Jean-Francois Normand Posted May 3, 2019

I've got this error when I create a Monitor HTTPS-ECV: Failure - Time out during SSL handshake stage

Service Group Config:
Protocol: SSL
State: ENABLED
Effective State: DOWN
Traffic Domain: 0
Comment:
Cache Type: SERVER
Cacheable: NO
Health Monitoring: YES
AppFlow Logging: DISABLED
Monitoring Connection Close Bit: NONE
Number of Active Connections: 0
AutoScale Mode: DISABLED
Cipher Used: TLS v1.2 ECDHE-RSA-AES128-GCM-SHA256

I have another set of NetScalers that is able to connect to the server with the same configuration (SSL ciphers, IP, port, etc.), but for an unknown reason this set of NetScalers does not want to connect. I've read pretty much every bit of documentation and forums and was not able to find a clue about how to fix this. Thanks for your help. JF
Carl Behrent Posted May 5, 2019

Does the backend server support TLS 1.2? Try turning that off and see if it makes any difference. I'm guessing this is a NetScaler VPX?
Jean-Francois Normand (Author) Posted May 6, 2019

Hi, yes it is a VPX. I've tried enabling and disabling pretty much every possible combination. And the fun fact is that we have another set of VPXs that work and are able to connect.
Mihai Cziraki1709160741 Posted May 6, 2019

As you get "Failure - Time out during SSL handshake stage", first you should try to validate that there are no routing issues between these VPXs and the servers. If possible, try to create an HTTP service on the NetScalers if the servers are listening for HTTP requests as well, or any other port/service they are listening on.
Jean-Francois Normand (Author) Posted May 6, 2019

Hi, the security of the network will not permit the HTTP protocol on the network, so I was not able to do the test. TCP-ECV is working though. Is there any way that I can use a SNIP (VIP) of the NetScaler to test an HTTPS URL from the command line to confirm that the network is working properly? Thanks, JF
Mihai Cziraki1709160741 Posted May 6, 2019

If the TCP monitor (I am guessing that it is on the same port) works, then I guess it should be fine. Also make sure there are no firewalls blocking the traffic between the SNIP and the servers. On the NetScaler, under shell there is telnet and it has an option [-s src_addr], but it did not work for me. Based on the routes it has, your NetScaler will pick the SNIP address that it will use to send the data to the server. Maybe it might be useful to do a tcpdump (nstrace on a NetScaler) or on the server.
Jean-Francois Normand (Author) Posted May 6, 2019

Hi, I'll try to get more logs from the nstrace. Thanks, JF
Mihai Cziraki1709160741 Posted May 6, 2019

If you remove all the monitors it will use the default one: tcp-default. Using this it will only check if the port is listening, so it does not care about certificates. So probably your HTTPS monitor is not set up OK. Can you share your monitor config? It should look like this:

add lb monitor <monitorName> <type> -secure YES

Also be aware that when the NetScaler is connecting to the server it will use a default profile, ns_default_ssl_profile_backend, if you have not created a custom one.
Jean-Francois Normand (Author) Posted May 6, 2019

I removed all the monitors and it's still not working. I've added a profile with just 1.0 and 1.1 and it's still not working. From tcpdump I don't have much except ACK/SEQ.
Mihai Cziraki1709160741 Posted May 6, 2019

You said TCP-ECV is working ("TCP-ECV is working tho."), then the default TCP monitor should work also. Can you share the dump, or a screenshot of the dump? Do you see any packets coming from the servers? If you say that this monitor (TCP-ECV) works, then it is not an issue with routing. Also make sure there are no IP conflicts in your network.
Jean-Francois Normand (Author) Posted May 6, 2019

1 minute ago, Mihai Cziraki1709160741 said: Do you see any packets coming from the servers? If you say that this monitor (TCP-ECV) works, then it is not an issue with routing.

Hi, no, it doesn't seem to be a routing issue; the server is responding to the request. I see packets from SRC -> DST and DST -> SRC, so the NetScaler is able to communicate with the server. At that point it is either the NetScaler backend that is not able to talk with the HTTPS server or our firewall IPS is doing something very wrong with the HTTPS request.
Mihai Cziraki1709160741 Posted May 6, 2019

If you have firewalls/IPS, please check them first, as they might block your traffic from the NetScaler to your servers.
Jean-Francois Normand (Author) Posted May 6, 2019

I've been looking at them for about 8 hours :) It says everything is accepted and all, and nothing suspicious there, but I'm still looking.
Jean-Francois Normand (Author) Posted May 6, 2019

Hi, I found the issue on my side. It was the application dropping the call if the proper host name was not used. Thanks for your help.
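An added example, not code from the thread or from Citrix: a Python probe that does what the monitor does in two stages (TCP connect, optionally bound to a chosen source address such as one SNIP, then a TLS handshake that can carry an SNI host name), and reports which stage failed. A constructed silent listener reproduces the symptom in the thread: TCP connects (so TCP-ECV passes) but the handshake never completes. Function names, the host name app.example and the listener are assumptions made for the example.

```python
import socket
import ssl
import threading
import time


def probe_tls(host, port, server_name=None, source_ip=None, timeout=5.0):
    """TCP connect, then TLS handshake (sending SNI if server_name is set).
    Returns {'stage': 'tcp'|'ssl_handshake', 'ok': bool, ...} so a backend
    that accepts TCP but never answers the ClientHello is told apart from
    a routing or firewall problem."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # a monitor asks whether the handshake
    ctx.verify_mode = ssl.CERT_NONE  # completes, not whether the chain is trusted
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    stage = "tcp"
    try:
        if source_ip:
            sock.bind((source_ip, 0))   # e.g. a particular SNIP
        sock.connect((host, port))
        stage = "ssl_handshake"         # a TCP-ECV monitor would pass from here
        tls = ctx.wrap_socket(sock, server_hostname=server_name)
        info = {"stage": stage, "ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
        tls.close()
        return info
    except socket.timeout:              # "Time out during SSL handshake stage"
        error = "timeout"
    except ssl.SSLError as exc:         # e.g. an alert sent back by the backend
        error = exc.reason or str(exc)
    except OSError as exc:              # refused, or reset by a device in the path
        error = type(exc).__name__
    sock.close()
    return {"stage": stage, "ok": False, "error": error}


def start_silent_listener(hold_seconds=3):
    """Constructed stand-in for the failing backend: accepts the TCP
    connection but never answers the ClientHello. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        time.sleep(hold_seconds)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real backend, compare probe_tls(host, 443) with probe_tls(host, 443, server_name="the expected host name"): a backend that only answers with the right name succeeds in the second call and times out or sends an alert in the first.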