    do not know yet if its related.

     

  • Lidev's avatar
    Lidev
    Icon for MVP rankMVP
    Jan 30, 2020

    Do you see any SSL renegociation in your tcpdump ?

    To help with troubleshooting, it would be appreciated if you could share your tcpdump.