server-side ssl not negotiating

Can you have a look to a pcap with wireshark to see any usefull debug info ? as well you have some statistics in SSL profiles on the big-ip which could help to understand the type of error.

Hi Arnaud,

Wiresharks show that when the server is accessed through the VS, it immediately responds to the ssl handshake with a TCP reset. The server logs (Windows 2008) show the same thing. Unfortunately, I do not know how to find the reason for the reset. The odd thing is, you can go directly to the server no problem. Also https monitors are having no problem. I have set the server-side ssl profile cipher list to 'ALL'.

If you could point me in the right direction, I will look at the SSL profile statistics. In the GUI, I have found the Server SSL statistics, but have not yet discovered how to narrow it down to the SSL profile of interest.

At first I thought this looked like an asymmetrical routing issue, but I have ruled that out. BTW, I can put other HTTPS servers in this pool, and they work just fine. So I think that there is something with this set of servers that is the problem. Just knowing the reason for the handshake refection would be a tremendous step forward. Thanks you for your help.

I found the individual server ssl stats in TMSH. Unfortunately, it only tallies the handshake failures - does not give any clue as to the reason.

I made the server-side SSL profile cipher string = 'TLSv1' only and that made it work.

This is because Windows 2008 no R2 doesn't understand TLSv1.2 handshake initiation and it never allows it to negotiate down to TLSv1.

I made the server-side SSL profile cipher string = 'TLSv1' only and that made it work.

This is because Windows 2008 no R2 doesn't understand TLSv1.2 handshake initiation and it never allows it to negotiate down to TLSv1.