Sending fatal alert HandshakeFailure

There are lots of HandshakeFailure warnings in the Linkerd destination component:

[  5440.899754s]  WARN ThreadId(01) inbound:server{port=8086}: rustls::conn: Sending fatal alert HandshakeFailure
[  5440.950484s]  WARN ThreadId(01) inbound:server{port=8090}: rustls::conn: Sending fatal alert HandshakeFailure

When I run linkerd check, the status check is green.

I checked the meshed pods, the communication is fine between them.

I have another environment where linkerd is deployed and there I don’t see such errors.

These are its internal API ports. Is it possible something is connecting to these ports, like a security scanner?

Hi William, thanks for the reply.

I’m not aware of any security scanner in the environment, but maybe you could advise how to check the source of these connections?
I’ve already tried to add the debug annotation (config.linkerd.io/enable-debug-sidecar: "true") to the destination deployment, but it didn’t work.
Also, I spotted the same handshake error on the linkerd-identity component:

[ 72778.380697s]  WARN ThreadId(01) inbound:server{port=8080}: rustls::conn: Sending fatal alert HandshakeFailure
[ 72780.375433s]  WARN ThreadId(01) inbound:server{port=8080}: rustls::conn: Sending fatal alert HandshakeFailure

And linkerd-proxy-injector doesn’t have such logs.

I have managed to deploy the debug sidecar by manually changing the deployment manifest (it looks like the debug annotation didn’t work with core components).
I logged in and ran the following command from debug sidecar:
tcpdump port 8086 -v

This showed me that other sidecars from different services were trying to connect to these internal ports, but they failed.
I guess the problem is that I accidentally restarted the linkerd-identity component, which issued a new certificate, and the communication was disrupted with the business services where sidecars had an old one.

Oh, glad you figured it out and sorry for sending you down the wrong path!

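To see which inbound ports are rejecting handshakes and when the failures started, the warnings quoted in this thread can be tallied per port. This is an added example, not part of the original posts or of Linkerd's own tooling; the function name `summarize_alerts` and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the proxy warning shape quoted in the thread. Using search() lets it
# tolerate the "│" borders a terminal UI adds when log output is copied.
LINE_RE = re.compile(
    r"\[\s*(?P<ts>\d+(?:\.\d+)?)s\]\s+(?P<level>[A-Z]+)\s+ThreadId\(\d+\)\s+"
    r"inbound:server\{port=(?P<port>\d+)\}:\s+rustls::conn:\s+"
    r"Sending fatal alert (?P<alert>\w+)"
)

def summarize_alerts(lines, alert="HandshakeFailure"):
    """Return {port: {"count", "first_s", "last_s"}} for one TLS alert type.

    first_s / last_s are the bracketed seconds values as logged, so the
    earliest failure per port can be compared with a control-plane restart.
    """
    stats = defaultdict(lambda: {"count": 0, "first_s": None, "last_s": None})
    for raw in lines:
        m = LINE_RE.search(raw)
        if not m or m["alert"] != alert:
            continue  # unrelated log line or a different alert
        ts = float(m["ts"])
        entry = stats[int(m["port"])]
        entry["count"] += 1
        entry["first_s"] = ts if entry["first_s"] is None else min(entry["first_s"], ts)
        entry["last_s"] = ts if entry["last_s"] is None else max(entry["last_s"], ts)
    return dict(stats)

# First two lines are the ones quoted in the thread; the last two are
# constructed (a bordered copy-paste line and an unrelated line).
SAMPLE = """\
[  5440.899754s]  WARN ThreadId(01) inbound:server{port=8086}: rustls::conn: Sending fatal alert HandshakeFailure
[  5440.950484s]  WARN ThreadId(01) inbound:server{port=8090}: rustls::conn: Sending fatal alert HandshakeFailure
│ [  5442.101000s]  WARN ThreadId(01) inbound:server{port=8086}: rustls::conn: Sending fatal alert HandshakeFailure   │
[  5443.000000s]  INFO ThreadId(01) inbound: constructed unrelated line
""".splitlines()

if __name__ == "__main__":
    for port, entry in sorted(summarize_alerts(SAMPLE).items()):
        print(f"port {port}: {entry['count']} failures, "
              f"first at {entry['first_s']}s, last at {entry['last_s']}s")
```

Feeding it the saved proxy container logs of the destination and identity pods gives a per-port count that shows whether the failures stop once the workloads holding the old certificate are restarted.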