SSL Termination with load balancer occasionally causing SSL handshake exception
We are trying to achieve SSL termination using the LTM. The incoming connection from the router is using SSL (TLSv1.2) with client authentication to a virtual server with just the client SSL profile. This is load balanced using the default round robin type to two physical servers on port 8080 using HTTP. Our issue is that occasionally we receive a handshake exception (PKIX path building failed) and looking at the log (/var/log/ltm) it is between the router and the virtual server. This only happens when we send multiple messages in quick succession. We assume this is because of some timeout setting and have found and shortened the TCP profile timeout settings; this has reduced the time before we see a TCP FIN message. All attempted connections after this FIN message seem to establish the SSL connection correctly. If more than one connection is made before the FIN, that's when we sometimes get the SSL error. Looking at the Wireshark output, we can see each SSL connection tries to establish a new connection (i.e. client hello, server hello followed by the certificate message) even if another connection occurs a few seconds after the first (before the timeout expires). I would expect that the second connection would attempt to re-establish the previously negotiated SSL connection using the SSL session ID. Below is a Wireshark excerpt of the SSL messages, with the first connection being successful and, straight after, a Certificate Unknown error. x.x.x.x is our router IP and is always the same, and 192.168.30.190 is the IP of our virtual server.
718 96.389112000 x.x.x.x 192.168.30.190 TLSv1.2 211 Client Hello [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
720 96.391312000 192.168.30.190 x.x.x.x TLSv1.2 4734 Server Hello, Certificate, Server Key Exchange, Server Hello Done [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
725 96.399544000 x.x.x.x 192.168.30.190 TLSv1.2 226 Client Key Exchange [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
727 96.403243000 x.x.x.x 192.168.30.190 TLSv1.2 93 Change Cipher Spec [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
729 96.403633000 x.x.x.x 192.168.30.190 TLSv1.2 132 Hello Request, Hello Request [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
731 96.403825000 192.168.30.190 x.x.x.x TLSv1.2 93 Change Cipher Spec [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
732 96.403909000 192.168.30.190 x.x.x.x TLSv1.2 132 New Session Ticket, Hello Request [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
734 96.405814000 x.x.x.x 192.168.30.190 TLSv1.2 663 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
736 96.408694000 192.168.30.190 x.x.x.x TLSv1.2 1564 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
737 96.408704000 192.168.30.190 x.x.x.x TLSv1.2 1564 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
738 96.408709000 192.168.30.190 x.x.x.x TLSv1.2 1564 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
739 96.408805000 192.168.30.190 x.x.x.x TLSv1.2 1172 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
752 97.726426000 x.x.x.x 192.168.30.190 TLSv1.2 211 Client Hello [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
754 97.731289000 192.168.30.190 x.x.x.x TLSv1.2 4734 Server Hello, Certificate, Server Key Exchange, Server Hello Done [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
759 97.739897000 x.x.x.x 192.168.30.190 TLSv1.2 94 Alert (Level: Fatal, Description: Certificate Unknown) [ETHERNET FRAME CHECK SEQUENCE INCORRECT]

Can anybody offer any guidance on what may be causing this issue? Or ask us to check for specific configuration settings that may be causing this issue.
Many Thanks
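The capture excerpt in the first post above is easier to reason about once the frames are grouped per handshake and each handshake is labelled with its outcome, the gap since the previous Client Hello, whether the server sent a Certificate (a full handshake rather than a resumed one) and whether a New Session Ticket was issued. The script below does that for Wireshark packet-list lines in the layout pasted in the post. It is an added example, not code from the post or from F5; the sample frames are the post's own, and the column layout, the handling of the "[...]" capture annotation and the "full handshake after a ticket was issued" heuristic are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the frames quoted in the post, one per line.
SAMPLE = """\
718 96.389112000 x.x.x.x 192.168.30.190 TLSv1.2 211 Client Hello [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
720 96.391312000 192.168.30.190 x.x.x.x TLSv1.2 4734 Server Hello, Certificate, Server Key Exchange, Server Hello Done [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
725 96.399544000 x.x.x.x 192.168.30.190 TLSv1.2 226 Client Key Exchange [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
727 96.403243000 x.x.x.x 192.168.30.190 TLSv1.2 93 Change Cipher Spec [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
729 96.403633000 x.x.x.x 192.168.30.190 TLSv1.2 132 Hello Request, Hello Request [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
731 96.403825000 192.168.30.190 x.x.x.x TLSv1.2 93 Change Cipher Spec [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
732 96.403909000 192.168.30.190 x.x.x.x TLSv1.2 132 New Session Ticket, Hello Request [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
734 96.405814000 x.x.x.x 192.168.30.190 TLSv1.2 663 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
736 96.408694000 192.168.30.190 x.x.x.x TLSv1.2 1564 Application Data [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
752 97.726426000 x.x.x.x 192.168.30.190 TLSv1.2 211 Client Hello [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
754 97.731289000 192.168.30.190 x.x.x.x TLSv1.2 4734 Server Hello, Certificate, Server Key Exchange, Server Hello Done [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
759 97.739897000 x.x.x.x 192.168.30.190 TLSv1.2 94 Alert (Level: Fatal, Description: Certificate Unknown) [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
"""

# Assumed column layout: frame-no time src dst proto length info [annotation]
FRAME_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>TLSv[\d.]+)\s+(?P<len>\d+)\s+(?P<info>.*?)(?:\s+\[[^\]]*\])?\s*$"
)
SPLIT_RE = re.compile(r",\s*(?![^()]*\))")   # split info on commas outside "(...)"
ALERT_RE = re.compile(r"Description:\s*([^)]+)\)")

@dataclass
class Handshake:
    client: str
    server: str
    start_frame: int
    start_time: float
    messages: List[str] = field(default_factory=list)
    outcome: str = "incomplete"          # "completed" | "failed" | "incomplete"
    alert: Optional[str] = None          # description of a fatal alert, if any
    full_handshake: bool = True          # server sent Certificate => not resumed
    ticket_issued: bool = False          # server sent New Session Ticket
    gap_since_previous: Optional[float] = None  # seconds since previous Client Hello

def parse_frames(text: str) -> List[dict]:
    """Parse packet-list lines; lines that are not TLS frames are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append({"no": int(m["no"]), "time": float(m["time"]),
                           "src": m["src"], "dst": m["dst"],
                           "msgs": [s.strip() for s in SPLIT_RE.split(m["info"])]})
    return frames

def group_handshakes(frames: List[dict]) -> List[Handshake]:
    """Every Client Hello opens a new handshake; later frames belong to it."""
    handshakes: List[Handshake] = []
    current: Optional[Handshake] = None
    for f in frames:
        if "Client Hello" in f["msgs"]:
            current = Handshake(f["src"], f["dst"], f["no"], f["time"])
            if handshakes:
                current.gap_since_previous = f["time"] - handshakes[-1].start_time
            handshakes.append(current)
            continue
        if current is None:
            continue                      # frames before the first Client Hello
        current.messages.extend(f["msgs"])
        if f["src"] == current.server and "Server Hello" in f["msgs"]:
            # An abbreviated (resumed) TLS 1.2 handshake carries no Certificate.
            current.full_handshake = "Certificate" in f["msgs"]
        for msg in f["msgs"]:
            if msg == "New Session Ticket" and f["src"] == current.server:
                current.ticket_issued = True
            elif msg.startswith("Alert"):
                current.outcome = "failed"
                found = ALERT_RE.search(msg)
                current.alert = found.group(1).strip() if found else msg
            elif msg == "Application Data" and current.outcome != "failed":
                current.outcome = "completed"
    return handshakes

def analyze(text: str) -> List[Handshake]:
    return group_handshakes(parse_frames(text))

def unexpected_full_handshakes(handshakes: List[Handshake]) -> List[int]:
    """Indices of full handshakes for a client/server pair that already received
    a session ticket in an earlier completed handshake (the resumption the post expected)."""
    ticketed, flagged = set(), []
    for i, h in enumerate(handshakes):
        if (h.client, h.server) in ticketed and h.full_handshake:
            flagged.append(i)
        if h.outcome == "completed" and h.ticket_issued:
            ticketed.add((h.client, h.server))
    return flagged

if __name__ == "__main__":
    hs = analyze(SAMPLE)
    for i, h in enumerate(hs):
        gap = "" if h.gap_since_previous is None else f" (+{h.gap_since_previous:.3f}s)"
        print(f"#{i} frame {h.start_frame} {h.client}->{h.server}{gap}: {h.outcome}"
              f"{' alert=' + h.alert if h.alert else ''} full={h.full_handshake} ticket={h.ticket_issued}")
    print("full handshakes despite an earlier ticket:", unexpected_full_handshakes(hs))
```

On the post's frames this reports the first handshake as completed with a ticket issued and the second, 1.337 s later, as a full handshake that ends in a fatal Certificate Unknown alert from the router side. Feeding it a longer export lets you check whether the failures line up with the TCP idle timeout the post mentions, and whether any client ever sends a Client Hello that the server answers without a Certificate, which is the only way a resumption would show up in this column view.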
ssl offloading question

Hey guys, silly question, not sure why I am second-guessing myself here. But on the LTM, the ssl profile - client and the certificates that get uploaded to the LTMs contain only the private key and cert, correct? And there is no public key that gets stored on the LTM? Thanks