Unable to connect from VMA to specific host

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
mejokj
Posts: 353
Joined: Mon Jul 22, 2013 10:31 pm

Unable to connect from VMA to specific host

Post by mejokj »

Hello,

I am trying to connect from VMA box and it shows the below error.

++++++++++++++++++++++++++

vi-admin@snagiosvra:~> ~/box293_check_vmware.pl --timeout 90 --concurrent_checks 50 --server invddsdsawe --check Host_CPU_Usage --host \"lab.test.com\"
UNKNOWN: Server version unavailable at 'https://invddsdsawe:443/sdk/vimService.wsdl' at /usr/lib/perl5/5.10.0/VMware/VICommon.pm line 726.

+++++++++++++++++++++++++++

But for other servers it's working; only some servers have this issue.

When I wget the page:
+++++++++++++++++++++++++++++
vi-admin@snagiosvra:~> wget --no-check-certificate https://invddsdsawe:443/sdk/vimService.wsdl
--2020-02-24 15:32:52-- https://invddsdsawe/sdk/vimService.wsdl
Resolving invddsdsawe.. 11.62.12.10
Connecting to iinvddsdsawe|11.62.12.10|:443... connected.
Unable to establish SSL connection.
++++++++++++++++++++++++++++++

Below is the version
++++++++++++++++++++++
vi-admin@nagiosvra:~> perl -MLWP -le "print(LWP->VERSION)"
5.837
++++++++++++++++++++++

The firewall port and ping to the server are working from VMA. But when I wget from the Nagios server, it's downloading. Kindly help us to fix this issue.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Unable to connect from VMA to specific host

Post by cdienger »

I wonder if there is something wrong with the certificates. Run the following to get a packet capture and send it to me via a PM:

Code:

yum -y install tcpdump
tcpdump -s 0 -i any port 443 -w output.pcap

Let this run just long enough to run this command on another terminal:

Code:

~/box293_check_vmware.pl --timeout 90 --concurrent_checks 50 --server invddsdsawe --check Host_CPU_Usage --host \"lab.test.com\"

Use CTRL+C to stop the tcpdump and PM me the output.pcap this created.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
mejokj
Posts: 353
Joined: Mon Jul 22, 2013 10:31 pm

Re: Unable to connect from VMA to specific host

Post by mejokj »

Hello,
I have sent you the tcpdump output. Kindly check it.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Unable to connect from VMA to specific host

Post by cdienger »

Response was sent yesterday. Please check your PMs.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Unable to connect from VMA to specific host

Post by cdienger »

It appears that a TCP connection is established but then the service closes the connection after snagiosvra sends the "Client Hello". snagiosvra is using TLS 1.0. invddsdsawe may require a different version like 1.1, 1.2, or 1.3. Can you check the settings on this server?
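The diagnosis in the post above (the connection is closed right after the Client Hello, and the client offers TLS 1.0) can be reproduced from the raw bytes of the first client packet in a capture. This is an added example, not part of the thread or of any Nagios or VMware code; the function names, the constructed sample bytes and the TLS 1.2 server minimum are assumptions for illustration.

```python
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_client_hello(record: bytes) -> dict:
    """Return the protocol versions offered by a raw ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body, pos = record[9:9 + hs_len], 0
    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        pos += n
        return body[pos - n:pos]
    client_version = int.from_bytes(take(2), "big")
    take(32)                                     # random
    take(take(1)[0])                             # session id
    suites = take(int.from_bytes(take(2), "big"))
    take(take(1)[0])                             # compression methods
    offered = [client_version]
    if pos < len(body):                          # extensions are optional
        ext_len = int.from_bytes(take(2), "big")
        ext_end = pos + ext_len
        while pos < ext_end:
            ext_type, length = struct.unpack("!HH", take(4))
            data = take(length)
            if ext_type == 43 and data:          # supported_versions (TLS 1.3 clients)
                listed = [int.from_bytes(data[i:i + 2], "big")
                          for i in range(1, 1 + data[0], 2)]
                # Drop GREASE and unknown values; keep the legacy field if none remain.
                offered = [v for v in listed if v in VERSIONS] or offered
    return {"record_version": int.from_bytes(record[1:3], "big"),
            "max_offered": max(offered), "cipher_suites": len(suites) // 2}

def below_minimum(hello: dict, server_minimum: int = 0x0303) -> bool:
    """True when a server enforcing server_minimum (assumed TLS 1.2) has nothing to negotiate."""
    return hello["max_offered"] < server_minimum

def sample_hello(version: int, extensions: bytes = b"") -> bytes:
    """Constructed sample input, not bytes from the capture in the thread."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, no session id
    body += b"\x00\x04\x00\x2f\x00\x35" + b"\x01\x00"         # 2 cipher suites, null compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    hello = parse_client_hello(sample_hello(0x0301))
    print(VERSIONS[hello["max_offered"]], "rejected by TLS 1.2-only server:", below_minimum(hello))
```

A client whose highest offered version is below the server's minimum gets exactly the symptom described: the TCP handshake completes, then the server closes or alerts as soon as it reads the Client Hello.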
mejokj
Posts: 353
Joined: Mon Jul 22, 2013 10:31 pm

Re: Unable to connect from VMA to specific host

Post by mejokj »

Hello,

Below are the details of the SSL from the server.

root@ [ ~ ]# openssl version
OpenSSL 1.0.2s-fips 28 May 2019



root@7[ ~ ]# openssl ciphers -v | awk '{print $2}' | sort | uniq
SSLv3
TLSv1.2
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Unable to connect from VMA to specific host

Post by cdienger »

Which server exactly? The invddsdsawe machine? You may also need to look at the vm settings for this machine and not just the openssl version.

What does a working example look like? Can we get a command of a working example as well as a tcpdump to compare to the non-working?
mejokj
Posts: 353
Joined: Mon Jul 22, 2013 10:31 pm

Re: Unable to connect from VMA to specific host

Post by mejokj »

Yes, the invddsdsawe machine. I have sent you the tcpdump. Kindly check it.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Unable to connect from VMA to specific host

Post by cdienger »

You will want to look more into the servers since the working tcpdump shows the exact same 'client hello' as the non-working one. And despite openssl not showing support for TLS on the working machine, it is clearly negotiating a TLS connection with TLS ciphers.

Going back to the wget example you can try testing the protocols:

Code:

wget --no-check-certificate https://servernameorip:443/sdk/vimService.wsdl --secure-protocol=SSLv2
wget --no-check-certificate https://servernameorip:443/sdk/vimService.wsdl --secure-protocol=SSLv3
wget --no-check-certificate https://servernameorip:443/sdk/vimService.wsdl --secure-protocol=TLSv1
wget --no-check-certificate https://servernameorip:443/sdk/vimService.wsdl --secure-protocol=TLSv1_1
wget --no-check-certificate https://servernameorip:443/sdk/vimService.wsdl --secure-protocol=TLSv1_2
mejokj
Posts: 353
Joined: Mon Jul 22, 2013 10:31 pm

Re: Unable to connect from VMA to specific host

Post by mejokj »

Hello,

I have tried the wget command from the VMA and all the wget results show the same error.
++++++++++++++++++++++++++++
Unable to establish SSL connection.
++++++++++++++++++++++++++++