
Un-Blocking SSL Between networks?

K-Grev
Level 1

Hi,

The UCS environment is very new to me so bear with me if I struggle to understand replies and advice.

 

We have a Netapp storage center hosted in our UCS network. We also have a VM environment there as well.

After one of our team members did in-depth troubleshooting with a Netapp support specialist, it was determined that the Netapp is working fine and somewhere between the network the Netapp lives on and the network the infrastructure VMs are on, SSL is either being blocked or filtered out.

 

Is there a way I can see if this is happening?

 

Thanks for any help and please let me know if I need to supply you with more information.


Kirk J
Cisco Employee

Greetings.

UCSM/FIs is a layer 2 only device, so it has no ACL/L3 filtering abilities.

If you have filtering going on, then it is either upstream on a L3 device, or some sort of L3 virtual device/appliance.

Would be helpful if you could post a very basic picture of the topology...  

So the netapp is directly connected to the FIs as 'appliance' ports?

I know some of them can have a specific QOS/COS value requirement, so you may need to confirm that your various ESXi host VNICs have the correct QOS policy.

Can you be more specific about the traffic you are talking about (i.e. ESXi VMK NFS port <> Netapp appliance, or guestVMs trying to hit management web interface)?  Is this traffic in the same subnet, or in different subnets, where it has to go through L3 device?  Does traffic on any port work between the two entities in question (i.e. ping, ssh, etc)?

 

Also, might want to fire up Wireshark on your guestVMs in question and capture a snippet of your attempts to hit the netapp URLs requiring SSL negotiation.

 

Kirk...

Uploaded a basic diagram.

 

So the netapp is directly connected to the FIs as 'appliance' ports?

Yes, "Appliance Storage" when I look at Fabric interconnect A physical port.

 

I believe the traffic is only having problems with SSL connections, all other traffic is working fine.

 

 

Kirk J
Cisco Employee

Without subnet mask details, it's hard to confirm if your netapp, and your VMs are in different subnets.

I am assuming you are using /24 SM, which means VMs have to go through an upstream router/L3 device to talk to the other subnet.  That is where your focus should start.

Assuming your guestVMs don't have any unusual web browser SSL restrictions, or local OS firewalls causing the blocks.

Any chance you could use a testVM, and drop it in the same vlan as the netapp appliance, and do a test while they are in the same subnet (this will remove the layer 3/router from the equation)?
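
Added example, not part of the original replies: a small Python probe for the comparison suggested above, run once from a VM behind the router and once from a test VM in the storage VLAN. It records how far a connection gets on a control port and on the TLS port; ports 22 and 443, the function names and the verdict labels are assumptions made for this sketch.

```python
import socket
import ssl
import sys

def probe(host, port, tls=False, timeout=3.0):
    """Return how far a connection to host:port gets (TCP, then optionally TLS)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "tcp-timeout"      # SYN never answered: typical of a silent ACL/firewall drop
    except ConnectionRefusedError:
        return "tcp-refused"      # RST came back: host reachable, port closed or rejected
    except OSError:
        return "tcp-error"        # no route, unreachable, name resolution failure
    with sock:
        if not tls:
            return "tcp-open"
        ctx = ssl.create_default_context()   # certificate verification stays on
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
                return "tls-ok:" + tls_sock.version()
        except ssl.SSLCertVerificationError:
            return "tls-cert-untrusted"      # server sent its certificate, so the path passes TLS
        except (ssl.SSLError, OSError):
            return "tls-no-handshake"        # TCP open, but the handshake was reset or stalled

def interpret(control, target):
    """Compare a port known to work (control) with the TLS port (target)."""
    if target.startswith("tls-ok") or target == "tls-cert-untrusted":
        return "path-ok"                 # TLS reaches the server: check browser or OS firewall
    if target == "tls-no-handshake":
        return "inspect-capture"         # TCP answers but TLS breaks: take a packet capture
    if control == "tcp-open" and target == "tcp-timeout":
        return "port-filtered"           # same host, other port works: check ACLs on the L3 hop
    if control == "tcp-open" and target == "tcp-refused":
        return "port-closed-or-rejected" # service not listening, or a filter sending resets
    return "host-unreachable"            # nothing works: routing or VLAN issue, not TLS-only

if __name__ == "__main__" and len(sys.argv) > 1:
    host = sys.argv[1]                   # storage address, supplied by the operator
    control = probe(host, 22)            # assumed control port (ssh)
    target = probe(host, 443, tls=True)  # assumed TLS port
    print(host, control, target, interpret(control, target))
```

A "port-filtered" verdict from the routed VM together with "path-ok" from the same-VLAN test VM points at the L3 device between the subnets.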

 

Kirk...

Thanks for all your help. Ended up being an ACL on our Management switch.

 

Thanks for your time.
