CLUSTER TLS ALARM RAISED ISSUE

Chet Cronin
Level 4

I just upgraded three VCSc systems and clustered them. I'm getting TLS verification alarms.

Not using TLS.

Peer one is an old appliance running X8.8.2

Peer two is a new VM running X8.8.2

Peer three is a new VM running X8.8.2 

The Peer one is the master.

Verified clustering is Active on each peer. 

The master one is suggesting to change the TLS mode to Enforcing.

When I did that the cluster link failed, and I turned it back off.

Cluster peers went green, but I'm still getting the TLS alarm raised.

Chet Cronin

Please take a screenshot of your cluster configuration and share it. Do you have CA-signed server certificates on all the cluster nodes, and do all nodes have the CA root and, if applicable, intermediate certificate(s) in their CA trust store (Trusted CA certificate page)?

Hi,

Came across this bug:

Clustering error when in TLS permissive mode
CSCvd06521

Description
Symptom:
Expressway shows the red error "Certificate: Invalid (No Subject Alternate Names matched)" even when the TLS Verify mode is set to Permissive. Just below the error there is then the green text about Active cluster connections.
The red error is misleading to the customer, as it is perceived as something wrong or not working, where in fact the cluster may work fine and this is only a warning relevant to Enforced TLS Verify mode.
This is an enhancement request to change the red error message to a different color, or rephrase it in a way that makes clear that in Permissive mode a failed SAN check is only informative and alone does not indicate cluster failure.

Conditions:
TLS Verify mode set to Permissive and peers defined with IP addresses/hostnames that are not present in the SSL certificates.

Workaround:
None

Further Problem Description:
None

NOTE: The cluster is set in Permissive mode. Not running TLS at the moment.

Looks like it's the bug that was identified earlier...

We plan to enable TLS later in the year.

So it appears the cluster is in fact working; I'm just getting the raised alarm looking for TLS verification.

Chet Cronin

Please note that if you want to run TLS verification mode Enforce, you need CA-signed certificates for each node in the cluster, and you need to use resolvable FQDN names in the cluster configuration.
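The two replies above and the bug text give the precondition for switching a cluster from Permissive to Enforce: every peer address as typed into the cluster configuration (IP or FQDN) has to appear in that peer's certificate SAN, and each certificate has to chain to a CA in the trust store. The script below is an added pre-flight check written for this thread; it is not Cisco's code nor code from any poster. It assumes certificates in the dict form Python's `ssl.getpeercert()` returns, and the peer names, addresses and SAN values are constructed samples. Run offline it reproduces the CSCvd06521 situation (peers configured by IP, certificates carrying only DNS names): a warning per mismatched peer in Permissive mode, an error in Enforce mode, and a clean result once the same peers are configured by FQDN.

```python
"""Pre-flight check before enabling TLS verify mode Enforce on a cluster.

Added example for this thread, not Cisco or Expressway code. Certificate
data uses the dict shape returned by ssl.SSLSocket.getpeercert(); every
hostname, IP and SAN value below is a constructed sample.
"""
import ipaddress
import socket
import ssl
from typing import Dict, Optional


def _dns_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; '*' is accepted only as the whole
    leftmost label and never spans more than one label (RFC 6125 style)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def peer_name_in_san(cert: dict, peer: str) -> bool:
    """True if the configured peer address (FQDN or IP literal) is covered by
    the certificate's Subject Alternative Name. An IP literal only matches an
    'IP Address' entry; a hostname only matches a 'DNS' entry."""
    try:
        ip = ipaddress.ip_address(peer)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_matches(value, peer):
            return True
    return False


def check_cluster(peers: Dict[str, dict], mode: str = "Permissive") -> Dict[str, str]:
    """peers maps each configured peer address to that peer's certificate.
    A failed SAN check is reported as 'warning' in Permissive mode and as
    'error' in Enforce mode, mirroring the behaviour the bug describes."""
    severity = "error" if mode.lower().startswith("enforc") else "warning"
    return {peer: ("ok" if peer_name_in_san(cert, peer) else severity)
            for peer, cert in peers.items()}


def fetch_peer_cert(host: str, port: int = 443, cafile: Optional[str] = None) -> dict:
    """Fetch a live peer certificate for use with check_cluster (network call,
    not exercised by the offline samples). Chain verification stays enabled,
    so the handshake itself fails when the peer's certificate does not chain
    to a CA in `cafile` (or the system store), which is the other Enforce-mode
    precondition; the SAN-vs-configured-name check is done separately above."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (getpeercert() shape), one per peer.
CERT_PEER1 = {"subjectAltName": (("DNS", "expc1.example.com"),)}
CERT_PEER2 = {"subjectAltName": (("DNS", "expc2.example.com"),
                                 ("IP Address", "10.0.0.2"))}
CERT_PEER3 = {"subjectAltName": (("DNS", "*.example.com"),)}

# Same three peers, once configured by IP literal and once by FQDN.
PEERS_BY_IP = {"10.0.0.1": CERT_PEER1, "10.0.0.2": CERT_PEER2, "10.0.0.3": CERT_PEER3}
PEERS_BY_FQDN = {"expc1.example.com": CERT_PEER1,
                 "expc2.example.com": CERT_PEER2,
                 "expc3.example.com": CERT_PEER3}

if __name__ == "__main__":
    print("IP peers, Permissive:", check_cluster(PEERS_BY_IP, "Permissive"))
    print("IP peers, Enforce:   ", check_cluster(PEERS_BY_IP, "Enforce"))
    print("FQDN peers, Enforce: ", check_cluster(PEERS_BY_FQDN, "Enforce"))
```

Only peer 2, whose certificate happens to carry an IP Address SAN, passes when the cluster is keyed by IP; the others produce exactly the "No Subject Alternate Names matched" condition, harmless in Permissive and fatal in Enforce. Reconfiguring the peers by FQDN clears all three, which is the change the last reply recommends before flipping the mode.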