SSLv3 Handshake failure on Cisco ACE (IE)

Dec 10th, 2008


I have configured a VIP on the ACE for https and used a self-signed certificate.

Mozilla works perfectly fine; however, Internet Explorer returns "Internet Explorer cannot display the webpage".

When I checked via Ethereal, I noticed that the following message is shown only when accessing the https URL via Internet Explorer and not Mozilla:

SSLv3 Alert(Level:Fatal, Description: Handshake Failure)

In short, SSL handshake fails for IE.

Would you know why this happens?


new_networker Wed, 12/10/2008 - 21:23

Thanks. I have verified the given points but haven't succeeded. Any other clues?

Are there any ACE-related tuning parameters to resolve this problem? The SSL Handshake Failure (40) is sent back by the ACE to the client, as can be seen in Ethereal.

Please assist.

ciscocsoc Fri, 12/12/2008 - 01:53


I don't fully understand the background but some time ago I saw handshake problems. Setting the ssl close-protocol parameter seems to help:

parameter-map type ssl PARAMMAP_SSL
  close-protocol disabled



new_networker Fri, 12/12/2008 - 02:57

Hi Cathy,

I tried it but the same results.

I have enabled debug ssl to dig deeper but it does not give any results. And when I do debug all (test environment) it says debug all is disabled. Would you know how I can enable 'debug all' on ACE? I would like to see every activity through/from the ACE.

SSL Handshake Failure (40) means there is a mismatch of security parameters such as session id, compression method, cryptographic parameters etc. I would like to look into those values and understand the difference as opposed to the Client Hello. Basically the parameters between Client and Server Hello should be the same. And in my case, instead of getting a Server Hello I get the handshake failure.

Have you or anyone ever seen a live working example of SSL on Cisco ACE with Internet Explorer?


ciscocsoc Fri, 12/12/2008 - 03:03


Yes, we have SSL termination from IE for many of our systems and it works just fine - with the close-protocol set. In addition I set the acceptable crypto parameters e.g.

parameter-map type ssl PARAMMAP_SSL
  cipher RSA_WITH_RC4_128_MD5 priority 2
  cipher RSA_WITH_RC4_128_SHA priority 2
  cipher RSA_WITH_DES_CBC_SHA priority 3
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 3
  close-protocol disabled
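
Added example, not part of the original thread and not Cisco code: a Python sketch that decodes the fatal alert seen in the capture and checks which of the ciphers in the parameter-map above a ClientHello actually offers, since a server with no cipher suite in common with the client answers with handshake_failure (40). The byte strings are constructed samples, the helper names are hypothetical, and SSLv3/TLS record framing is assumed.

```python
import struct

# Cipher names as written in the parameter-map above, keyed by the
# standard two-byte cipher suite IDs from the SSL/TLS specifications.
ACE_CIPHERS = {
    0x0004: "RSA_WITH_RC4_128_MD5",
    0x0005: "RSA_WITH_RC4_128_SHA",
    0x0009: "RSA_WITH_DES_CBC_SHA",
    0x000A: "RSA_WITH_3DES_EDE_CBC_SHA",
}
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure"}

def parse_record(data):
    """Decode one SSLv3/TLS record: an alert or a ClientHello."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    if ctype == 21:  # alert: level (1 = warning, 2 = fatal), description
        level, desc = body[0], body[1]
        return {"type": "alert", "fatal": level == 2,
                "description": ALERTS.get(desc, str(desc))}
    if ctype == 22 and body[0] == 1:  # handshake record carrying a ClientHello
        pos = 4 + 2 + 32              # handshake header, client_version, random
        pos += 1 + body[pos]          # session_id length byte + session_id
        (n,) = struct.unpack_from("!H", body, pos)
        suites = list(struct.unpack_from("!%dH" % (n // 2), body, pos + 2))
        return {"type": "client_hello", "version": (body[4], body[5]),
                "cipher_suites": suites}
    raise ValueError("unsupported record")

def shared_ciphers(offered, configured=ACE_CIPHERS):
    """Configured cipher names the client also offers, in client order."""
    return [configured[s] for s in offered if s in configured]

# Constructed sample records (not taken from the capture in this thread).
HELLO_BODY = (bytes([3, 0]) + bytes(32) + b"\x00" +
              struct.pack("!H3H", 6, 0x002F, 0x0005, 0x000A) + b"\x01\x00")
CLIENT_HELLO = (b"\x16\x03\x00" + struct.pack("!H", len(HELLO_BODY) + 4) +
                b"\x01" + len(HELLO_BODY).to_bytes(3, "big") + HELLO_BODY)
ALERT_40 = b"\x15\x03\x00\x00\x02\x02\x28"

if __name__ == "__main__":
    hello = parse_record(CLIENT_HELLO)
    print(parse_record(ALERT_40))
    print("offered:", [hex(s) for s in hello["cipher_suites"]])
    print("overlap:", shared_ciphers(hello["cipher_suites"]))
```

An empty overlap for the failing browser's ClientHello points at the cipher list rather than at the certificate or close-protocol setting.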



