SSL handshake issue - ADC RST code 9811
Article ID: CTX258301
Description
- The SSL handshake between the client and the SSL VIP fails, and the ADC resets the connection with TCP RST code 9811.
- This reset code is specific to SSL. After sending a fatal alert, the ADC sends an RST packet carrying this error code. If the client does not offer any cipher that the ADC appliance supports, the appliance sends the fatal alert and then this RST packet.
- The ECDSA ciphers bound to the SSL VIP match the ciphers offered in the client's Client Hello; however, the ADC still rejects the connection.
Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 Priority : 4
Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc02c
Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 Priority : 5
Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02b
- ECC curves are bound to the SSL VIP.
Resolution
ECDSA ciphers are supported only on Citrix ADC MPX and SDX appliances with N3 chips.
They are not supported on an appliance fitted with N2 chips.
Use the show ns hardware command to find out whether your appliance has N3 chips. Example below (the N3 token in the Platform line indicates N3 chips):
sh ns hardware
Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100
See the following article for the list of supported appliances:
https://docs.citrix.com/en-us/citrix-adc/12-1/ssl/ciphers-available-on-the-citrix-ADC-appliances/ecdsa-cipher-suite-support-on-mpx-appliances.html
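The two checks above (does the Platform line show N3, and are any of the ciphers bound to the VIP ECDSA-authenticated) can be scripted against captured command output. The following is an added example, not Citrix code; the hardware strings and the cipher listing are constructed samples in the same layout the article shows, and the NSMPX-5550 Platform line in particular is an assumed value, not real appliance output.

```python
import re

# Constructed sample "sh ns hardware" Platform lines (not captured from real appliances).
HARDWARE_N3 = "Platform: NSMPX-22000 16*CPU+24*IX+12*E1K+2*E1K+4*CVM N3 2200100"
HARDWARE_N2 = "Platform: NSMPX-5550 4*CPU+2*E1K+2*CVM N2 250011"  # assumed layout for an N2 box

# Constructed cipher listing in the layout the article shows (ECDSA suites plus one RSA suite).
BOUND_CIPHERS = """\
Cipher Name: TLS1.2-ECDHE-ECDSA-AES256-GCM-SHA384 Priority : 4
Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc02c
Cipher Name: TLS1.2-ECDHE-ECDSA-AES128-GCM-SHA256 Priority : 5
Description: TLSv1.2 Kx=ECC-DHE Au=ECDSA Enc=AES-GCM(128) Mac=AEAD HexCode=0xc02b
Cipher Name: TLS1.2-ECDHE-RSA-AES256-GCM-SHA384 Priority : 6
Description: TLSv1.2 Kx=ECC-DHE Au=RSA Enc=AES-GCM(256) Mac=AEAD HexCode=0xc030
"""


def has_n3_chip(hardware_output: str) -> bool:
    """True when the Platform line of 'sh ns hardware' output carries an N3 token."""
    m = re.search(r"^Platform:.*$", hardware_output, re.M)
    if not m:
        raise ValueError("no Platform line found in hardware output")
    return bool(re.search(r"\bN3\b", m.group(0)))


def parse_bound_ciphers(listing: str) -> list:
    """Pair each 'Cipher Name' line with its 'Description' line; keep name, priority,
    authentication algorithm (Au=...) and the IANA hex code."""
    pattern = re.compile(
        r"Cipher Name: (?P<name>\S+) Priority : (?P<prio>\d+)\s*\n"
        r"Description: .*?Au=(?P<au>\S+).*?HexCode=(?P<hex>0x[0-9a-fA-F]+)"
    )
    return [m.groupdict() for m in pattern.finditer(listing)]


def unsupported_ciphers(hardware_output: str, listing: str) -> list:
    """Names of bound suites that this appliance cannot negotiate: on hardware without
    N3 chips every ECDSA-authenticated suite is unusable, so a client that offers only
    those suites gets a fatal alert followed by RST code 9811."""
    if has_n3_chip(hardware_output):
        return []
    return [c["name"] for c in parse_bound_ciphers(listing) if c["au"] == "ECDSA"]


if __name__ == "__main__":
    for label, hw in (("N3 appliance", HARDWARE_N3), ("N2 appliance", HARDWARE_N2)):
        print(label, "-> unusable bound suites:", unsupported_ciphers(hw, BOUND_CIPHERS))
```

Feed it the real `sh ns hardware` output and the VIP's bound cipher listing; an empty result on the N2 path means the bound set leaves the client at least one negotiable suite.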
Problem Cause
The ADC appliance was an MPX 5550 with N2 chips, which do not support ECDSA ciphers, so the handshake failed.