cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Walkthrough Wednesdays
259
Views
0
Helpful
4
Replies
Highlighted
Participant

CLUSTER TLS ALARM RAISED ISSUE

I just upgraded three VCSc systems and clustered them.  Getting TLS verification alarms. 

Not using TLS. 

Peer one is an old appliance running X8.8.2

Peer two is a new VM running X8.8.2

Peer three is a new VM running X8.8.2 

The Peer one is the master.

Verified clustering is Active on each peer. 

the Master one suggesting to change TLS mode to Enforcing. 

When I did that the cluster link failed and turned it back off. 

Cluster peers went green but still getting the TLS alarm raised. 

 

 

Chet Cronin
801-815-3539(USA)
801-815-3539 (AFG)
4 REPLIES 4
Highlighted
VIP Advocate

Please take a screenshot of your cluster configuration and share it. Do you have CA signed server certificates on all the cluster nodes and does all nodes have the CA root and if applicable intermediate certificate(s) in its CA trust store (Trusted CA certificate page)?

Please rate all useful posts
Highlighted

Hi,

 

Came across this bug 

 

Clustering error when in TLS permissive mode
CSCvd06521
 
Description
Symptom:
Expressway shows red error "Certificate: Invalid (No Subject Alternate Names matched)" even when the TLS Verify mode is set to Permissive. Just below the error there is then the green text about Active cluster connections.
Red error is misleading to customer as it is perceived as something wrong, not working, where in fact cluster may work fine and this is only a warning relevant to Enforced TLS Verify mode.
This is an enhancement request to change the red error message to different color, or rephrase it in a way that if in Permissive mode, failed SAN check is only informative and alone does not indicate cluster failure.

Conditions:
TLS Verify mode set to permissive and peers defined with IP addresses/hostnames that are not present in the SSL certificates.
 
Workaround:
nonee

Further Problem Description:
None
Highlighted

NOTE: The cluster is set in the permissive mode .. Not running TLS at the moment. 

Looks like it's the bug that was identified earlier ... 

We plan to enable TLS later in the year 

So it appears the cluster is in fact working just getting the raised alarm looking for TLS Verification. 

 

 

Chet Cronin
801-815-3539(USA)
801-815-3539 (AFG)
Highlighted

Please note that if you want to run TLS verification mode Enforce you need to have CA signed certificates for each node in the cluster and you need to use resolvable FQDN names in cluster configuration.

Please rate all useful posts
Content for Community-Ad