sftunnel SSL handshake failed

Cory Brown
Level 1

We recently began receiving the following sftunnel SSL errors on several FirePower devices. Devices have lost their connection to the FireSight and cannot be registered. Thanks in advance for any helpful information you can provide.

Excerpt from /var/log/messages provided below:

/var/log/messages on FirePower:
Nov 8 00:09:06 <FirePower_hostname>SF-IMS[7636]: [7936] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Nov 8 00:09:06 <FirePower_hostname>SF-IMS[7636]: [7936] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Nov 8 00:09:13 <FirePower_hostname>SF-IMS[7636]: [7948] sftunneld:sf_ssl [INFO] Processing connection from <FireSight_IP>:55444/tcp (socket 10)
Nov 8 00:09:13 <FirePower_hostname>SF-IMS[7636]: [7948] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Nov 8 00:09:13 <FirePower_hostname>SF-IMS[7636]: [7948] sftunneld:sf_ssl [WARN] SSL Verification status: ok
Nov 8 00:09:35 <FirePower_hostname>SF-IMS[7636]: [7646] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Connection timed out
Nov 8 00:09:36 <FirePower_hostname>SF-IMS[7636]: [7985] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to <FireSight_IP>
Nov 8 00:09:36 <FirePower_hostname>SF-IMS[7636]: [7985] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <FireSight_IP>:8305/tcp
Nov 8 00:12:45 <FirePower_hostname>SF-IMS[7636]: [7985] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Connection timed out
Nov 8 00:12:54 <FirePower_hostname>SF-IMS[7636]: [8268] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to <FireSight_IP>
Nov 8 00:12:54 <FirePower_hostname>SF-IMS[7636]: [8268] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <FireSight_IP>:8305/tcp
/var/log/messages on FireSight:
Nov 8 00:09:21 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11439] sftunneld:sf_ssl [INFO] Connected to <sensor_IP>:8305 (IPv4)
Nov 8 00:09:22 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11439] sftunneld:sf_peers [INFO] Delete:Free SSL_CONTEXT for peer <sensor_IP>
Nov 8 00:09:28 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11446] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to <sensor_IP>
Nov 8 00:09:28 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11446] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <sensor_IP>:8305/tcp
Nov 8 00:09:28 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11446] sftunneld:sf_ssl [INFO] Connected to port 8305 (IPv4): <sensor_IP>
Nov 8 00:09:28 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11446] sftunneld:sf_ssl [INFO] Connected to <sensor_IP>:8305 (IPv4)
Nov 8 00:09:29 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11446] sftunneld:sf_peers [INFO] Delete:Free SSL_CONTEXT for peer <sensor_IP>
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1855]: [1855] sfmgr:sfmanager [INFO] set peer PEER_REMOVED pending <sensor_IP>
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1855]: [1855] sfmgr:sfmanager [INFO] free_peer <sensor_IP>.
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11531] sftunneld:sf_ssl [INFO] Initiate IPv4 connection to <sensor_IP>
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11531] sftunneld:sf_ssl [INFO] Initiating IPv4 connection to <sensor_IP>:8305/tcp
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [1854] sftunneld:sftunnel [INFO] set peer PEER_REMOVED <sensor_IP> pending
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11531] sftunneld:sf_ssl [INFO] Connected to port 8305 (IPv4): <sensor_IP>
Nov 8 00:09:35 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11531] sftunneld:sf_ssl [INFO] Connected to <sensor_IP>:8305 (IPv4)
Nov 8 00:09:36 <FIRESIGHT_HOSTNAME> SF-IMS[1854]: [11531] sftunneld:sf_peers [INFO] Delete:Free SSL_CONTEXT for peer <sensor_IP>
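As an added example (not code from the thread or from Cisco), a small Python checker for the log layout quoted above: it parses the SF-IMS line format from /var/log/messages and counts the symptoms that recur in the excerpt (failed inbound accepts, connection timeouts to tcp/8305, repeated SSL_CONTEXT frees for one peer). The hostnames, IP addresses and the repeat threshold are constructed.

```python
import re
from collections import Counter
# sftunnel lines in /var/log/messages look like (note: no space before SF-IMS on the FTD side):
# "<Mon> <d> <HH:MM:SS> <host>SF-IMS[<pid>]: [<tid>] <proc>:<module> [<LEVEL>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+?)\s*"
    r"SF-IMS\[(?P<pid>\d+)\]:\s+\[(?P<tid>\d+)\]\s+(?P<proc>\w+):(?P<module>\w+)\s+"
    r"\[(?P<level>\w+)\]\s+(?P<msg>.*)$"
)
TIMEOUT_RE = re.compile(r"Unable to connect to port (\d+) \(IPv4\): Connection timed out")
CTX_FREE_RE = re.compile(r"Delete:Free SSL_CONTEXT for peer (\S+)")

def parse_line(line):
    """Split one syslog line into named fields; None for lines that are not SF-IMS output."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, threshold=2):
    """Count the sftunnel symptoms quoted in the thread; threshold (constructed default) = repeats needed to flag."""
    s = {"handshake_failed": 0, "timeouts": Counter(), "ctx_freed": Counter(), "findings": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] != "sftunneld":
            continue
        msg = rec["msg"]
        if "Accept:SSL handshake failed" in msg:
            s["handshake_failed"] += 1       # inbound TLS accept from the peer failed
        elif (m := TIMEOUT_RE.search(msg)):
            s["timeouts"][m.group(1)] += 1   # outbound connect to the peer never completed
        elif (m := CTX_FREE_RE.search(msg)):
            s["ctx_freed"][m.group(1)] += 1  # manager tore down the peer's SSL context
    if s["handshake_failed"] >= threshold:
        s["findings"].append(f"{s['handshake_failed']} inbound SSL handshakes failed on accept")
    for port, n in s["timeouts"].items():
        s["findings"].append(f"{n} outbound connection(s) to tcp/{port} timed out")
    for peer, n in s["ctx_freed"].items():
        if n >= threshold:
            s["findings"].append(f"SSL context for peer {peer} freed {n} times (reconnect loop)")
    return s

# Constructed sample modelled on the thread's excerpt, with documentation-range IPs.
SAMPLE = """\
Nov 8 00:09:06 ftd-01SF-IMS[7636]: [7936] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Nov 8 00:09:13 ftd-01SF-IMS[7636]: [7948] sftunneld:sf_ssl [ERROR] Accept:SSL handshake failed
Nov 8 00:09:35 ftd-01SF-IMS[7636]: [7646] sftunneld:sf_ssl [ERROR] Unable to connect to port 8305 (IPv4): Connection timed out
Nov 8 00:09:22 fmc-01 SF-IMS[1854]: [11439] sftunneld:sf_peers [INFO] Delete:Free SSL_CONTEXT for peer 192.0.2.20
Nov 8 00:09:29 fmc-01 SF-IMS[1854]: [11446] sftunneld:sf_peers [INFO] Delete:Free SSL_CONTEXT for peer 192.0.2.20
Nov 8 00:09:35 fmc-01 SF-IMS[1855]: [1855] sfmgr:sfmanager [INFO] set peer PEER_REMOVED pending 192.0.2.20
""".splitlines()
```

Run `summarize(SAMPLE)["findings"]` against a real excerpt from both sides to see which symptom dominates before restarting anything.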

Oliver Kaiser
Level 7

Has anything changed in your environment recently (FMC / sensor upgrade?). You said that the devices could not be registered - so have they not been added to the FMC yet, or are they just not able to reconnect?

In any case, check your manager configuration on the sensor side (FQDN used? -> maybe DNS issues) and try to restart the sftunnel process on both sensor and FMC... Normally the FMC should connect to the sensor again successfully in < 5 min.

Restart sftunnel via pmtool: pmtool restartById sftunnel

Andreas Foerby
Level 1

Experienced the same issue on FMC and FTD on version 7.2.4.

After I issued the "pmtool restartById sftunnel" on both sides, the registration went through with success.
