[SOLVED] Connection error: ssl_null_parse:1387: record protocol version incorrect

Zenz
Altostratus

Hi,

We suddenly have this error in our environment.

We think the party connecting to us (AKAMAI) might have changed something.

To understand what the exact error is, we are looking for the error codes, but we cannot find them.

Is there an error code list somewhere?

Kind Regards,

Zenz

 

 


6 REPLIES

Lidev
MVP

Hello Zenz,

 

Your connection error message is pretty clear: there's a TLS/SSL protocol version mismatch during the SSL handshake (check the cipher suites on both sides).

Zenz
Altostratus

Hi Lidev,

thx for your quick answer.

However, we checked the handshake protocol versions in the tcpdump, and there seems to be no issue.

 

Client Hello =
Version: TLS 1.2 (0x0303)
Cipher Suites (22 suites)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
  Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
  Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
  Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
  Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
  Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
  Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
  Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
  Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
  Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
  Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
  Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
  Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

Server Hello:
Version: TLS 1.2 (0x0303)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

 

 

but this seems to be about the "record protocol version"

 

I just found this article:

https://support.f5.com/csp/article/K75464225

Do not know yet if it's related.
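The post above separates the "Version" shown inside the Client Hello / Server Hello from the "record protocol version". As an added example (not part of the thread and not F5 code), this sketch parses the 5-byte TLS record header to show that it carries its own version field, and what a parser sees when the bytes are not a TLS record at all. The function name `parse_record` and both sample byte strings are constructed for illustration.

```python
import struct

# Record content types and wire versions (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_record(data: bytes) -> dict:
    """Parse one TLS record; report the record-layer version and, for a
    ClientHello/ServerHello, the separate version inside the handshake."""
    if len(data) < 5:
        return {"ok": False, "reason": "short record header"}
    ctype, rec_ver, length = struct.unpack("!BHH", data[:5])
    if ctype not in CONTENT_TYPES or rec_ver not in VERSIONS:
        # Bytes that are not TLS at all (plaintext, garbage) end up here.
        return {"ok": False, "reason":
                f"not a TLS record (type={ctype:#04x}, version={rec_ver:#06x})"}
    body = data[5:5 + length]
    if len(body) < length:
        return {"ok": False, "reason": "truncated record body"}
    hello_version = None
    # Handshake message: type(1) + length(3); hello messages then carry version(2).
    if ctype == 22 and len(body) >= 6 and body[0] in (1, 2):
        hello_version = VERSIONS.get(int.from_bytes(body[4:6], "big"))
    return {"ok": True, "content_type": CONTENT_TYPES[ctype],
            "record_version": VERSIONS[rec_ver], "hello_version": hello_version}

# Constructed sample: minimal ClientHello prefix (version, zero random, empty
# session id) in a record whose header says 0x0301 while the hello says 0x0303.
_hello = b"\x03\x03" + bytes(32) + b"\x00"
_handshake = b"\x01" + len(_hello).to_bytes(3, "big") + _hello
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01" + len(_handshake).to_bytes(2, "big") + _handshake
# Constructed sample: plaintext HTTP arriving where a TLS record is expected.
SAMPLE_PLAINTEXT = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("client hello", SAMPLE_CLIENT_HELLO),
                      ("plaintext", SAMPLE_PLAINTEXT)):
        print(name, parse_record(raw))
```

When reading a capture, compare the version in the record header with the one in the hello message; the fields listed in the post are the latter.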

 

Lidev
MVP

Do you see any SSL renegotiation in your tcpdump?

To help with troubleshooting, it would be appreciated if you could share your tcpdump.

Zenz
Altostratus

Hi Lidev,

 

thx again for the reply.

We have identified the problem.

It was a routing problem, where the response of the backend server did not reach the load balancer anymore.

So the TCP and SSL handshakes went fine between Akamai and our origin (VIP on F5); however, the load balancer then wanted to set up the connection with the HTTP server, starting with the TCP handshake, where the ACK was no longer received by the load balancer, as someone had created a VM in the same network with the source IP of the load balancer.

A side note:

Our health checks/monitoring from F5 to the server are done with different source IPs than the actual traffic is using.

 

 

 

 

Please mark your thread as solved then. You can mark your own answer.

@Zenz

glad to hear that 😌