

Open SSL error - error:140770FC

Hello guys

I have a question. I see in logs:

 Thu Apr 14 07:59:49 CEST 2016 err Epalvslb42 bigd[7154] 01060111 Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
 Thu Apr 14 07:59:49 CEST 2016 err Epalvslb42 bigd[7154] 01060111 Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.
 Thu Apr 14 07:59:54 CEST 2016 err Epalvslb42 bigd[7154] 01060111 Open SSL error - error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol.

How can I check which vip/pool have issues regarding those logs? I can only "shoot" that it can be a vip which has some issues today.

I got a vip on port 82 and a pool on 80.
Vip:
 protocol profile -client standard_tcp_wan...
 protocol profile -server standard_tcp_lan
 HTTP profile none
And SSL profile client is set. No iRules.


Replies to this Discussion


So to start with, you should check the SSL profile on all of your SSL client or server virtual servers.

Ideally, if you have a packet recording tool that collects data over time, you can revert back to the timeframe in which the error occurred.
If you don't have that packet recording tool, I would see if a customer or external client is trying to use a specific cipher that maybe isn't supported. Are you using elliptical curve ciphers? Can you print out the supported cipher strings on your SSL profiles? Perhaps an external customer is trying to use a specific cipher that isn't supported by your SSL profile or BIG-IP version?

You can use:

 openssl s_client -connect your_virtual_server:port -cipher xxxx

Comments on this Reply
Comment made 14-Apr-2016 by slesh 200
Problem solved - there was a wrong health monitor on the pool (https). But what I wanted to know is how exactly I can find out which vip was affected (we went back in the logs to check when this error occurred the first time and we checked what was configured that day). But what when the logs will not have such info after a month, for example?
Comment made 14-Apr-2016 by jgranieri 520
You could always trace the health-check failure or that is throwing errors to find out what pool it's assigned to. Once you know the pool, then you can search your config to find out which VS that particular pool is assigned to.

Hello again. Same issue, but now we are unable to find the pool with the bad monitor: too many pools, and the logs don't reach that far... Does anyone have a good command which can filter it? We were trying:

 list ltm pool one-line | grep -E ':(443|https) .*session monitor-enabled state down.*(Standard_HTTPS)'

with different versions of it, and we found one node which had a bad h monitor, but the problem still persists. Any idea?

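One way to do the filtering asked about above, as an added example that is not from the thread or from F5: the functions parse the text of "list ltm pool one-line" and "list ltm virtual one-line", list members of HTTPS-monitored pools that are not on port 443, and name the virtual servers using a given pool. Assumptions: the one-line layout of the constructed sample, and HTTPS monitors having "https" in their name (as Standard_HTTPS does); the function names are hypothetical.

```shell
# Added example; assumes HTTPS monitors have "https" in their name (e.g. Standard_HTTPS).
# Print "pool member monitor state" for members not on 443/https in HTTPS-monitored pools.
suspect_pools() {
  awk '
    $1 == "ltm" && $2 == "pool" {
      mon = ""; d = 0
      for (i = 4; i <= NF; i++) {            # pass 1: pool-level monitor (brace depth 1)
        if ($i == "{") d++
        else if ($i == "}") d--
        else if (d == 1 && $i == "monitor") mon = $(i + 1)
      }
      if (tolower(mon) !~ /https/) next
      d = 0; sect = ""; member = ""
      for (i = 4; i <= NF; i++) {            # pass 2: walk the members block
        if ($i == "{") d++
        else if ($i == "}") d--
        else if (d == 1) sect = $i
        else if (d == 2 && sect == "members" && $(i + 1) == "{") member = $i
        else if (d == 3 && $i == "state" && member !~ /:(443|https)$/)
          print $3, member, mon, $(i + 1)
      }
    }'
}

# Print virtual servers whose top-level "pool" is $1 (SNAT pools nested deeper are ignored).
vips_for_pool() {
  awk -v pool="$1" '
    $1 == "ltm" && $2 == "virtual" {
      d = 0
      for (i = 4; i <= NF; i++) {
        if ($i == "{") d++
        else if ($i == "}") d--
        else if (d == 1 && $i == "pool") {
          p = $(i + 1); sub(/.*\//, "", p)   # drop any partition prefix
          if (p == pool) print $3
        }
      }
    }'
}

# Constructed sample input (not taken from the thread).
SAMPLE_POOLS='ltm pool app_a_pool { members { 10.1.1.10:80 { address 10.1.1.10 session monitor-enabled state down } } monitor Standard_HTTPS }
ltm pool app_b_pool { members { 10.1.1.20:443 { address 10.1.1.20 session monitor-enabled state up } } monitor Standard_HTTPS }
ltm pool app_c_pool { members { 10.1.1.30:http { address 10.1.1.30 session monitor-enabled state up } } monitor http }'
SAMPLE_VIPS='ltm virtual vs_a_82 { destination 10.2.2.10:82 pool app_a_pool profiles { clientssl { context clientside } } }
ltm virtual vs_b_443 { destination 10.2.2.20:443 pool app_b_pool source-address-translation { pool app_a_pool type snat } }'
printf '%s\n' "$SAMPLE_POOLS" | suspect_pools
printf '%s\n' "$SAMPLE_VIPS" | vips_for_pool app_a_pool
```

A non-443 port is only a hint, since TLS services can listen on other ports; each listed member still has to be checked against what the server actually speaks.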