zabbix agent problem psk

  • sopapa
    Junior Member
    • May 2012
    • 8

    #1

    I have a problem with PSK encryption: if I try it from zabbix_get it works, but from the server it gives this error (on some server, Debian Jessie).
    zabbix_agentd (daemon) (Zabbix) 3.2.3
    Revision 64610 21 December 2016, compilation time: Dec 21 2016 14:43:36
    [root@xxx ~]# cat /etc/debian_version
    8.7

    Error.


    Get value from agent failed: TCP successful, cannot establish TLS to [[10.1.1.88]:10050]: SSL_connect() returned SSL_ERROR_SSL: file s3_pkt.c line 1315: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac: SSL alert number 20: TLS read fatal alert "bad record mac"
  • sopapa
    Junior Member
    • May 2012
    • 8

    #2
    The problem was two agents with the same PSK identity but different values.


    • hernan
      Member
      • Sep 2016
      • 67

      #3
      Originally posted by sopapa
      The problem was two agents with the same PSK identity but different values.
      Hello guys, I have the same problem but I don't understand the solution.

      I received the following error message:

      *****************
      13249:20200115:202133.747 active check configuration update from [10.100.0.45:10051] started to fail (TCP successful, cannot establish TLS to [[10.100.0.45]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file s3_pkt.c line 1493: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac: SSL alert number 20: TLS read fatal alert "bad record mac")
      13247:20200115:202140.804 failed to accept an incoming connection: from 10.100.0.45: unencrypted connections are not allowed
      13249:20200115:202233.765 active check configuration update from [10.100.0.45:10051] is working again
      13248:20200115:202240.990 failed to accept an incoming connection: from 10.100.0.45: unencrypted connections are not allowed
      13247:20200115:202340.187 failed to accept an incoming connection: from 10.100.0.45: unencrypted connections are not allowed
      ******************

      Can anybody help me?

      Thanks in advance.

      Regards.
      Last edited by hernan; 15-01-2020, 22:27.


      • andris
        Zabbix developer
        • Feb 2012
        • 228

        #4
        Originally posted by hernan
        13249:20200115:202133.747 active check configuration update from [10.100.0.45:10051] started to fail (TCP successful, cannot establish TLS to [[10.100.0.45]:10051]: SSL_connect() set result code to SSL_ERROR_SSL: file s3_pkt.c line 1493: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac: SSL alert number 20: TLS read fatal alert "bad record mac")
        13247:20200115:202140.804 failed to accept an incoming connection: from 10.100.0.45: unencrypted connections are not allowed
        13249:20200115:202233.765 active check configuration update from [10.100.0.45:10051] is working again
        13248:20200115:202240.990 failed to accept an incoming connection: from 10.100.0.45: unencrypted connections are not allowed
        13247:20200115:202340.187 failed to accept an incoming connection: from 10.100.0.45: unencrypted connections are not allowed
        First, try to fix "unencrypted connections are not allowed". Look into zabbix_agentd.conf - what are the values for the TLSConnect and TLSAccept parameters? Are they set to "psk" or "cert"?


        • hernan
          Member
          • Sep 2016
          • 67

          #5
          Originally posted by andris

          First, try to fix "unencrypted connections are not allowed". Look into zabbix_agentd.conf - what are the values for the TLSConnect and TLSAccept parameters? Are they set to "psk" or "cert"?
          Hello Andris,

          Yes, TLSConnect and TLSAccept have the "psk" option.

          Regards.


          • andris
            Zabbix developer
            • Feb 2012
            • 228

            #6
            Ok, agent is configured to use only PSK-based encryption. Next - you can check encryption settings for that host in Zabbix frontend.


            • hernan
              Member
              • Sep 2016
              • 67

              #7
              Originally posted by andris
              Ok, agent is configured to use only PSK-based encryption. Next - you can check encryption settings for that host in Zabbix frontend.
              Andris,

              I only have 1 node with PSK working without problem. It is the Zabbix Server agent on my Zabbix infrastructure. On the Zabbix console I have the following info updated:

              **********************
              Encryption

              Connections to host ----> No encryption

              Connections from host ---> PSK

              PSK identity ----> PSK001

              PSK ------> e818c547a3484ba0fde008f23db1d76bfc281a7ea8326ac421 793e87e1151e48


              **********************

              The problem that I have is if I add the same configuration, the second agent has the error connection that I described.

              Thanks for your help.

              Regards.


              • andris
                Zabbix developer
                • Feb 2012
                • 228

                #8
                Originally posted by hernan
                Encryption
                Connections to host ----> No encryption
                Connections from host ---> PSK
                PSK identity ----> PSK001
                ...
                "Connections to host ----> No encryption" in Zabbix frontend can cause
                "failed to accept an incoming connection: from 10.100.0.45: unencrypted connections are not allowed" on Zabbix agent.
                Do you need an asymmetric setup? Why not use "Connections to host ----> PSK"?


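An added example, not code from the thread or from the Zabbix project: a small audit that flags the two misconfigurations named above, one PSK identity mapped to different key values (post #2) and a frontend "Connections to host" / "Connections from host" setting that the agent's `TLSAccept` / `TLSConnect` does not match (post #8). The host records, the `to_host` / `from_host` field names, the host names, the keys and the PSK file path are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def parse_agent_conf(text):
    """Parse zabbix_agentd.conf-style Key=Value lines; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(hosts):
    """Return (subject, code) findings for the two mismatches seen in the thread."""
    findings, keys_by_identity = [], defaultdict(set)
    for h in hosts:
        conf = parse_agent_conf(h["conf"])
        # Both parameters default to "unencrypted" when absent from the file.
        accept = {m.strip() for m in conf.get("TLSAccept", "unencrypted").split(",")}
        connect = conf.get("TLSConnect", "unencrypted")
        if h["to_host"] not in accept:       # server -> agent (passive checks)
            findings.append((h["name"], "to_host_not_in_TLSAccept"))
        if connect not in h["from_host"]:    # agent -> server (active checks)
            findings.append((h["name"], "TLSConnect_not_in_from_host"))
        if "TLSPSKIdentity" in conf:
            # Compare fingerprints so the key itself never reaches a report.
            fp = hashlib.sha256(bytes.fromhex(h["psk"])).hexdigest()[:12]
            keys_by_identity[conf["TLSPSKIdentity"]].add(fp)
    for identity, fps in sorted(keys_by_identity.items()):
        if len(fps) > 1:
            findings.append((identity, "identity_has_%d_different_keys" % len(fps)))
    return findings

# Constructed sample data: host names, keys and the PSK file path are made up.
PSK_CONF = ("TLSConnect=psk\nTLSAccept=psk\n"
            "TLSPSKIdentity=PSK001\nTLSPSKFile=/etc/zabbix/agent.psk\n")
HOSTS = [
    {"name": "agent-a", "conf": PSK_CONF, "psk": "aa" * 32,
     "to_host": "psk", "from_host": {"psk"}},
    {"name": "agent-b", "conf": PSK_CONF, "psk": "bb" * 32,
     "to_host": "unencrypted", "from_host": {"psk"}},
]

if __name__ == "__main__":
    for subject, code in audit(HOSTS):
        print(subject, code)
```

Here `psk` stands for the key configured for each host; giving every host its own identity, or the same key wherever an identity is shared, clears the last finding.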
                • hernan
                  Member
                  • Sep 2016
                  • 67

                  #9
                  Originally posted by andris

                  "Connections to host ----> No encryption" in Zabbix frontend can cause
                  "failed to accept an incoming connection: from 10.100.0.45: unencrypted connections are not allowed" on Zabbix agent.
                  Do you need an asymmetric setup? Why not use "Connections to host ----> PSK"?
                  I made the following change:

                  1) In the Zabbix UI configuration:

                  *************************************************
                  Connections to host ----> psk

                  Connections from host --->psk

                  PSK identity ------> PSK001

                  PSK ----> 4316e4f9edf6702650dab3564ceac6648d37fefd7715a67fde 7025ff0d635235
                  *************************************************

                  After that I received the following error message in zabbix_agentd.log:

                  ***************
                  28196:20200117:170144.310 failed to accept an incoming connection: from 10.100.0.45: TLS handshake set result code to 1: file s3_pkt.c line 535: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac: TLS write fatal alert "bad record mac"
                  ***************

                  This is the error message on the Zabbix UI:

                  ***************
                  Get value from agent failed: TCP successful, cannot establish TLS to [[10.100.0.163]:10050]: SSL_connect() set result code to SSL_ERROR_SSL: file s3_pkt.c line 1493: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac: SSL alert number 20: TLS read fatal alert "bad record mac"
                  ***************

                  Thanks in advance.

                  Regards.


                  • hernan
                    Member
                    • Sep 2016
                    • 67

                    #10
                    Originally posted by hernan

                    I made the following change:

                    1) In the Zabbix UI configuration:

                    *************************************************
                    Connections to host ----> psk

                    Connections from host --->psk

                    PSK identity ------> PSK001

                    PSK ----> 4316e4f9edf6702650dab3564ceac6648d37fefd7715a67fde 7025ff0d635235
                    *************************************************

                    After that I received the following error message in zabbix_agentd.log:

                    ***************
                    28196:20200117:170144.310 failed to accept an incoming connection: from 10.100.0.45: TLS handshake set result code to 1: file s3_pkt.c line 535: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac: TLS write fatal alert "bad record mac"
                    ***************

                    This is the error message on the Zabbix UI:

                    ***************
                    Get value from agent failed: TCP successful, cannot establish TLS to [[10.100.0.163]:10050]: SSL_connect() set result code to SSL_ERROR_SSL: file s3_pkt.c line 1493: error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac: SSL alert number 20: TLS read fatal alert "bad record mac"
                    ***************

                    Thanks in advance.

                    Regards.

                    Hello Andris,

                    I made the following change:
                    **********************
                    1) We found that the Linux Zabbix Server firewall was enabled, so we stopped it. After that the agent reached the server with the PSK encryption.
                    **********************
                    Question:

                    Could you please tell me which protocol I should add to the firewall list to enable the connection?

                    Thanks in advance.

                    Regards.




                    • andris
                      Zabbix developer
                      • Feb 2012
                      • 228

                      #11
                      Hi!
                      Protocol..... Not sure. Zabbix uses TLS version 1.2 or 1.3 (if possible).
