Broadcom: Post upgrade from GW 9.4 to 10.1, deprecation of TLS 1.0/1.1 causes Policy Manager not being able to connect to Gateway

Article ID: 254932

Products

CA API Gateway

Issue/Introduction

Customers that had enabled only TLS 1.0 as the protocol on ports 8443/9443 have found that Policy Manager can no longer connect after upgrading to Gateway 10.1.

Environment

Gateway 10.1

Cause

For the Gateway Appliance form factor, the Manual Expedited Appliance Upgrade procedure for Gateway 10.1 requires a database migration from the previous Gateway 9.4 version into the new build. This means that the source Gateway settings and configurations are migrated and take effect in the destination Gateway 10.1.

In some cases, customers have enabled only TLS 1.0 on the incoming ports 8443 and 9443; TLS 1.0 is deprecated and completely disabled starting with Gateway 10.1.

Reference: Deprecated Features and Support

In that case, Policy Manager cannot connect to the Gateway, since it now uses TLS 1.2 as the default protocol, and an SSL handshake exception can be observed in the Policy Manager logs.

Resolution

Without access to the Gateway, the port protocols cannot be changed via Policy Manager > Transport > Manage Listen Ports.

As a workaround, reconfigure the port settings by applying the changes directly to the database. NOTE: always back up the database before making any changes.

1. SSH to the Gateway node and open the MySQL console at the OS prompt.

2. Query port 8443 (or 9443) to retrieve the GOID value of its table row:

# select goid from ssg.connector where port=8443\G

Example...

3. Enable the missing TLS protocols:

# update ssg.connector_property set value='TLSv1.1,TLSv1.2,TLSv1.3' where connector_goid=<GOID retrieved from step 2> and name='protocols';

Example...

4. Exit the MySQL console and restart the Gateway service to load the new configuration:

# service ssg restart
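A worked version of steps 2 and 3, added here as an example and not taken from the article: it reads the current value back before and after the change, so a zero-row update is noticed before the restart, and covers both ports 8443 and 9443 in one statement via a subquery. It assumes only the ssg.connector and ssg.connector_property columns used above; the backup command and the stored spelling of the TLS 1.0 value are assumptions.

```sql
-- Constructed example session for the MySQL console on the Gateway node.
-- Back up first, e.g. from the OS prompt before opening the console:
--   mysqldump ssg > ssg_backup.sql

-- 1. Confirm which listen ports are affected and what they allow today.
SELECT c.goid, c.port, p.value AS protocols
  FROM ssg.connector c
  JOIN ssg.connector_property p ON p.connector_goid = c.goid
 WHERE c.port IN (8443, 9443)
   AND p.name = 'protocols';
-- A value listing only TLS 1.0 (e.g. 'TLSv1') matches the symptom in this
-- article. A port that returns no row has no explicit 'protocols' property,
-- so it falls back to the 10.1 default and is not the cause.

-- 2. Enable the newer protocols on every affected port at once.
--    The article's value is kept; TLSv1.1 is also deprecated, so drop it
--    as well if no client still depends on it.
UPDATE ssg.connector_property
   SET value = 'TLSv1.1,TLSv1.2,TLSv1.3'
 WHERE name = 'protocols'
   AND connector_goid IN (SELECT goid FROM ssg.connector
                           WHERE port IN (8443, 9443));
-- MySQL prints "Rows matched: N  Changed: N". N should equal the number of
-- rows returned by the SELECT above; 0 means nothing was changed.

-- 3. Read the rows back before restarting ssg (step 4 in the article).
SELECT c.port, p.value AS protocols
  FROM ssg.connector c
  JOIN ssg.connector_property p ON p.connector_goid = c.goid
 WHERE c.port IN (8443, 9443)
   AND p.name = 'protocols';
```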
