Why does SSL handshakes sometimes fail when there are multiple backends behind a load balancer?
Datapower is used to connect to a single VIP (or load balancer) which has multiple backend servers behind it. Each backend server supports different TLS version and/or ciphers. The Datapower SSL Client Profile is also configured to support the same TLS versions/ciphers of the various backends, however, intermittent SSL handshake failures occur.
Why does SSL handshakes sometimes fail when there are multiple backends behind a load balancer?
Intermittent SSL handshake failures can occur for this scenario if SSL caching is enabled.
This is because Datapower is not aware that it is connecting to a load balancer. Furthermore, it is not possible for it to know there are multiple backends behind the load balancer that might be using different TLS versions/ciphers. It simply connects to the configured IP and tries to resume the previous SSL session until the cache expires.
So if the request is routed to a different backend than the previous cached session, the connection will fail.
To avoid this, it is recommended to either:
a. Have all the backends support the same TLS versions/ciphers.
b. Turn off SSL caching
Note, SSL caching is not beneficial in this scenario anyway because Datapower will never actually resume a handshake if a different backend is selected each time.