Zabbix Agent 2 v6.4.0 - TLS write fatal alert "decode error"

  • stavros-k
    Junior Member
    • Mar 2023
    • 3

    #1

    Zabbix Agent 2 v6.4.0 - TLS write fatal alert "decode error"

    Hello,

    After upgrading both server and agents to 6.4.0 today, my server logs are spammed with:

    Code:
    failed to accept an incoming connection: from AGENT IP: unspecified certificate verification error: TLS handshake set result code to 1: file ../ssl/record/rec_layer_s3.c line 308 func ssl3_read_n: error:0A000126:SSL routines::unexpected eof while reading: TLS write fatal alert "decode error"

    All agents are in active mode and use PSK.

    Reverting only agents back to 6.2.7, log spam stops.
    Agent logs show:

    Code:
    2023-03-12 16:08:55 1678630135 "2023/03/12 15:08:53.857772 [101] active check configuration update from [ZABBIX_SERVER:10052] is working again"
    2023-03-12 16:08:38 1678630118 "2023/03/12 15:08:37.812843 [101] sending of heartbeat message for [AGENT NAME] started to fail"
    2023-03-12 16:08:38 1678630118 "2023/03/12 15:08:37.812333 [101] cannot connect to [ZABBIX_SERVER:10052]: read tcp 192.168.11.150:63308->ZABBIX_SERVER_IP:10052: i/o timeout"
    2023-03-12 16:07:34 1678630054 "2023/03/12 15:07:33.804836 [101] sending of heartbeat message for [AGENT NAME] started to fail"

    I'm fairly new to the Zabbix world and not sure where to start troubleshooting this.

    Thanks
  • JeffNL
    Junior Member
    • Mar 2020
    • 17

    #2
    I’m following this topic, because I have possibly the same issue.
    Zabbix Agents are intermittently not connected: 15 minutes connected, then 15 minutes not connected, etc.
    Also using PSK.
    Only the servers containing Zabbix Agent and using PSK are having this problem.
    The problem appeared since those servers have been updated (Linux updates).
    These servers are running Debian and Ubuntu.
    The Zabbix Agent is used in passive mode (default).

    UPDATE:

    In the last days an extra Zabbix Agent was reconfigured to use PSK.

    In the Agent log file this was seen:
    failed to accept an incoming connection: from x.x.x.x: TLS handshake set result code to 1: file ../ssl/statem/extensions.c line 1618: error:141FA0FD:SSL routines:tls_psk_do_binder:binder does not verify: TLS write fatal alert "illegal parameter"

    Then I also read this topic:
    https://www.zabbix.com/forum/zabbix-...egal-parameter

    Long story short:
    We now will use a unique TLSPSKIdentity value for every connection that needs encryption.
    The problem we were having is solved now.
    Last edited by JeffNL; 30-03-2023, 13:09.


    • stavros-k
      Junior Member
      • Mar 2023
      • 3

      #3
      That's not possible for me. It's more than 600 hosts that are auto registered with the same identity/PSK


      • rhvitfeldt
        Junior Member
        • May 2024
        • 4

        #4
        I have the same problem. Does TLSPSKIdentity really have to be unique on all hosts?


        • tim.mooney
          Senior Member
          • Dec 2012
          • 1427

          #5
          Originally posted by rhvitfeldt
          I have the same problem. Does TLSPSKIdentity really have to be unique on all hosts?

          Check out the second "Attention" box.

          • rhvitfeldt
            Junior Member
            • May 2024
            • 4

            #6
            I've read it and it's not very clear, I think.
            Do I understand correctly that the identity and PSK value can be identical on all hosts, as long as there are no hosts with the same PSK identity and different values?

            • cyber
              Senior Member
              Zabbix Certified Specialist, Zabbix Certified Professional
              • Dec 2006
              • 4807

              #7
              Yes, it can be identical on all hosts. Do not use the same identity with a different value.
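
The rule from posts #5 to #7 (one identity may be shared by many hosts, but must never be paired with different PSK values) can be checked across an agent inventory before rollout. This is an added example, not code from the thread or from Zabbix; the inventory format, function names and sample data are assumptions, and the identity and PSK length limits are those given in Zabbix's PSK documentation.

```python
import hashlib
import re
from collections import defaultdict

HEX_PSK = re.compile(r"^[0-9a-fA-F]+$")

def psk_problem(psk):
    """Return a reason string if the PSK value is malformed, else None."""
    if not HEX_PSK.match(psk) or len(psk) % 2:
        return "not an even-length hex string"
    if not 32 <= len(psk) <= 512:   # Zabbix accepts 16 to 256 bytes
        return "length outside 32..512 hex digits"
    return None

def fingerprint(psk):
    """Short SHA-256 tag so values can be compared without printing the key."""
    return hashlib.sha256(bytes.fromhex(psk.lower())).hexdigest()[:12]

def audit(inventory):
    """inventory: iterable of (host, identity, psk_hex). Returns findings."""
    findings, by_identity = [], defaultdict(lambda: defaultdict(list))
    for host, identity, psk in inventory:
        psk = psk.strip()
        if not identity or len(identity.encode("utf-8")) > 128:
            findings.append((host, "identity empty or longer than 128 bytes"))
        reason = psk_problem(psk)
        if reason:
            findings.append((host, "PSK " + reason))
            continue
        by_identity[identity][fingerprint(psk)].append(host)
    for identity, values in by_identity.items():
        if len(values) > 1:   # same identity, different key material
            hosts = sorted(h for group in values.values() for h in group)
            findings.append((identity, "identity maps to %d different PSK values on hosts: %s"
                             % (len(values), ", ".join(hosts))))
    return findings

# Constructed sample inventory (hosts, identities and keys are made up).
SAMPLE = [
    ("web01", "autoreg", "a1" * 16),
    ("web02", "autoreg", "A1" * 16),   # same key, different case: fine
    ("db01", "autoreg", "b2" * 16),    # same identity, different key
    ("app01", "app01-psk", "c3" * 8),  # only 16 hex digits: too short
]

if __name__ == "__main__":
    for subject, problem in audit(SAMPLE):
        print(subject + ": " + problem)
```

The inventory tuples would be built from each host's TLSPSKIdentity setting and the content of the file named by TLSPSKFile; only fingerprints are compared, so the key itself never reaches the output.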

              • rhvitfeldt
                Junior Member
                • May 2024
                • 4

                #8
                Originally posted by cyber
                Yes, it can be identical on all hosts. Do not use the same identity with a different value.

                OK, I have the same issue as OP and changing PSK Identity to another that's not used doesn't make a difference. Really strange problem...

                • z0nk
                  Member
                  • Oct 2024
                  • 45

                  #9
                  I have the same problem. Any working solution? I have the same PSK everywhere (TLSPSKIdentity and TLSPSKFile content) for autoregistration, and after some time each host can't communicate, with the error:

                  Code:
                  unspecified certificate verification error: TLS handshake set result code to 1: file ../ssl/record/rec_layer_s3.c line 316 func ssl3_read_n: error:0A000126:SSL routines::unexpected eof while reading: TLS write fatal alert "decode error"

                  It is not possible to generate each PSK for the Zabbix agent in the Zabbix GUI.
                  How to fix this problem?
                  All agents are active.

                  Originally posted by JeffNL
                  We now will use a unique TLSPSKIdentity value for every connection that needs encryption.
                  The problem we were having is solved now.

                  Is this the correct solution, to have a unique TLSPSKIdentity and the same TLSPSKFile file content?

                  EDIT: When I changed it, I have an error anyway:

                  Code:
                  cannot find requested PSK identity "XYZ"

                  It is not possible to declare more PSK identities in Zabbix Server, especially in auto configuration. How to solve this issue? All agents are active.
                  Last edited by z0nk; 31-10-2024, 21:24.
