
David_M
Jul 07, 2019

SSL Debug doesn't give any details

I am getting SSL handshake failures for a basic 443 VIP with a client SSL profile.

root@(bigip2)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list sys db log.ssl.level
sys db log.ssl.level {
  value "Debug"
}

The debug is enabled, but the LTM logs do not have any extra info about the handshake failure reason.

Jul 7 13:48:13 bigip2 info tmm4[12766]: 01260013:6: SSL Handshake failed for TCP 172.22.200.113:5511 -> 10.1.61.62:443

Thanks for your time!

12 Replies

  • Hello David.

    I recommend you to disable "generic alert" in the ssl profile (client/server) to see more details.

    KR,

    Dario.

    • David_M

      Did it; it still shows nothing, unlike what the KB article says it should.

      It's just that single line of SSL handshake failure and the cipher info which I log with iRules:

      Jul  8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: caca,1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a
      Jul  8 12:18:10 bigip2 info tmm6[12766]: 01260013:6: SSL Handshake failed for TCP 172.22.200.113:33589 -> 10.1.61.62:443
      Jul  8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
      Jul  8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: 2a2a,1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a
      Jul  8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
      • Which KB article are you talking about? Also, which version are you talking about?
        You can take a packet capture with generic-alert turned off like DavidMas advised and decrypt the capture on Wireshark.
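To make the hex cipher IDs in the iRule log lines quoted earlier in this thread easier to reason about while debugging a failed handshake, here is a small added Python script (not from the thread, and not F5 code) that parses those quoted log lines, separates GREASE placeholder values (RFC 8701) from real cipher suites, and checks the offered suites against a VIP cipher list that is an assumption here.

```python
import re
from collections import defaultdict

# Sample input: the tmm/iRule lines quoted in this thread, embedded here as test data.
SAMPLE_LOG = """\
Jul  8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: caca,1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a
Jul  8 12:18:10 bigip2 info tmm6[12766]: 01260013:6: SSL Handshake failed for TCP 172.22.200.113:33589 -> 10.1.61.62:443
Jul  8 12:18:10 bigip2 info tmm5[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
Jul  8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENT_DATA>: Client: 172.22.200.113 attempts SSL with ciphers: 2a2a,1301,1302,1303,c02b,c02f,c02c,c030,cca9,cca8,c013,c014,009c,009d,002f,0035,000a
Jul  8 12:18:10 bigip2 info tmm4[12766]: Rule /Common/track-ssl-hs <CLIENTSSL_HANDSHAKE>: Client: 172.22.200.113 successfully negotiates ECDHE-RSA-AES256-GCM-SHA384
"""

ATTEMPT_RE = re.compile(r"Client: (\S+) attempts SSL with ciphers: ([0-9a-f,]+)")
FAIL_RE = re.compile(r"SSL Handshake failed for TCP (\d+\.\d+\.\d+\.\d+):\d+ ->")
OK_RE = re.compile(r"Client: (\S+) successfully negotiates (\S+)")

# GREASE cipher values (RFC 8701) are 0x0a0a, 0x1a1a, ..., 0xfafa: browsers insert them
# at random, so they are never a real suite and must not count as an "offered" cipher.
GREASE = {f"{b:02x}{b:02x}" for b in range(0x0a, 0x100, 0x10)}


def is_grease(suite_hex):
    return suite_hex.lower() in GREASE


def analyze(log_text, vip_ciphers):
    """Per client IP: real offered suites, GREASE seen, failures, negotiated ciphers,
    the overlap with the VIP's configured suites (assumed list, hex IDs) and a flag
    for clients that offer only TLS 1.3 suites (0x13xx), which fail against a
    TLS 1.2-only VIP."""
    stats = defaultdict(lambda: {"offered": set(), "grease": set(), "failed": 0, "negotiated": []})
    for line in log_text.splitlines():
        if m := ATTEMPT_RE.search(line):
            ip, suites = m.group(1), m.group(2).lower().split(",")
            for cs in suites:
                (stats[ip]["grease"] if is_grease(cs) else stats[ip]["offered"]).add(cs)
        elif m := FAIL_RE.search(line):
            stats[m.group(1)]["failed"] += 1
        elif m := OK_RE.search(line):
            stats[m.group(1)]["negotiated"].append(m.group(2))
    for s in stats.values():
        s["overlap"] = sorted(s["offered"] & {c.lower() for c in vip_ciphers})
        s["tls13_only"] = bool(s["offered"]) and all(cs.startswith("13") for cs in s["offered"])
    return dict(stats)


if __name__ == "__main__":
    # Assumed VIP cipher list (hex IDs); replace with the profile's actual suites.
    for ip, s in analyze(SAMPLE_LOG, ["c030", "c02f", "009d"]).items():
        print(ip, "failed:", s["failed"], "overlap:", s["overlap"], "grease:", sorted(s["grease"]))
```

An empty "overlap" list for a client that also shows handshake failures points at a cipher or protocol mismatch rather than a certificate problem, which is worth checking before going to a decrypted packet capture.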