SSL handshake errors when load balancing IDM 19.03 with NetScaler

Loadbalancing VMware Identity Manager with NetScaler is quite easy to setup. Carl Stalhood has written an excellent blog with step-by-step instructions.

However when implementing load balancing of vIDM version 19.03 appliances with NetScaler at a customer, I was not able to establish an secure connection from the NetScaler to the vIDM appliances. The virtual servers stayed in down state and the vIDM url was not accessible.

First I checked the obvious stuff, such as firewall to rule out any blocked ports. This was all ok.

Next up: certificates. Certificates on the NetScaler and the vIDM appliances were valid. Intermediate and root certificates were also uploaded and chained.

TLS 1.0 is disabled on Identity Manager 2.6 and newer. The version of NetScaler was 12.0-56.20_nc_32, which supports TLS 1.2 (See release notes)

Next step was creating a trace log on the NetScaler for deeper investigation.

From the trace we can see that communication is established with TLS 1.2.

The error we get is “Encrypted Alert 21”, which means that decryption fails. (https://tools.ietf.org/html/rfc5246#section-7.2)

To get around this error, we decided to setup a test NetScaler VPX appliance with the same version as the production NetScaler. Obviously SSL connection failed also. After upgrading the NetScaler VPX appliance to the latest release (version 12.1-52.15_nc_64), all SSL errors disappeared, servers were “UP”, and we were able to establish an SLL handshake with the vIDM appliances.

Kudos to my colleague @Vincent_VTH for helping me investigating and fixing this issue.

Leave a Reply

Your email address will not be published. Required fields are marked *