Check_http error with ssl of asa


Postby majed » Fri Jun 23, 2017 6:43 am

Peace. I have 2 Cisco ASAs; on the newer one check_http is working fine:

./check_http -I 10.10.12.89 -S
HTTP OK: HTTP/1.1 301 Moved Permanently - 126 bytes in 0.013 second response time |time=0.013359s;;;0.000000 size=126B;;;0

The older one is causing the problem:

./check_http -I 10.10.110.10 -S
CRITICAL - Cannot make SSL connection.
139921643919000:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:


./check_http -V
check_http v2.0.3 (nagios-plugins 2.0.3)


telnet 10.10.110.10 443
Trying 10.10.110.10...
Connected to 10.10.110.10.
Escape character is '^]'.


nmap 10.10.110.10 -p T:443
Nmap scan report for 10.10.110.10
Host is up (0.00052s latency).
PORT    STATE    SERVICE
443/tcp filtered https
MAC Address: 44:C3:CA:CE:99:37 (Cisco Systems)

Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds


What is the problem?
Seek and you shall find, knock and it shall be opened, cry and you shall find comfort

Re: Check_http error with ssl of asa

Postby cdienger » Fri Jun 23, 2017 10:09 am

It's something to do with the handshake negotiation. Try the following:

./check_http -I 10.10.12.89 -S 1
./check_http -I 10.10.12.89 -S 2
./check_http -I 10.10.12.89 -S 3

Re: Check_http error with ssl of asa

Postby majed » Mon Jun 26, 2017 1:39 am

# ./check_http -I 10.10.12.89 -S 1
CRITICAL - Cannot make SSL connection.
139926944298648:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
# ./check_http -I 10.10.12.891 -S 2
CRITICAL - Cannot make SSL connection.
140089038775960:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
# ./check_http -I 10.10.12.89 -S 3
CRITICAL - Cannot make SSL connection.
140619661993624:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

Unlucky guess; anything else to try? Thanks for the reply!

Re: Check_http error with ssl of asa

Postby cdienger » Mon Jun 26, 2017 11:06 am

Do you know if the request is going through a proxy? Check with the network team to verify if needed.

Let's gather the output of:

openssl s_client -connect 10.10.12.89:443
openssl version


It may also be useful to get a tcpdump:

yum -y install tcpdump
tcpdump -s 0 -i any host 10.10.12.89 -w asa.pcap

Allow this to run just long enough to reproduce the error, use CTRL+C to stop it, and gather the asa.pcap that was generated. Feel free to PM me the results if you'd like to keep info regarding your network private.
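The tcpdump cdienger asks for is worth reading at the byte level, because the OpenSSL counters already tell the story: the 308 bytes written are the ClientHello, and the 7 bytes read back are exactly one TLS alert record (a 5-byte record header plus a 2-byte alert: level 2 = fatal, description 40 = handshake_failure), which is what "sslv3 alert handshake failure" means regardless of the TLS version in play. For context, with nagios-plugins 2.0.x the numeric argument to -S pins the client to a single protocol (1 = TLSv1, 2 = SSLv2, 3 = SSLv3) instead of auto-negotiating. The following stdlib-only Python is an added example, not code from the thread or from the Nagios project: it decodes TLS records the way one would when walking through the capture. The ClientHello and the 7-byte alert are constructed here by hand to mirror the numbers above, not captured from the ASA.

```python
import struct

# Constructed input (added example, not data from the thread): the 7-byte record a
# server sends when it refuses the handshake: record header (type 21 = alert,
# version, length 2) + alert level (2 = fatal) + description (40 = handshake_failure).
SERVER_ALERT = bytes.fromhex("15 03 01 00 02 02 28")

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # RFC 5246 section 7.2; the ones that turn up in failed handshakes
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    48: "unknown_ca", 70: "protocol_version", 80: "internal_error",
}


def parse_record(data):
    """Split one TLS record into (content_type, record_version, payload)."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if len(data) < 5 + length:
        raise ValueError("truncated record body")
    return ctype, version, data[5:5 + length]


def describe_alert(payload):
    """Render a 2-byte alert payload as 'level description (code)'."""
    level, desc = payload[0], payload[1]
    return "%s %s (%d)" % (ALERT_LEVELS.get(level, "level?"),
                           ALERT_DESCRIPTIONS.get(desc, "unknown"), desc)


def build_client_hello(version=0x0303, suites=(0xC02F, 0x002F)):
    """Construct a minimal ClientHello record (no extensions) for the demo."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                              # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return struct.pack("!BHH", 22, 0x0301, len(handshake)) + handshake


def parse_client_hello(payload):
    """Return (client_version, [cipher suite ids]) from a ClientHello handshake body."""
    if payload[0] != 1:
        raise ValueError("not a ClientHello")
    body = payload[4:]                                  # skip handshake type + 3-byte length
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                        # past version and 32-byte random
    pos += 1 + body[pos]                                # session id length + session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return client_version, suites


def diagnose(client_bytes, server_bytes):
    """Summarise a handshake in which the server answered the ClientHello with one record."""
    ctype, _, payload = parse_record(client_bytes)
    if ctype != 22:
        raise ValueError("first client record is not a handshake record")
    client_version, suites = parse_client_hello(payload)
    stype, _, spayload = parse_record(server_bytes)
    summary = {
        "client_version": VERSIONS.get(client_version, hex(client_version)),
        "offered_suites": ["0x%04X" % s for s in suites],
        "server_record": CONTENT_TYPES.get(stype, str(stype)),
    }
    if stype == 21:
        summary["server_alert"] = describe_alert(spayload)
        summary["verdict"] = ("server refused the ClientHello: no version/cipher overlap "
                              "or nothing configured to serve on this interface"
                              if spayload[1] == 40 else "server sent a non-handshake alert")
    elif stype == 22:
        summary["verdict"] = "server replied with a handshake message; decode the ServerHello next"
    else:
        summary["verdict"] = "unexpected record type from server"
    return summary


if __name__ == "__main__":
    for key, value in diagnose(build_client_hello(), SERVER_ALERT).items():
        print("%-15s %s" % (key, value))
```

In a real capture the ClientHello carries extensions (SNI, supported groups) after the compression methods, which this minimal parser does not walk; the cipher suite list and client version are what matter for the "handshake_failure" case, since a fatal alert immediately after the ClientHello means the server found nothing it could serve, not that a certificate failed validation on the client side.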

Re: Check_http error with ssl of asa

Postby majed » Tue Jun 27, 2017 2:11 am

Good to see you again. The ASA is the gateway to Nagios.

#openssl version
OpenSSL 1.0.2k  26 Jan 2017


# openssl s_client -connect 10.10.12.89:443
CONNECTED(00000003)
139744942528152:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1498547136
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Re: Check_http error with ssl of asa

Postby cdienger » Tue Jun 27, 2017 1:23 pm

If you google the error message, you'll find it can mean a lot of things. The tcpdump may help us determine what the problem is. Also, what are the security settings on the ASA? Does it expect a specific TLS or SSL version or specific ciphers? What is the difference between the old ASA and the new ASA? Is there anything on the ASA that would tell us more about why the connection is failing?

Re: Check_http error with ssl of asa

Postby tgriep » Tue Jun 27, 2017 1:28 pm

Another thing to look at is whether the ASA has a certificate enabled; if not, it would have to be regenerated.
Take a look at this link for help in doing that on the ASA firewall.
http://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/200339-Configure-ASA-SSL-Digital-Certificate-I.html
Be sure to check out our Knowledgebase for helpful articles and solutions!

Re: Check_http error with ssl of asa

Postby majed » Wed Jun 28, 2017 1:20 am

Only those who love Big Brother use Google or public search engines. Thanks for the link; it helped me see that on the older ASA there was no certificate, while on the newer ASA there is a self-signed certificate. I generated a self-signed certificate; unfortunately the same error remains for some reason. -S 1, -S 2 and -S 3 produce the same error.
CRITICAL - Cannot make SSL connection.
139950325683864:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

What is the next move? Send a new tcpdump?

Re: Check_http error with ssl of asa

Postby majed » Wed Jun 28, 2017 1:39 am

Well, I read the document to the end and configured the SSL settings: added active encryption algorithms and added the trust points to the needed interfaces and... wait for it... it worked! Be happy :) and thanks for your tips and relentless aid.
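What majed describes in the post above (a trustpoint holding a self-signed certificate, bound to the interface Nagios reaches, plus an explicit cipher list) looks roughly like the following on the ASA CLI. This is an added example, not majed's configuration and not copied from the Cisco document linked above: the key and trustpoint names, the interface name and the CN are placeholders, and the exact cipher commands depend on the ASA release (ssl encryption on releases before 9.3, ssl cipher from 9.3 on), so check the syntax against the running version.

```text
! --- Before (the failing state): the interface answers on 443 but has no
!     trustpoint bound to it and no cipher list enabled, so every ClientHello
!     is refused with a fatal alert, which is the handshake_failure seen above.
!
! --- After: generate a key pair, self-sign a certificate into a trustpoint,
!     bind the trustpoint to the interface, and enable ciphers explicitly.
crypto key generate rsa label NAGIOS-KEY modulus 2048
crypto ca trustpoint NAGIOS-TP
 enrollment self
 keypair NAGIOS-KEY
 subject-name CN=asa-old.example.net
crypto ca enroll NAGIOS-TP noconfirm
!
! Bind the certificate to the interface the Nagios host connects through
! ("inside" is a placeholder for whichever nameif that is).
ssl trust-point NAGIOS-TP inside
!
! ASA 9.3 and later: choose the protocol floor and cipher level.
ssl server-version tlsv1.2
ssl cipher tlsv1.2 high
!
! Pre-9.3 equivalent of the cipher list (do not use both forms):
! ssl encryption aes256-sha1 aes128-sha1 3des-sha1
!
! Verify: the trustpoint should show a certificate and the interface binding,
! and the ssl summary should list enabled ciphers.
show crypto ca certificates NAGIOS-TP
show ssl
```

With the trustpoint bound, the check from the Nagios host should negotiate instead of being refused; if it still fails after this, re-run the openssl s_client test from the earlier post and compare the protocol the check_http build can speak (nagios-plugins 2.0.3 pins only TLSv1, SSLv2 or SSLv3 with -S N) against the floor set by ssl server-version.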

Re: Check_http error with ssl of asa

Postby tgriep » Wed Jun 28, 2017 9:58 am

You're welcome; glad it worked for you. I'll close and lock the post as solved, but if you have any new questions, feel free to open a new post.
