Error: “1015: The secure connection could not be established (2)”

  • Expand SSL, click Certificates to view the certificates.

    In this example, TestCertificate is bound to the Access Gateway virtual server and the certificate is Expired.


    The Secure Access Client is able to connect successfully with a valid SSL server Certificate. In this example, TestCertificate is bound to the Access Gateway virtual server and the certificate is Valid.


    Note: If your certificate is Valid and the same error message is still displayed, check whether the intermediate certificates are linked to the server certificate. The proper intermediate certificate should always be linked to the server certificate.


    VPLEX: health-check --full reports Call Home "Error" state post NDU

    Article Number: 523118 Article Version: 3 Article Type: Break Fix



    VPLEX GeoSynchrony,VPLEX Local,VPLEX Metro,VPLEX Series,VPLEX VS2,VPLEX VS6

    An Error is reported by the command health-check --full after the upgrade, but Call Home functions properly.

    • Pre-NDU, health-check --full does not report an error.

    • Post-NDU, health-check --full reports "Checking Call Home Status" as Error.

    • The ConnectEMC_config.xml file looks the same pre-NDU and post-NDU.

    • No issues are seen in the connectemc-related logs.

    • The SMTP service is reachable and not blocked.

    • Call Home works correctly for every triggered call-home test.

    • The SYR / CLM systems confirm that the call-home alerts have been correctly received, which confirms that ConnectHome is received.

    Comparing PRE & POST Non-Disruptive Upgrade (NDU)

    PRE NDU

    VPlexcli:/> health-check --full

    Configuration (CONF):
    Checking VPlexCli connectivity to directors.................... OK
    Checking Directors Commission.................................. OK
    Checking Directors Communication Status........................ OK
    Checking Directors Operation Status............................ OK
    Checking Inter-director management connectivity................ OK
    Checking ports status.......................................... OK
    Checking Call Home............................................. OK
    Checking Connectivity.......................................... OK

    POST NDU

    VPlexcli:/> health-check --full

    Configuration (CONF):
    Checking VPlexCli connectivity to directors.................... OK
    Checking Directors Commission.................................. OK
    Checking Directors Communication Status........................ OK
    Checking Directors Operation Status............................ OK
    Checking Inter-director management connectivity................ OK
    Checking ports status.......................................... OK
    Checking Call Home Status...................................... Error

    service@vplexMM:/var/log/VPlex/cli> more health_check_full_scan.log

    Configuration (CONF):
    Checking VPlexCli connectivity to directors.................... OK
    Checking Directors Commission.................................. OK
    Checking Directors Communication Status........................ OK
    Checking Directors Operation Status............................ OK
    Checking Inter-director management connectivity................ OK
    Checking ports status.......................................... OK
    Checking Call Home Status...................................... Error
    Email Server under Notification type: 'onSuccess/onFailure' is either
    Not reachable or invalid.
    Check if Email Server IP address: '10.1.111.100' is reachable and valid.
    Email Server under Notification type: 'Primary' and 'Failover' are either
    Not reachable or invalid.
    Check if Email Server IP address: '10.1.111.100' and '10.1.111.100' are
    Reachable and valid.

    service@vplexMM:/opt/emc/connectemc> cat ConnectEMC_config.xml

    <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
    <ConnectEMCConfig SchemaVersion="1.1.0">
      <ConnectConfig Type="Email">
        <Retries>7</Retries>
        <Notification>Primary</Notification>
        <Timeout>700</Timeout>
        <Description></Description>
        <BsafeEncrypt>no</BsafeEncrypt>
        <IPProtocol>IPV4</IPProtocol>
        <EmailServer>10.1.111.100</EmailServer>
        <EmailAddress>emailalert@EMC.com</EmailAddress>
        <EmailSender>VPlex_CKM00000000999@EMC.com</EmailSender>
        <EmailFormat>ASCII</EmailFormat>
        <EmailSubject>Call Home</EmailSubject>
        <STARTTLS>no</STARTTLS>
        <IncludeCallHomeData>no</IncludeCallHomeData>
        <InsertBefore></InsertBefore>
        <PreProcess></PreProcess>
        <PostProcess></PostProcess>
        <HeloParameter></HeloParameter>
      </ConnectConfig>
      <ConnectConfig Type="Email">
        <Retries>7</Retries>
        <Notification>Failover</Notification>
        <Timeout>700</Timeout>
        <Description></Description>
        <BsafeEncrypt>no</BsafeEncrypt>
        <IPProtocol>IPV4</IPProtocol>
        <EmailServer>10.1.111.100</EmailServer>
        <EmailAddress>emailalert@EMC.com</EmailAddress>
        <EmailSender>VPlex_CKM00000000999@EMC.com</EmailSender>
        <EmailFormat>ASCII</EmailFormat>
        <EmailSubject>Call Home</EmailSubject>
        <STARTTLS>no</STARTTLS>
        <IncludeCallHomeData>no</IncludeCallHomeData>
        <InsertBefore></InsertBefore>
        <PreProcess></PreProcess>
        <PostProcess></PostProcess>
        <HeloParameter></HeloParameter>
      </ConnectConfig>
      <ConnectConfig Type="Email">
        <Retries>7</Retries>
        <Notification>onSuccess/onFailure</Notification>
        <Timeout>700</Timeout>
        <Description></Description>
        <BsafeEncrypt>no</BsafeEncrypt>
        <IPProtocol>IPV4</IPProtocol>
        <EmailServer>10.1.111.100</EmailServer>
        <EmailAddress>customer@genericemailaddress.com</EmailAddress>
        <EmailSender>VPlex_CKM00000000999@EMC.com</EmailSender>
        <EmailFormat>ASCII</EmailFormat>
        <EmailSubject>Call Home</EmailSubject>
        <STARTTLS>no</STARTTLS>
        <IncludeCallHomeData>yes</IncludeCallHomeData>
        <InsertBefore></InsertBefore>
        <PreProcess></PreProcess>
        <PostProcess></PostProcess>
        <HeloParameter></HeloParameter>
      </ConnectConfig>
    </ConnectEMCConfig>

    service@vplexMM:/var/log/ConnectEMC/logs> ping 10.1.111.100
    PING 10.1.111.100 (10.1.111.100) 56(84) bytes of data.

    --- 10.1.111.100 ping statistics ---
    6 packets transmitted, 0 received, 100% packet loss, time 5010ms

    service@vplexMM:~> telnet 10.1.111.100 25
    Trying 10.1.111.100...
    Connected to 10.1.111.100
    Escape character is '^]'.
    220 emc.com
    helo localhost
    250 emc.com
    mail from: VPlex_CKM00000000999@EMC.com
    250 2.1.0 Ok
    rcpt to:customer@genericemailaddress.com
    250 2.1.0 Ok

    VPlexcli:/notifications/call-home> test
    call-home test was successful.


    As per the above information, the customer is allowing the SMTP service on port 25 only and not ICMP (ping).

    This error is expected and can be ignored once you verify that the test call home is working and its output appears under /opt/emc/connectemc/archive.

    service@vplexMM:/opt/emc/connectemc/archive> ll
    -rw-r----- 1 service users 2814 Jun 25 13:17 RSC_CKM00000000999_062518_011656000.xml
    -rw-r----- 1 service users 2814 Jun 25 10:54 RSC_CKM00000000999_062518_105401000.xml
    -rw-r----- 1 service users 2814 Jun 25 11:11 RSC_CKM00000000999_062518_111102000.xml
    -rw-r----- 1 service users 2814 Jun 25 11:48 RSC_CKM00000000999_062518_114834000.xml

    Checking the call home status is part of the health-check --full script, which does the following:

    1- Reads the email server for each notification type from /opt/emc/connectemc/ConnectEMC_config.xml.

    2- Pings that server. The ping can fail for any of several reasons: the server is not reachable over the network, the server is shut down, ICMP is blocked by a firewall, or the <EmailServer> value in ConnectEMC_config.xml is a DNS name rather than an IP address.

    As a result, the health-check --full script fails and shows the following error:

    Checking Call Home Status...................................... Error

    The current health-check script checks whether call home is enabled and generates a "Warning" state if it is disabled.

    The health-check script also checks whether call home has been functioning properly with several verifications, such as checking that call homes have been generated, that the call-home emails have been sent successfully, and that the SMTP server answers ping.

    If any of these verifications fails, the script's result is flagged with an error, as shown:

    Checking Call Home Status...................................... Error
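    The article does not show the health-check script itself, so the following is an added example (not Dell's code) that mirrors the two-step logic it describes: read one EmailServer per notification type from ConnectEMC_config.xml, then probe it. It adds the check the article performs by hand with telnet (a TCP connection to port 25 and a 220 banner) beside the ICMP result, so an "ICMP blocked, SMTP fine" relay is reported as usable rather than as an Error. The XML sample is a constructed, trimmed copy of the file quoted above; the probe functions are injectable so the logic runs offline.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed sample modelled on the ConnectEMC_config.xml quoted in the article
# (trimmed to the elements the check needs; not the real file from the system).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<ConnectEMCConfig SchemaVersion="1.1.0">
  <ConnectConfig Type="Email"><Notification>Primary</Notification>
    <EmailServer>10.1.111.100</EmailServer></ConnectConfig>
  <ConnectConfig Type="Email"><Notification>Failover</Notification>
    <EmailServer>10.1.111.100</EmailServer></ConnectConfig>
  <ConnectConfig Type="Email"><Notification>onSuccess/onFailure</Notification>
    <EmailServer>10.1.111.100</EmailServer></ConnectConfig>
</ConnectEMCConfig>"""

def email_servers(config_xml):
    """Step 1 of the health check: one EmailServer per notification type."""
    root = ET.fromstring(config_xml.encode("utf-8"))
    return {cc.findtext("Notification"): cc.findtext("EmailServer")
            for cc in root.findall("ConnectConfig") if cc.get("Type") == "Email"}

def smtp_reachable(host, port=25, timeout=3.0):
    """What the article's telnet session checks by hand: a TCP connection to
    port 25 and a 220 banner. This is the probe that matters for call home."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(64).startswith(b"220")
    except OSError:
        return False

def classify(icmp_ok, smtp_ok):
    """Outcomes discussed in the article. health-check --full only looks at
    ICMP, so the second case is the false Error the article explains."""
    if smtp_ok and icmp_ok:
        return "OK"
    if smtp_ok:
        return "OK (ICMP blocked: health-check --full reports Error, ignorable)"
    return "Error"

def check_call_home(config_xml, icmp_probe, smtp_probe=smtp_reachable):
    """Run both probes per notification type. Probes are injected so the logic
    can be exercised offline; pass a real ping wrapper as icmp_probe in use."""
    return {name: classify(icmp_probe(host), smtp_probe(host))
            for name, host in email_servers(config_xml).items()}

if __name__ == "__main__":
    # Reproduce the article's situation: ping blocked, SMTP answering.
    result = check_call_home(SAMPLE_CONFIG, lambda h: False, lambda h: True)
    for name, status in result.items():
        print(f"{name:20s} {status}")
```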

    After ICMP is allowed at the firewall between the VPLEX management server and the selected email server (ESRS or the customer's own email server), the Call Home "Error" status is clean:

    VPlexcli:/> health-check --full

    Configuration (CONF):
    Checking VPlexCli connectivity to directors.................... OK
    Checking Directors Commission.................................. OK
    Checking Directors Communication Status........................ OK
    Checking Directors Operation Status............................ OK
    Checking Inter-director management connectivity................ OK
    Checking ports status.......................................... OK
    Checking Call Home Status...................................... OK
    Checking Connectivity.......................................... OK
    Checking COM Port Power Level.................................. OK
    Checking Meta Data Backup...................................... OK
    Checking Meta Data Slot Usage.................................. OK


    Can ProxySG ‘uplevel’ a TLS connection to an internet website?

    I need a solution

    I have a legacy client on my network that needs to connect to an internet website that is disabling support for TLS 1.0 and 1.1.  This client is not capable of making connections higher than TLS 1.0, though.  It uses the ProxySG explicitly with a CONNECT, but I can route the traffic to get it there transparently as well if needed.  Is there a way in the ProxySG to cause the Proxy -> OCS connection to be TLS 1.2 even though the Client -> Proxy connection is TLS 1.0?

    I found one knowledge entry that looks like it’s specific to making the reverse happen, but I think this is more of a source/dst/action rule (https://support.symantec.com/en_US/article.TECH248…).  I tried it anyway with the client.negotiated.ssl.version set to TLSV1 and it resulted in a ‘n/a’ in a policy trace.

    Anyone know if there’s a way to do this?



    “Cannot complete request” when logging on via NetScaler using dual factor authentication and SSON to StoreFront Server 3.14

    The certificate hash shown did not match the one bound to SSL port 443 in IIS (the correct certificate hash starts with 89BA19BD4…).

    Delete the legacy certificate causing the errors with the CLI command:

    netsh http delete sslcert ipport=0.0.0.0:443

    Note: The legacy certificate belonged to another set of StoreFront servers (3 SF servers); it was not the new certificate created for this new set of 2 SF servers.

    Validation

    When issuing the CLI command netsh http show sslcert, the legacy certificate is now gone.

    When testing logon through the NetScaler, SSON to the SF server worked with the two-factor authentication in place and with the setting "Enable Loopback Communication" kept ON (under SF - Edit Receiver for Web Site - Advanced Settings).


    TLS support on secondary MX server

    I need a solution

    We have a third party who is using the website www.checktls.com to verify that emails sent to our domain covermycab.com use TLS. I have set up an encryption partnership in the messagelabs portal, but the website check is still failing. The primary MX record is using TLS but the secondary MX record isn't; is there any way to correct this?

    Thanks

    Trying TLS on cluster9a.eu.messagelabs.com[52.59.102.191:25] (20):

    seconds   test stage and result
    [000.089]   Connected to server
    [000.180] <--  220 mail555.messagelabs.com ESMTP Fri, 28 Dec 2018 11:51:32 +0000
    [000.180]   We are allowed to connect
    [000.180]  --> EHLO www6.CheckTLS.com
    [000.268] <--  250-mail555.messagelabs.com Hello ip-100-113-13-142.eu-central-1.aws.symcld.net [100.113.13.142]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-CHUNKING
    250-PRDR
    250 HELP
    [000.269]   We can use this server
    [000.269]   TLS is not an option on this server
    [000.269]  --> MAIL FROM:<test@checktls.com>
    [000.357] <--  250 OK
    [000.358]   Sender is OK
    [000.358]  --> QUIT
    [000.446] <--  221 mail555.messagelabs.com closing connection
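    The "TLS is not an option on this server" verdict in the transcript above comes from the EHLO reply: the secondary MX advertises SIZE, 8BITMIME, PIPELINING, CHUNKING, PRDR and HELP, but no STARTTLS, so a sender can never upgrade the session. The following is an added example (not code from the poster, CheckTLS or Symantec) that parses an EHLO reply the way that test does and reports whether STARTTLS is offered; the first reply is a constructed copy of the one in the post, the second is a constructed contrast, and probe_mx is a live variant for checking each MX host separately (hostnames ending in .invalid are placeholders).

```python
import smtplib

# Constructed EHLO reply modelled on the CheckTLS transcript in the post above
# (not a live capture): no STARTTLS keyword among the extensions.
EHLO_REPLY_NO_TLS = """250-mail555.messagelabs.com Hello ip-100-113-13-142.eu-central-1.aws.symcld.net [100.113.13.142]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-PRDR
250 HELP"""

# Constructed reply from a relay that does offer opportunistic TLS, for contrast.
EHLO_REPLY_TLS = """250-mx.example.invalid Hello checker
250-SIZE 52428800
250-STARTTLS
250 HELP"""

def ehlo_extensions(reply):
    """Parse a multi-line 250 EHLO reply into the set of advertised extension
    keywords. Line 1 is the greeting; '250-' continues, '250 ' (space) ends."""
    exts = set()
    for line in reply.strip().splitlines()[1:]:
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError("malformed EHLO reply line: %r" % line)
        words = line[4:].split()
        if words:
            exts.add(words[0].upper())
    return exts

def offers_starttls(reply):
    """The condition CheckTLS reports as 'TLS is not an option on this server'."""
    return "STARTTLS" in ehlo_extensions(reply)

def probe_mx(host, port=25, helo="checker.example.invalid", timeout=10.0):
    """Live version of the same check against one MX host (no mail is sent):
    EHLO, then inspect the extensions the server returned. Run it once per MX
    record, since each MX host answers EHLO on its own."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo(helo)
        return code == 250 and smtp.has_extn("starttls")

if __name__ == "__main__":
    print("secondary MX offers STARTTLS:", offers_starttls(EHLO_REPLY_NO_TLS))
    print("contrast relay offers STARTTLS:", offers_starttls(EHLO_REPLY_TLS))
```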


    Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016

    On September 22, 2016, the OpenSSL Software Foundation released an advisory that describes 14 vulnerabilities. Of these 14 vulnerabilities, the OpenSSL Software Foundation classifies one as “Critical Severity,” one as “Moderate Severity,” and the other 12 as “Low Severity.”

    Subsequently, on September 26, the OpenSSL Software Foundation released an additional advisory that describes two new vulnerabilities. These vulnerabilities affect the OpenSSL versions that were released to address the vulnerabilities disclosed in the previous advisory. One of the new vulnerabilities was rated as “High Severity” and the other as “Moderate Severity.”

    Of the 16 released vulnerabilities:

    • Fourteen track issues that could result in a denial of service (DoS) condition
    • One (CVE-2016-2183, aka SWEET32) tracks an implementation of a Birthday attack against Transport Layer Security (TLS) block ciphers that use a 64-bit block size that could result in loss of confidentiality
    • One (CVE-2016-2178) is a timing side-channel attack that, in specific circumstances, could allow an attacker to derive the private DSA key that belongs to another user or service running on the same system

    Five of the 16 vulnerabilities exclusively affect the recently released OpenSSL versions that are part of the 1.1.0 release series, which has not yet been integrated into any Cisco product.

    This advisory is available at the following link:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160927-openssl

    Security Impact Rating: Medium

    CVE: CVE-2016-2177,CVE-2016-2178,CVE-2016-2179,CVE-2016-2180,CVE-2016-2181,CVE-2016-2182,CVE-2016-2183,CVE-2016-6302,CVE-2016-6303,CVE-2016-6304,CVE-2016-6305,CVE-2016-6306,CVE-2016-6307,CVE-2016-6308,CVE-2016-6309,CVE-2016-7052


    How do I install a CA for SSL decryption with its intermediate cert?

    I need a solution

    Hi;

    I have a CA signed by an Intermediate certificate, which is in turn signed by a Root CA. So the trust chain is 

    Root CA signed the Intermediate Certificate CA, which signed the CA associated with the Keyring on the ASG.

    How can I install the CA used to resign server certificates on the Proxy SG with its intermediate Certificate linked to it?

    Kindly

    Wasfi



    7016002: Filr and broken trust chains when installing certificates with an intermediate CA.

    Several Certificate Authority (CA) vendors provide their customers with a signed certificate along with an additional certificate file for an intermediate CA.

    After installing the CSR reply and the CA vendor's intermediate CA file, the signed self-generated certificate of Filr is still not trusted by all browsers or clients.

    Installing the intermediate CA on the workstation works around the issue; however, this does not fix the broken trust chain for clients that do not have access to that file, and it should not be a requirement.

    In Novell Filr 1.2 in the Appliance configuration, under Digital Certificates, when managing the Web Application Certificates, the option Update Certificate Chain was introduced. However, with the release version (Filr 1.2.0.846) this still requires some additional steps to be performed, before the Appliance also offers the Intermediate CA.
