08-19-2015 06:30 AM - edited 03-01-2019 04:51 AM
Hello All,
UCS Director 5.3 is not compatible with APIC 1.1.x versions. This is also mentioned in the APIC release notes.
But when we were running version 1.1.1o it did work fine, no issues at all. This is a LAB environment, so no production. Since we upgraded to version 1.1.2h the communication has been broken, and I see a handshake failure in the UCSD logging:
2015-08-19 09:55:53,575 [pool-1-thread-34] INFO newAccountAdded(PhysicalAccountManager.java:55) - Processing new account addition: APIC
2015-08-19 09:55:53,576 [pool-1-thread-34] INFO handleAddAccount(AbstractAccountHandler.java:38) - adding account to system
2015-08-19 09:55:53,592 [pool-1-thread-34] ERROR execute(HttpConnector.java:269) - Received fatal alert: handshake_failure
2015-08-19 09:55:53,592 [pool-1-thread-34] INFO checkReachabilityAndLogin(ApicUtils.java:376) - checkReachabilityAndLogin start..!
2015-08-19 09:55:53,597 [pool-1-thread-34] ERROR execute(HttpConnector.java:269) - Received fatal alert: handshake_failure
2015-08-19 09:55:53,601 [pool-1-thread-34] INFO setEmbeddedLOVs(Page.java:722) - set embedded lov 2 for APICspecific.props.id.pod
I know it is not a supported setup, but has anyone had the same issue and been able to solve it?
Thanks
Michel van Kessel
08-19-2015 06:44 AM
Hey Michel,
The "Received fatal alert: handshake_failure" could be a few things but more than likely due to incompatible SSL versions in use. You need TLS 1.0 for UCSD integration.
A good check would be to go to Fabric>Fabric Policies>Pod Policies>Policies>Communication>PolicyName, then see if TLSv1 is unchecked under HTTPS.
I would wait until UCSD is fully supported in 1.1(xx) to make sure you avoid running into any issues and also so we can offer you full support.
Thanks,
Mike Ripley
08-19-2015 06:53 AM
Hello Mike,
Indeed, I had to enable TLSv1.0 for 1.1.1o, and it worked fine. I guess something else changed in version 1.1.2h. I tried all three TLS subversions to see if something changes, but no luck.
This is a lab environment for testing only, so it is not a big issue. I was wondering if this was a known issue.
Michel
08-20-2015 08:29 AM
In 1.1(2h) the supported cipher list for SSL has been greatly reduced. UCSD is greatly behind the times when it comes to HTTPS security, but the integration with ACI and the APIC is forcing it forward, and later versions will need to support TLSv1.1/TLSv1.2 with more secure ciphers.
Mike
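For triaging logs like the one in the first post, here is an added example (not part of the thread and not Cisco code). It pulls fatal TLS alerts out of UCSD-style log lines and ties each one to the account being added on the same worker thread. The regexes assume the line layout shown in that post, and the hint wording is this example's own.

```python
import re

# Log lines copied from the first post in this thread.
SAMPLE_LOG = """\
2015-08-19 09:55:53,575 [pool-1-thread-34] INFO newAccountAdded(PhysicalAccountManager.java:55) - Processing new account addition: APIC
2015-08-19 09:55:53,576 [pool-1-thread-34] INFO handleAddAccount(AbstractAccountHandler.java:38) - adding account to system
2015-08-19 09:55:53,592 [pool-1-thread-34] ERROR execute(HttpConnector.java:269) - Received fatal alert: handshake_failure
2015-08-19 09:55:53,592 [pool-1-thread-34] INFO checkReachabilityAndLogin(ApicUtils.java:376) - checkReachabilityAndLogin start..!
2015-08-19 09:55:53,597 [pool-1-thread-34] ERROR execute(HttpConnector.java:269) - Received fatal alert: handshake_failure
2015-08-19 09:55:53,601 [pool-1-thread-34] INFO setEmbeddedLOVs(Page.java:722) - set embedded lov 2 for APICspecific.props.id.pod
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<thread>[^\]]+)\] "
    r"(?P<level>[A-Z]+) (?P<where>\S+\([^)]*\)) - (?P<msg>.*)$")
ALERT_RE = re.compile(r"Received fatal alert: (?P<alert>\w+)")
ACCOUNT_RE = re.compile(r"Processing new account addition: (?P<account>.+)")

# Alert meanings follow RFC 5246 section 7.2.2; the hint text is this example's.
ALERT_HINTS = {
    "handshake_failure": "no acceptable security parameters; compare cipher suites",
    "protocol_version": "peer rejected the offered TLS version",
}

def find_tls_alerts(log_text):
    """Return one finding per fatal TLS alert, tagged with the account
    most recently announced on the same worker thread (None if unknown)."""
    current_account = {}
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip stack traces and other continuation lines
        acct = ACCOUNT_RE.search(m["msg"])
        if acct:
            current_account[m["thread"]] = acct["account"].strip()
        alert = ALERT_RE.search(m["msg"])
        if alert and m["level"] == "ERROR":
            findings.append({
                "time": m["ts"], "thread": m["thread"], "where": m["where"],
                "account": current_account.get(m["thread"]),
                "alert": alert["alert"],
                "hint": ALERT_HINTS.get(alert["alert"], "see RFC 5246 alert list"),
            })
    return findings

if __name__ == "__main__":
    for finding in find_tls_alerts(SAMPLE_LOG):
        print(finding)
```

A `handshake_failure` alert points at the negotiated parameters (such as cipher suites) rather than the protocol version alone, which matches the reduced cipher list described in the reply above.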
08-24-2015 08:21 AM
Thanks Mike! I will ask the UCSD folks if and when there will be an update scheduled.
Regards
Michel