To understand why the SSL handshake failure occurred, enable TCPDump on the Pulse Connect Secure device for the internal port, replicate the issue, and download the capture in raw format.
Using Wireshark, open the raw capture and filter for packets to and from the problematic backend resource (for example, ip.addr==1.2.3.4). In the filtered packets, check for the following sequence:
- Pulse Connect Secure device sends a Client Hello
- Backend resource responds with a Server Hello
- Backend resource sends Server Key Exchange
- Pulse Connect Secure device sends Client Key Exchange
- Pulse Connect Secure and backend resource send encrypted data
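The sequence check above can also be scripted. The following is an added example, not part of the original article or any Pulse Secure tooling: it walks TLS records taken from a capture and reports the first step of the sequence that is missing. It assumes TLS 1.2 or earlier and whole TLS records per segment; the sender labels PCS and backend, the function names, and the sample bytes are constructed for illustration.

```python
import struct

NAMES = {1: "Client Hello", 2: "Server Hello", 12: "Server Key Exchange", 16: "Client Key Exchange"}
# (sender, message, required) in the article's order; RSA key exchange sends no Server Key Exchange.
EXPECTED = [("PCS", "Client Hello", True), ("backend", "Server Hello", True),
            ("backend", "Server Key Exchange", False), ("PCS", "Client Key Exchange", True),
            ("PCS", "Encrypted data", True), ("backend", "Encrypted data", True)]

def observed(segments):
    """Return [(sender, message)] for TLS <= 1.2; assumes whole records per segment."""
    seen, encrypted = [], set()
    for sender, data in segments:
        pos = 0
        while pos + 5 <= len(data):
            ctype, _version, length = struct.unpack_from("!BHH", data, pos)
            body = data[pos + 5:pos + 5 + length]
            pos += 5 + length
            if ctype == 20:                        # ChangeCipherSpec: sender encrypts from here
                encrypted.add(sender)
            elif ctype == 21:                      # Alert record
                seen.append((sender, "Alert"))
            elif ctype == 23 or sender in encrypted:
                seen.append((sender, "Encrypted data"))
            elif ctype == 22:                      # cleartext handshake, possibly coalesced
                off = 0
                while off + 4 <= len(body):
                    seen.append((sender, NAMES.get(body[off], f"handshake type {body[off]}")))
                    off += 4 + int.from_bytes(body[off + 1:off + 4], "big")
    return seen

def first_missing_step(segments):  # first required step not seen in order, else None
    seen, idx = observed(segments), 0
    for sender, name, required in EXPECTED:
        if (sender, name) in seen[idx:]:
            idx = seen.index((sender, name), idx) + 1
        elif required:
            return (sender, name)
    return None

def rec(ctype, body):      # constructed sample data: one TLS 1.2 record
    return struct.pack("!BHH", ctype, 0x0303, len(body)) + body
def hs(mtype, size=4):     # constructed handshake message with a zero-filled body
    return bytes([mtype]) + size.to_bytes(3, "big") + bytes(size)

NO_REPLY = [("PCS", rec(22, hs(1)))]
ALERTED = NO_REPLY + [("backend", rec(21, b"\x02\x28"))]
GOOD = NO_REPLY + [("backend", rec(22, hs(2) + hs(11) + hs(12) + hs(14))),
    ("PCS", rec(22, hs(16)) + rec(20, b"\x01") + rec(22, bytes(40))),
    ("backend", rec(20, b"\x01") + rec(22, bytes(40)))]
```

When first_missing_step returns a step, check observed() for an Alert from the same sender before concluding that the peer stayed silent.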
In most cases, the SSL handshake failure occurs due to no response to the Client Hello. This issue can occur for multiple reasons, but here is a list of commonly known issues: