sftunnel SSL handshake failed

Cory Brown — Sun, 10 Mar 2019 13:42:46 GMT

We recently began receiving the following sftunnel SSL errors on several FirePower devices. Devices have lost their connection to the FireSight and cannot be registered. Thanks in advance, for any helpful information you can provide.

Excerpt from /var/log/messages provided below:

/var/log/messages on FirePower:
Nov 8 00:09:06 <FirePower_hostname>SF-IMS[7636]: [7936] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed 
Nov 8 00:09:06 <FirePower_hostname>SF-IMS[7636]: [7936] sftunneld:sf_ssl [WARN] SSL Verification status: ok 
Nov 8 00:09:13 <FirePower_hostname>SF-IMS[7636]: [7948] sftunneld:sf_ssl [INFO] Processing connection from <FireSight_IP>:55444/tcp (socket 10)
Nov 8 00:09:13 <FirePower_hostname>SF-IMS[7636]: [7948] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed 
Nov 8 00:09:13 <FirePower_hostname>SF-IMS[7636]: [7948] sftunneld:sf_ssl [WARN] SSL Verification status: ok 
Nov 8 00:09:35 <FirePower_hostname>SF-IMS[7636]: [7646] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Connection timed out 
Nov 8 00:09:36 <FirePower_hostname>SF-IMS[7636]: [7985] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to <FireSight_IP> 
Nov 8 00:09:36 <FirePower_hostname>SF-IMS[7636]: [7985] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <FireSight_IP>:8305/tcp 
Nov 8 00:12:45 <FirePower_hostname>SF-IMS[7636]: [7985] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Connection timed out 
Nov 8 00:12:54 <FirePower_hostname>SF-IMS[7636]: [8268] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to <FireSight_IP> 
Nov 8 00:12:54 <FirePower_hostname>SF-IMS[7636]: [8268] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <FireSight_IP>:8305/tcp

/var/log/messages on FireSight:
Nov 8 00:09:21 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11439] sftunneld:sf_ssl [INFO] Connected to <sensor_IP>:8305 (IPv4) 
Nov 8 00:09:22 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11439] sftunneld:sf_peers [INFO] Delete:Free SSL_CONTEXT for peer <sensor_IP> 
Nov 8 00:09:28 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11446] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to <sensor_IP> 
Nov 8 00:09:28 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11446] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <sensor_IP>:8305/tcp 
Nov 8 00:09:28 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11446] sftunneld:sf_ssl [INFO] Connected to port 8305 (IPv4): <sensor_IP> 
Nov 8 00:09:28 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11446] sftunneld:sf_ssl [INFO] Connected to <sensor_IP>:8305 (IPv4) 
Nov 8 00:09:29 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11446] sftunneld:sf_peers [INFO] Delete:Free SSL_CONTEXT for peer <sensor_IP> 
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1855]: [1855] sfmgr:sfmanager [INFO] set peer PEER_REMOVED pending <sensor_IP> 
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1855]: [1855] sfmgr:sfmanager [INFO] free_peer <sensor_IP>.
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11531] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to <sensor_IP> 
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11531] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <sensor_IP>:8305/tcp 
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [1854] sftunneld:sftunnel [INFO] set peer PEER_REMOVED <sensor_IP> pending 
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11531] sftunneld:sf_ssl [INFO] Connected to port 8305 (IPv4): <sensor_IP> 
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11531] sftunneld:sf_ssl [INFO] Connected to <sensor_IP>:8305 (IPv4) 
Nov 8 00:09:36 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11531] sftunneld:sf_peers [INFO] Delete:Free SSL_CONTEXT for peer <sensor_IP>

Has anything changed in your

Oliver Kaiser — Thu, 10 Nov 2016 22:39:50 GMT

Has anything changed in your environment recently (fmc / sensor upgrade?). You said that device could not be registered - so have they not been added to the fmc yet or are they just not able to reconnect?

In any case check your manager configuration on sensor side (fqdn used? -> maybe dns issues) and try to restart the sftunnel process on both sensor and fmc... Normally FMC should connect in < 5min to the sensor again successfully.

Restart sftunnel via pmtool: pmtool restartById sftunnel

Re: sftunnel SSL handshake failed

A.Foerby — Mon, 04 Sep 2023 20:05:18 GMT

Experiences the same issue on FMC and FTD on version 7.2.4.

After I issued the "pmtool restartById sftunnel" on both sides, the registration went through with success.

topic sftunnel SSL handshake failed in Network Security

sftunnel SSL handshake failed

Has anything changed in your

Re: sftunnel SSL handshake failed