TLS handshake fails with any TLS LB VIP FIPS 9700 – Reset code 9811 from ADC

Daylight saving time changed and the NTP servers were out of sync with the ADC.

A time mismatch between client and server was created by the 2020 daylight saving time change (which began at 2:00 AM) combined with an NTP server that was out of sync, so the timestamps seen by the client and by the ADC no longer agreed.

TLS depends on the wall clock (certificate validity windows, session cache and session ticket lifetimes), so the ADC detects the time mismatch, tears down the TLS session and sends a RESET with code 9811.

Note regarding RESET code 9811

=============================

As part of the TLS handshake :: after the client sends its “Change Cipher Spec” (followed by its encrypted Finished message), the ADC should answer with its own “Change Cipher Spec” and Finished, confirming the newly created TLS session. Instead the ADC sends a RESET with RESET code :: 9811 because it detected a timestamp mismatch.


Following this article :: NetScaler Reset Error Codes

https://support.citrix.com/article/CTX200852

Reset code 9811 means :: NSDBG_RST_ERRHANDLER: This reset code is used with SSL. After sending a Fatal Alert, the NetScaler sends a RST packet with this error code. If the client does not display any supported ciphers to the NetScaler appliance, the appliance sends a Fatal Alert and then this RST packet.

In this case the description is misleading: the client did offer ciphers the ADC supports (the ADC went on to select one in its Server Hello), but the ADC invalidated the session because of the timestamp mismatch on the TLS session. Since code 9811 only tells you that a fatal alert preceded the RST, look at the Alert record immediately before the reset in the capture to get the actual alert description.

Cipher used on this Session was :: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

Handshake Protocol: Server Hello
    Handshake Type: Server Hello (2)
    Length: 87
    Version: TLS 1.2 (0x0303)
    Random: 5e66690d10ed940e434f5ef414065933aac401eaf2806ad7…
    Session ID Length: 32
    Session ID: 1a1ff2f6e4aaa45336d6c8f3454892b324fea21528474cce…
    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
    Compression Method: null (0)
    Extensions Length: 15
    Extension: application_layer_protocol_negotiation (len=11)
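One quick check for the clock-skew theory is to decode the Server Hello itself: in TLS 1.2 (RFC 5246, section 7.4.1.2) a server may place its gmt_unix_time in the first four bytes of the 32-byte Random, so the capture already carries the ADC's idea of the time. The script below is an added example written for this article, not code from the original post or from Citrix. It rebuilds a Server Hello from the field values listed above (the truncated tails of the Random and Session ID are zero-filled as constructed placeholders, and the ALPN protocol name "http/1.1" is an assumption chosen so that the lengths 11, 15 and 87 match the dump), parses it back, and turns the Random into a UTC timestamp that can be compared with the capture time.

```python
"""Added example: parse a TLS 1.2 ServerHello and read the gmt_unix_time from its Random.

The message bytes are constructed from the field values quoted in the article; the
last 8 bytes of the Random and Session ID were truncated there and are zero-filled
placeholders, and the ALPN name "http/1.1" is assumed (it makes ext len 11,
extensions len 15 and message len 87, as in the dump).
"""
from datetime import datetime, timezone

# First 24 bytes of each value as shown in the article, tail zero-filled (constructed).
SERVER_RANDOM = bytes.fromhex("5e66690d10ed940e434f5ef414065933aac401eaf2806ad7") + b"\x00" * 8
SESSION_ID = bytes.fromhex("1a1ff2f6e4aaa45336d6c8f3454892b324fea21528474cce") + b"\x00" * 8

TLS12 = b"\x03\x03"
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035  # RSA key exchange (no forward secrecy), CBC with SHA-1 MAC
EXT_ALPN = 0x0010


def build_server_hello() -> bytes:
    """Constructed ServerHello matching the field values and lengths in the article."""
    alpn = b"\x00\x09" + b"\x08" + b"http/1.1"                              # 11 bytes (name assumed)
    exts = EXT_ALPN.to_bytes(2, "big") + len(alpn).to_bytes(2, "big") + alpn  # 15 bytes
    body = (TLS12 + SERVER_RANDOM
            + len(SESSION_ID).to_bytes(1, "big") + SESSION_ID
            + TLS_RSA_WITH_AES_256_CBC_SHA.to_bytes(2, "big")
            + b"\x00"                                                       # compression: null
            + len(exts).to_bytes(2, "big") + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body                    # handshake type 2


def parse_alpn(data: bytes) -> list:
    """ALPN extension body: 2-byte list length, then 1-byte-length-prefixed protocol names."""
    total = int.from_bytes(data[0:2], "big")
    names, pos = [], 2
    while pos < 2 + total:
        n = data[pos]
        names.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return names


def parse_server_hello(msg: bytes) -> dict:
    """Parse a ServerHello handshake message (TLS 1.2 layout) into its fields."""
    if len(msg) < 4 or msg[0] != 2:
        raise ValueError("not a ServerHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 38:          # 2 + 32 + 1 + 2 + 1 is the minimum
        raise ValueError("truncated ServerHello")
    fields = {"length": length, "version": body[0:2], "random": body[2:34]}
    pos = 34
    sid_len = body[pos]; pos += 1
    fields["session_id"] = body[pos:pos + sid_len]; pos += sid_len
    fields["cipher_suite"] = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    fields["compression"] = body[pos]; pos += 1
    fields["extensions"] = {}
    if pos < length:                                 # extensions block is optional
        ext_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
        end = pos + ext_len
        if end != length:
            raise ValueError("extensions length does not match message length")
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            fields["extensions"][etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    alpn = fields["extensions"].get(EXT_ALPN)
    fields["alpn"] = parse_alpn(alpn) if alpn is not None else []
    return fields


def random_to_time(rnd: bytes) -> datetime:
    """Interpret the first 4 bytes of a 32-byte TLS Random as big-endian gmt_unix_time.
    Caveat: RFC 5246 neither requires peers to validate this field nor forbids filling
    all 32 bytes randomly, so an implausible date only means the check is inconclusive."""
    if len(rnd) != 32:
        raise ValueError("TLS Random must be 32 bytes")
    return datetime.fromtimestamp(int.from_bytes(rnd[:4], "big"), tz=timezone.utc)


def clock_skew_seconds(rnd: bytes, reference_unix: int) -> int:
    """Seconds between the server's Random timestamp and a reference Unix time such as
    the frame's capture time; a large value points at an unsynced ADC clock."""
    return int.from_bytes(rnd[:4], "big") - reference_unix


if __name__ == "__main__":
    hello = parse_server_hello(build_server_hello())
    print("cipher suite: 0x%04x" % hello["cipher_suite"])
    print("ALPN:", hello["alpn"])
    print("ADC clock from Random:", random_to_time(hello["random"]).isoformat())
```

For the Random quoted above, 0x5e66690d decodes to 2020-03-09 16:04:29 UTC, one day after the 2020 daylight saving change, so the ADC's clock was at least in the right neighbourhood; to turn that into a skew figure, pass the frame's capture time (as a Unix timestamp) to clock_skew_seconds. A value far from zero, or a date that makes no sense at all, is a hint, not proof, because of the caveat in random_to_time.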
