otsokume
Apr 29, 2019

LTM SSL reset after ClientHello

Hello.

 

I have a very strange problem (or so it seems to me) when I try to load balance some appliances with HTTPS access. When I try to access them, I receive a reset from the server. When I do an ssldump I see this.

 

pre-master secret log file, generated by ssldump

24.25.4(443)
1 1 1556279563.8027 (0.0006) C>SV3.3(91) Handshake
    ClientHello
      Version 3.3
      random[32]=
        ac f1 6d 22 4d d7 84 6c 5f 7c 75 b6 07 7d 7f d2
        2c e0 38 31 13 53 45 79 77 d5 ab 0c 2c 70 e3 71
      cipher suites
      Unknown value 0xc030
      Unknown value 0xc02f
      Unknown value 0xff
      compression methods
        NULL
1 1556279563.8030 (0.0003) S>C TCP RST
New TCP connection 2: 172.26.13.10(62099) <-> 172.24.25.4(443)
2 1 1556279564.4307 (0.0006) C>SV3.3(91) Handshake
    ClientHello
      Version 3.3
      random[32]=
        bf 00 36 9d ba 9c 04 bb 53 5d b4 d8 bf 1a 1c f3
        cb cd d4 03 bf d9 b2 9e 48 ea 3a 92 4e d4 f3 30
      cipher suites
      Unknown value 0xc030
      Unknown value 0xc02f
      Unknown value 0xff
      compression methods
        NULL
2 1556279564.4310 (0.0003) S>C TCP RST
New TCP connection 3: 172.26.13.10(12313) <-> 172.24.25.4(443)
3 1 1556279564.5464 (0.0006) C>SV3.3(91) Handshake
    ClientHello
      Version 3.3
      random[32]=
        4e 9d 0f 22 83 bc d6 5c 58 1e d5 cd 84 00 4a 5a
        e4 cd 24 8d 12 af f3 6e 16 9d 5e b8 2e 46 7b 57
      cipher suites
      Unknown value 0xc030
      Unknown value 0xc02f
      Unknown value 0xff
      compression methods
        NULL
3 1556279564.5467 (0.0003) S>C TCP RST

 

I have changed the ciphers to ALL but nothing. I have tried with a Performance L4 VS and nothing.

 

Any idea? Thanks

 

1 Reply

  • nathe

    otsokume,

    You should expect a ServerHello message after a ClientHello - the fact that you're getting a reset suggests that the cipher suites being offered by the client are not applicable on the F5 via the Client SSL Profile. I assume you've configured a Client SSL Profile and assigned this to the Virtual Server? What is the cipher string configuration on the Client SSL Profile?

    You can check what ciphers are supported based on the cipher string in your profile. If you go to the CLI and run this:

    tmm --clientciphers 'DEFAULT'

    this should output all the ciphers (should you be using the DEFAULT cipher string, of course). If you've amended this then amend the command as well.

    Your ClientHello suggests only these two cipher suites are supported: "ECDHE_RSA_WITH_AES_256_GCM_SHA384" and "ECDHE_RSA_WITH_AES_128_GCM_SHA256" - so you need to verify your SSL profile.

    Also see these links for further help: SSL Profiles Part 4 and Troubleshooting SSL/TLS

    Hope this helps,

    N
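
Added example (not part of the original thread, and not F5 or ssldump code): a small parser that pulls the "Unknown value 0x..." cipher suite codes out of ssldump text like the capture above, maps them to their IANA names, and checks them against a set of suites the server side enables. The function names, the sample text and the enabled sets passed in are assumptions made for illustration.

```python
import re

# IANA TLS cipher suite code points that appear in the thread's ClientHello.
IANA_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # signalling value, not a cipher
}
SCSV = 0x00FF

# Constructed sample in the flattened form of the post (random bytes shortened).
SAMPLE = (
    "1 1 1556279563.8027 (0.0006) C>SV3.3(91) Handshake ClientHello Version 3.3 "
    "random[32]= ac f1 6d 22 cipher suites Unknown value 0xc030 "
    "Unknown value 0xc02f Unknown value 0xff compression methods NULL "
    "1 1556279563.8030 (0.0003) S>C TCP RST"
)


def offered_suites(dump):
    """Return one list of cipher suite code points per ClientHello in the text.

    Only suites printed as 'Unknown value 0x....' are collected, which is how
    the ssldump build in the post reports suites it has no name for.
    """
    hellos = []
    for match in re.finditer(r"ClientHello(.*?)compression methods", dump, re.S):
        parts = match.group(1).split("cipher suites", 1)
        if len(parts) < 2:
            continue  # truncated record without a cipher suite list
        hellos.append([int(code, 16) for code in re.findall(r"0x[0-9a-fA-F]+", parts[1])])
    return hellos


def negotiable(codes, enabled):
    """Names of offered suites that are also in `enabled` (a set of IANA names).

    An empty result means the two sides share no suite, so the handshake
    cannot proceed to a ServerHello.
    """
    names = [IANA_NAMES.get(c, "UNKNOWN_0x%04x" % c) for c in codes if c != SCSV]
    return [name for name in names if name in enabled]


if __name__ == "__main__":
    for codes in offered_suites(SAMPLE):
        # Hypothetical server-side set: CBC suites only, no ECDHE GCM.
        print(negotiable(codes, {"TLS_RSA_WITH_AES_128_CBC_SHA"}) or "no shared suite")
```

The `enabled` set has to be built by hand from the profile's cipher list, translated to IANA names; the code does not parse `tmm --clientciphers` output.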