stunnel exited 5 time(s)

Hi there!

After upgrading from 6.5.0 to 6.5.2 we've got an issue on one of the FTDs in an HA pair.

We are getting "stunnel exited 5 time(s)" warning.

In the logs I see these attempts:

stunnel[15463]: Generating stunnel config file at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/AMPProxy.pm line 777.
stunnel[15463]: PRECMD generated configuration at /ngfw/usr/local/sf/lib/perl/5.10.1/SF/AMPProxy.pm line 672.
stunnel[15463]: [ ] Clients allowed=500
stunnel[15463]: [.] stunnel 5.06 on x86_64-unknown-linux-gnu platform
stunnel[15463]: [.] Compiled/running with CiscoSSL 1.0.2n.6.2.194-fips
stunnel[15463]: [.] Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
stunnel[15463]: [ ] errno: (*__errno_location ())
stunnel[15463]: [.] Reading configuration from file /ngfw/etc/sf/amp-stunnel.conf
stunnel[15463]: [.] FIPS mode enabled
stunnel[15463]: [ ] Compression disabled
stunnel[15463]: [ ] Snagged 64 random bytes from /dev/urandom
stunnel[15463]: [ ] PRNG seeded successfully
stunnel[15463]: [ ] Initializing inetd mode configuration
stunnel[15463]: [!] Service [stunnel]: Inetd mode must define one endpoint

cat /ngfw/etc/sf/amp-stunnel.conf shows me this:

client = yes
pid = /var/sf/run/stunnel.pid
debug = 3
foreground = yes
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
fips = yes
delay = yes

However, on the active and working FTD I see an additional section:

[ NetworkAMP ]
verify = 2
CAPath = /etc/sf/CA
accept = 32137
connect = cloud-sa.amp.cisco.com:443

It seems like stunnel is constantly exiting because the config file is missing the NetworkAMP section. But why is AMPProxy.pm generating such a trimmed file?
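Because the whole problem turns on a service section missing from a generated stunnel config, here is an added example (not code from this thread, from Cisco, or from the stunnel project): a small Python checker that parses stunnel's INI-style syntax and reports the condition behind the "Inetd mode must define one endpoint" message. Both config variants quoted above are embedded as constructed samples. The inetd-mode rule (no [service] section means stunnel runs in inetd mode, where the global section itself must supply exactly one endpoint) is taken from the log line on this page and stunnel's documented behaviour; the handling of comment lines, of whitespace inside the square brackets, and of option-name case are assumptions of this example.

```python
"""Added example: sanity-check an stunnel config for the failure mode in this thread.

stunnel's config is INI-like: global options first, then one [name] section per
service.  If no section exists, stunnel runs in inetd mode, and the global
section must then define exactly one endpoint (connect or exec), which is the
condition behind "Service [stunnel]: Inetd mode must define one endpoint".
"""
import re
from typing import Dict, List, Tuple

Options = Dict[str, List[str]]  # keys may repeat (options = ...), so values are lists

# Constructed sample: the trimmed file from the failing FTD, as quoted in the post.
BROKEN_CONF = """\
client = yes
pid = /var/sf/run/stunnel.pid
debug = 3
foreground = yes
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
fips = yes
delay = yes
"""

# Constructed sample: the same file plus the section present on the working FTD.
WORKING_CONF = BROKEN_CONF + """
[ NetworkAMP ]
verify = 2
CAPath = /etc/sf/CA
accept = 32137
connect = cloud-sa.amp.cisco.com:443
"""

SECTION_RE = re.compile(r"\[\s*([^\]]+?)\s*\]")  # assumption: whitespace inside [ ] is ignored


def parse_stunnel_conf(text: str) -> Tuple[Options, Dict[str, Options]]:
    """Split a config into (global options, {service name: options}).

    Option names are lower-cased so lookups do not depend on the case the file
    used (assumption); values keep their original text.
    """
    global_opts: Options = {}
    services: Dict[str, Options] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank or comment line (assumption)
            continue
        match = SECTION_RE.fullmatch(line)
        if match:
            current = services.setdefault(match.group(1), {})
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        current.setdefault(key.lower(), []).append(value)
    return global_opts, services


def check_endpoints(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the endpoint rules hold."""
    global_opts, services = parse_stunnel_conf(text)
    findings: List[str] = []
    if not services:
        # No service section: inetd mode.  The global section must carry exactly
        # one endpoint, otherwise stunnel exits with the message seen in the log.
        endpoints = sum(len(global_opts.get(k, [])) for k in ("connect", "exec"))
        if endpoints != 1:
            findings.append(
                "no [service] section, so stunnel uses inetd mode, "
                f"but the global section defines {endpoints} endpoint(s) instead of 1"
            )
        return findings
    for name, opts in services.items():
        # A daemon-mode service needs somewhere to listen and somewhere to forward to.
        if "accept" not in opts:
            findings.append(f"[{name}]: missing 'accept' (no listening port)")
        if "connect" not in opts and "exec" not in opts:
            findings.append(f"[{name}]: missing 'connect' or 'exec' (no destination)")
        # verify = 2 (the level used in the thread) makes stunnel validate the peer
        # certificate, which only works with a trust store to validate against.
        if opts.get("verify", ["0"])[-1] == "2" and "capath" not in opts and "cafile" not in opts:
            findings.append(f"[{name}]: verify = 2 but neither CApath nor CAfile is set")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        print(f"{label}: {check_endpoints(conf) or 'OK'}")
```

Run against the two samples, the trimmed file produces the single inetd-mode finding and the file with the [ NetworkAMP ] section passes; pointing the script at a generated /ngfw/etc/sf/amp-stunnel.conf from a monitoring job is a cheap way to catch a regenerated config losing its service section before stunnel starts flapping.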

2 Replies

Marvin Rhoads
Hall of Fame

There aren't any currently published bugs describing this behavior.

6.5.0.2 is pretty new, so I would recommend opening a TAC case - you may be hitting a new bug.

Hi Marvin!

Thanks for the reply!

If I had a service contract I would definitely open a TAC case...

It is interesting to note that if I add the missing section to the config file, stunnel still does not come up.
