Davect26
May 16, 2018

Why would an HTTPS monitor send two different ClientHello versions to different VIP pool members on the same box?

I have two different fastl4 VIPs that are configured identically except for the IPs & pool members. They both use an https monitor with cipherlist DEFAULT:+SHA:+3DES:+kEDH. One monitor marks the member up by connecting with TLSv1.2; the other will not, and only comes up if the server side is set to TLS. When I ran an SSLDUMP, I noticed the one working sends ClientHello Version 3.3, but the one not working sends ClientHello Version 3.1. They are both on the same device, running 11.5.3 build 2.104.196 HF2. Why would two different ClientHello versions be sent to different servers? Any assistance would be much appreciated.

Thanks, Dave

 

1 Reply

  • This is due to the server already negotiating a lower version. At that point the F5 will start with the previously negotiated version.

     

    To reset this, remove the monitor from the pool and then re-apply.

     

    David Pasch
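
Added example (not part of the original thread and not F5 code): a Python script that reads ssldump text output and reports which ClientHello version the monitor offered to each pool member, where 3.1 is TLSv1.0 and 3.3 is TLSv1.2. The sample capture, addresses and function names are constructed for illustration, and the line layout is assumed to follow ssldump's usual text output with the client listed first on the connection line.

```python
import re

# Constructed sample modelled on ssldump text output (documentation IPs).
SAMPLE = """\
New TCP connection #1: 192.0.2.10(41000) <-> 198.51.100.21(443)
1 1  0.0011 (0.0011)  C>S  Handshake
      ClientHello
        Version 3.3
1 2  0.0020 (0.0009)  S>C  Handshake
      ServerHello
        Version 3.3
New TCP connection #2: 192.0.2.10(41002) <-> 198.51.100.22(443)
2 1  0.0010 (0.0010)  C>S  Handshake
      ClientHello
        Version 3.1
2 2  0.0019 (0.0009)  S>C  Handshake
      ServerHello
        Version 3.1
"""

NAMES = {"3.0": "SSLv3", "3.1": "TLSv1.0", "3.2": "TLSv1.1", "3.3": "TLSv1.2"}
CONN = re.compile(r"^New TCP connection #(\d+): \S+ <-> ([^()\s]+)\((\d+)\)")
RECORD = re.compile(r"^(\d+) \d+\s+[\d.]+ \([\d.]+\)\s+(C>S|S>C)")
VERSION = re.compile(r"^\s+Version (\d+\.\d+)")

def hello_versions(text):
    """Return {server: {"ClientHello": "3.x", "ServerHello": "3.x"}}."""
    servers, result = {}, {}
    conn = hello = None
    for line in text.splitlines():
        if m := CONN.match(line):        # remember the server side of each connection
            servers[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
        elif m := RECORD.match(line):    # record header carries the connection number
            conn, hello = m.group(1), None
        elif line.strip() in ("ClientHello", "ServerHello"):
            hello = line.strip()
        elif (m := VERSION.match(line)) and conn in servers and hello:
            result.setdefault(servers[conn], {})[hello] = m.group(1)
            hello = None
    return result

def below_tls12(text):
    """List pool members whose ClientHello offered less than 3.3 (TLSv1.2)."""
    out = []
    for server, h in hello_versions(text).items():
        v = h.get("ClientHello")
        if v and tuple(map(int, v.split("."))) < (3, 3):
            out.append(f"{server} offered {NAMES.get(v, v)}")
    return sorted(out)
```

Running `below_tls12()` over captures taken before and after the monitor is removed and re-applied shows whether the monitor has gone back to offering 3.3 to that member.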