Adding Peer device issue

Question

Hi Guys,&nbsp;
I have a problem with my customer.
We are working in Test Plant, where we would replace 2 F5 Viprion 4400 (version 11.4.1) with an F5 i2600 (version 12.1.2).
I'm telling you what we would like to do to migrate everything (in Test Plant we are testing the procedure we would like to implement in production, where we will replace two Viprion 4400 with two Viprion 2400):&nbsp;
Added the new F5 to the existing Device Group by creating a new sync VLAN between the 3 devicesSync the configuration on the new deviceFailover of traffic on the new deviceRemove from the device group the two old Viprion
We immediately encountered a problem when we tried adding a peer to insert the new device into the current cluster, in particular we get the following error (via GUI the same error exists on both Viprion and i2600): &nbsp;
iControl connection to 172.16.4.242 failed (where IP 172.16.4.242 is the IP of the new F5 i2600)&nbsp;
Checking the ltm log file, we find the following errors:&nbsp;
Viprion (LTM) Side: SSL_handshake: error: 14094410: SSL routines: SSL3_READ_BYTES: sslv3 alert handshake failure&nbsp;
I2600 (LTM) Side: SSL_handshake: error: 14077102: SSL routines: SSL23_GET_SERVER_HELLO: unsupported protocol&nbsp;
Any idea about this?&nbsp;
BR&nbsp;

kevin_k_51432 · Answer

Greetings,&nbsp;
That seems resemble the following:&nbsp;
K54511423: The system includes insecure ciphers when a device adds another device to the device trust&nbsp;
https://support.f5.com/csp/article/K54511423&nbsp;
Did you happen to use this article to modify the HTTP cipher strength?&nbsp;
K13405: Restricting Configuration utility access to clients using high-encryption SSL ciphers (11.x)&nbsp;
https://support.f5.com/csp/article/K13405&nbsp;
Kevin&nbsp;

andrea_colombo_ · Answer

Hello Kevin,
thank you for your response.
We tried the solution on K13405, but the problem is the same:  iControl connection to 172.16.4.242 failed&nbsp;
Any idea?&nbsp;
BR&nbsp;
Andrea&nbsp;

amintej · Answer

Hello, We had a similar problem when we turned off TLS 1.0 in the httpd interface but it looks like your problem is with SSLv3 protocol. 
Check the current configuration with the next command:
list sys httpd ssl-protocol 
sys httpd { ssl-protocol "all -SSLv2 -SSLv3"}

You can add SSLv3 using modify:
 modify sys httpd ssl-protocol "all -SSLv2 +SSLv3"

kevin_k_51432 · Answer

Hi Andrea,
I've not encountered this issue on any of my BIG-IPs. It looks like the default setting is:
tmsh list sys httpd ssl-protocol
sys httpd {
    ssl-protocol "all -SSLv2 -SSLv3"
}

Do you have the ability to set this on both devices and test? 
tmsh
modify sys httpd ssl-protocol "all -SSLv2 -SSLv3"
save sys config
load sys config
restart sys service httpd

I know you intend to use stronger ciphers only, but it appears this is only possible in v13.0.0 per the bug mentioned above.
Thanks!
Kevin

Forum Discussion

Adding Peer device issue

4 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Device Management

Regex issue

BIG-IQ : Error when adding device

Getting Started with BIG-IP Next: Adding Instances to Central Manager

Error While Adding Peer Devices to Local Trust Domain