Network connectivity to vCloud Usage Insight fails due to UTM enabled on FortiGate Firewall

Article ID: 321895

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
When you test your network connectivity to vCloud Usage Insight in the Usage Meter Initialization Wizard, you may see the following error: Failed to connect to the proxy server. Remote host terminated the handshake.

Environment

VMware vCloud Usage Meter 4.x

Cause

The issue appears when UTM is enabled on the FortiGate Firewall.

Troubleshooting

Procedure

To check your network connectivity to vCloud Usage Insight, do the following:
  1. Connect to your Usage Meter appliance over SSH as usagemeter and run the following command:
curl -v https://ums.cloud.vmware.com/um/api/ping
You should see the following line in the response:

Connected to ums.cloud.vmware.com (xx.xxx.xxx.xxx) port 443 (#0)
  2. Run the following OpenSSL command and check that it fetches the correct certificate chain for ums.cloud.vmware.com:
openssl s_client -connect ums.cloud.vmware.com:443 -servername ums.cloud.vmware.com
Below is sample output with the certificate bodies omitted:

CONNECTED(00000003)
depth=2 C = US, O = "XXXX, Inc.", OU = See www.xxxx.net/legal-terms, OU = "(c) 2009 xxxx, Inc. - for authorized use only", CN = xxxx Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "XXXX, Inc.", OU = See www.xxxx.net/legal-terms, OU = "(c) 2012 xxxx, Inc. - for authorized use only", CN = xxxx Certification Authority - L1K
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = "VMware, Inc", CN = ums.cloud.vmware.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/CN=ums.cloud.vmware.com
   i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2012 xxxx, Inc. - for authorized use only/CN=xxxx Certification Authority - L1K
 1 s:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2012 xxxx, Inc. - for authorized use only/CN=xxxx Certification Authority - L1K
   i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
 2 s:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=xxxx Root Certification Authority - G2
   i:/C=US/O=xxxx, Inc./OU=See www.xxxx.net/legal-terms/OU=(c) 2009 xxxx, Inc. - for authorized use only/CN=Entrust Root Certification Authority - G2
  3. Run the following command and check that it shows the nslookup details as below:
nslookup ums.cloud.vmware.com
Server:         127.0.0.xx
Address:        127.0.0.xx#53

Non-authoritative answer:
ums.cloud.vmware.com    canonical name
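As an added example (not part of the KB article), the following Python check parses captured `openssl s_client` output from step 2 and flags a chain that does not terminate at the expected public root, which is what an inspecting firewall that re-signs the server certificate produces. The expected root CN is the one shown in the article's sample; the two sample chains and the `Example-Inspection-CA` names are constructed.

```python
import re
# Expected values from the article's sample chain: the Usage Insight endpoint
# and the public root CN at which the genuine chain terminates.
EXPECTED_HOST = "ums.cloud.vmware.com"
EXPECTED_ROOT_CN = "Entrust Root Certification Authority - G2"

# Constructed sample in the article's layout: the genuine chain.
HEALTHY = """\
 0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc/CN=ums.cloud.vmware.com
   i:/C=US/O=xxxx, Inc./CN=xxxx Certification Authority - L1K
 1 s:/C=US/O=xxxx, Inc./CN=xxxx Certification Authority - L1K
   i:/C=US/O=xxxx, Inc./CN=Entrust Root Certification Authority - G2
"""
# Constructed sample: the same host behind an inspecting firewall that
# re-signs the leaf with its own CA (names are placeholders).
INSPECTED = """\
 0 s:/CN=ums.cloud.vmware.com
   i:/O=Example Firewall/CN=Example-Inspection-CA
 1 s:/O=Example Firewall/CN=Example-Inspection-CA
   i:/O=Example Firewall/CN=Example-Inspection-CA
"""
SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:/C=US/..." lines
ISSUER = re.compile(r"^\s+i:(.*)$")          # "   i:/C=US/..." lines

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order s_client prints them."""
    chain, subject = [], None
    for line in text.splitlines():
        if m := SUBJECT.match(line):
            subject = m.group(1).strip()
        elif (m := ISSUER.match(line)) and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def cn(dn):  # pull the CN attribute out of an OpenSSL slash-separated DN
    m = re.search(r"/CN=([^/]+)", dn)
    return m.group(1).strip() if m else ""

def check_chain(text, host=EXPECTED_HOST, root_cn=EXPECTED_ROOT_CN):
    """Return findings; an empty list means the chain matches expectations."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificate chain in output: handshake was terminated"]
    findings = []
    if cn(chain[0][0]) != host:
        findings.append(f"leaf CN {cn(chain[0][0])!r} is not {host!r}")
    if (top := cn(chain[-1][1])) != root_cn:
        findings.append(f"chain ends at {top!r}, not {root_cn!r}: likely re-signed by SSL inspection")
    return findings
```

Pipe the real `openssl s_client` output from step 2 into `check_chain` to decide whether the appliance is seeing the genuine chain or one re-issued by the firewall.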

Resolution

Procedure

To solve the network connectivity issue to vCloud Usage Insight:
  1. Exclude https://ums.cloud.vmware.com from the UTM features on the FortiGate Firewall.
  2. Disable the following options in the firewall policy for Usage Meter:
  • Turn off Web Filter.
  • Set SSL Inspection to no-inspection.