
SSL Handshake failed between F5 and backend server

Sarovani
Cirrostratus

Hi Team,

We have an issue accessing the URL test-dev-01.example.com via the F5 VIP, but direct access to the server one-test-dev.trading.net is working fine.

Error: "connection reset"

Please find the VIP configuration details below.

Please advise if anyone has faced similar issues or knows a possible root cause.

Thank you.

VIP: 10.128.10.5

URL: test-dev-01.example.com

Port: 443

The VIP has an HTTP profile, a Client SSL profile and a Server SSL profile, no default pool (redirection to the pool via policy) and no persistence profiles.

 

 

Policy/iRule:

HTTP Host host is 'test-dev-01.example.com' at request time.

1. Replace HTTP Host with value 'one-test-dev.trading.net' at request time.

2. Forward traffic to pool '/Common/P_one-test-dev.trading.net' at request time.

SSL handshake error messages (100.19.10.10 is the backend server, 10.10.10.250 is the SNAT IP):

Oct 26 11:20:53 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:11158

Oct 26 11:20:53 bigip-test-f5.com warning tmm3[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1955

Oct 26 11:21:23 bigip-test-f5.com warning tmm6[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:18610

Oct 26 11:22:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:58704

Oct 26 11:22:50 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1303

Oct 26 11:27:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:5403

Oct 26 11:29:08 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:23029

Oct 26 11:37:24 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:48470

 

 


[root@bigip-test-f5.com:Active:Standalone] config # curl -kvv https://test-dev-01.example.com

* Rebuilt URL to: https://test-dev-01.example.com/

* Trying 10.128.10.5...

* Connected to test-dev-01.example.com (10.128.10.5) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

* CAfile: /etc/pki/tls/certs/ca-bundle.crt

CApath: none

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

* ALPN, server did not agree to a protocol

* Server certificate:

* subject: C=IN; ST=IDV; L=INDIA; O=EXAMPLE; OU=IT; CN=*.example.com; emailAddress=globalitteam@EXAMPLE.com

* start date: Jul 30 12:10:00 2020 GMT

* expire date: Nov 1 12:10:00 2022 GMT

* issuer: DC=EXAMPLE; DC=atlas; CN=Atlas Issuing CAv2 1

* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

> GET / HTTP/1.1

> Host: test-dev-01.example.com

> User-Agent: curl/7.47.1

> Accept: */*

>

* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

* Closing connection 0
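
The 01260013 warning quoted above can be logged for either side of the proxied connection, so triage starts with telling server-side handshake failures (BIG-IP acting as TLS client toward the pool member, through its SNAT address) from client-side ones (browser toward the VIP). The following is an added Python example, not code from the post or from F5: it parses lines in the format quoted above, tags each failure as client-side or server-side using a set of VIP and pool-member addresses that the operator supplies, and counts failures per endpoint. The sample log is constructed: the first four lines copy the post's messages, the fifth is a made-up client-side failure against the post's VIP 10.128.10.5 from the documentation address 192.0.2.77, and the last is an unrelated line that the parser must skip.

```python
import re
from collections import Counter

# Constructed sample log in the format quoted in the post. Lines 1-4 copy the
# post's messages (100.19.10.10 = pool member, 10.10.10.250 = SNAT), line 5 is
# an invented client-side failure against the VIP 10.128.10.5, and the last
# line is an invented unrelated message that must be ignored.
SAMPLE_LOG = """\
Oct 26 11:20:53 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:11158
Oct 26 11:20:53 bigip-test-f5.com warning tmm3[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1955
Oct 26 11:21:23 bigip-test-f5.com warning tmm6[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:18610
Oct 26 11:22:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:58704
Oct 26 11:22:24 bigip-test-f5.com warning tmm2[21070]: 01260013:4: SSL Handshake failed for TCP 192.0.2.77:51234 -> 10.128.10.5:443
Oct 26 11:29:08 bigip-test-f5.com notice mcpd[5000]: constructed unrelated message, must be skipped
"""

# One regex for the message shape shown in the post: "SSL Handshake failed
# for TCP <addr>:<port> -> <addr>:<port>", logged by any tmm instance.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) warning "
    r"(?P<tmm>tmm\d*)\[\d+\]: 01260013:4: SSL Handshake failed for TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_handshake_failures(text):
    """Return one dict per 01260013 line; every other line is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def classify(events, vips, pool_members):
    """Tag each failure with the TLS side it belongs to.

    The message id alone does not say which side failed, so the caller
    supplies the addresses: a failure involving a pool member is the
    server-side handshake (BIG-IP as TLS client, via SNAT); one involving
    a VIP is the client-side handshake.
    """
    vips, pool_members = set(vips), set(pool_members)
    for ev in events:
        addrs = {ev["src"], ev["dst"]}
        if addrs & pool_members:
            ev["side"] = "server"
            ev["endpoint"] = next(a for a in addrs if a in pool_members)
        elif addrs & vips:
            ev["side"] = "client"
            ev["endpoint"] = next(a for a in addrs if a in vips)
        else:
            ev["side"] = "unknown"
            ev["endpoint"] = ev["src"]
    return events


def summarize(events):
    """Count failures per (side, endpoint) so a pool member that keeps
    failing its server-side handshake stands out immediately."""
    return Counter((ev["side"], ev["endpoint"]) for ev in events)


def triage(text, vips, pool_members):
    """Parse, classify and summarize in one call."""
    return summarize(classify(parse_handshake_failures(text), vips, pool_members))


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, vips={"10.128.10.5"}, pool_members={"100.19.10.10"})
    for (side, endpoint), n in sorted(summary.items()):
        print(f"{side:7s} {endpoint:15s} {n} handshake failure(s)")
```

Run against a real /var/log/ltm extract, the summary separates "the backend is rejecting the BIG-IP's handshake" (all failures tagged server, as in this thread, which matches the connection reset curl reported) from "clients are failing against the VIP" (failures tagged client), which point at the Server SSL and Client SSL profile respectively.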


Hi ck_Bengre,

Can you try sending a curl request to the server from the F5 command line?

curl -kv "https://100.19.10.10" -H "Host: one-test-dev.trading.net"

 

 

I have to request our client team to execute this command. Can you please tell me what is expected from this command?

 

 

If the command returns an SSL error, there may be an SNI problem.

https://support.f5.com/csp/article/K41600007

If the command returns page content, can you try changing the server SSL profile to serverssl-secure?
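
In a re-encrypt setup the BIG-IP, not the browser, is the TLS client toward the pool member, so the backend only sees an SNI if the Server SSL profile is configured to send one. The curl above tests one case; the added Python example below (not from the thread or from F5) makes the check explicit by attempting the handshake to the backend twice, once with SNI and once without, and turning the pair of outcomes into a verdict. Certificate verification is disabled on purpose, as with curl -k, because the question is whether the peer completes the handshake at all. The `handshake` parameter is injectable so the decision logic can be exercised without a network; the addresses and hostname are the ones from the thread and are only defaults.

```python
import socket
import ssl
import sys


def tls_handshake(ip, port, sni, timeout=5.0):
    """Complete a TLS handshake to ip:port, sending the SNI extension only
    when `sni` is a hostname (None sends no SNI). Returns (ok, detail).
    Verification is off on purpose: we only ask whether the peer completes
    the handshake, not whether its certificate is trusted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert(binary_form=True) or b""
                return True, f"{tls.version()} {tls.cipher()[0]} cert={len(cert)} bytes"
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)


def diagnose(with_sni_ok, without_sni_ok):
    """Map the two handshake outcomes to the next thing to look at."""
    if with_sni_ok and not without_sni_ok:
        return ("backend requires SNI: the Server SSL profile on the BIG-IP "
                "must send the server name, the backend cannot infer it")
    if with_sni_ok and without_sni_ok:
        return ("backend accepts handshakes with or without SNI: look at "
                "protocol versions, ciphers or certificate checks instead")
    if without_sni_ok:
        return ("handshake succeeds only without SNI: the backend rejects "
                "this name, check its virtual host / certificate binding")
    return "no handshake succeeds: check reachability, port and TLS settings"


def probe_backend(ip, port, hostname, handshake=tls_handshake):
    """Run both handshakes and return (results, verdict)."""
    results = {
        "with_sni": handshake(ip, port, hostname),
        "without_sni": handshake(ip, port, None),
    }
    verdict = diagnose(results["with_sni"][0], results["without_sni"][0])
    return results, verdict


if __name__ == "__main__":
    # Defaults are the addresses from the thread; pass your own on the CLI.
    ip = sys.argv[1] if len(sys.argv) > 1 else "100.19.10.10"
    host = sys.argv[2] if len(sys.argv) > 2 else "one-test-dev.trading.net"
    results, verdict = probe_backend(ip, 443, host)
    for label, (ok, detail) in results.items():
        print(f"{label:12s} {'OK ' if ok else 'FAIL'} {detail}")
    print(verdict)
```

If the run from the BIG-IP shell reports "with_sni OK" and "without_sni FAIL", the backend is the kind of server that only serves the requested name, and the fix is on the Server SSL profile, which is what this thread ended up doing.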

You are right, the client has resolved the issue by creating a new VIP for this URL, and on the server SSL profile they have enabled "default SSL profile for SNI".

But the question is: how was it working earlier without SNI enabled on the server SSL profile?

What is the need to have SNI enabled on the Server SSL profile? Do we not have any option to configure SNI on the backend server directly?