utm_medium=referral&utm_source=cc-ribbon&utm_campaign=ST-RMA-4-21 " target="_blank">
Would you like to learn more about how to determine if you need an RMA? - REGISTER TODAY!
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
169
Views
0
Helpful
1
Replies
_|brt.drml|_
Beginner

RESTCONF - SSL handshake fails - nginx not running

Hi, 

After I upgraded the router ISR 4451-X/K9 to AMSTERDAM 17.3.2, I had issues with the RESTCONF 'testing'.

I found the issue with POSTMEN and did the RESTCONF via CURL.

In POSTMEN = error 80

in Curl/Windows terminal:

C:\WINDOWS\system32>curl -k -v https://10.242.1.92/restconf/data/Cisco-IOS-XE-native:native/router/router-eigrp -u "***:***"
*   Trying 10.242.1.92...
* TCP_NODELAY set
* Connected to 10.242.1.92 (10.242.1.92) port 443 (#0)
* schannel: SSL/TLS connection with 10.242.1.92 port 443 (step 1/3)
* schannel: disabled server certificate revocation checks
* schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
* schannel: using IP address, SNI is not supported by OS.
* schannel: sending initial handshake data: sending 147 bytes...
* schannel: sent initial handshake data: sent 147 bytes
* schannel: SSL/TLS connection with 10.242.1.92 port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with 10.242.1.92 port 443 (step 2/3)
* schannel: encrypted data got 7
* schannel: encrypted data buffer: offset 7 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with 10.242.1.92 port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

LAB-ISR-092-01#show platform software yang-management process
confd : Running
nesd : Running
syncfd : Running
ncsshd : Running
dmiauthd : Running
nginx : Not Running
ndbmand : Running
pubd : Running

 

nginx is not running... and it should be to be able to respond to the GET? 

 

-- removing all configuration lines and start over again solved the nginx issue.

-- TLS still fails

1 REPLY 1
alexstev
Cisco Employee

Hello,

 

Please allow me to make three points / suggestions regarding this:

 

  1. I've used the Cisco Bug Search tool and have found no documented bugs regarding ISR 4451-X/K9, AMSTERDAM 17.3.2 and TLS.
  2. Here are some great points made in this area found within this presentation from Cisco live!:Open Device Programmability: A hands-on introduction to RESTCONF (and a bit of NETCONF) (the section you need begins on slide 56)
  3. Unable to authenticate to access restconf API - a somewhat similar discussion to yours, here on the Cisco Community Forums

 

Hope this help!

Content for Community-Ad

This widget could not be displayed.