When configuring encrypted endpoints (e.g. httpS://somedomain.com/storefront/somestore) in profiles (this could be in SAML, OAuth or session profiles), the ADC automatically creates hidden internal services that it uses when communicating externally; the settings for that backend communication, like protocol versions and ciphers, live on those internal services.
When upgrading, some of these settings might get lost and cause the trouble mentioned in CTX218619 without any real clue as to what's going on. This can be caused by the lack of ECC curves bound to that internal service, if you for example only allow TLS 1.2 with ECC ciphers on the StoreFront configured in the session profile.
This error was pretty easy to see in a network trace, since the handshake did not complete.
You cannot see the vpndbssvc service(s) in the GUI, but in the CLI it's no problem: “sh run | grep vpndbssvc”. Rebind the ECC curves to each of those services with the following commands (replace <vpndbssvc_name> with the service name from that output; note that the fourth NIST curve is named P_521 on the ADC):
bind ssl service <vpndbssvc_name> -eccCurveName P_256
bind ssl service <vpndbssvc_name> -eccCurveName P_224
bind ssl service <vpndbssvc_name> -eccCurveName P_384
bind ssl service <vpndbssvc_name> -eccCurveName P_521
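As an added example (not part of the original post), the following Python script audits a saved copy of the running config for hidden vpndbssvc SSL services that lost their ECC curve bindings after an upgrade, and emits the bind commands needed to repair them. The sample config, service names and IPs are constructed; only the "add service" and "bind ssl service ... -eccCurveName" syntax is the ADC's own.

```python
import re
from typing import Dict, List

# Curves the post binds to each hidden vpndbssvc service. P_521 is the ADC's
# name for NIST P-521 (there is no P_512 curve).
REQUIRED_CURVES = ("P_224", "P_256", "P_384", "P_521")

# Constructed sample of "sh run" output: two hidden StoreFront services, one of
# which kept only two of its curve bindings, plus an unrelated HTTP service.
SAMPLE_RUNNING_CONFIG = """
add service vpndbssvc_sf1 192.0.2.10 SSL 443
add service vpndbssvc_sf2 192.0.2.11 SSL 443
add service web_backend 192.0.2.20 HTTP 80
bind ssl service vpndbssvc_sf1 -eccCurveName P_256
bind ssl service vpndbssvc_sf1 -eccCurveName P_384
"""

ADD_RE = re.compile(r"^add service (\S+) \S+ SSL \d+", re.M)
BIND_RE = re.compile(r"^bind ssl service (\S+) -eccCurveName (\S+)", re.M)


def audit_ecc_curves(running_config: str, name_filter: str = "vpndbssvc") -> Dict[str, List[str]]:
    """Return {service: [missing curves]} for every SSL service whose name
    contains name_filter. A binding of ALL satisfies every required curve."""
    services = [n for n in ADD_RE.findall(running_config) if name_filter in n]
    bound: Dict[str, set] = {n: set() for n in services}
    for name, curve in BIND_RE.findall(running_config):
        if name in bound:
            bound[name].add(curve)
    missing: Dict[str, List[str]] = {}
    for name in services:
        if "ALL" in bound[name]:
            missing[name] = []
        else:
            missing[name] = [c for c in REQUIRED_CURVES if c not in bound[name]]
    return missing


def remediation_commands(missing: Dict[str, List[str]]) -> List[str]:
    """Emit one bind command per missing curve, ready to paste into the CLI."""
    return [f"bind ssl service {name} -eccCurveName {curve}"
            for name, curves in missing.items() for curve in curves]


if __name__ == "__main__":
    for cmd in remediation_commands(audit_ecc_curves(SAMPLE_RUNNING_CONFIG)):
        print(cmd)
```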