NimbostratusHello All,
We have added our webserver to F5 and attached it to Virtual server. We can see Local traffic data in Statistics for the Pool.
But we are getting SSL Handshake failed for TCP x.x.x.x:80 -> x.x.x.x:443. (This is for Webserver and F5 BIG-IP)
Could you please let us know the troublehsooting steps to clear this.
Your assist will be of great help to us.
Thanks
Archana
Cumulonimbusis that client side or server side?
i suggest you capture the tcpdump in f5 then open it in wireshark to see the ssl session setup flow.
usually it happens due to cipher no match between ssl client and ssl server
MVPWhere as the answer can almost always be found in a packet capture, 99% of the time it will be faster to understand what is expected to happen, what the configuration is, and what it actually happening via the normal logs on both the f5 and the backend server.
First clue: tcp:80 ----> :443 SSL handshake failed.
Knowing you cant pass clear case traffic to an encrypted backend and expect the SSL handshake to function. You will need to dive deep into your actual config.
I like to think of the VIP - The LISTEN - as the left side of the equation.
a. - are you listening on port 80, port 443, both or other?
b. - is there a redirect at the f5 or the server in place to move you to another port?
c. - Are there a SSL certificates on the VIP(s)? Client side / server side?
d. - are there any policies or irule in place? if so what is their purpose
On the Pool, translate , backend server, right side of the equation.
a. - what is the service port ? 80, 443, other?
b. -how many members are in the pool?
c. -what kind of monitor are you useing? ICMP - and TCP - are lower quality monitors and should be used sparingly, a HTTP/HTTPS monitor is better, however they will not provide the best detail. Going with a customer monitor that checks for a recv string is usually best.
d. - Have you tried doing a curl to all of the backend nodes? Is the output the same or differnt? use -ivk switches
e. - checking the output of curl - or the server itself, is there a valid cert bound to the port?
f. - if curl fails - can you telnet to the port?
------------------------------------------------------------------------
more details of your actual config would be necessary to provide better troubleshooting. If i were to take a blind stab at the problem, you are listening on port 80 (left) and translating to port 443 (right) , its likely that you dont have "serverssl" or other profile configured to handle the server side encryption.
NimbostratusHello,
Thank you for all the steps mentioned. I have created a SSL Traffic certificate and added it to our website. Still getting SSL handshake failed between Website and F5.
Also we have "serverssl" configured in our Virtual IP.
Could you please let us know how to disable the SSL certificate check from F5 BIG-IP and Webserver?
Your assist will be of great help to us.
Thanks
Muthu Mahadevan
AltostratusHi Muthu,
Have you try to use server-insecure-compatible SSL profile (Server) at the server side?