RESTCONF - SSL handshake fails - nginx not running
03-31-2021 01:47 AM - edited 04-06-2021 05:42 AM
Hi,
After I upgraded the router ISR 4451-X/K9 to AMSTERDAM 17.3.2, I had issues with the RESTCONF 'testing'.
I found the issue with Postman and did the RESTCONF via curl.
In Postman = error 80
In curl/Windows terminal:
C:\WINDOWS\system32>curl -k -v https://10.242.1.92/restconf/data/Cisco-IOS-XE-native:native/router/router-eigrp -u "***:***"
* Trying 10.242.1.92...
* TCP_NODELAY set
* Connected to 10.242.1.92 (10.242.1.92) port 443 (#0)
* schannel: SSL/TLS connection with 10.242.1.92 port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
* schannel: using IP address, SNI is not supported by OS.
* schannel: sending initial handshake data: sending 147 bytes...
* schannel: sent initial handshake data: sent 147 bytes
* schannel: SSL/TLS connection with 10.242.1.92 port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with 10.242.1.92 port 443 (step 2/3)
* schannel: encrypted data got 7
* schannel: encrypted data buffer: offset 7 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with 10.242.1.92 port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
LAB-ISR-092-01#show platform software yang-management process
confd : Running
nesd : Running
syncfd : Running
ncsshd : Running
dmiauthd : Running
nginx : Not Running
ndbmand : Running
pubd : Running
nginx is not running... and it should be to be able to respond to the GET?
-- Removing all configuration lines and starting over again solved the nginx issue.
-- TLS still fails
- Labels: YANG Development Kit (YDK)
04-15-2021 07:53 AM
Hello,
Please allow me to make three points / suggestions regarding this:
- I've used the Cisco Bug Search tool and have found no documented bugs regarding ISR 4451-X/K9, AMSTERDAM 17.3.2 and TLS.
- Here are some great points made in this area, found within this presentation from Cisco Live!: Open Device Programmability: A hands-on introduction to RESTCONF (and a bit of NETCONF) (the section you need begins on slide 56)
- Unable to authenticate to access restconf API - a somewhat similar discussion to yours, here on the Cisco Community Forums
Hope this helps!
06-29-2021 04:24 AM
Changed IOS and the problem was solved. Indeed a temporary bug/issue.
Discovering where the magic is will be more difficult :-). Sorry for the late reply.
