Check_http error with ssl of asa

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
majed
Posts: 98
Joined: Mon Mar 17, 2014 5:29 am

Check_http error with ssl of asa

Post by majed »

Peace, I have 2 Cisco ASAs. On the newer one check_http is working fine:

./check_http -I 10.10.12.89 -S
HTTP OK: HTTP/1.1 301 Moved Permanently - 126 bytes in 0.013 second response time |time=0.013359s;;;0.000000 size=126B;;;0

The older one is causing the problem:

./check_http -I 10.10.110.10 -S
CRITICAL - Cannot make SSL connection.
139921643919000:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

./check_http -V

check_http v2.0.3 (nagios-plugins 2.0.3)

telnet 10.10.110.10 443

Trying 10.10.110.10...
Connected to 10.10.110.10.
Escape character is '^]'.

nmap 10.10.110.10 -p T:443

Nmap scan report for 10.10.110.10
Host is up (0.00052s latency).
PORT    STATE    SERVICE
443/tcp filtered https
MAC Address: 44:C3:CA:CE:99:37 (Cisco Systems)

Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds

What is the problem?
Seek and you shall find, knock and it shall be opened, cry and you shall find comfort
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Check_http error with ssl of asa

Post by cdienger »

It's something to do with the handshake negotiation. Try the following:

./check_http -I 10.10.12.89 -S 1
./check_http -I 10.10.12.89 -S 2
./check_http -I 10.10.12.89 -S 3

As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
majed
Posts: 98
Joined: Mon Mar 17, 2014 5:29 am

Re: Check_http error with ssl of asa

Post by majed »

# ./check_http -I 10.10.12.89 -S 1
CRITICAL - Cannot make SSL connection.
139926944298648:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
# ./check_http -I 10.10.12.891 -S 2
CRITICAL - Cannot make SSL connection.
140089038775960:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
# ./check_http -I 10.10.12.89 -S 3
CRITICAL - Cannot make SSL connection.
140619661993624:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

Unlucky guess, anything else to try? Thanks for the reply!
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Check_http error with ssl of asa

Post by cdienger »

Do you know if the request is going through a proxy? Check with the network team to verify if needed.

Let's gather the output of:

openssl s_client -connect 10.10.12.89:443
openssl version

It may also be useful to get a tcpdump:

yum -y install tcpdump
tcpdump -s 0 -i any host 10.10.12.89 -w asa.pcap

Allow this to run just long enough to reproduce the error, use CTRL+C to stop it, and gather the asa.pcap that was generated. Feel free to PM me the results if you'd like to keep info regarding your network private.
majed
Posts: 98
Joined: Mon Mar 17, 2014 5:29 am

Re: Check_http error with ssl of asa

Post by majed »

Good to see you again. The ASA is the gateway to Nagios.

#openssl version
OpenSSL 1.0.2k  26 Jan 2017

# openssl s_client -connect 10.10.12.89:443
CONNECTED(00000003)
139744942528152:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1498547136
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
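The s_client result above, reproduced locally as an added example (not code from the thread, from Nagios or from check_http): a stand-in server that answers the ClientHello with the same fatal handshake_failure alert the older ASA returned, and a probe that classifies the outcome so a monitoring check can tell "nothing listening" from "peer answered but refused to negotiate". The loopback host, the ephemeral ports and the alert bytes are constructed here.

```python
import socket
import ssl
import threading

# Constructed TLS record: type 21 (alert), version 3.1, length 2, level 2
# (fatal), description 40 (handshake_failure): the alert seen in the thread.
HANDSHAKE_FAILURE_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])


def fake_asa(ready, port_box):
    """Stand-in ASA with no usable cert/cipher: read ClientHello, send alert."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port_box.append(srv.getsockname()[1])
    ready.set()
    conn, _ = srv.accept()
    conn.settimeout(5)
    conn.recv(4096)  # the ClientHello; its contents are irrelevant here
    conn.sendall(HANDSHAKE_FAILURE_ALERT)
    conn.close()
    srv.close()


def probe_tls(host, port, timeout=5):
    """Classify the handshake outcome the way check_http -S experiences it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # handshake only
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                return "ok:" + tls.version()
    except ConnectionRefusedError:
        return "refused"  # nothing listening (nmap would report "closed")
    except ssl.SSLError as exc:
        # Peer answered but refused to negotiate (no cert, no common cipher).
        return "alert" if "ALERT" in str(exc).upper() else "ssl_error"
    except OSError:
        return "no_handshake"  # timeout or reset: filtered port or a proxy


def run_demo():
    """Probe the fake ASA and a closed port; the two results must differ."""
    ready, box = threading.Event(), []
    threading.Thread(target=fake_asa, args=(ready, box), daemon=True).start()
    ready.wait(5)
    with socket.socket() as tmp:  # grab a free port, then release it
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
    return {"asa": probe_tls("127.0.0.1", box[0]),
            "closed": probe_tls("127.0.0.1", closed_port)}
```

Against a real host, an "alert" result with nmap showing the port open points at the TLS configuration of the peer (certificate, ciphers, versions) rather than at the network path.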
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Check_http error with ssl of asa

Post by cdienger »

If you google the error message, the message can mean a lot of things. The tcpdump may help us determine what the problem is. Also, what are the security settings on the ASA? Does it expect a specific TLS or SSL version or ciphers? What is the difference between the old ASA and the new ASA? Is there anything on the ASA that would tell us more about why the connection is failing?
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Check_http error with ssl of asa

Post by tgriep »

Another thing to look at is if the ASA has a certificate enabled and if not, it would have to be regenerated.
Take a look at this link for help in doing that on the ASA Firewall.
http://www.cisco.com/c/en/us/support/do ... ate-I.html
Be sure to check out our Knowledgebase for helpful articles and solutions!
majed
Posts: 98
Joined: Mon Mar 17, 2014 5:29 am

Re: Check_http error with ssl of asa

Post by majed »

Only those who love Big Brother use Google or public search engines. Thanks for the link, it helped me see that on the older ASA there was no certificate while on the newer ASA there is a self-signed certificate. I generated a self-signed certificate; unfortunately the same error remains for some reason. -S 1, -S 2 and -S 3 produce the same error.

CRITICAL - Cannot make SSL connection.
139950325683864:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

What is the next move? Send a new tcpdump?
majed
Posts: 98
Joined: Mon Mar 17, 2014 5:29 am

Re: Check_http error with ssl of asa

Post by majed »

Well, I read the document till the end and configured the SSL settings: added active encryption algorithms and added the trust points to the needed interfaces and... wait for it... it worked! Be happy :) and thanks for your tips and relentless aid.
tgriep
Madmin
Posts: 9177
Joined: Thu Oct 30, 2014 9:02 am

Re: Check_http error with ssl of asa

Post by tgriep »

You're welcome, glad it worked for you. I'll close and lock the post as solved but if you have any new questions, feel free to open a new post.