Symantec VIPDiagnostic.bat connectivity fails on 'LDAP Connectivity from Validation Servers' test
search cancel

Symantec VIPDiagnostic.bat connectivity fails on 'LDAP Connectivity from Validation Servers' test

book

Article ID: 413082

calendar_today

Updated On:

Products

VIP Service

Issue/Introduction

The VIPDiagnostic.bat test shows a failed result on the 'LDAP Connectivity from Validation Servers' test. 

vipDiagnostic.log sample:

ERROR "2025-06 11:03:54.141 GMT-0600" "[VipDiagnostic:testLiveUpdateConnectivity] IOException occured while execute request. Error: Certificate for <liveupdate.symantecliveupdate.com> doesn't match any of the subject alternative names: [*.vmware.com, *.broadcom.com]" 
ERROR "2025 -06 11:04:58.715 GMT-0600" "[VipDiagnostic:testCloudConnectivityFromValServer] curl_easy_perform error when trying to connect to https://userservices-auth.vip.symantec.com/vipuserservices/QueryService_1_10. Error: Peer certificate cannot be authenticated with given CA certificates"
ERROR "2025 -06 11:04:58.716 GMT-0600" "[VipDiagnostic:testCloudConnectivityFromValServer] Failed connecting to https://userservices-auth.vip.symantec.com/vipuserservices/QueryService_1_10. Http response code: 0"
ERROR "2025 -06 11:04:58.715 GMT-0600" "[VipDiagnostic:testCloudConnectivityFromValServer] curl_easy_perform error when trying to connect to https://userservices-auth.vip.symantec.com/vipuserservices/QueryService_1_10. Error: Peer certificate cannot be authenticated with given CA certificates"
ERROR "2025-06 11:04:58.716 GMT-0600" "[VipDiagnostic:testCloudConnectivityFromValServer] Failed connecting to https://userservices-auth.vip.symantec.com/vipuserservices/QueryService_1_10. Http response code: 0"

Cause

The test connection to the VIP Cloud from the Validation Server(s) requires authentication from the VIP certificate added to the VIP Enterprise Gateway through port 443 as part of the handshake flow. SSL interceptions prevents the client authentication from completing successfully. 

Resolution

Add an SSL intercept exception for *.vip.symantec.com.

 

Note: Verify SSL interception using OpenSSL to examine the certificate presented by the server to verify if it's the original certificate or one issued by an intercepting proxy. To do this, open an administrator command prompt, navigate to <VIPEG_install>\tools, then run this command:.

  • VIP EG 10.x and later: openssl s_client -connect userservices-auth.vip.symantec.com:443 -CAfile "C:\Program Files\Symantec\VIP_Enterprise_Gateway\conf\root.pem"

  • VIP EG 9.9.x: openssl s_client -connect userservices-auth.vip.symantec.com:443 -CAfile "C:\Program Files (x86)\Symantec\VIP_Enterprise_Gateway\conf\root.pem"

The certificate depth should chain to CN=DigiCert Global Root G2 > CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1 > CN=userservices-auth.vip.symantec.com

Powered by Wolken Software