Error: "hub: SSL handshake" and single client tunnel cannot connect to hub

Article ID: 34951

Products

  • DX Infrastructure Management
  • NIMSOFT PROBES
  • CA Unified Infrastructure Management for z Systems
  • CA Unified Infrastructure Management SaaS (Nimsoft / UIM)
  • CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)
  • DX SaaS

Issue/Introduction

After setting up the hub tunnel and its certificate, we cannot get the tunnel to connect. The same root cause also shows up as:

  • UIM upgrade fails
  • UIM CABI upgrade unable to connect
  • UIM hub handshake error after upgrade
  • UIM upgrade stuck at a fixed percentage (for example 3%)

The client side hub logs show the following errors:

May 9 15:23:33:849 [2832] hub: SSL handshake start from 69.176.98.24/48003: before/connect initialization
May 9 15:23:33:849 [2832] hub: SSL state (connect): before/connect initialization
May 9 15:23:33:849 [2832] hub: SSL state (connect): SSLv3 write client hello A
May 9 15:23:33:880 [2832] hub: ssl_connect - SSL_connect error (5) on new SSL connection
May 9 15:23:33:880 [2832] hub: SSL_connect error occured
May 9 15:23:33:880 [2832] hub: TSESS could not connect to tunnel 69.176.98.24:48003 (0)
May 9 15:23:33:880 [2832] hub: CTRL could not connect to server 69.176.98.24/48003

The server side hub logs show:

May 9 15:09:38:129 [140089799726848] hub: TSESS-A-47-124 session looping (60) wait_time is now: 605
May 9 15:09:38:199 [140090869274368] hub: SSL handshake start from 209.249.244.5/63959: before/accept initialization
May 9 15:09:38:199 [140090869274368] hub: SSL state (accept): before/accept initialization
May 9 15:09:38:205 [140090051352320] hub: Sent heartbeat on queue route 'Audit_to_On-Prem'
May 9 15:09:38:211 [140090869274368] hub: SSL alert (write): fatal: handshake failure
May 9 15:09:38:211 [140090869274368] hub: ssl_server_wait - SSL_accept error (1) on new SSL connection: 209.249.244.5
May 9 15:09:38:211 [140090869274368] hub: [1] error:0x1408A0C1:SSL routine:SSL3_GET_CLIENT_HELLO:no shared cipher

You can telnet to the correct IP address and port, and a Wireshark trace looks normal.

Cause

  • A security device between the client hub and the server hub is decrypting and re-encrypting the SSL traffic, which causes the "SSL_connect error (5)" error on the client side.
  • A setting on the client-side firewall called "SSL Decryption" intercepts the certificate being sent out, attempts to decrypt the session, and then re-encrypts it and forwards it. Because the firewall opens its own SSL connection to the server hub, the server sees the firewall's cipher list instead of the client hub's, which is why the server-side log reports "no shared cipher".

There may be other causes.

Note: This issue is not hub or UIM specific. The problem is external to Nimsoft/UIM and can be seen on any hub version running a tunnel.
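A quick way to confirm that an intercepting device is involved is to compare the certificate a client actually receives on the tunnel port with the fingerprint of the certificate the server hub really serves. The following script is an added example and not part of this article or of the UIM/Nimsoft hub; it assumes you have already obtained the SHA-256 fingerprint of the server hub's tunnel certificate (for example with `openssl x509 -noout -fingerprint -sha256 -in <cert.pem>` on the server) and the host name, port and sample certificate bytes it uses are placeholders or constructed values, not values from the article.

```python
# Added example (not part of the original article or of the UIM/Nimsoft hub code).
# Detects an intercepting "SSL Decryption" device by comparing the certificate a
# client actually receives from the tunnel port with the fingerprint of the
# certificate the server hub is known to serve.
import argparse
import hashlib
import ssl


def fingerprint_sha256(der_bytes: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER-encoded certificate,
    the same format that 'openssl x509 -fingerprint -sha256' prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop colons/spaces and upper-case, so fingerprints copied from different
    tools compare equal."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def classify_presented_certificate(expected_fp: str, presented_der: bytes) -> str:
    """'match' when the presented certificate is the one the server hub serves,
    'mismatch' when a different certificate arrived (the interception symptom)."""
    presented_fp = fingerprint_sha256(presented_der)
    if normalize_fingerprint(expected_fp) == normalize_fingerprint(presented_fp):
        return "match"
    return "mismatch"


def fetch_presented_certificate(host: str, port: int) -> bytes:
    """Complete a TLS handshake with host:port WITHOUT verifying the peer and
    return the DER certificate it presented. Verification is deliberately off:
    the point is to see whatever certificate arrives, including one substituted
    by a middlebox."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def diagnose(host: str, port: int, expected_fp: str) -> str:
    """Operator-readable verdict, meant to be run from the client hub."""
    try:
        der = fetch_presented_certificate(host, port)
    except ssl.SSLError as exc:
        # Corresponds to the client-side "SSL_connect error" in the hub log. A
        # failed handshake alone does not prove interception; it just means no
        # certificate could be compared.
        return f"handshake with {host}:{port} failed: {exc}"
    verdict = classify_presented_certificate(expected_fp, der)
    seen = fingerprint_sha256(der)
    if verdict == "match":
        return f"{host}:{port} presented the expected hub certificate ({seen})"
    return (f"{host}:{port} presented a DIFFERENT certificate ({seen}); "
            "something between this client and the server hub is terminating TLS")


# Constructed sample "certificates": the fingerprint is a hash of the DER bytes,
# so arbitrary bytes are enough to exercise the comparison offline.
SAMPLE_HUB_CERT_DER = b"\x30\x82\x01\x00constructed-hub-tunnel-cert"
SAMPLE_INTERCEPTOR_CERT_DER = b"\x30\x82\x01\x00constructed-firewall-resigned-cert"


def demo() -> tuple:
    """Offline walk-through: the genuine certificate matches its own fingerprint,
    a re-signed one from an intercepting device does not."""
    expected = fingerprint_sha256(SAMPLE_HUB_CERT_DER)
    return (classify_presented_certificate(expected, SAMPLE_HUB_CERT_DER),
            classify_presented_certificate(expected, SAMPLE_INTERCEPTOR_CERT_DER))


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Check a hub tunnel port for TLS interception")
    parser.add_argument("host", help="server hub address, e.g. hub.example.com (placeholder)")
    parser.add_argument("port", type=int, help="tunnel port, e.g. 48003")
    parser.add_argument("expected_fp", help="SHA-256 fingerprint of the hub's real tunnel certificate")
    args = parser.parse_args()
    print(diagnose(args.host, args.port, args.expected_fp))
```

Run it from the client hub against the server hub's tunnel address; a "DIFFERENT certificate" verdict means the certificate is being replaced in transit, which is exactly what a firewall's SSL Decryption feature does. If the handshake fails before any certificate is returned, the device may be rewriting the ClientHello as well, matching the "no shared cipher" entry on the server side.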

Environment

  • UIM 8.x, 9.x, 20.x
  • HUB 7.x, 9.x

Resolution

Removing the "SSL Decryption" setting, or adding an exception for the hub servers (or the tunnel port), should allow the tunnel connection to be established.

Additional Information

Example Reference Article: https://live.paloaltonetworks.com/docs/DOC-1412