SSL Handshake Failure
Hi,
We are having trouble with one of our newly created VS. It can't seem to be able to 'communicate' with the backend servers (nodes).
We have reachability to the node IP. We also have an existing VS with node IPs from the same subnet as the new one, and it is working fine. The settings are identical to the working one as well.
When I did a curl check, I could see that there was an SSL error, but I can't figure out where the issue is, whether it is on the F5 or on the server end. I don't have access/visibility on the server end, so I'm unable to do any checks or verification there.
We have configured an SSL Client and Server Profile in the VS.
Was wondering if someone can shed some light on this. Would appreciate it much!
Below is the error I get for the SSL.
[Active:In Sync] config curl -vk https://[Node IP]
* About to connect() to [Node IP] port 443 (0)
* Trying [Node IP]... connected
* Connected to [Node IP] ([Node IP]) port 443 (0)
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to [Node IP]:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to [Node IP]:443
[Active:In Sync] config
Below is the setting/config of the VS:
(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual [VS Name] all-properties
ltm virtual [VS Name] {
    address-status yes
    app-service none
    auth none
    auto-lasthop default
    bwc-policy none
    clone-pools none
    cmp-enabled yes
    connection-limit 0
    description none
    destination [VS IP]:https
    enabled
    fallback-persistence none
    flow-eviction-policy none
    gtm-score 0
    ip-protocol tcp
    last-hop-pool none
    mask 255.255.255.255
    metadata none
    mirror disabled
    mobile-app-tunnel disabled
    nat64 disabled
    partition Common
    per-flow-request-access-policy none
    persist {
        cookie {
            default yes
        }
    }
    policies none
    pool [Pool Name]
    profiles {
        [SSL Profile] {
            context clientside
        }
        http {
            context all
        }
        serverssl {
            context serverside
        }
        tcp {
            context all
        }
    }
    rate-class none
    rate-limit disabled
    rate-limit-dst-mask 0
    rate-limit-mode object
    rate-limit-src-mask 0
    related-rules none
    rules none
    security-log-profiles none
    source 0.0.0.0/0
    source-address-translation {
        pool none
        type automap
    }
    source-port preserve
    syn-cookie-status not-activated
    traffic-classes none
    translate-address enabled
    translate-port enabled
    urldb-feed-policy none
    vlans none
    vlans-disabled
    vs-index 15
}
Below is the setting/config of a working VS that has a node IP from the same subnet.
ltm virtual [VS Name] {
    address-status yes
    app-service none
    auth none
    auto-lasthop default
    bwc-policy none
    clone-pools none
    cmp-enabled yes
    connection-limit 0
    description "description"
    destination [VS IP]:https
    enabled
    fallback-persistence none
    flow-eviction-policy none
    gtm-score 0
    ip-protocol tcp
    last-hop-pool none
    mask 255.255.255.255
    metadata none
    mirror disabled
    mobile-app-tunnel disabled
    nat64 disabled
    partition Common
    per-flow-request-access-policy none
    persist {
        cookie {
            default yes
        }
    }
    policies none
    pool [Pool Name]
    profiles {
        [SSL Profile] {
            context clientside
        }
        http {
            context all
        }
        serverssl {
            context serverside
        }
        tcp {
            context all
        }
    }
    rate-class none
    rate-limit disabled
    rate-limit-dst-mask 0
    rate-limit-mode object
    rate-limit-src-mask 0
    related-rules none
    rules none
    security-log-profiles none
    source 0.0.0.0/0
    source-address-translation {
        pool none
        type automap
    }
    source-port preserve
    syn-cookie-status not-activated
    traffic-classes none
    translate-address enabled
    translate-port enabled
    urldb-feed-policy none
    vlans none
    vlans-disabled
    vs-index 4
}
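The curl trace in the post fails immediately after "Client hello (1)", and curl's "Unknown SSL protocol error" only says the reply was not a valid handshake; the first bytes the node sends back show whether it speaks TLS on that port at all, refused this particular hello with an alert, or is serving plaintext HTTP. The script below is an added diagnostic, not code from the post or from F5: it sends a minimal TLS 1.2 ClientHello over a plain socket (run from the same shell as the curl test, against the node IP) and classifies the raw reply. The `SAMPLES` replies are constructed for illustration, and the node address is a placeholder.

```python
import os
import socket

# TLS alert descriptions a backend is likely to send in reply to a bare ClientHello.
ALERTS = {40: "handshake_failure", 46: "certificate_unknown", 70: "protocol_version",
          80: "internal_error", 112: "unrecognized_name"}

def build_client_hello(client_random: bytes = bytes(32)) -> bytes:
    """Minimal TLS 1.2 ClientHello: three common suites, no extensions, no SNI."""
    suites = bytes.fromhex("c02f002f0035")          # ECDHE-RSA-AES128-GCM, AES128-SHA, AES256-SHA
    body = (b"\x03\x03" + client_random + b"\x00"    # client_version, random, empty session id
            + len(suites).to_bytes(2, "big") + suites
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # handshake record

def classify_reply(data: bytes) -> tuple:
    """Map the first bytes a server sends after the ClientHello to (kind, explanation)."""
    if not data:
        return "empty", "connection closed without data: node reset or has no TLS listener"
    if data[0] == 0x16 and len(data) >= 6 and data[5] == 0x02:
        return "tls-serverhello", f"ServerHello, record version {data[1]}.{data[2]}: node speaks TLS"
    if data[0] == 0x15 and len(data) >= 7:
        level = "fatal" if data[5] == 2 else "warning"
        name = ALERTS.get(data[6], str(data[6]))
        return "tls-alert", f"{level} alert {name}: node speaks TLS but refused this hello"
    if data[:5] in (b"HTTP/", b"<html", b"<!DOC") or data[:4] in (b"GET ", b"POST"):
        return "plaintext-http", "plaintext HTTP on this port: node is not terminating TLS here"
    return "non-tls", f"unrecognised bytes {data[:8]!r}: some other service is listening"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Send the ClientHello over a plain socket and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(os.urandom(32)))
            return classify_reply(sock.recv(4096))
    except (ConnectionResetError, socket.timeout) as exc:
        return "no-reply", f"{type(exc).__name__}: reset or silence after the hello"

# Constructed sample replies (not captured from the thread), one per outcome.
SAMPLES = {
    "good node": bytes.fromhex("160303002a020000260303") + bytes(32),  # ServerHello, TLS 1.2
    "version refused": bytes.fromhex("15030300020246"),                 # fatal protocol_version
    "plain http": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    "dead port": b"",
}

if __name__ == "__main__":
    for label, reply in SAMPLES.items():
        print(f"{label:16s} -> {classify_reply(reply)}")
    # probe("NODE_IP_PLACEHOLDER")   # run from the BIG-IP shell against the real node IP
```

A "tls-alert" or "tls-serverhello" result puts the problem on the profile/cipher side (compare the serverssl profile's allowed versions and ciphers with what the node accepts); "plaintext-http", "non-tls" or "empty" means the node is not offering TLS on that port and the server team needs to look at the listener.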