TLSv1.2 Unknown Certificate error on Cisco UCSM

nikhil93
Level 1

Hello Guys,

We have deployed Cisco UCS blade and rack-mount servers at a couple of locations. We now have to register them to Cisco Intersight for ease of management.

To do this, as the document says, we need a claim code and device code of the UCS Manager for the registration.

But when Intersight management is enabled on the Cisco UCSM, we are getting an Intersight Network Error.

We have opened port 443 on the firewall for bidirectional traffic. Now we are getting a certificate error.

The live ethanalyzer output clearly indicated that the packets are leaving the UCSM to communicate with svc.ucs-connect.com, but it is not receiving anything back.

Below is the live ethanalyzer output.

2019-06-07 16:35:22.960215 10.10.113.61 -> 3.210.118.122 TCP 60849 > https [SYN] Seq=0 Len=0 MS

  • The UCS is trying to contact this and is facing issues in the network.
  • The UCSM device connector logs very clearly indicate:

13431: 2019-06-03T16:01:03.177+0530 info  base/types.go:560 DNS start: {svc.ucs-connect.com}      {"traceId": "DC4d29797521d08496fa4788459e8a7010"}
13511: 2019-06-03T16:03:04.791+0530      error base/connector.go:1349  Registration failed      {"traceId": "DC4d29797521d08496fa4788459e8a7010", "error": "Post  https://svc.ucs-connect.com/api/v1/asset/DeviceRegistrations: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"}
13512: 2019-06-03T16:03:04.791+0530      error base/connector.go:490   Cannot connect to 'svc.ucs-connect.com'      {"error": "Intersight Network Error: Unable to initiate TLS handshake"}
13702: 2019-06-03T16:07:02.773+0530      error base/connector.go:1349  Registration failed      {"traceId": "DC2fc36438bc33a49564571b417945b84a", "error": "Post  https://svc.ucs-connect.com/api/v1/asset/DeviceRegistrations: Proxy Authentication Required"}
13703: 2019-06-03T16:07:02.773+0530      error base/connector.go:490   Cannot connect to 'svc.ucs-connect.com'      {"error": "Intersight Network Error: Unable to initiate TLS handshake"}
13843: 2019-06-03T16:08:48.530+0530      error base/connector.go:1349  Registration failed      {"traceId": "DC2fc36438bc33a49564571b417945b84a", "error": "Post  https://svc.ucs-connect.com/api/v1/asset/DeviceRegistrations: Proxy Authentication Required"}
13844: 2019-06-03T16:08:48.530+0530      error base/connector.go:490   Cannot connect to 'svc.ucs-connect.com'      {"error": "Intersight Network Error: Unable to initiate TLS handshake"}

TLS handshake is facing issues through the network.

  • The packet capture taken on the UCSM management port clearly indicates that there is a TLS certificate unknown error, indicating that there is a TLS communication failure through the network. (I HAVE ATTACHED THE WIRESHARK ANALYSIS AS AN IMAGE. PLEASE CHECK.)
  • The traceroute output indicates that the packet which is leaving the UCSM is not reaching svc.ucs-connect.com, i.e. it is being dropped in the network:

A(local-mgmt)# traceroute svc.ucs-connect.com source 10.10.113.63
traceroute to svc.ucs-connect.com (52.73.102.233), 30 hops max, 40 byte packets
 1  10.10.113.3 (10.10.113.3)  0.359 ms  0.313 ms  0.339 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  *^C

Now I am stuck on where the issue is. I have contacted Cisco TAC and they say everything is fine on the Cisco UCSM end but there is some problem with the network, as it is dropping the packets somewhere on the way to the Cisco Intersight servers.

Please suggest some troubleshooting options so we can go ahead with the deployment.
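
Added example, not part of the original post and not Cisco tooling: a Python triage of the device connector log lines quoted above. It pairs each generic "Unable to initiate TLS handshake" entry with the specific "Registration failed" error logged at the same timestamp. The cause labels and function names are this example's own; "Proxy Authentication Required" is the HTTP 407 reason phrase, which a proxy returns when it wants credentials.

```python
import json
import re

# Connector log lines copied verbatim from the post above.
SAMPLE_LOG = """\
13431: 2019-06-03T16:01:03.177+0530 info  base/types.go:560 DNS start: {svc.ucs-connect.com}      {"traceId": "DC4d29797521d08496fa4788459e8a7010"}
13511: 2019-06-03T16:03:04.791+0530      error base/connector.go:1349  Registration failed      {"traceId": "DC4d29797521d08496fa4788459e8a7010", "error": "Post  https://svc.ucs-connect.com/api/v1/asset/DeviceRegistrations: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"}
13512: 2019-06-03T16:03:04.791+0530      error base/connector.go:490   Cannot connect to 'svc.ucs-connect.com'      {"error": "Intersight Network Error: Unable to initiate TLS handshake"}
13702: 2019-06-03T16:07:02.773+0530      error base/connector.go:1349  Registration failed      {"traceId": "DC2fc36438bc33a49564571b417945b84a", "error": "Post  https://svc.ucs-connect.com/api/v1/asset/DeviceRegistrations: Proxy Authentication Required"}
13703: 2019-06-03T16:07:02.773+0530      error base/connector.go:490   Cannot connect to 'svc.ucs-connect.com'      {"error": "Intersight Network Error: Unable to initiate TLS handshake"}
13843: 2019-06-03T16:08:48.530+0530      error base/connector.go:1349  Registration failed      {"traceId": "DC2fc36438bc33a49564571b417945b84a", "error": "Post  https://svc.ucs-connect.com/api/v1/asset/DeviceRegistrations: Proxy Authentication Required"}
13844: 2019-06-03T16:08:48.530+0530      error base/connector.go:490   Cannot connect to 'svc.ucs-connect.com'      {"error": "Intersight Network Error: Unable to initiate TLS handshake"}
"""

# Optional "NNNN: " prefix, timestamp, level, source, message, trailing JSON fields.
LINE_RE = re.compile(r'^\s*(?:\d+:\s+)?(\S+)\s+(\w+)\s+(\S+)\s+(.*?)\s+(\{".*\})\s*$')

# Substrings of the "error" field mapped to a cause label (labels are this example's own).
CAUSES = [
    ("Proxy Authentication Required", "proxy_auth_required"),  # HTTP 407 reason phrase
    ("Client.Timeout exceeded", "connect_timeout"),            # no response before timeout
    ("Unable to initiate TLS handshake", "tls_not_started"),   # connector's generic summary
]

def classify(error_text):
    return next((label for needle, label in CAUSES if needle in error_text), "other")

def parse(log_text):
    """Yield (timestamp, message, fields) for each line that matches the layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(4), json.loads(m.group(5))

def root_causes(log_text):
    """Pair each generic 'Cannot connect' event with the specific
    'Registration failed' error logged at the same timestamp."""
    specific, out = {}, []
    for ts, msg, fields in parse(log_text):
        err = fields.get("error", "")
        if msg.startswith("Registration failed"):
            specific[ts] = classify(err)
        elif msg.startswith("Cannot connect"):
            out.append((ts, specific.get(ts, classify(err))))
    return out

if __name__ == "__main__":
    for ts, cause in root_causes(SAMPLE_LOG):
        print(ts, cause)
```

On the quoted lines, the same generic TLS handshake message follows two different underlying errors: one connection timeout and two proxy authentication responses.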