Forum Discussion
I can submit requests using specific cipher suite(s). Is there a specific cipher suite(s) to send with the request that will prevent/reduce such errors?
if i were you, i would try with a few hardware accelerated ciphers to see if there is any difference.
K13213: SSL algorithms that are hardware accelerated (11.x - 12.x)
https://support.f5.com/csp/article/K13213
- jmetertea_34465, Dec 25, 2017, Nimbostratus
We tried changing web acceleration profiles but still got the same issue. Are there specific settings that can help?
- nitass, Dec 25, 2017, Employee
how come it became web acceleration? i thought you were getting ssl handshake failure.
- jmetertea_34465, Dec 25, 2017, Nimbostratus
My mistake. About the link you posted: my platform is Z100, which is not found in the link. Can you advise which SSL algorithms are relevant to the Z100 platform?
- nitass, Dec 25, 2017, Employee
Z100 is virtual edition, isn't it? in that case, K13213 won't help.
not sure if logging reset cause is helpful. have you tried it?
K13223: Configuring the BIG-IP system to log TCP RST packets
- jmetertea_34465, Dec 25, 2017, Nimbostratus
It's virtual, we don't log TCP so I don't think it's relevant
- boneyard, Dec 26, 2017, MVP
nitass is (i assume) suggesting you enable logging TCP resets so you might be able to find the cause of the failed handshakes in the log of the F5.
- jaikumar_f5, Dec 27, 2017, MVP
boneyard, can the TCP RST cause logging be controlled by any parameter (like source, or a time limit after capturing a few TCP RSTs)? The reason I'm asking is that the OP is performing a load test, and if he enables the RST logging, he's going to/may capture a lot of RST failures, which may be very resource-consuming and cause performance issues.
Also, would SSL debugging help here?
tmsh modify /sys db log.ssl.level value Debug
- boneyard, Dec 27, 2017, MVP
no i don't believe so, although you can send the cause in the tcp reset packet, that would cause less logging at least.
but as you can see in the K article they warn about load and such.
the same will be for putting log.ssl.level to debug.
that is kinda an annoying issue when things fail during a load test, debugging causes more load so ...
you might conclude the cause is the load, does this happen quite early or? if you have doubts about that you probably need to involve support to direct your testing.