Forum Discussion

mmwolf
Aug 04, 2019

Virtual server unreachable with 3g and 4g only ADSL

Hello Team,

On our production system, we have a virtual server with two nodes. The web site is published on port 443. It was working normally, but 5 days ago it stopped working over 3G and LTE connections, while it works fine over ADSL.

There are no restrictions in the firewall, and when I look at the BIG-IP traffic on this virtual server, I see all IP address ranges reach the VS, but the web site returns ERR_SSL_PROTOCOL_ERR.

The certificate on the virtual server is good when I checked it with SSL Labs.

Protocol profile: Fast Layer 4

Does anyone have any idea?

Thank you

Best regards

8 Replies

  • If the virtual server is a FastL4, then the certificate comes from the pool member - FastL4 is a TCP passthrough with no SSL termination. Any SSL protocol issues are between the pool member and the client.

    Try getting a tcpdump of the traffic between a client and the virtual server, and look at the ClientHello, ServerHello and any Fatal alerts to see who terminates the handshake.

    To me, it sounds like a Certificate Trust issue with mobile clients, but I'd need more data to be sure.

  • mmwolf

    Hello Blakely,

    Please, can you give me the command to use for it?

    Thanks a lot

    Regards

  • mmwolf

    Hello,

    This is the log returned by tcpdump:

    13 2 0.0193 (0.0000) S>C Handshake
       ServerHello
        Version 3.3
        session_id[32]=
         19 55 fc 80 e4 56 e3 6d 73 3b aa 33 a4 0d 09 64
         d3 71 e4 ae 20 15 98 2e c7 11 ca ad 1e b2 99 44
        cipherSuite     TLS_RSA_WITH_AES_256_CBC_SHA
        compressionMethod          NULL
    13 3 0.0193 (0.0000) S>C Handshake
       Certificate
    13 4 0.0193 (0.0000) S>C Handshake
       ServerHelloDone
    13 5 0.1083 (0.0889) C>S Handshake
       ClientKeyExchange
    13 6 0.1083 (0.0000) C>S ChangeCipherSpec
    13 7 0.1083 (0.0000) C>S Handshake
    13 8 0.1099 (0.0016) S>C Alert
      level      fatal
      value      handshake_failure
    13  0.1099 (0.0000) S>C TCP FIN
    13  0.1274 (0.0174) C>S TCP FIN

  • So the server is rejecting the handshake after the ChangeCipherSpec:

    There should be a value (just a number) for the fatal alert.

    What is that?

  • mmwolf

    This is the capture of the error.

    Source: our virtual server on BIG-IP, and destination is the client IP.

    Regards

  • Handshake Failure 40 indicates "No shared ciphers"

    If this is a FastL4 virtual, then the LTM is not part of this conversation, and you will need to look at your server logs to determine why this is occurring.

    It could be that the conversation has selected TLS_RSA_WITH_AES_256_CBC_SHA but the server does not have a RSA signed certificate, or it rejects either RSA or CBC ciphers.

    Can you check a working conversation to see what has been selected there?
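The two pieces of advice in this thread (capture the handshake and see who sends the fatal alert; then compare the failing conversation with a working one) can be automated. The following Python script is an added example written for this page; it is not code from the thread, from F5 or from ssldump. It assumes you have already extracted the raw TLS record bytes of one TCP connection, separately for each direction (for instance from a pcap written with tcpdump on the BIG-IP, which on a FastL4 virtual is a transparent copy of what the client and pool member exchange). It walks the records, names each handshake message, decodes the cipher suites offered by the ClientHello and the one picked by the ServerHello, decodes any Alert into its numeric code and name (40 = handshake_failure), and marks records that follow a side's ChangeCipherSpec as encrypted, which is why ssldump in the thread could not name the C>S Handshake sent just before the server's alert. The sample byte strings at the bottom are constructed for this example; the "failing" pair reproduces the sequence in the posted ssldump and the "working" pair stands in for a conversation from an ADSL client.

```python
import struct

# Record, handshake and alert code points we need (TLS 1.0 to 1.2).
CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
         70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}
SUITES = {0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
          0x009c: "TLS_RSA_WITH_AES_128_GCM_SHA256", 0xc013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
          0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xc030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}


def suite_name(code):
    return SUITES.get(code, "0x%04x" % code)


def parse_hello(hs_type, body):
    """Pull the cipher suites out of a ClientHello (list) or ServerHello (one)."""
    off = 35 + body[34]                      # version(2) + random(32) + session_id(len-prefixed)
    if hs_type == 1:
        n = struct.unpack("!H", body[off:off + 2])[0]
        codes = struct.unpack("!%dH" % (n // 2), body[off + 2:off + 2 + n])
        return {"offered": [suite_name(c) for c in codes]}
    return {"selected": suite_name(struct.unpack("!H", body[off:off + 2])[0])}


def parse_stream(direction, data):
    """Split one direction of a TLS byte stream into records. Once that side has sent
    ChangeCipherSpec its later records are encrypted and are not decoded further."""
    events, off, encrypted = [], 0, False
    while off + 5 <= len(data):
        ctype, _maj, _min, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        off += 5 + length
        kind = CONTENT.get(ctype, "type%d" % ctype)
        ev = {"dir": direction, "msg": kind}
        if encrypted:
            ev["msg"] += " (encrypted)"
        elif kind == "ChangeCipherSpec":
            encrypted = True
        elif kind == "Handshake":
            ev["msg"] = HANDSHAKE.get(body[0], "handshake type %d" % body[0])
            if body[0] in (1, 2):
                ev.update(parse_hello(body[0], body[4:]))   # skip type(1) + length(3)
        elif kind == "Alert":
            ev.update(level="fatal" if body[0] == 2 else "warning",
                      code=body[1], desc=ALERT.get(body[1], "unknown"))
        events.append(ev)
    return events


def diagnose(client_bytes, server_bytes):
    """Report what was offered, what was selected, and which side sent a fatal alert."""
    events = parse_stream("C>S", client_bytes) + parse_stream("S>C", server_bytes)
    offered = next((e["offered"] for e in events if "offered" in e), [])
    selected = next((e["selected"] for e in events if "selected" in e), None)
    fatal = next((e for e in events if e.get("level") == "fatal"), None)
    return {
        "offered": offered,
        "selected": selected,
        "selected_was_offered": selected in offered,
        "fatal_from": None if fatal is None else ("server" if fatal["dir"] == "S>C" else "client"),
        "alert": None if fatal is None else "%d %s" % (fatal["code"], fatal["desc"]),
        "messages": [e["dir"] + " " + e["msg"] for e in events],
    }


# --- constructed sample data (not a real capture) -------------------------------
def record(ctype, body):
    return bytes([ctype]) + b"\x03\x03" + struct.pack("!H", len(body)) + body

def handshake(hs_type, body):
    return record(22, bytes([hs_type]) + len(body).to_bytes(3, "big") + body)

def hello(hs_type, suites):
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, fixed "random", empty session id
    if hs_type == 1:                               # ClientHello: suite list, null compression, no extensions
        body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        body += b"\x01\x00\x00\x00"
    else:                                          # ServerHello: the one chosen suite, null compression
        body += struct.pack("!H", suites[0]) + b"\x00"
    return handshake(hs_type, body)

# Mirrors the ssldump in the thread: RSA/CBC chosen, client sends CCS + encrypted Finished,
# server answers with fatal alert 40.
FAILING_CLIENT = (hello(1, [0x0035, 0x002f]) + handshake(16, b"\x00\x02\xaa\xbb")
                  + record(20, b"\x01") + record(22, b"\x10" * 40))
FAILING_SERVER = (hello(2, [0x0035]) + handshake(11, b"\x00\x00\x00")
                  + handshake(14, b"") + record(21, b"\x02\x28"))

# A working conversation to compare against: ECDHE/GCM agreed, both sides finish, no alert.
WORKING_CLIENT = (hello(1, [0xc030, 0xc02f, 0x0035]) + handshake(16, b"\x00\x02\xaa\xbb")
                  + record(20, b"\x01") + record(22, b"\x10" * 40))
WORKING_SERVER = (hello(2, [0xc030]) + handshake(11, b"\x00\x00\x00") + handshake(12, b"\x00" * 8)
                  + handshake(14, b"") + record(20, b"\x01") + record(22, b"\x10" * 40))

if __name__ == "__main__":
    for label, c, s in (("failing", FAILING_CLIENT, FAILING_SERVER), ("working", WORKING_CLIENT, WORKING_SERVER)):
        print(label, diagnose(c, s))
```

For the failing pair the report says the fatal alert came from the server, names it "40 handshake_failure", and shows that the selected suite was in fact offered by the client, which is exactly the situation the last reply describes: the suite was agreed, and the rejection happened afterwards on the pool member, so the server's own logs are the next place to look. Running it over the two captures side by side shows whether the mobile clients simply offer a different suite list than the ADSL client.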