ssl handshare
1 TopicSSL Handshake failed between F5 and backend server
Hi Team , We have an issue accessing the url test-dev-01.example.com via F5 VIP but direct access to server one-test-dev.trading.net is working fine . Error : "connection reset" Please find the vip configuration details below… Please advice if anyone has faced similar issues or possible root cause … thank you. VIP : 10.128.10.5 Url : test-dev-01.example.com port : 443 VIP has http profile , Client SSL profile , Server SSL profile , no default pool ( redirection to pool via policy ), no persistence profiles. Policy/Irule: HTTP Host host is 'test-dev-01.example.com' at request time. 1. Replace HTTP Host with value 'one-test-dev.trading.net' at request time. 2. Forward traffic to pool '/Common/P_one-test-dev.trading.net' at request time. SSL handshake error message : 100.19.10.10 is backend server 10.10.10.250 is SNAT Ip Oct 26 11:20:53 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:11158 Oct 26 11:20:53 bigip-test-f5.com warning tmm3[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1955 Oct 26 11:21:23 bigip-test-f5.com warning tmm6[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:18610 Oct 26 11:22:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:58704 Oct 26 11:22:50 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1303 Oct 26 11:27:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:5403 Oct 26 11:29:08 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:23029 Oct 26 11:37:24 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:48470 [root@bigip-test-f5.com:Active:Standalone] config # curl -kvv https://test-dev-01.example.com * Rebuilt URL to: https://test-dev-01.example.com/ * Trying 10.128.10.5... * Connected to test-dev-01.example.com (10.128.10.5) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Client hello (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * ALPN, server did not agree to a protocol * Server certificate: * subject: C=IN; ST=IDV; L=INDIA; O=EXAMPLE; OU=IT; CN=*.example.com; emailAddress=globalitteam@EXAMPLE.com * start date: Jul 30 12:10:00 2020 GMT * expire date: Nov 1 12:10:00 2022 GMT * issuer: DC=EXAMPLE; DC=atlas; CN=Atlas Issuing CAv2 1 * SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway. > GET / HTTP/1.1 > Host: test-dev-01.example.com > User-Agent: curl/7.47.1 > Accept: */* > * SSL read: error:00000000:lib(0):func(0):reason(0), errno 104 * Closing connection 05.2KViews0likes4Comments