Blue_whale
Oct 27, 2021

SSL Handshake failed between F5 and backend server

Hi Team,

We have an issue accessing the URL test-dev-01.example.com via F5 VIP, but direct access to server one-test-dev.trading.net is working fine.

Error: "connection reset"

Please find the VIP configuration details below…

Please advise if anyone has faced similar issues or possible root cause…

Thank you.

VIP: 10.128.10.5

URL: test-dev-01.example.com

Port: 443

VIP has HTTP profile, Client SSL profile, Server SSL profile, no default pool (redirection to pool via policy), no persistence profiles.

Policy/iRule:

HTTP Host host is 'test-dev-01.example.com' at request time.

1. Replace HTTP Host with value 'one-test-dev.trading.net' at request time.

2. Forward traffic to pool '/Common/P_one-test-dev.trading.net' at request time.

SSL handshake error message (100.19.10.10 is the backend server, 10.10.10.250 is the SNAT IP):

Oct 26 11:20:53 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:11158

Oct 26 11:20:53 bigip-test-f5.com warning tmm3[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1955

Oct 26 11:21:23 bigip-test-f5.com warning tmm6[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:18610

Oct 26 11:22:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:58704

Oct 26 11:22:50 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1303

Oct 26 11:27:23 bigip-test-f5.com warning tmm4[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:5403

Oct 26 11:29:08 bigip-test-f5.com warning tmm1[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:23029

Oct 26 11:37:24 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:48470

[root@bigip-test-f5.com:Active:Standalone] config # curl -kvv https://test-dev-01.example.com

* Rebuilt URL to: https://test-dev-01.example.com/

* Trying 10.128.10.5...

* Connected to test-dev-01.example.com (10.128.10.5) port 443 (#0)

* ALPN, offering h2

* ALPN, offering http/1.1

* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH

* successfully set certificate verify locations:

* CAfile: /etc/pki/tls/certs/ca-bundle.crt

CApath: none

* TLSv1.2 (OUT), TLS header, Certificate Status (22):

* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):

* TLSv1.2 (IN), TLS handshake, Certificate (11):

* TLSv1.2 (IN), TLS handshake, Server key exchange (12):

* TLSv1.2 (IN), TLS handshake, Server finished (14):

* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

* TLSv1.2 (OUT), TLS change cipher, Client hello (1):

* TLSv1.2 (OUT), TLS handshake, Finished (20):

* TLSv1.2 (IN), TLS change cipher, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Finished (20):

* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

* ALPN, server did not agree to a protocol

* Server certificate:

* subject: C=IN; ST=IDV; L=INDIA; O=EXAMPLE; OU=IT; CN=*.example.com; emailAddress=globalitteam@EXAMPLE.com

* start date: Jul 30 12:10:00 2020 GMT

* expire date: Nov 1 12:10:00 2022 GMT

* issuer: DC=EXAMPLE; DC=atlas; CN=Atlas Issuing CAv2 1

* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

> GET / HTTP/1.1

> Host: test-dev-01.example.com

> User-Agent: curl/7.47.1

> Accept: */*

>

* SSL read: error:00000000:lib(0):func(0):reason(0), errno 104

* Closing connection 0
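
An added example, not part of the original post: a short Python summary of the 01260013 "SSL Handshake failed" messages quoted above, grouping them by endpoint pair so it is visible at a glance whether every failure involves the same two addresses. The sample lines are constructed in the format of the log above, and the function and field names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: three lines in the format of the post's tmm messages,
# plus one constructed unrelated line that the parser must skip.
SAMPLE_LOG = """\
Oct 26 11:20:53 bigip-test-f5.com warning tmm[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:11158
Oct 26 11:20:53 bigip-test-f5.com warning tmm3[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:1955
Oct 26 11:21:23 bigip-test-f5.com warning tmm6[21070]: 01260013:4: SSL Handshake failed for TCP 100.19.10.10:443 -> 10.10.10.250:18610
Oct 26 11:22:01 bigip-test-f5.com info sshd[4242]: constructed unrelated line
"""

# Matches only message 01260013 as it appears in the post's log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+\s(?P<tmm>tmm\d*)\[\d+\]:\s"
    r"01260013:\d+:\s+SSL Handshake failed for TCP\s"
    r"(?P<left>[\d.]+:\d+)\s->\s(?P<right_ip>[\d.]+):(?P<right_port>\d+)"
)


def summarize(log_text):
    """Group handshake failures by (left endpoint, right IP) as logged."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "tmms": Counter(), "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a 01260013 handshake-failure line
        g = groups[(m["left"], m["right_ip"])]
        g["count"] += 1
        g["first"] = g["first"] or m["ts"]   # timestamp of first failure seen
        g["last"] = m["ts"]                  # timestamp of latest failure seen
        g["tmms"][m["tmm"]] += 1             # which TMM instance logged it
        g["ports"].add(int(m["right_port"])) # ephemeral ports on the right side
    return dict(groups)


if __name__ == "__main__":
    for (left, right_ip), g in summarize(SAMPLE_LOG).items():
        print(f"{left} -> {right_ip}: {g['count']} failures, "
              f"{g['first']} to {g['last']}, "
              f"{len(g['ports'])} distinct ports, TMMs {sorted(g['tmms'])}")
```

The poster identifies 100.19.10.10 as the backend and 10.10.10.250 as the SNAT address, so a single group in the output means every logged failure is on the leg between the BIG-IP and that one backend.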

4 Replies

  • Hi ck_Bengre,

    Can you try sending a curl request to the server from the F5 command line?

    curl -kv "https://100.19.10.10" -H "Host: one-test-dev.trading.net"
    • Blue_whale

      I have to request our client team to execute this command. Can you please tell me what is expected from this command?


      • Enes_Afsin_Al

        If the command returns an SSL error, there may be an SNI problem.

        https://support.f5.com/csp/article/K41600007

        If the command returns page content, can you try changing the server SSL profile to serverssl-secure?