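Cluster peer fails after encryption changes
Applies to
- ONTAP 9.11.1P8
- Encryption
- Cluster peering
Issue
- After the encryption cipher suites are updated on one of the clusters in a cluster peer relationship, cluster peering fails.
When cluster peer health show -bypass-cache true is run, the connection to the nodes is shown as: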
cluster1::> cluster peer health show -bypass-cache true
Node       Cluster-Name                Node-Name
             Ping-Status               RDB-Health Cluster-Health Availability
---------- --------------------------- --------- --------------- ------------
c1node-01
           cluster2                    c2node-01
             Data: unreachable
             ICMP: interface_reachable true       true           false
                                       c2node-02
             Data: unreachable
             ICMP: interface_reachable true       true           false
c1node-02
           cluster2                    c2node-01
             Data: unreachable
             ICMP: interface_reachable true       true           false
                                       c2node-02
             Data: unreachable
             ICMP: interface_reachable true       true           false
4 entries were displayed.
- The failure persists after the required cipher suites are added to both clusters.
- KTLS handshake alerts can be seen:
ktls.cnxnHandshakeLimit: ONTAP reached the maximum limit of 170 concurrent TLS connection handshakes
[cluster: ktlsd: ktls.failed:notice]: "The TLS connections have failed several times with remote host 'xx.xx.xx.xxx' in IPspace 'xxxxxxx', for which the latest reason given is: OpenSSL: error:0A000102:SSL routines::unsupported protocol."
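
The following Python script is an added example, not NetApp code. It triages collected ktls.failed EMS lines by unpacking the OpenSSL 3.x error code: 0A000102 decodes to SSL-library reason 258, "unsupported protocol", a TLS protocol-version failure that is a different reason from 193, "no shared cipher". The sample log lines, host addresses and IPspace names are constructed, and the reason-code table is a small subset assumed from OpenSSL's sslerr.h.

```python
import re
from collections import Counter

ERR_LIB_SSL = 20
# Subset of ERR_LIB_SSL reason codes (assumed from OpenSSL's sslerr.h).
SSL_REASONS = {
    193: ("no shared cipher", "cipher-suite"),
    258: ("unsupported protocol", "protocol-version"),
    267: ("wrong version number", "protocol-version"),
}

# Matches the ktls.failed EMS message format quoted on this page.
KTLS_FAILED = re.compile(
    r"ktls\.failed:\w+\]: \"The TLS connections have failed several times "
    r"with remote host '(?P<host>[^']+)' in IPspace '(?P<ipspace>[^']+)'"
    r".*?OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):"
)

def decode_openssl3_error(code_hex):
    """Split an OpenSSL 3.x packed error code into (library, reason)."""
    code = int(code_hex, 16)
    return (code >> 23) & 0xFF, code & 0x7FFFFF

def classify(code_hex):
    """Return (reason text, failure class) for an OpenSSL error code."""
    lib, reason = decode_openssl3_error(code_hex)
    if lib != ERR_LIB_SSL:
        return ("not an SSL-library error", "other")
    return SSL_REASONS.get(reason, ("reason %d" % reason, "other"))

def triage(lines):
    """Count ktls.failed events per (remote host, IPspace, failure class)."""
    counts = Counter()
    for line in lines:
        m = KTLS_FAILED.search(line)
        if m:
            counts[(m["host"], m["ipspace"], classify(m["code"])[1])] += 1
    return counts

# Constructed sample input (addresses and IPspace names are placeholders).
_T = ('[cluster: ktlsd: ktls.failed:notice]: "The TLS connections have failed '
      "several times with remote host '{}' in IPspace '{}', for which the "
      'latest reason given is: OpenSSL: error:{}:SSL routines::{}."')
SAMPLE = [
    "ktls.cnxnHandshakeLimit: ONTAP reached the maximum limit of 170 "
    "concurrent TLS connection handshakes",
    _T.format("192.0.2.10", "Default", "0A000102", "unsupported protocol"),
    _T.format("192.0.2.10", "Default", "0A000102", "unsupported protocol"),
    _T.format("192.0.2.20", "ic-space", "0A0000C1", "no shared cipher"),
]
```

Calling `triage()` on exported EMS lines separates peers failing on protocol version from peers failing on cipher selection, which indicates whether the protocol configuration or the cipher list needs to be compared between the two clusters.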