DOS_SSL_ERROR event seen on Avi Virtual Service


Article ID: 405707


Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

Users may observe recurring DOS_SSL_ERROR events on an Avi Virtual Service (VS).

End users may experience slowness or disconnections while the event is being reported.

Cause

The DOS_SSL_ERROR event is typically triggered by a high number of SSL handshake failures on the Virtual Service. Common reasons for these failures include:

  • No shared cipher between the client and the Virtual Service's SSL profile (cipher mismatch).

  • Clients attempting connections using unsupported or outdated SSL/TLS versions.

  • Certificate validation failures that abort the SSL handshake.

Once the number of such failures reaches the configured threshold, the Virtual Service raises a DOS_SSL_ERROR event.

The threshold is documented in the Avi Load Balancer techdocs: Distributed Denial of Service.


Resolution

To address the issue and mitigate service impact:

  • Identify the client(s) whose SSL handshakes are failing. They are listed under Virtual Service > Security (the screenshot referenced by the original article is not reproduced here).

  • Once the client IP is identified, create a Network Security Policy rule that drops connections from the misconfigured client IP. This prevents further handshake attempts from that client and stops it from contributing to the DOS_SSL_ERROR count. Configure it as follows:
    • Navigate to Applications > Virtual Services and click Edit on the affected Virtual Service.
    • Click Policies in the Edit Virtual Service popup window.
    • Click the + icon to create a rule, or choose an existing one.
    • Choose "Client IP" from the match drop-down menu and enter the client IP identified above.
    • Set the Action to Deny so that connections from that client IP are dropped.
    • Click Save Rule.
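The two resolution steps above (find the failing clients, then deny them) can also be scripted. The following is an added example and not code from the article or from VMware Avi: it takes connection-log records exported from the Virtual Service, counts handshake failures per client IP, flags clients that reach an illustrative failure threshold, and builds the Network Security Policy deny rule that the UI steps create. The log record field names (`client_ip`, `ssl_version`, `ssl_cipher`, `ssl_error`), the threshold value and the rule JSON layout are assumptions modelled on Avi's REST API objects, and the sample records are constructed; verify the field names and rule schema against your controller's API before using them.

```python
"""Triage helpers for recurring SSL handshake failures on an Avi Virtual Service.

Added example, not code from the article or from VMware Avi. The record field
names, the threshold and the rule JSON layout are assumptions modelled on Avi's
REST API objects; check them against your controller before posting a rule.
"""
from collections import Counter, defaultdict


def _record(ip, version, cipher, error=""):
    """Build one constructed log record; an empty error means the handshake succeeded."""
    return {"client_ip": ip, "ssl_version": version, "ssl_cipher": cipher, "ssl_error": error}


# Constructed sample log records (not real Avi output). 203.0.113.10 is a
# misconfigured client whose cipher list never overlaps the SSL profile;
# 198.51.100.7 tries an outdated protocol twice; 192.0.2.5 is healthy.
SAMPLE_LOGS = (
    [_record("203.0.113.10", "TLSv1.2", "", "no shared cipher") for _ in range(6)]
    + [_record("198.51.100.7", "TLSv1.0", "", "unsupported protocol") for _ in range(2)]
    + [_record("192.0.2.5", "TLSv1.3", "TLS_AES_256_GCM_SHA384") for _ in range(4)]
)

# Illustrative threshold only; the real DOS_SSL_ERROR threshold is the one
# documented in the Avi DDoS techdocs referenced in the Cause section.
FAILURE_THRESHOLD = 5


def summarise_failures(records):
    """Return {client_ip: Counter(failure_reason -> count)} for failed handshakes only."""
    per_client = defaultdict(Counter)
    for rec in records:
        if rec.get("ssl_error"):  # empty or missing ssl_error means the handshake succeeded
            per_client[rec["client_ip"]][rec["ssl_error"]] += 1
    return per_client


def offending_clients(records, threshold=FAILURE_THRESHOLD):
    """Clients whose failure count reaches the threshold, with their dominant failure reason.

    The dominant reason is the hint for root-cause work: 'no shared cipher' points at
    the SSL profile's cipher list, 'unsupported protocol' at the allowed TLS versions.
    """
    result = {}
    for ip, reasons in summarise_failures(records).items():
        total = sum(reasons.values())
        if total >= threshold:
            reason, _count = reasons.most_common(1)[0]
            result[ip] = {"failures": total, "reason": reason}
    return result


def deny_rule(name, ips, index=1):
    """Network Security Policy rule denying the given client IPs (assumed Avi API layout)."""
    return {
        "index": index,
        "enable": True,
        "name": name,
        "action": "NETWORK_SECURITY_POLICY_ACTION_TYPE_DENY",
        "match": {
            "client_ip": {
                "match_criteria": "IS_IN",
                "addrs": [{"addr": ip, "type": "V4"} for ip in sorted(ips)],
            }
        },
    }


if __name__ == "__main__":
    import json

    offenders = offending_clients(SAMPLE_LOGS)
    for ip, info in offenders.items():
        print(f"{ip}: {info['failures']} failed handshakes, mostly '{info['reason']}'")
    print(json.dumps(deny_rule("deny-ssl-handshake-failures", offenders), indent=2))
```

Run it as a script to see which sample client crosses the threshold and the rule body that would deny it. A deny rule matches on the source IP only, so if the offending address is a NAT gateway or proxy shared with legitimate users, the rule blocks them as well; in that case keep the rule in place only until the client-side misconfiguration is fixed.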

The deny rule is a stopgap: it keeps the failing client from affecting other, legitimate requests, but it does not fix anything. The actual reason for the client's SSL handshake failure (cipher mismatch, unsupported SSL/TLS version, or certificate validation failure) must still be identified and corrected to resolve the issue. Virtual Service packet captures are the way to do this: Capturing Virtual Service Traffic using CLI/UI. Note also that the rule matches on the source IP, so if that address is shared (for example a NAT gateway or proxy), legitimate users behind it will be denied as well.