no shared cipher: TLS write fatal alert "handshake failure"

  • salai
    Junior Member
    • Nov 2020
    • 27

    #1

    no shared cipher: TLS write fatal alert "handshake failure"

    Hi People,

    We have an active proxy at a customer site, this was running unencrypted for quite some time and we attempted to configure PSK encryption without success.


    Enabled the proxy encryption at the Zabbix Server UI
    And configured the below 4 parameters at the zabbix_proxy.conf


    TLSConnect = psk
    TLSAccept = psk

    TLSPSKIdentity=xyx
    TLSPSKFile= /etc/zabbix/sec.psk

    restarted the proxy.

    Getting this error on Server log

    27833:20210129:154052.781 failed to accept an incoming connection: from X.X.X.X: TLS handshake set result code to 1: file s3_srvr.c line 1435: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher: TLS write fatal alert "handshake failure"

    Getting this error on Proxy log
    16595:20210129:160904.586 Unable to connect to the server [xyz]:10051 [TCP successful, cannot establish TLS to [[xyz]:10051]: connection closed by peer]

    Any piece of advice would be appreciated.

    Cheers
    Salai
    Last edited by salai; 03-02-2021, 01:51.
  • NilsA
    Senior Member
    • Sep 2020
    • 102

    #2
    I'm not an expert on TLS but I got it working for 5 proxies myself. Why is the TLSPSKFile pointing towards what looks like a Windows file path? That doesn't seem right at all.


    • salai
      Junior Member
      • Nov 2020
      • 27

      #3
      Hi NilsA, Firstly, thank you for taking the time to respond back to the thread. The path that you see was misleading. I didn't pick up the path from the Linux box; I just keyed it in myself to explain the problem.

      Cheers
      Salai


      • NilsA
        Senior Member
        • Sep 2020
        • 102

        #4
        Ok. Have you checked if the PSK and identity are identical on both ends? If that is so, which OS are you working with?


        • tim.mooney
          Senior Member
          • Dec 2012
          • 1427

          #5
          Originally posted by salai
          Getting this error on Server log

          27833:20210129:154052.781 failed to accept an incoming connection: from X.X.X.X: TLS handshake set result code to 1: file s3_srvr.c line 1435: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher: TLS write fatal alert "handshake failure"
          If I were you, I would probably focus first on the "no shared cipher" part of the log message. This typically happens when you have different major versions of software on each end of the connection, so that there's a large-enough difference between the underlying encryption routines (probably based upon the OpenSSL library) that they can't negotiate a protocol version and cipher.

          To understand why that negotiation can fail, it's helpful to answer the following 4 questions:

          What OS and version is in use on the proxy?
          What is the exact version of the Zabbix proxy software on the proxy?

          What OS and version is in use on the Zabbix server?
          What is the exact version of the Zabbix server software?

          When an SSL or now TLS connection starts up, there is a protocol negotiation that needs to happen. This happens after the (lower level) TCP network connection is established, but before any application-level communication could happen.

          As part of the TLS or SSL protocol negotiation, the client end of the connection and the server end of the connection need to agree on what version of the protocol they're going to speak. Most stuff these days no longer even allows SSLv3, and even TLS1.0 and TLS1.1 are being phased out. As of this date, the latest security recommendations are to prefer TLS1.2 and especially TLS1.3 wherever possible, and to avoid TLS1.1 and earlier when possible. Note: even though you see places where SSL is mentioned in the error message, that can be misleading: some of the underlying code has names and log messages that date from when SSL was still dominant, but the routines in some cases also are used by even modern TLS connections.

          In addition to negotiating and then agreeing on a particular protocol version (like TLS1.2), the client and the server also have to agree to use particular encryption algorithms for parts of the process. Which algorithms (and ciphers) are available are often tied to the protocol versions (TLS1.0, TLS1.1, etc.), but they can also be selected individually.

          When you see software that is using OpenSSL as the encryption library log a message saying "no shared cipher", it means that the client and the server could not agree on a cipher algorithm, so the connection could not proceed. This can sometimes happen as a side-effect of not being able to even negotiate a protocol version (e.g. the client only supports TLS1.0 and TLS1.1, but the server requires TLS1.2 or TLS1.3 -- there is no intersection between the two sets of available protocol versions), but typically if the negotiation fails at the protocol level, the log message would be a little different. Not always, but usually.

          Whether it's the protocol version or the cipher selection that's failing, though, it's usually happening because one end of the connection is using much newer software versions than the other end of the connection.


          • salai
            Junior Member
            • Nov 2020
            • 27

            #6
            Hi Tim, FYI

            Proxy OS version: Red Hat Enterprise Linux Server release 7.8 (Maipo)
            Proxy software version: zabbix_proxy (Zabbix) 5.0.0

            Zabbix server OS version: Red Hat Enterprise Linux Server release 7.5 (Maipo)
            Zabbix server software version: zabbix_server (Zabbix) 5.0.0



            • tim.mooney
              Ok, then my guess that it relates to very different versions of OpenSSL on the two ends of the connection is not correct. The "no shared ciphers" isn't being caused by version differences, and the problem has to be somewhere else. Thanks for providing that background information.
          • salai
            Junior Member
            • Nov 2020
            • 27

            #7
            Hi Tim, The other thing that I need to mention here is that there is a firewall in between the proxy and the server, where the internal IP is transitioned into a NATed IP and then connects to the Zabbix server. Do you think that could cause any trouble?



            • tim.mooney
              It's certainly possible that the firewall or NAT could be causing problems, but I'm not sure how you could test to try to narrow it down to the firewall/NAT. I would expect NAT as a more likely issue if you were using certificates, but by using pre-shared keys that shouldn't be as much of an issue.

              I had a vague recollection that there was something weird about pre-shared keys, based on some older posts on these forums, and using your server error message and web search, I turned up one of the old forum threads related to pre-shared keys.

              If you review this thread and the documentation and thread it links to, do any of the steps in there resolve the issue:



              Those are direct server<->agent connections, but the issue is with the PSK, so I would expect the same to be true for a proxy.
              Last edited by tim.mooney; 05-02-2021, 21:12.
          • salai
            Junior Member
            • Nov 2020
            • 27

            #8
            14222:20210205:113003.287 OpenSSL library (version OpenSSL 1.0.1e-fips 11 Feb 2013) initialized
            14222:20210205:113003.288 zbx_tls_init_child() loaded PSK identity "PSK005"
            14222:20210205:113003.288 zbx_tls_init_child() loaded PSK from file "/home/zabbix/zabbix_proxy.psk"
            14222:20210205:113003.288 zbx_tls_init_child() PSK ciphersuites: PSK-AES128-CBC-SHA
            14222:20210205:113003.289 End of zbx_tls_init_child()
            14222:20210205:113003.412 zbx_setproctitle() title:'configuration syncer [loading configuration]'
            14222:20210205:113003.412 In process_configuration_sync()
            14222:20210205:113003.412 In connect_to_server() [xyz.com]:10051 [timeout:600]
            14222:20210205:113003.417 In zbx_tls_connect(): psk_identity:"PSK005"
            14222:20210205:113003.433 End of zbx_tls_connect():FAIL error:'connection closed by peer'
            14222:20210205:113003.433 Unable to connect to the server [xyz.com]:10051 [TCP successful, cannot establish TLS to [[xyz.com]:10051]: connection closed by peer]. Will retry every 120 second(s)
            14222:20210205:113003.437 In zbx_tls_connect(): psk_identity:"PSK005"
            14222:20210205:113003.442 End of zbx_tls_connect():FAIL error:'connection closed by peer'
            Last edited by salai; 05-02-2021, 02:47.


            • salai
              Junior Member
              • Nov 2020
              • 27

              #9
              Hi Tim, Thanks for your response. The root cause of the issue was a firewall block. The issue was resolved once the traffic was opened in the firewall.


              Cheers
              Salai


              • salai
                Junior Member
                • Nov 2020
                • 27

                #10
                Sharing the command for people who troubleshoot similar issues.

                openssl s_client -connect zabbixserver:10051 -psk_identity 'PSK 005' -psk '71867b83aeae6c25ddb48b867d59b71fdf06026acadfd467fbaef318caaa535a'

                This command can be used to test the connection from Proxy. The response should look like

                ---
                no peer certificate available
                ---
                No client certificate CA names sent
                ---
                SSL handshake has read 143 bytes and written 390 bytes
                ---
                New, TLSv1/SSLv3, Cipher is PSK-AES128-CBC-SHA
                Secure Renegotiation IS supported
                Compression: NONE
                Expansion: NONE
                No ALPN negotiated
                SSL-Session:
                Protocol : TLSv1.2
                Cipher : PSK-AES128-CBC-SHA
                Session-ID:
                Session-ID-ctx:
                Master-Key: XYZ
                Key-Arg : None
                Krb5 Principal: None
                PSK identity: PSK 005
                PSK identity hint: None
                Start Time: 1612662781
                Timeout : 300 (sec)
                Verify return code: 0 (ok)
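
Added example (not part of the original posts): a POSIX shell pre-flight that checks the proxy-side `TLSPSKIdentity` and `TLSPSKFile` values and then prints the `openssl s_client` test command from post #10 with the key read from the file instead of typed inline. The limits used (PSK of 32 to 512 hex digits, identity of at most 128 bytes) come from the Zabbix documentation rather than this thread; the function names, reading only the first line of the PSK file, and the fingerprint step are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Zabbix's own tooling. Function names are hypothetical.
# Assumed limits (Zabbix documentation): PSK 32..512 hex digits,
# identity non-empty and at most 128 bytes.

# Print the value of KEY from a Zabbix-style config file. Commented lines are
# skipped, whitespace around '=' is ignored (so "TLSPSKFile= /etc/zabbix/sec.psk"
# parses), and if the key appears more than once the last one is printed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# First line of the PSK file without CR/LF and with hex digits lowercased.
# Inner whitespace is kept on purpose so a wrapped or pasted key is caught.
psk_normalized() {
    head -n 1 "$1" | tr -d '\r\n' | tr 'A-F' 'a-f'
}

# Print one status word for the PSK file; return 0 only for "ok".
psk_check() {
    [ -r "$1" ] || { echo unreadable; return 1; }
    key=$(psk_normalized "$1")
    len=${#key}
    case $key in
        '')          echo empty; return 1 ;;
        *[!0-9a-f]*) echo not-hex; return 1 ;;
    esac
    [ $((len % 2)) -eq 0 ] || { echo odd-length; return 1; }
    [ "$len" -ge 32 ]      || { echo too-short; return 1; }
    [ "$len" -le 512 ]     || { echo too-long; return 1; }
    # The key is a shared secret: flag a file that any local user can read.
    if [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo world-readable; return 1
    fi
    echo ok
}

# Print the first 16 hex digits of SHA-256 over the normalized key, so both
# ends can be compared without showing the key itself. Only meaningful for
# randomly generated keys.
psk_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        psk_normalized "$1" | sha256sum | cut -c1-16
    else
        psk_normalized "$1" | openssl dgst -sha256 | sed 's/^.*= *//' | cut -c1-16
    fi
}

# The identity is compared byte for byte, so spaces and case matter.
identity_check() {
    bytes=$(($(printf %s "$1" | wc -c)))
    [ "$bytes" -ge 1 ]   || { echo empty; return 1; }
    [ "$bytes" -le 128 ] || { echo too-long; return 1; }
    echo ok
}

# Print the s_client test command for this config. The key is read from the
# file when the command runs, so it is not part of the printed text.
s_client_cmd() {
    id=$(conf_get "$1" TLSPSKIdentity)
    file=$(conf_get "$1" TLSPSKFile)
    printf "openssl s_client -connect %s:%s -psk_identity '%s' -psk \"\$(cat '%s')\"\n" \
        "$2" "$3" "$id" "$file"
}

# Usage: sh psk_preflight.sh /etc/zabbix/zabbix_proxy.conf zabbixserver 10051
if [ "$#" -ge 3 ]; then
    psk_file=$(conf_get "$1" TLSPSKFile)
    echo "identity:        $(identity_check "$(conf_get "$1" TLSPSKIdentity)")"
    echo "psk file:        $(psk_check "$psk_file")"
    echo "psk fingerprint: $(psk_fingerprint "$psk_file")"
    s_client_cmd "$1" "$2" "$3"
fi
```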


