Citrix ADC HA Sync Failed With Error “SSL3_GET_RECORD:wrong version number” After Upgrading

Article ID: CTX319667

Description

A customer upgraded their 12.1 firmware to a newer build. Before the upgrade, the secure option for the rpcNode (Secure RPC) was disabled and HA sync was successful.

The status of Secure RPC can be seen under System > Network > RPC.

After upgrading from 12.1-59.16 to 12.1-62.104, the secure option for rpcNode became enabled automatically, a known enhancement in later 12.1 builds.

HA sync then failed with this SSL error: "nsconf: nsnetssl_connect: SSL_connect failed for X.X.X.X:3008: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number".

Reference note: Secure RPC and nonsecure RPC use different ports for synchronization: secure RPC operates on TCP 3008 and nonsecure RPC on TCP 3010.

In this customer's case, the Client Hello was RESET by the peer node, but I can see that the Client Hello itself is normal. The internal service nsrpcs-127.0.0.1-3008 is UP, and TLS 1.0 to TLS 1.2 are enabled for nsrpcs-127.0.0.1-3008.

Resolution

Update the ADC license. In this customer's case it had expired, causing the SSL/TLS capabilities to be downgraded.

Problem Cause

This issue is caused by the expired license.

Because of NSCONFIG-2702, the secure option for rpcNode is enabled by default when a customer upgrades to 12.1-61.x or later.

However, without a proper license, the ADC can only negotiate EXPORT ciphers, so HA sync over the SSL connection fails.
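As an added example (not part of this article or of any Citrix tooling), the following Python snippet scans nsconf log lines for the SSL_connect failure described above and turns each hit into the checks a defender would run first: port 3008 identifies the secure RPC channel, and OpenSSL error 1408F10B means the handshake died at the record layer. The log lines and the peer address 198.51.100.12 are constructed sample data modelled on the message quoted in this article.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, modelled on the nsconf message quoted in the article.
# 198.51.100.12 is a documentation-range placeholder, not a real peer node.
SAMPLE_LOG = """\
nsconf: nsnetssl_connect: SSL_connect failed for 198.51.100.12:3008: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
nsconf: ha sync: connection to 198.51.100.12:3010 established
"""

# Ports from the article: secure RPC on TCP 3008, nonsecure RPC on TCP 3010.
RPC_PORTS = {3008: "secure RPC (TLS)", 3010: "nonsecure RPC"}

# Matches the SSL_connect failure line and captures peer, port, OpenSSL code, reason.
LINE_RE = re.compile(
    r"nsnetssl_connect: SSL_connect failed for "
    r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+): "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<reason>.+)$"
)

@dataclass
class HaSyncTlsFailure:
    peer: str
    port: int
    code: str
    reason: str
    channel: str

def parse_line(line: str) -> Optional[HaSyncTlsFailure]:
    """Return a failure record for an SSL_connect failure line, else None."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    port = int(m.group("port"))
    return HaSyncTlsFailure(peer=m.group("peer"), port=port, code=m.group("code").upper(),
                            reason=m.group("reason").strip(), channel=RPC_PORTS.get(port, "unknown"))

def triage(f: HaSyncTlsFailure) -> list[str]:
    """Checks to run first, in the order this article's case was resolved."""
    checks = []
    if f.port == 3008:  # secure RPC: license state decides which ciphers exist
        checks.append("confirm the ADC license is valid on both nodes (expired -> EXPORT ciphers only)")
        checks.append("confirm rpcNode secure is set identically on both nodes (System > Network > RPC)")
    if f.code == "1408F10B":  # SSL3_GET_RECORD:wrong version number
        checks.append("handshake rejected at the record layer; verify TLS versions/ciphers on nsrpcs-127.0.0.1-3008")
    return checks

def scan(log: str) -> list[HaSyncTlsFailure]:
    """All SSL_connect failures found in a block of nsconf log text."""
    return [f for f in map(parse_line, log.splitlines()) if f]
```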