SSL warnings when sending syslog messages from AVI to syslog server over anonymous TLS

Article ID: 428618

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

SSL error while reading stream; tls_error='SSL routines:(null):unexpected eof while reading'

Environment

All Avi versions

Cause

The error below is observed in the syslog/messages logs of the syslog server when Avi sends syslog messages over Anonymous TLS.

    SSL error while reading stream; tls_error='SSL routines:(null):unexpected eof while reading'

The syslog server configured under Alert Action (Operation -> Notification -> Syslog) has client auth enabled for TLS along with Anonymous TLS (anon_auth).

Below is a sample configuration with the above options enabled.

+-------------------------------+--------------------------------------------------------+
| Field                         | Value                                                  |
+-------------------------------+--------------------------------------------------------+
| uuid                          | alertsyslogconfig-########-####-####-####-##########   |
| name                          | SyslogServer                                           |
| syslog_servers[1]             |                                                        |
|   syslog_server               | <external-server-ip>                                   |
|   syslog_server_port          | <external-server-port>                                 |
|   udp                         | False                                                  |
|   format                      | SYSLOG_LEGACY                                          |
|   tls_enable                  | True                                                   |
|   ssl_key_and_certificate_ref | SyslogCert                                             |
|   pkiprofile_ref              | SyslogPKI                                              |
|   anon_auth                   | True                                                   |
|   strict_cert_verify          | False                                                  |
| tenant_ref                    | admin                                                  |
+-------------------------------+--------------------------------------------------------+

With the above options (anon_auth=True), the Avi Controller resets the old connection every time Avi sends a new syslog message.

Resolution

Workaround:

Set anon_auth to false. This ensures that Avi ALB does not reset the connection and sends subsequent data over the same connection.

Follow the steps below on the Avi Controller CLI to disable anon_auth:

1. Log in to the CLI of the Controller.
2. Execute the commands below.

    admin@<Controller-IP>~$ shell
    [admin@<Controller-IP>]: > configure alertsyslogconfig <syslog_server_name>
    [admin@<Controller-IP>]: alertsyslogconfig> no anon_auth
    [admin@<Controller-IP>]: alertsyslogconfig> save
    [admin@<Controller-IP>]: > save

+-------------------------------+--------------------------------------------------------+
| Field                         | Value                                                  |
+-------------------------------+--------------------------------------------------------+
| uuid                          | alertsyslogconfig-######-####-####-###########         |
| name                          | SyslogServer                                           |
| syslog_servers[1]             |                                                        |
|   syslog_server               | <external-server-ip>                                   |
|   syslog_server_port          | <external-server-port>                                 |
|   udp                         | False                                                  |
|   format                      | SYSLOG_LEGACY                                          |
|   tls_enable                  | True                                                   |
|   ssl_key_and_certificate_ref | <ssl_certificate_name>                                 |
|   pkiprofile_ref              | <pki_profile_name>                                     |
|   anon_auth                   | False                                                  |
|   strict_cert_verify          | False                                                  |
| tenant_ref                    | admin                                                  |
+-------------------------------+--------------------------------------------------------+
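
To check saved CLI output for server entries that still have the combination described under Cause (tls_enable and anon_auth both True), the table layout shown above can be parsed directly. This is an added example, not part of the original article or of Avi tooling; the function names and the sample table are constructed for illustration, and only the field names come from the tables above.

```python
import re

# Constructed sample in the article's table layout; entry [2] is an invented UDP server.
SAMPLE = """\
+-------------------------------+----------------------+
| Field                         | Value                |
+-------------------------------+----------------------+
| name                          | SyslogServer         |
| syslog_servers[1]             |                      |
|   syslog_server               | <external-server-ip> |
|   tls_enable                  | True                 |
|   ssl_key_and_certificate_ref | SyslogCert           |
|   anon_auth                   | True                 |
| syslog_servers[2]             |                      |
|   syslog_server               | <second-server-ip>   |
|   udp                         | True                 |
| tenant_ref                    | admin                |
+-------------------------------+----------------------+
"""

# One table row: leading indent (1 = top level, 3 = nested), field name, value.
ROW = re.compile(r"^\|( *)(\S+) *\| (.*?) *\|$")

def parse_table(text):
    """Return (top_level_fields, {index: server_fields}) from a CLI table."""
    top, servers, current = {}, {}, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group(2) == "Field":
            continue  # border lines and the header row carry no data
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        entry = re.fullmatch(r"syslog_servers\[(\d+)\]", key)
        if entry:
            current = servers.setdefault(int(entry.group(1)), {})
        elif indent > 1 and current is not None:
            current[key] = value  # indented row belongs to the open server entry
        else:
            current = None
            top[key] = value
    return top, servers

def flag_anon_tls(text):
    """List (config name, index, server) for TLS entries with anon_auth True."""
    top, servers = parse_table(text)
    return [(top.get("name"), i, s.get("syslog_server"))
            for i, s in sorted(servers.items())
            if s.get("tls_enable") == "True" and s.get("anon_auth") == "True"]

if __name__ == "__main__":
    print(flag_anon_tls(SAMPLE))
```

An empty list after the workaround has been applied means no TLS entry in that output still has anon_auth set to True.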

Additional Information

This issue will be fixed in future maintenance releases.