Symptoms
End-user clients are unable to establish a TLS connection. Further investigation indicates that the Session ID length field is set to 0, but there is no session ID.
TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 59
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 55
Version: TLS 1.2 (0x0303)
Random: aa957f92a5de4cedcf9750b60b3efab6b345da6c32189e93…
Session ID Length: 0 <=== !!!
.....
TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
.....
TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message
.....
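One way to look for this pattern in the server-to-client bytes of a connection, as an added example that is not F5's code: it walks the TLS records and reports a ServerHello that fills its record, carries Session ID Length 0, and is followed directly by Change Cipher Spec, as in the trace above. The function names and the sample records are constructed for illustration, and the input is assumed to be the already reassembled server-side byte stream.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC, SERVER_HELLO = 22, 20, 2
CCS_RECORD = b"\x14\x03\x03\x00\x01\x01"  # constructed ChangeCipherSpec record

def iter_records(stream: bytes):
    """Yield (content_type, payload) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        payload = stream[off + 5 : off + 5 + length]
        if len(payload) < length:
            return  # truncated capture
        yield ctype, payload
        off += 5 + length

def lone_server_hello_sid_len(payload: bytes):
    """Session ID length if the record holds only a ServerHello, else None."""
    # Handshake header is type(1) + length(3); body starts version(2) + random(32).
    if len(payload) < 39 or payload[0] != SERVER_HELLO:
        return None
    if int.from_bytes(payload[1:4], "big") + 4 != len(payload):
        return None  # other handshake messages share the record (full handshake)
    return payload[38]

def has_symptom(stream: bytes) -> bool:
    """True if a ServerHello with Session ID Length 0 is followed directly by CCS."""
    prev_empty = False
    for ctype, payload in iter_records(stream):
        if ctype == CHANGE_CIPHER_SPEC and prev_empty:
            return True
        prev_empty = ctype == HANDSHAKE and lone_server_hello_sid_len(payload) == 0
    return False

def sample_server_hello(session_id: bytes) -> bytes:
    """Constructed ServerHello record (zeroed random, no extensions)."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id + b"\xc0\x2f\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs

if __name__ == "__main__":
    print(has_symptom(sample_server_hello(b"") + CCS_RECORD))           # pattern from the trace
    print(has_symptom(sample_server_hello(b"\x01" * 32) + CCS_RECORD))  # resumption with an ID
```

A hit is a lead to compare against the conditions listed below, not proof of this specific defect.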
Impact
After receiving the invalid server hello message from the BIG-IP system, the client may generate unexpected_message (10) TLS alerts and may terminate the SSL connection.
Conditions
-- SSL forward proxy virtual server.
-- This can occur intermittently with normal HTTPS traffic. It occurs more frequently if the session cache's cache-timeout value is set to a low value.