11-05-2020 04:01 PM - edited 11-05-2020 04:02 PM
Cannot get Expressway-C & E X12.5.7 to form a TLS connection for the traversal zone. I have generated a certificate on a Windows Server CA, with client and server auth. included in the template. I have uploaded these certificates to the Expressway-C and the Expressway-E. I have uploaded the certificate of Expressway-C to the Expressway-E and vice versa, but the TraversalClient zone fails to form the TLS connection. The Event Log shows 'Certificate expe.contoso.com Error\=[('x509 certificate routines', 'X509_STORE_add_crl', 'cert already in hash table')]'. CRLs are valid and automatically updated. In the Secure traversal test I got success as a result. In Client certificate testing I also got the response 'Valid certificate OK'. Does anyone know why the TLS connection won't form?
Thanks.
11-05-2020 04:25 PM
OK, so, you're exchanging certificates between the servers, instead of uploading the necessary certificates to the trust store so the full chain of trust is there?
Did you review the Cisco Expressway Certificate Creation And Use Deployment Guide (X12.5) before performing the procedure?
11-05-2020 04:39 PM
In Trusted CA certificate I have uploaded those. I guess the chain of trust is there; there is the CA certificate and the server certificate.
I did review it a couple of times, but I am still failing to notice whether I am missing something.
11-05-2020 11:03 PM
You would not need to upload the server certificate for C in E's or E in C's trust store. You should upload the CA certificate(s) for the CA(s) in either of the C or E trust store.
For example let’s say that you use a public CA to sign the certificate of your E, then you would upload the CA root and if needed intermediate certificates to the trust store on both E and C. Continuing the example, let’s say that you use an internal CA to sign the certificate for your C, then you would upload its CA root and if applicable intermediate certificates to the trust store on both C and E.
11-06-2020 07:57 AM
OK, so I have deleted the server certificate for C in E's or E in C's trust store. So when I check Zone status on C, for the Traversal zone, I have SIP status: Failed. On E I have: ON (no active connections). I have CA root certificates installed on both. Also valid certificates on both.
I don't get what's wrong.
11-06-2020 09:18 AM - edited 11-07-2020 12:38 AM
Can both E and C do lookup for the name you have in the traversal zone configuration? They have to be able to do cross lookup.
Also the name used in C and E needs to be in the SAN of the certificate on the far end. Otherwise the response will not be okay for TLS to form.
If all else fails and your configuration is accurate a simple restart of both C and E is known to work wonders for a few different things. And an upgrade to the latest release would not do you any harm either.
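The two checks discussed in the replies above, the peer certificate chaining to the CA certificate held in the trust store (not to the other server's own certificate) and the traversal zone peer name appearing in the SAN, can be reproduced with openssl. This is an added example, not part of the thread; it builds a throwaway lab CA and peer certificate (constructed names; expe.contoso.com is the hostname quoted in the thread) and runs both checks against them.

```shell
#!/bin/sh
# Added example (not from the thread): create a throwaway CA and a peer
# certificate with a SAN, then run the two checks a traversal zone depends on:
#  1. the peer certificate validates against the CA certificate in the trust store
#  2. the zone peer name is present in the certificate's subjectAltName
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed lab values; stands in for the Windows Server CA and Expressway-E name.
CA_SUBJ="/CN=Lab Root CA"
PEER_NAME="expe.contoso.com"

# Self-signed lab CA
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$CA_SUBJ" \
  -keyout ca.key -out ca.pem 2>/dev/null

# Peer certificate signed by the CA, with the zone peer name in the SAN
openssl req -newkey rsa:2048 -nodes -subj "/CN=$PEER_NAME" \
  -keyout peer.key -out peer.csr 2>/dev/null
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$PEER_NAME" > ext.cnf
openssl x509 -req -in peer.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile ext.cnf -out peer.pem 2>/dev/null

# Check 1: does the certificate ($2) validate against the trust store file ($1)?
# Returns 0 when the chain builds to the CA; a leaf cert used as the trust
# anchor (the mistake discussed in the thread) does not satisfy this.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: does the certificate ($1) list the expected peer name ($2) in its SAN?
san_has_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

verify_chain ca.pem peer.pem   && echo "chain ok: peer.pem validates against ca.pem"
verify_chain peer.pem peer.pem || echo "peer leaf cert alone is not a trust anchor (expected failure)"
san_has_name peer.pem "$PEER_NAME" && echo "SAN ok: $PEER_NAME present"
san_has_name peer.pem "other.contoso.com" || echo "SAN check fails for a name not in the cert (expected)"
```

Run the same two functions against the real certificates exported from Expressway-C and Expressway-E, with the trust store CA file and the peer address configured in the traversal zone, to see which of the two conditions is not met.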
11-12-2020 03:38 AM
Yes, both can do cross lookup. The names used in C and E are in the SAN of the certificates.
Restarted a dozen times, but the result is still the same.
I didn't try the update, but as I cannot find any similar post for this error, I guess I will have to.
I did use the Cisco TAC Tool, Collaboration Solutions Analyzer, and the only error I'm seeing is this Traversal Zone TraversalClient Status Warning.
In Peer, H323 status is Active, but for SIP the status is Failed (TLS Negotiation Failure).
11-12-2020 03:47 AM
This is getting interesting. Would you be able to hop on a short Webex with me so that we could have a look at this together? If so please let me know and I'll PM you the details.
11-12-2020 04:30 AM
Webex would be great! You can PM me the details
Thanks!
11-12-2020 04:24 AM - edited 11-12-2020 10:12 AM
Or post screenshot of your configuration so that we can verify your setup.