
CloudFlare 525 Errors - f5 fix?

I recently started routing assets called via https through Cloudflare, a proxy service, amongst other things.

I have an interesting issue where, once I did that, I saw that around 1% of browser requests get presented with a "525" Cloudflare SSL handshake error (their generated error), which seems to have this issue calling our origin some 0.5-1.0% of the time. We did a bunch of packet captures - while it's ongoing at this time, I'm curious if other folks have run into an issue like this, and if any setting on their F5 might have helped fix it.

I tried a few things like:
  • increasing the SSL handshake timeout in my SSL profile
  • enabling "no session resumption on renegotiation" in my SSL profile

All they tell me is to check my F5 for any settings that might account for why this happens (the RST/reset messages seen in the SSL streams in the packet captures). I see stories all over the internet about various "fixes" when someone starts using Cloudflare. But many are related to something not working 100% of the time, and in my case, it's around a 1% error rate.

I have an issue with Cloudflare presenting around 1% of client browser requests with this 525. On our end, we have a public IP NATed to an internal VIP configured for SSL, with an SSL profile and the certificate applied to the VIP itself - so SSL terminates right on the F5 device. The requests then flow to a pool of proxy servers running nginx, but by that time, there's no encrypted traffic. I've got a PAN firewall in front of the F5s.

I've spent a lot of time trying to resolve this over the last week, including a ticket with F5 that hasn't yet revealed anything. I'm appealing to DevCentral to try and find someone who might have dealt with this strange problem. The hard part is the frequency - it's enough of an error rate that it needs fixing.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Basic questions:

  1. Have you verified that the SSL cipher suites between Cloudflare and the F5 are compatible?
  2. SNI enabled/disabled?
  3. Have you tested with SSL terminating directly on the server(s) or a test server?
  4. Any weird logs on the F5?
  5. Did this error exist since the initial setup, or was it noticed recently after a change like a code upgrade/downgrade?
0
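Questions 1 and 2 above (cipher compatibility and SNI) can be answered from the origin side without waiting on a capture. The following is an added example, not code from the thread or from F5: a small handshake probe that connects to the origin VIP with and without SNI and with TLS 1.2 pinned versus the client's default window, and reports the negotiated version and cipher or the handshake error. The `ORIGIN_HOST` value is a placeholder to replace with your own VIP; certificate verification is turned off on purpose because the question is whether the handshake completes, not whether the chain is trusted.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Placeholder origin (constructed); point this at your own VIP/public name.
ORIGIN_HOST = "origin.example.invalid"
ORIGIN_PORT = 443


@dataclass
class ProbeResult:
    sni: Optional[str]
    min_version: ssl.TLSVersion
    max_version: ssl.TLSVersion
    ok: bool
    negotiated: Optional[str] = None   # e.g. "TLSv1.2"
    cipher: Optional[str] = None       # e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    error: Optional[str] = None        # "ssl: ..." or "socket: ..." on failure


def probe_tls(host, port, sni=None,
              min_version=ssl.TLSVersion.TLSv1_2,
              max_version=ssl.TLSVersion.MAXIMUM_SUPPORTED,
              timeout=5.0):
    """Attempt one TLS handshake with the given SNI and version window.

    Returns a ProbeResult and never raises, so a matrix of probes can be run
    in one go and compared. Verification is disabled deliberately: we are
    testing whether the server completes the handshake at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    result = ProbeResult(sni, min_version, max_version, ok=False)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname=None sends no SNI extension at all.
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                result.ok = True
                result.negotiated = tls.version()
                result.cipher = tls.cipher()[0]
    except ssl.SSLError as e:
        # e.reason is OpenSSL's short reason, e.g. "SSLV3_ALERT_HANDSHAKE_FAILURE"
        result.error = "ssl: " + (e.reason or str(e))
    except OSError as e:
        result.error = "socket: " + str(e)
    return result


def probe_matrix(host, port, names) -> List[ProbeResult]:
    """Run the handshake without SNI and with each SAN name, each once with
    TLS 1.2 pinned and once with the default (1.2 up to the newest supported)
    window. A VIP that only fails in some cells points at an SNI or version
    dependent problem rather than a blanket cipher mismatch."""
    results = []
    for sni in [None] + list(names):
        for lo, hi in [(ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
                       (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.MAXIMUM_SUPPORTED)]:
            results.append(probe_tls(host, port, sni=sni, min_version=lo, max_version=hi))
    return results


if __name__ == "__main__":
    # The three SAN names on the cert go here (constructed placeholders).
    for r in probe_matrix(ORIGIN_HOST, ORIGIN_PORT, ["www.example.invalid"]):
        status = f"{r.negotiated} {r.cipher}" if r.ok else r.error
        print(f"sni={r.sni!s:<22} {r.min_version.name}-{r.max_version.name}: {status}")
```

Run it a few hundred times in a loop if the failure is intermittent, as it is in this thread; a handful of `ssl:` failures among otherwise identical probes is the same symptom Cloudflare reports as 525, and the reason string tells you whether the origin refused the handshake or the connection was reset underneath it.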
  1. The cipher suites are compatible. I made comparisons and even matched CF's entire list and applied it to the F5s. It didn't change the error condition.

  2. SNI isn't being used; rather, none of the checkboxes or the server name field have any data. As an FYI, there are 3 websites/domains that go to this VIP, but they share one SSL cert with all 3 domain names in it. The cert I'm using does have all 3 domain names (SAN) in it.

  3. Yes and no. I tried, but the nginx proxy isn't configured to handle that SSL traffic and would require other resources to do it, which I can do if necessary.

  4. There are some weird logs on the F5 that I see, but they don't seem to correlate with the 525s.

0
Comments on this Answer
Comment made 16-Feb-2017 by cf_525_pain 13

I actually split up the sites into 3 VIPs (all using the same SSL profile settings, but I created 3 separate SSL client profiles) - specifically so that I could change up any SSL profile settings that were suggested and only impact one site at a time (the least important one).

0
Comment made 16-Feb-2017 by cf_525_pain 13
  5. I noticed it right away. We actually saw a browser display that 525 error, then had trouble repro'ing it... it happens on less than 1% of requests. But I have Catchpoint; I see a few of them in those automated tests each day and many on the Cloudflare dashboard. So this could simply be exposing a preexisting condition that now manifests in a browser error. But I wasn't seeing basic website tests fail just trying to hit an HTTPS page, like this one does at times.
0

Connection error: ssl_select_suite:6737: TLS_FALLBACK_SCSV with a lower protocol (86)
Connection error: ssl_passthru:4015: not SSL (40)
No shared ciphers between SSL peers 141.212.122.129.31995:10.20.223.37.443.
Connection error: ssl_null_parse:3103: record protocol version incorrect (47)

0
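The four ltm log messages above are the "weird logs" question 4 asked about, and the useful step is to count them by category over a day of logs and see whether any peer keeps turning up, rather than eyeballing single lines. The following is an added example, not from the thread or from F5: a parser that classifies these BIG-IP SSL messages and extracts the peer addresses from the "No shared ciphers" form. The sample input is the four lines quoted above, with the usual timestamp/hostname prefix already stripped as they appear on the page; the category meanings in the comments are this example's interpretation of the messages, not text from the page.

```python
import re
from collections import Counter

# Constructed sample: the four messages quoted in the answer above.
SAMPLE_LOG = """\
Connection error: ssl_select_suite:6737: TLS_FALLBACK_SCSV with a lower protocol (86)
Connection error: ssl_passthru:4015: not SSL (40)
No shared ciphers between SSL peers 141.212.122.129.31995:10.20.223.37.443.
Connection error: ssl_null_parse:3103: record protocol version incorrect (47)
"""

# "Connection error: <function>:<line>: <message> (<code>)"; search() so a
# leading syslog timestamp/host prefix does not matter.
CONN_ERR = re.compile(
    r"Connection error: (?P<func>\w+):(?P<line>\d+): (?P<msg>.+?) \((?P<code>\d+)\)\s*$")
# "No shared ciphers between SSL peers <src_ip>.<src_port>:<dst_ip>.<dst_port>."
NO_SHARED = re.compile(
    r"No shared ciphers between SSL peers "
    r"(?P<src_ip>\d+(?:\.\d+){3})\.(?P<src_port>\d+):"
    r"(?P<dst_ip>\d+(?:\.\d+){3})\.(?P<dst_port>\d+)")

# Interpretation of the messages (this example's reading, not from the page):
CATEGORIES = {
    # Client set TLS_FALLBACK_SCSV while offering a version below its best; the
    # server supports a higher one and refuses (RFC 7507). That means an
    # earlier, higher-version handshake from this client did not complete.
    "TLS_FALLBACK_SCSV with a lower protocol": "fallback_scsv",
    # Bytes on the HTTPS port were not a TLS record (plaintext or junk).
    "not SSL": "not_tls",
    # TLS record header carried a version the profile does not accept.
    "record protocol version incorrect": "bad_record_version",
}


def parse_line(line):
    """Return a record dict for a recognised SSL log message, else None."""
    m = CONN_ERR.search(line)
    if m:
        return {"category": CATEGORIES.get(m.group("msg"), "other_connection_error"),
                "func": m.group("func"), "code": int(m.group("code")), "peer": None}
    m = NO_SHARED.search(line)
    if m:
        # Cipher/protocol mismatch with one specific peer: src is the client
        # side (here something talking to the VIP), dst is the VIP.
        return {"category": "no_shared_ciphers", "func": None, "code": None,
                "peer": (m.group("src_ip"), int(m.group("src_port")),
                         m.group("dst_ip"), int(m.group("dst_port")))}
    return None


def summarize(text):
    """Count messages per category and collect the peers that had no shared
    ciphers, so they can be checked against Cloudflare's published ranges."""
    counts = Counter()
    peers = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["category"]] += 1
        if rec["peer"]:
            peers.append(rec["peer"])
    return {"counts": dict(counts), "no_shared_cipher_peers": peers}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for cat, n in sorted(s["counts"].items()):
        print(f"{cat:<24} {n}")
    for src_ip, src_port, dst_ip, dst_port in s["no_shared_cipher_peers"]:
        print(f"no shared ciphers: {src_ip}:{src_port} -> {dst_ip}:{dst_port}")
```

Feed it `/var/log/ltm` over the window in which Cloudflare reported 525s. If the `no_shared_cipher_peers` sources are Cloudflare edge addresses the mismatch is between Cloudflare and the profile; if they are unrelated scanners, those lines are noise and the 525s come from somewhere else, which is what the original poster suspected when saying the logs did not correlate.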

Hi cf_525_pain!

Did you manage to solve the problem?

For several days I have had the same problem in my infrastructure, with Cloudflare in between and SSL terminating right on the F5 too.

Regards.

0

Same exact scenario here. Anyone have a fix?

0

Still having the issue. No help from F5 or Cloudflare.

0
Comments on this Answer
Comment made 20-Feb-2018 by Daniel Varela 701

Have you ever checked on your firewall? In my case App-ID was messing with my application (it wasn't SSL but HTTP). What I did was disable App-ID and just allow access on port 443; you don't actually need App-ID for inbound traffic.

0
Comment made 21-Feb-2018 by JQB 19

That's precisely what I am looking at now, thanks for the feedback. So you disabled App-ID for the "web-browsing" application in the PA?

0
Comment made 21-Feb-2018 by Daniel Varela 701

Yes, but that was because my application was HTTP; in your case I assume it should be SSL. You need to make your PAN look only at the TCP port and nothing else.

0
Comment made 21-Feb-2018 by JQB 19

Yes, SSL in my case (as well as HTTP). I am currently using the "ssl" and "web-browsing" applications with "application-default". I may just switch to service ports, as you mentioned.

0
Comment made 21-Feb-2018 by Daniel Varela 701

I hope this works for you :)

0
Comment made 30-Apr-2018 by JQB 19

No dice. The errors are still occurring. We're working with our ISP, Palo Alto, F5 and Cloudflare, but no smoking gun so far.

0

I have a virtual server created with many websites hosted on it. It has one public IP assigned to it and is NATed to a private IP. The websites are accessible via HTTP and HTTPS. However, one website uses Cloudflare, and we experience an error with Cloudflare (error 521). I have whitelisted the Cloudflare IP addresses on the F5 via Network ›› Packet Filters : Rules

I am running software version 12.1.3

We no longer have blocking in either the F5 or the internal server. This only occurs with websites that have Cloudflare configured. Is there anything I can check between the F5 and Cloudflare?

I have tried applying an iRule that redirects traffic to see if the traffic from Cloudflare IPs is really reaching the F5. Sometimes it does redirect, but most of the time it serves error 521 immediately.

0
Comments on this Answer
Comment made 1 month ago by Philippe Page 193

Can anyone provide an insight regarding this issue? Anything will do. Thank you.

0
Comment made 1 month ago by Vijay 4910

Throwing a few options:

You said there is no other blocking in place. So, no packet filters on the F5 or any intermediate device?

When you run a tcpdump, do you see any RST/FIN from the F5 or from the pool member to the Cloudflare IP?

Have you tried using a OneConnect profile?

0
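The tcpdump question above is the one that settles where a 521/525 comes from: whoever sends the RST (the F5 itself, the pool member, or the firewall spoofing one) is the component to look at. The following is an added example, not from the thread, F5 or Cloudflare: it reads `tcpdump -nn` text output, counts RST and FIN segments per sending address, and separately flags connections where the VIP reset the client right after the client's first payload (the ClientHello) without ever sending data back, which is the pattern a 525 at the edge would show. The capture lines are constructed; the VIP address reuses the 10.20.223.37:443 endpoint from the log excerpt earlier in the thread, and the 198.51.100.x / 192.0.2.x addresses are documentation ranges standing in for Cloudflare edges and a pool member.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn` format (no real capture). Connection 1:
# client sends a 299-byte payload, VIP answers with RST. Connection 2: VIP
# closes cleanly with FIN. Line 7: a pool member resets the VIP's server-side
# connection (different direction, different cause).
SAMPLE_TCPDUMP = """\
10:01:02.000001 IP 198.51.100.10.51234 > 10.20.223.37.443: Flags [S], seq 100, win 65535, length 0
10:01:02.000120 IP 10.20.223.37.443 > 198.51.100.10.51234: Flags [S.], seq 200, ack 101, win 4380, length 0
10:01:02.000300 IP 198.51.100.10.51234 > 10.20.223.37.443: Flags [P.], seq 101:400, ack 201, win 65535, length 299
10:01:02.000450 IP 10.20.223.37.443 > 198.51.100.10.51234: Flags [R.], seq 201, ack 400, win 0, length 0
10:01:03.000001 IP 198.51.100.11.40000 > 10.20.223.37.443: Flags [S], seq 300, win 65535, length 0
10:01:03.000500 IP 10.20.223.37.443 > 198.51.100.11.40000: Flags [F.], seq 400, ack 301, win 4380, length 0
10:01:04.000001 IP 192.0.2.5.80 > 10.20.223.37.33000: Flags [R], seq 1, win 0, length 0
"""

PKT = re.compile(r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
                 r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
LEN = re.compile(r"length (?P<len>\d+)")


def teardown_by_sender(text, peer_of_interest=None):
    """Count RST and FIN segments per source address. With peer_of_interest
    set (e.g. a Cloudflare edge IP), only packets to or from it are counted,
    which answers "who is tearing down connections with Cloudflare?"."""
    out = defaultdict(lambda: {"RST": 0, "FIN": 0})
    for line in text.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        if peer_of_interest and peer_of_interest not in (m.group("src"), m.group("dst")):
            continue
        flags = m.group("flags")          # tcpdump letters: S, F, R, P, "." = ACK
        if "R" in flags:
            out[m.group("src")]["RST"] += 1
        if "F" in flags:
            out[m.group("src")]["FIN"] += 1
    return {ip: c for ip, c in out.items() if c["RST"] or c["FIN"]}


def resets_after_client_data(text, server_ip):
    """Return (client_ip, client_port) for connections where server_ip sent a
    RST after receiving client payload but before sending any payload itself.
    For a TLS VIP that is "reset on ClientHello", the fingerprint of a 525."""
    state = {}   # (client_ip, client_port) -> bytes seen each way
    hits = []
    for line in text.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        n = LEN.search(line)
        length = int(n.group("len")) if n else 0
        src, sport, dst, dport, flags = (m.group("src"), int(m.group("sport")),
                                         m.group("dst"), int(m.group("dport")),
                                         m.group("flags"))
        if dst == server_ip:
            st = state.setdefault((src, sport), {"client": 0, "server": 0})
            st["client"] += length
        elif src == server_ip:
            st = state.setdefault((dst, dport), {"client": 0, "server": 0})
            if "R" in flags and st["client"] > 0 and st["server"] == 0:
                hits.append((dst, dport))
            st["server"] += length
    return hits


if __name__ == "__main__":
    for ip, c in sorted(teardown_by_sender(SAMPLE_TCPDUMP).items()):
        print(f"{ip:<16} RST={c['RST']} FIN={c['FIN']}")
    for client in resets_after_client_data(SAMPLE_TCPDUMP, "10.20.223.37"):
        print("VIP reset after client data from", client)
```

Capture on the F5 with `tcpdump -nni 0.0 host <cloudflare-edge-ip> and port 443` and pipe the text into this script; if the resets originate from the VIP address, the next step is the F5 SSL profile and logs, and if a pool member or the firewall is the sender, the problem is behind or in front of the F5 rather than in it.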
Comment made 1 month ago by boneyard 5579

another idea would be to contact F5 support, this is an issue which pops up from time to time, so they might already have some ideas.

0