network – F5 Failing SSL Handshake After “Client Hello” (Self Solved)
Ran into an issue after renewing an SSL certificate used in a few different profiles on an F5 VIPRION (v15.1.3.1).
Unfortunately I do not have full admin access to the F5 to turn on debugging. I can view the configurations of the VIPs, profiles, pools, certificates, etc. I am one of the systems admins/engineers for the servers/services behind the load balancing pools and VIPs defined in the F5.
The behavior is also inconsistent.
Running tests using the command openssl s_client -connect <vip hostname>:443 while using tcpdump to capture the port 443 traffic, intermittently the command will return:
Connecting to xxx.xxx.xxx.xxx
CONNECTED(00000005)
C08D251301000000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:692:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 232 bytes
Verification: OK
The SSL handshake fails. In the tcpdump capture, when the SSL handshake is failing the F5 is returning a “FIN,ACK” packet in response to the “Client Hello” message from the openssl client. When successful, the F5 sends the expected “Server Hello” packet, and the SSL handshake continues to success.
What would be causing the F5 to fail the SSL handshake some of the time?
Thanks in advance for any clues.
=====
The solution was an odd one. The certificate and trust chain were correct as noted. Replacing the expiring certificate with the renewed one was done properly by our network engineer. Oddly, the simple act of removing the SSL Client Profile from the VIP, updating the VIP, adding the same Profile back, and updating the VIP again (with no other changes) corrected the issue.