
SSL/TLS handshake fails because of an RST sent by a firewall

Category: ontap-9
Specialty: nas
Applies to

  • ONTAP 9
  • SSL/TLS handshake
  • OpsRamp
  • Palo Alto Firewall

Issue

  • The client cannot complete an SSL/TLS handshake with ONTAP
  • The OpsRamp monitoring tool cannot perform NetApp discovery and closes the SSL connection because of the error:
    • No peer certificate available: The client did not receive a certificate from the server, which is required for SSL/TLS handshake
  • A packet trace on ONTAP shows ONTAP sending the Server Hello to the client IP / firewall MAC, after which the client IP / firewall MAC sends an RST
  • A packet trace on the client shows that the client never receives the Server Hello; instead it receives an RST from the ONTAP IP / firewall MAC
  • If a client on the same subnet as the LIF attempts the TLS handshake, it succeeds, because the firewall is not in the path between the client and the LIF
    • [fchen@localhost ~]$ openssl s_client -connect 10.216.29.203:443
      CONNECTED(00000004)
      depth=0 CN = nas-cm913, C = US
      verify error:num=18:self signed certificate
      verify return:1
      depth=0 CN = nas-cm913, C = US
      verify error:num=10:certificate has expired
      notAfter=Sep 28 20:08:03 2024 GMT
      verify return:1
      depth=0 CN = nas-cm913, C = US
      notAfter=Sep 28 20:08:03 2024 GMT
      verify return:1
      ---
      Certificate chain
       0 s:CN = nas-cm913, C = US
         i:CN = nas-cm913, C = US
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
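As an added example (not part of this KB article), the following script encodes the two-sided trace comparison described above: given summarised packets from an ONTAP-side and a client-side capture (constructed sample data with placeholder addresses), it reports whether the RST was sent by an endpoint or injected by a device in the path.

```python
"""Added example (not from the NetApp KB): correlate packet-trace summaries
from both ends of a TLS handshake to tell an endpoint RST from one injected
by a device in the path, as in the firewall case described above."""
from dataclasses import dataclass

@dataclass
class Pkt:
    src_ip: str
    dst_ip: str
    flags: str       # TCP flags: S, SA, A, PA, R ...
    tls: str = ""    # TLS handshake message carried, if any

# Constructed sample addresses (placeholders, not from the KB article).
CLIENT_IP, ONTAP_IP = "192.0.2.10", "192.0.2.200"

# What each capture point sees. Neither endpoint ever sends an RST itself:
# ONTAP sees one "from the client", the client sees one "from ONTAP",
# and the Server Hello never reaches the client.
ONTAP_TRACE = [
    Pkt(CLIENT_IP, ONTAP_IP, "S"), Pkt(ONTAP_IP, CLIENT_IP, "SA"),
    Pkt(CLIENT_IP, ONTAP_IP, "A"), Pkt(CLIENT_IP, ONTAP_IP, "PA", "ClientHello"),
    Pkt(ONTAP_IP, CLIENT_IP, "PA", "ServerHello"), Pkt(CLIENT_IP, ONTAP_IP, "R"),
]
CLIENT_TRACE = [
    Pkt(CLIENT_IP, ONTAP_IP, "S"), Pkt(ONTAP_IP, CLIENT_IP, "SA"),
    Pkt(CLIENT_IP, ONTAP_IP, "A"), Pkt(CLIENT_IP, ONTAP_IP, "PA", "ClientHello"),
    Pkt(ONTAP_IP, CLIENT_IP, "R"),
]

def classify_reset(ontap_trace, client_trace, ontap_ip, client_ip):
    """Return who reset the handshake: ontap, client, middlebox, or inconclusive."""
    def seen(trace, src, pred):
        return any(p.src_ip == src and pred(p) for p in trace)
    def is_rst(p): return "R" in p.flags
    def is_sh(p): return p.tls == "ServerHello"
    # Did either endpoint itself emit an RST at its own capture point?
    if seen(ontap_trace, ontap_ip, is_rst):
        return "ontap-reset"
    if seen(client_trace, client_ip, is_rst):
        return "client-reset"
    # Server Hello left ONTAP but never arrived, and each side received an
    # RST attributed to the peer that the peer's own trace does not show.
    if (seen(ontap_trace, ontap_ip, is_sh) and not seen(client_trace, ontap_ip, is_sh)
            and seen(ontap_trace, client_ip, is_rst) and seen(client_trace, ontap_ip, is_rst)):
        return "middlebox-reset"
    return "inconclusive"
```

A "middlebox-reset" verdict points at the firewall (or another device between the two capture points) rather than at ONTAP or the client, which is where the investigation should continue.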
