CNA 6.3(1) https connection failure: SSL handshake process failed

Hello,

I am attempting to use CNA 6.3(1) to manage a number of 3850 and 2960-X switches; however, I'm unable to connect to them over https. I have enabled "ip http secure-server". If I enable "ip http server", I am able to make an http connection.

IOS versions:

3850: IOS-XE 3.6.4.E

2960-X: IOS 15.2(2)E6

I have enabled the following debugging options:

debug ip http ssl error

debug ssl openssl errors

When attempting to make a connection, I receive the following output on the console:

CRYPTO_OPSSL: SSL3.0 is no longer supported. Enabling only TLSv1.

opssl_SetPKIInfo entry

CRYPTO_OPSSL: Got router SIGNATURE private key

opssl SetPKIInfo done.

And I receive the following message from CNA:

Unable to connect. SSL handshake process failed. The secure connection through HTTPS could not be established.

By running the above debugs, I've confirmed that CNA first tries https, and then falls back to http if that fails. It appears to be a cipher suite issue, where the switch and CNA can't agree on a cipher set. Has anyone else experienced this problem, and is there a workaround other than using http?

Thanks in advance,

Matt
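One way to confirm the cipher/version mismatch suspected above, as an added diagnostic that is not part of the thread: the script below opens a TLS connection to the switch's HTTPS server pinned to one protocol version at a time and reports what was negotiated. The switch address 192.0.2.10 is a placeholder.

```python
import socket
import ssl

# TLS versions to try, oldest first. The switch debug in the thread shows it
# "Enabling only TLSv1", so a client that insists on TLSv1.2 will never agree.
VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]

def _context_for(version):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # probing, not trusting: switch certs are self-signed
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Current OpenSSL refuses legacy protocols at its default security
        # level; lower it so the probe itself is not the reason for failure.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx

def probe_version(host, port, version, timeout=5.0):
    """Return (negotiated, detail): detail is 'version cipher' or the error."""
    try:
        ctx = _context_for(version)
    except (ValueError, ssl.SSLError) as exc:
        return False, f"local OpenSSL cannot offer this version: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"{type(exc).__name__}: {exc}"

def probe_all(host, port=443):
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS}

def explain(results):
    """Turn the per-version results into the likely cause of a handshake failure."""
    ok = [name for name, (good, _) in results.items() if good]
    if not ok:
        return "no TLS version negotiated: server is not speaking TLS, or offers only versions/ciphers this client refuses"
    if "TLSv1.2" not in ok:
        return f"server only negotiates {', '.join(ok)}; a client requiring TLSv1.2 will report a handshake failure"
    return f"server negotiates {', '.join(ok)}"

if __name__ == "__main__":
    print(explain(probe_all("192.0.2.10")))  # placeholder switch address
```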

5 Replies

rpr
Level 1

I have the same issue with 2960C and 3560CG switches.

I see this question has been asked in several posts on this forum but without a solution so far.

It seems Cisco does not care much about CNA users.

-- rpr.

motorkirdey
Level 1

Experimenting with different versions of CNA and IOS, I got the following results when connecting with CNA over https:
CNA 6.3.1 with any IOS - does not connect
CNA 6.3 with IOS 15.0.2 - does not connect
CNA 6.3 with IOS 15.0.1 or 12.x.x - connects
I would like to hear comments from Cisco.

I can confirm that the issue has been fixed in CNA v. 6.3(2) -- see at https://software.cisco.com/download/navigator.html


I can confirm that after installing CNA v. 6.3(2) nothing has changed. The error persists: "SSL handshake process failed".

A couple of clues from my own experience. ymmv


When upgrading software, from really old software, you will have to regenerate RSA info otherwise you will get SSL errors.  If you do not have a lot of preexisting setup, this can be cleaned up by doing erase startup-config and subsequently running express setup at switch: prompt (rumor has it that VLAN setup stays intact when startup-config is erased).

When upgrading from 3.6.6 to 3.6.8 on a two stack, I found that the connection reverts back to default admin cisco on first connection to the new software version in CNA.


Please note that at the same time that the CNA connection is at the Cisco default, the http/https web logon is whatever it was set to prior to the upgrade. I had to re-enter the password in the web GUI; then, when I relaunched CNA, I was able to update CNA to the "new" password.
