VMware Horizon Community
jsipes
Contributor

VMware View Upgrade SSL error

Hi to all,

We recently tried to upgrade VDI from 2.1.0 to 3.0.1 and ran into a problem with SSL. The upgrade went fine. First we upgraded our 2 Security servers, then the primary VDM broker, and last the replica VDM broker. Next we upgraded the agent on an XP desktop VM and then upgraded the client on a desktop inside our network so we could first test a straight connection to the primary VDM broker. The logon page lets you authenticate, but when it tries to establish a connection to the VDM broker it fails with the following error: "The SSL initiation has failed". And the logs show the following:

4:33:34,774 WARN <pool-1-thread-13> Problem processing HTTP connection: javax.net.ssl.SSLException: Received close_notify during handshake
14:33:34,774 DEBUG <pool-1-thread-13> Problem processing HTTP connection from /10.30.x.x:4426: javax.net.ssl.SSLException: Received close_notify during handshake simple.http.connect.pool.PooledProcessor.run(PooledProcessor.java:133)
javax.net.ssl.SSLException: Received close_notify during handshake
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at simple.http.connect.pool.PooledProcessor.handshake(PooledProcessor.java:198)
    at simple.http.connect.pool.PooledProcessor.run(PooledProcessor.java:126)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.inn



The client is on a different VLAN than the VDM brokers, and the only thing separating them is a Cisco router (no firewall). When we test from a client on the same VLAN it works and we connect to the VDM broker. I have an SR open with support, but have not nailed down the problem yet.

Here is a comment from one of the engineers: “In a nutshell, what's happening is that, it looks like the connection was not established, but the null (if connection is established then it isn't null) check let the test pass, and hence that's why the SSL exception.”

The reason for the upgrade was to address our primary VDM broker running hot (100% CPU cycling every 15 sec.). This was a recommendation from tech support to upgrade. We may have to upgrade to 2.1.1 and forgo the upgrade to 3.0.1 until this is resolved.

Has anyone seen this or have any comments on what this might be?

0 Kudos
5 Replies
TristanT
Contributor

We have just installed 3.01 (latest and greatest version) and are having the exact same problem with our environment. We simply can't make an SSL connection; the 2nd connect seems to fail with the same error messages that you detail in your post.

I am going to open a case with VM support. I'll post my case number to this thread.

0 Kudos
jsipes
Contributor

TristanT

Here is our case number; I hope it helps (1157557751). Our plan, at this point, is to go to 2.1.1; we could not wait for VMware. We have a major rollout that needs to be finished. If 2.1.1 does not fix the hot processor or encounters the same SSL problem, we will try 3.0.1 again with VMware on the phone (we have scheduled one of their developers to be available during the upgrade). I will keep you posted on the outcome. Please let me know what you find.

Make sure VMware gets debug logs on all your VDM servers and your virtual center server logs as well. They will eventually ask for them all.

0 Kudos
TristanT
Contributor

Thanks JSipes. My support case is #1159533391. We've provided all of our debug logs (security servers, connection server, VC, client) and network captures.

Frustrating thing is that the system worked just fine until we deployed an external CA cert.

Still waiting for the next troubleshooting steps...

0 Kudos
jsipes
Contributor

Let me know what you find. We pulled back from 3.0.1 and are now running 2.1.1. If it will help, here is some more info. We run Cisco routers and are using a wildcard cert.

Jsipes

0 Kudos
TreyJ
Contributor

We're experiencing the same issue. We're running a wildcard cert and getting the SSL error when trying to connect using a VMware NAT connection (NAT from Workstation or Fusion).

In testing this morning, an XP guest was unable to establish a connection via NAT but was able to via a bridged connection. When the wildcard cert was removed, we were able to connect via a bridged or VMware NAT'd connection.

Next step is to test a designated, non-wildcard cert and see if we get the same SSL errors.

0 Kudos