Network connectivity to vCloud Usage Insight fails due to UTM enabled on FortiGate Firewall
Article ID: 321895
Updated On:
Products
VMware Aria Suite
Issue/Introduction
Symptoms:
When you try to test your network connectivity to vCloud Usage Insight in the Usage Meter Initialization Wizard, you could see the below error: Failed to connect to the proxy server. Remote host terminated the handshake.
When you try to test your network connectivity to vCloud Usage Insight in the Usage Meter Initialization Wizard, you could see the below error: Failed to connect to the proxy server. Remote host terminated the handshake.
Environment
VMware vCloud Usage Meter 4.x
Cause
The issue appears when UTM is enabled on the FortiGate Firewall.
Troubleshooting
Procedure
To check your network connectivity to vCloud Usage Insight, do the following:- SSH connect to your Usage Meter appliance as usagemeter and run the following command:
curl -v https://ums.cloud.vmware.com/um/api/ping
You should receive the following response:
"Connected to ums.cloud.vmware.com (xx.xxx.xxx.xxx) port 443 (#0)".
"Connected to ums.cloud.vmware.com (xx.xxx.xxx.xxx) port 443 (#0)".
- Run the following Open SSL command and check if it fetches the correct certificate chain for ums.cloud.vmware.com.
openssl s_client -connect ums.cloud.vmware.com:443 -servername ums.cloud.vmware.com
Below is a sample excluding the certificate details:
CONNECTED(00000003)
depth=2 C = US, O = "XXXX, Inc.", OU = See www.xxxx.net/legal-terms, OU = "(c) 2009 xxxx, Inc. - for authorized use only", CN = xxxx Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "XXXX, Inc.", OU = See www.xxxx.net/legal-terms, OU = "(c) 2012 xxxx, Inc. - for authorized use only", CN = xxxx Certification Authority - L1K
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = "VMware, Inc", CN = ums.cloud.vmware.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/CN=ums.cloud.vmware.com
i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2012 xxxx, Inc. - for authorized use only/CN=xxxx Certification Authority - L1K
1 s:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2012 xxxx, Inc. - for authorized use only/CN=xxxx Certification Authority - L1K
i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=xxxx Root Certification Authority - G2
i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
CONNECTED(00000003)
depth=2 C = US, O = "XXXX, Inc.", OU = See www.xxxx.net/legal-terms, OU = "(c) 2009 xxxx, Inc. - for authorized use only", CN = xxxx Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "XXXX, Inc.", OU = See www.xxxx.net/legal-terms, OU = "(c) 2012 xxxx, Inc. - for authorized use only", CN = xxxx Certification Authority - L1K
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = "VMware, Inc", CN = ums.cloud.vmware.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/CN=ums.cloud.vmware.com
i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2012 xxxx, Inc. - for authorized use only/CN=xxxx Certification Authority - L1K
1 s:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2012 xxxx, Inc. - for authorized use only/CN=xxxx Certification Authority - L1K
i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
2 s:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=xxxx Root Certification Authority - G2
i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
- Run the following command and check if it shows the nslookup details as below:
nslookup ums.cloud.vmware.com
Server: 127.0.0.xx
Address: 127.0.0.xx#53Non-authoritative answer:
ums.cloud.vmware.com canonical name
Address: 127.0.0.xx#53Non-authoritative answer:
ums.cloud.vmware.com canonical name
Resolution
Procedure
To solve the network connectivity issue to vCloud Usage Insight:- Exclude https://ums.cloud.vmware.com from the UTM features on the FortiGate Firewall.
- Disable the following options in the firewall policy for Usage Meter:
- Turn off Web Filter.
- Set SSL Inspection to no-inspection.
Feedback
Yes
No
Powered by
