Forum Discussion

Matt_Kivela
Jul 31, 2017

Log client IP with ssl handshake failure?

BIG-IP v12.1.2 (Build 1.0.271)

One of the new features is to automatically log SSL Handshake Failures, which sounded great.

When I tested it this was the entry made in /var/log/ltm:

Jul 31 08:32:39 tm2-ma-qaappsdmz warning tmm[17995]: 01260009:4: Connection error: ssl_hs_rxhello:7429: unsupported version (40)

That is not particularly helpful because it doesn't tell me who is failing so I can contact them to upgrade their side, just that some client has failed.

Is there a way to enable, in the default logging of handshake failures, the client IP?

7 Replies

  • If you want to see source IP, you need to configure Info or Debug level for SSL. System > Logs > Configuration > SSL. Once it is enabled you will see a message similar to this in the ltm file:

     

    SSL Handshake failed for TCP 192.168.174.16:49678 -> 192.168.33.72:443

     

    After troubleshooting your problem, it is recommended to disable debug logging. Please check: https://support.f5.com/csp/article/K15292
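With Info-level SSL logging enabled as described in the reply above, the per-connection lines in /var/log/ltm can be tallied by client IP to see which systems need to be contacted. The script below is an added example, not part of the original thread; it assumes the "Connection error" reason line is written by the same tmm process just before the matching "SSL Handshake failed" line, and every sample line except the first is constructed.

```python
import re
import sys
from collections import Counter, defaultdict

# The message quoted in the reply above; the syslog prefix is not relied on.
HS_FAILED = re.compile(
    r"SSL Handshake failed for TCP (?P<client>\S+):\d+ -> (?P<vip>\S+:\d+)")
# The reason line from the original post, e.g. "unsupported version (40)".
CONN_ERROR = re.compile(r"Connection error: \S+ (?P<reason>.+)$")
TMM_PID = re.compile(r"tmm\d*\[(\d+)\]")

# First line is the entry from the original post; the rest are constructed.
SAMPLE = [
    "Jul 31 08:32:39 tm2-ma-qaappsdmz warning tmm[17995]: 01260009:4: "
    "Connection error: ssl_hs_rxhello:7429: unsupported version (40)",
    "Jul 31 08:32:39 tm2-ma-qaappsdmz info tmm[17995]: "
    "SSL Handshake failed for TCP 192.168.174.16:49678 -> 192.168.33.72:443",
    "Jul 31 08:33:02 tm2-ma-qaappsdmz warning tmm[17995]: 01260009:4: "
    "Connection error: ssl_hs_rxhello:7429: unsupported version (40)",
    "Jul 31 08:33:02 tm2-ma-qaappsdmz info tmm[17995]: "
    "SSL Handshake failed for TCP 192.168.174.16:49702 -> 192.168.33.72:443",
    "Jul 31 08:34:10 tm2-ma-qaappsdmz info tmm1[17996]: "
    "SSL Handshake failed for TCP 192.168.174.20:51000 -> 192.168.33.72:443",
]

def summarize(lines):
    """Return {client_ip: Counter({(vip, reason): count})}."""
    last_reason = {}                 # tmm pid -> latest unclaimed reason
    failures = defaultdict(Counter)
    for line in lines:
        pid_match = TMM_PID.search(line)
        pid = pid_match.group(1) if pid_match else None
        err = CONN_ERROR.search(line)
        if err:
            last_reason[pid] = err.group("reason").strip()
            continue
        hs = HS_FAILED.search(line)
        if hs:
            # Assumption: the reason was logged by the same tmm just before.
            reason = last_reason.pop(pid, "unknown")
            failures[hs.group("client")][(hs.group("vip"), reason)] += 1
    return failures

if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/ltm) or run with no arguments for SAMPLE.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for client, hits in sorted(summarize(source).items()):
        for (vip, reason), count in hits.most_common():
            print(f"{client} -> {vip}  {count}x  {reason}")
```
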

     

  • I had the same issue a while back and Support recommended changing my logging level to stop logging that message and said it was informational only and could be ignored otherwise.

     

    • forsan

      Hi @ekaleido, what command did you use to disable that logging message?

       

    • amintej

      You can set SSL logging to error if you want to avoid that message, go to:

       

      System > Logs > Configuration > SSL > Error.

       

      Default value is Warning.

       
