VMware Networking Community
huchord
Enthusiast

SSL NSX Controller

Trying to have an ovsdb server actively connect to an NSX Controller.

The only logs I have are from the ovsdb server, which seem to indicate that NSX doesn't want to talk SSL.

Is there any way to have the NSX Controller accept SSL connections instead of TLS?

The ovsdb server happens to be a HPE 5930 acting as a HW VTEP.

Error from 5930 in red below.

NSX version is 6.3.3.

Comware code is the latest.

<HP-5930-32QSFP+-R45>*Feb 12 09:27:20:264 2018 HP-5930-32QSFP+-R45 OVSDB-SE/7/NULL: ovs|00032|poll_loop|DBG|wakeup due to 3775-ms timeout at :620 (0% CPU usage)

%Feb 12 09:27:20:265 2018 HP-5930-32QSFP+-R45 OVSDB-SE/5/NULL: ovs|00033|reconnect|INFO|ssl:10.100.28.35:6640: connecting...

*Feb 12 09:27:20:265 2018 HP-5930-32QSFP+-R45 OVSDB-SE/7/NULL: ovs|00034|reconnect|DBG|ssl:10.100.28.35:6640: entering CONNECTING

*Feb 12 09:27:20:266 2018 HP-5930-32QSFP+-R45 OVSDB-SE/7/NULL: ovs|00035|poll_loop|DBG|wakeup due to [POLLOUT] on fd 21 (10.100.36.168:20014<->10.100.28.35:6640) at :716 (0% CPU usage)

*Feb 12 09:27:20:266 2018 HP-5930-32QSFP+-R45 OVSDB-SE/7/NULL: ovs|00036|stream_ssl|DBG|client5-->ssl:10.100.28.35:6640 type 256 (5 bytes)

*Feb 12 09:27:20:267 2018 HP-5930-32QSFP+-R45 OVSDB-SE/7/NULL: ovs|00037|stream_ssl|DBG|client5-->ssl:10.100.28.35:6640 handshake: client_hello (194 bytes)

*Feb 12 09:27:20:269 2018 HP-5930-32QSFP+-R45 OVSDB-SE/7/NULL: ovs|00038|poll_loop|DBG|wakeup due to [POLLIN] on fd 21 (10.100.36.168:20014<->10.100.28.35:6640) at :723 (0% CPU usage)

*Feb 12 09:27:20:269 2018 HP-5930-32QSFP+-R45 OVSDB-SE/7/NULL: ovs|00039|stream_ssl|DBG|client5<--ssl:10.100.28.35:6640 type 256 (5 bytes)

%Feb 12 09:27:20:269 2018 HP-5930-32QSFP+-R45 OVSDB-SE/4/NULL: ovs|00040|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

%Feb 12 09:27:20:270 2018 HP-5930-32QSFP+-R45 OVSDB-SE/4/NULL: ovs|00041|reconnect|WARN|ssl:10.100.28.35:6640: connection attempt failed (Protocol error)

%Feb 12 09:27:20:270 2018 HP-5930-32QSFP+-R45 OVSDB-SE/5/NULL: ovs|00042|reconnect|INFO|ssl:10.100.28.35:6640: waiting 8 seconds before reconnect

*Feb 12 09:27:20:270 2018 HP-5930-32QSFP+-R45 OVSDB-SE/7/NULL: ovs|00043|reconnect|DBG|ssl:10.100.28.35:6640: entering BACKOFF

4 Replies
bayupw
Leadership

Hi Scott,

VMware NSX 6.3 supports only TLS 1.2 in the control plane.

Hardware VTEP Gateways that do not support TLS 1.2 cannot connect to NSX Controllers and cannot use VMware NSX 6.3.

If you have existing Hardware VTEP Gateways installed with NSX 6.2, the upgrade will be blocked to avoid disconnecting the Hardware VTEP Gateways and you must contact VMware Support to continue with the upgrade.

For more information, see VMware KB 2148511 (https://kb.vmware.com/kb/2148511).

As per the KB, HPE does not support TLS 1.2.

Thanks,

Bayu

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
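A direct way to see what the controller's OVSDB listener actually answers, added here as an example and not code from the thread, from VMware or from HPE: the script below sends a minimal ClientHello pinned to one TLS version (1.0, 1.1 or 1.2) and classifies the first record the server returns, so you learn whether the peer sends a ServerHello, a protocol_version alert, or bytes that are not a TLS record at all. OpenSSL's SSL3_GET_RECORD:wrong version number, the error in the switch log, means the 5-byte record header it read carried a version it did not expect, which this probe reports as the raw header instead of a one-line error. The controller address 10.100.28.35 and TCP port 6640 are taken from the thread; the function names, the cipher-suite list and the sample server replies in the test are this example's own assumptions.

```python
import os
import socket
import struct
import sys

# Protocol versions to try, in wire form (major, minor).
TLS_VERSIONS = {"TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}

# Cipher suites offered: one TLS 1.2-only AES-GCM suite plus two usable on TLS 1.0/1.1 (assumption).
CIPHER_SUITES = [0xC02F, 0xC013, 0x002F]

ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version",
                      71: "insufficient_security", 80: "internal_error"}


def version_name(version):
    """Map a (major, minor) pair back to a readable name."""
    for name, wire in TLS_VERSIONS.items():
        if wire == version:
            return name
    return "%d.%d" % version


def build_client_hello(name):
    """Build a complete TLS record carrying a minimal ClientHello at exactly one protocol version."""
    major, minor = TLS_VERSIONS[name]
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (bytes([major, minor])                      # client_version
            + os.urandom(32)                           # client_random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", len(suites)) + suites  # cipher_suites
            + b"\x01\x00")                             # compression_methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 3-byte length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_first_record(data):
    """Interpret the first bytes a server sent back in response to a ClientHello."""
    if len(data) < 5:
        return {"kind": "short", "detail": "%d byte(s) received" % len(data)}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if major != 3 or minor > 4:
        # No TLS record header: the peer is not speaking TLS on this port, or a proxy replied.
        return {"kind": "not_tls", "detail": "header bytes %s" % data[:5].hex()}
    record_version = (major, minor)
    payload = data[5:5 + length]
    if ctype == 21 and len(payload) >= 2:            # alert
        return {"kind": "alert", "record_version": version_name(record_version),
                "level": "fatal" if payload[0] == 2 else "warning",
                "description": ALERT_DESCRIPTIONS.get(payload[1], str(payload[1]))}
    if ctype == 22 and len(payload) >= 6 and payload[0] == 2:   # handshake / server_hello
        return {"kind": "server_hello", "record_version": version_name(record_version),
                "negotiated_version": version_name((payload[4], payload[5]))}
    return {"kind": "other", "record_version": version_name(record_version), "content_type": ctype}


def probe(host, port, name, timeout=5.0):
    """Network call: connect, send one pinned ClientHello, classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(name))
        data = sock.recv(4096)
    return classify_first_record(data)


def probe_all(host, port):
    """Probe every version in TLS_VERSIONS and return {name: classification}."""
    return {name: probe(host, port, name) for name in TLS_VERSIONS}


if __name__ == "__main__":
    controller = sys.argv[1] if len(sys.argv) > 1 else "10.100.28.35"   # controller IP from the thread
    for name, result in probe_all(controller, 6640).items():
        print(name, result)
```

Run it from a host that can reach the controller on 6640 (for example `python probe.py 10.100.28.35`). A TLS 1.2-only listener is expected to answer the TLSv1.2 hello with a ServerHello and the older hellos with a protocol_version alert; a `not_tls` result means the bytes coming back do not start with a TLS record header at all, which is worth capturing before assuming a version mismatch.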
huchord
Enthusiast

I've been told that the HPE code I'm running does in fact support TLS 1.1 and TLS 1.2.

I am not so far successful in capturing the Client Hello from the HPE device to the NSX Controller.

I'm still seeing the same messages on the 5940:

*Feb 12 09:27:20:269 2018 HP-5930-32QSFP+-R45 OVSDB-SE/7/NULL: ovs|00039|stream_ssl|DBG|client5<--ssl:10.100.28.35:6640 type 256 (5 bytes)

%Feb 12 09:27:20:269 2018 HP-5930-32QSFP+-R45 OVSDB-SE/4/NULL: ovs|00040|stream_ssl|WARN|SSL_connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

%Feb 12 09:27:20:270 2018 HP-5930-32QSFP+-R45 OVSDB-SE/4/NULL: ovs|00041|reconnect|WARN|ssl:10.100.28.35:6640: connection attempt failed (Protocol error)

[attached screenshot: 59401.JPG]

Packet 562 is the first attempt of the 5940 to connect to the NSX Controller.

It looks like it's not even trying SSL perhaps?

Any logs/logging I can do on the NSX Controller?

bayupw
Leadership

Hi Scott,

As far as I know, the NSX-v controller listens on IANA TCP port 6640 for OVSDB connections (port 6632 in NSX-MH), as mentioned in the docs below:

Hardware Layer 2 Gateways Integration with NSX

Connect the Hardware Gateway to the NSX Controllers

I don't know which logs that would be relevant, I would say anything related to VXLAN OVSDB log.

I know some vendors like Dell can do a debug on that, as per this KB: Dell Networking VXLAN Hardware Gateway with NSX (2146056)

Not sure on the NSX controller side, I'll let you know if I've got some info.

You probably want to open a case with VMware GSS for faster resolution.

bayupw
Leadership

I've just double-checked that the HP 5930 is listed in the HCL:

https://www.vmware.com/resources/compatibility/pdf/vi_hvxg_guide.pdf

VMware Compatibility Guide - Hardware VXLAN Gateway

[attached screenshot: pastedImage_2.png]

So based on this HCL it should be supported; the previous KB I mentioned probably has not been updated.

Make sure the switch/firmware version matches the version listed on the HCL.

I just found the KB for the HP 5930 here: Support for HPE FlexFabric 5930 Series with NSX (2146574)

For the configuration, did you use this VXLAN installation guide document http://h20566.www2.hpe.com/hpsc/doc/public/display?sp4ts.oid=6604154&docLocale=en_US&docId=emr_na-c0... ?
