Check_http error with ssl of asa

Posted: Fri Jun 23, 2017 6:43 am
by majed
Peace, I have two Cisco ASAs. On the newer one check_http is working fine:


./check_http -I 10.10.12.89 -S
HTTP OK: HTTP/1.1 301 Moved Permanently - 126 bytes in 0.013 second response time |time=0.013359s;;;0.000000 size=126B;;;0
The older one is causing the problem:


 ./check_http -I 10.10.110.10 -S
CRITICAL - Cannot make SSL connection.
139921643919000:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
./check_http -V


check_http v2.0.3 (nagios-plugins 2.0.3)
telnet 10.10.110.10 443


Trying 10.10.110.10...
Connected to 10.10.110.10.
Escape character is '^]'.
nmap 10.10.110.10 -p T:443


Nmap scan report for 10.10.110.10
Host is up (0.00052s latency).
PORT    STATE    SERVICE
443/tcp filtered https
MAC Address: 44:C3:CA:CE:99:37 (Cisco Systems)

Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds
what is the problem?

Re: Check_http error with ssl of asa

Posted: Fri Jun 23, 2017 10:09 am
by cdienger
It's something to do with the handshake negotiation. Try the following:


./check_http -I 10.10.12.89 -S 1
./check_http -I 10.10.12.89 -S 2
./check_http -I 10.10.12.89 -S 3

Re: Check_http error with ssl of asa

Posted: Mon Jun 26, 2017 1:39 am
by majed
# ./check_http -I 10.10.12.89 -S 1
CRITICAL - Cannot make SSL connection.
139926944298648:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
# ./check_http -I 10.10.12.891 -S 2
CRITICAL - Cannot make SSL connection.
140089038775960:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
# ./check_http -I 10.10.12.89 -S 3
CRITICAL - Cannot make SSL connection.
140619661993624:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

Unlucky guess. Anything else to try? Thanks for the reply!

Re: Check_http error with ssl of asa

Posted: Mon Jun 26, 2017 11:06 am
by cdienger
Do you know if the request is going through a proxy? Check with the network team to verify if needed.

Let's gather the output of:


openssl s_client -connect 10.10.12.89:443
openssl version
It may also be useful to get a tcpdump:

yum -y install tcpdump
tcpdump -s 0 -i any host 10.10.12.89 -w asa.pcap

Allow this to run just long enough to reproduce the error, use CTRL+C to stop it, and gather the asa.pcap that was generated. Feel free to PM me the results if you'd like to keep info regarding your network private.

Re: Check_http error with ssl of asa

Posted: Tue Jun 27, 2017 2:11 am
by majed
Good to see you again. The ASA is the gateway to Nagios.


#openssl version
OpenSSL 1.0.2k  26 Jan 2017


# openssl s_client -connect 10.10.12.89:443
CONNECTED(00000003)
139744942528152:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1498547136
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
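
The transcript above is the most useful clue in the thread: "SSL handshake has read 7 bytes" is exactly one TLS alert record (5-byte header plus a 2-byte alert), so the server answered the ClientHello with a fatal handshake_failure alert straight away rather than with a ServerHello. That is what a TLS server does when it has nothing to offer: no certificate/key bound to the interface, or no cipher suite or protocol version in common with the client. Note also that check_http's -S 1, -S 2 and -S 3 pin the client to TLSv1, SSLv2 and SSLv3 respectively (1.1 and 1.2 select TLS 1.1/1.2), so trying all three only changes what the client offers, not what the server has. The following POSIX sh probe is an added example and is not code from the thread or from nagios-plugins: it runs openssl s_client once per protocol version, the way the -S variants do, and turns each transcript into a one-word verdict. The classifier is exercised against a constructed copy of the transcript posted above; the host and port in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: classify what a TLS endpoint answers with, using openssl s_client.
# Not part of the thread. Host/port in the usage comment are assumptions.

# Map one openssl s_client transcript ($1) to a one-word verdict on stdout.
# Patterns are checked in order: transport failure first, then the server's
# alert, then whether a cipher was actually negotiated.
classify_tls_probe() {
    out=$1
    case $out in
        *"connect:errno="*|*"Connection refused"*|*"connect: "*)
            # TCP never came up (refused, filtered, wrong host).
            echo tcp_failed ;;
        *"alert handshake failure"*)
            # Server answered the ClientHello with a fatal alert: no certificate
            # bound to this interface, or no common cipher/protocol. This is
            # the thread's symptom.
            echo handshake_rejected ;;
        *"alert protocol version"*|*"unsupported protocol"*)
            # Server (or our own OpenSSL policy) refuses this TLS version.
            echo protocol_rejected ;;
        *"Cipher is (NONE)"*)
            # Connected, no alert matched, but nothing negotiated.
            echo no_session ;;
        *"Cipher is "*)
            # A real session: a certificate and cipher were agreed.
            echo ok ;;
        *)
            echo unknown ;;
    esac
}

# Probe a live host once per protocol version (-tls1, -tls1_1, -tls1_2),
# the equivalent of check_http -S 1 / -S 1.1 / -S 1.2, printing
# "<version> <verdict>" per line. Needs network access.
tls_probe() {
    host=$1
    port=${2:-443}
    for v in tls1 tls1_1 tls1_2; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  -"$v" </dev/null 2>&1)
        printf '%s %s\n' "$v" "$(classify_tls_probe "$out")"
    done
}

# Constructed sample: the transcript posted in the thread, trimmed.
SAMPLE_REJECTED='CONNECTED(00000003)
139744942528152:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)'

# Constructed sample: what a working endpoint looks like (hostname assumed).
SAMPLE_OK='CONNECTED(00000003)
subject=/CN=asa.example.com
issuer=/CN=asa.example.com
---
New, TLSv1/SSLv3, Cipher is AES256-SHA'

# Usage against a real device:  sh tls_probe.sh 10.10.110.10 443
if [ $# -ge 1 ]; then
    tls_probe "$1" "${2:-443}"
fi
```

Run it against the failing ASA and every version comes back handshake_rejected; a "protocol_rejected" for tls1 only would instead point at a version mismatch, and "tcp_failed" at the filtering nmap reported. Because check_http -S does not verify the server certificate, a self-signed ASA certificate will satisfy the check once the server actually presents one.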

Re: Check_http error with ssl of asa

Posted: Tue Jun 27, 2017 1:23 pm
by cdienger
If you Google the error message, you'll find it can mean a lot of things. The tcpdump may help us determine what the problem is. Also, what are the security settings on the ASA? Does it expect a specific TLS or SSL version or ciphers? What is the difference between the old ASA and the new ASA? Is there anything on the ASA that would tell us more about why the connection is failing?

Re: Check_http error with ssl of asa

Posted: Tue Jun 27, 2017 1:28 pm
by tgriep
Another thing to look at is whether the ASA has a certificate enabled; if not, one would have to be regenerated.
Take a look at this link for help in doing that on the ASA Firewall.
http://www.cisco.com/c/en/us/support/do ... ate-I.html

Re: Check_http error with ssl of asa

Posted: Wed Jun 28, 2017 1:20 am
by majed
Only those who love Big Brother use Google or public search engines. Thanks for the link; it helped me see that on the older ASA there was no certificate, while on the newer ASA there is a self-signed certificate. I generated a self-signed certificate; unfortunately, the same error remains for some reason. -S 1, -S 2 and -S 3 produce the same error.


CRITICAL - Cannot make SSL connection.
139950325683864:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
What is the next move? Send a new tcpdump?

Re: Check_http error with ssl of asa

Posted: Wed Jun 28, 2017 1:39 am
by majed
Well, I read the document to the end and configured the SSL settings: added active encryption algorithms and added the trust points to the needed interfaces and... wait for it... it worked! Be happy :) and thanks for your tips and relentless aid.
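
The two steps that fixed it, a certificate bound to the interface and an explicit cipher list, are the two things the ASA's HTTPS server needs before it can answer a ClientHello with anything other than an alert (generating a certificate alone, as in the previous post, is not enough until a trustpoint is attached to the interface the poller reaches). The fragment below is an added example of that configuration; it is not the poster's config or text from the Cisco document. The key-pair label, trustpoint name, hostname and the interface name "inside" are assumptions, and the cipher command depends on ASA version: "ssl cipher" / "ssl server-version" exist on 9.3 and later, while 8.x through 9.2 use "ssl encryption"; the thread does not say which release the older ASA runs.

```text
! Added example (not from the thread or Cisco): minimal ASA configuration that
! gives the HTTPS server a key pair, a self-signed certificate bound to the
! interface the poller reaches, and an explicit cipher/protocol policy.
! SSL-KEYPAIR, SELF-SIGNED, asa.example.com and "inside" are assumptions.

! 1. Key pair the certificate will use
crypto key generate rsa label SSL-KEYPAIR modulus 2048

! 2. Self-signed identity certificate
crypto ca trustpoint SELF-SIGNED
 enrollment self
 fqdn asa.example.com
 subject-name CN=asa.example.com
 keypair SSL-KEYPAIR
crypto ca enroll SELF-SIGNED noconfirm

! 3. Bind the trustpoint to the interface check_http connects to
!    ("added the trust points to the needed interfaces")
ssl trust-point SELF-SIGNED inside

! 4. Protocol and cipher policy ("added active encryption algorithms")
!    ASA 9.3 and later:
ssl server-version tlsv1.2
ssl cipher tlsv1.2 high
!    ASA 8.x / 9.0 to 9.2 use the older form instead (no tlsv1.2 selection):
! ssl encryption aes256-sha1 aes128-sha1

! 5. Verify what the device will now present
show ssl
show crypto ca certificates SELF-SIGNED
```

With the trustpoint bound and a non-empty cipher list, openssl s_client gets a ServerHello and certificate instead of a 7-byte alert, and check_http -S returns the same HTTP 301 the newer ASA produced. Prefer the TLS 1.2 policy where the platform supports it; the older "ssl encryption" list is shown only because the pre-9.3 syntax has no other way to enable ciphers.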

Re: Check_http error with ssl of asa

Posted: Wed Jun 28, 2017 9:58 am
by tgriep
You're welcome, glad it worked for you. I'll close and lock the post as solved, but if you have any new questions, feel free to open a new post.