Hi to all,
We recently tried to upgrade VDI from 2.1.0 to 3.0.1 and ran into a problem with SSL. The upgrade went fine. First we upgraded our 2 Security servers, then the primary VDM broker, and last the replica VDM broker. Next we upgraded the agent on an XP desktop VM and then upgraded the client on a desktop inside our network so we could first test a straight connection to the primary VDM broker. The logon page lets you authenticate, but when it tries to establish a connection to the VDM broker it fails with the following error: "The SSL initiation has failed". The logs show the following:
4:33:34,774 WARN <pool-1-thread-13> Problem processing HTTP connection: javax.net.ssl.SSLException: Received close_notify during handshake
14:33:34,774 DEBUG <pool-1-thread-13> Problem processing HTTP connection from /10.30.x.x:4426: javax.net.ssl.SSLException: Received close_notify during handshake simple.http.connect.pool.PooledProcessor.run(PooledProcessor.java:133)
javax.net.ssl.SSLException: Received close_notify during handshake
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at simple.http.connect.pool.PooledProcessor.handshake(PooledProcessor.java:198)
    at simple.http.connect.pool.PooledProcessor.run(PooledProcessor.java:126)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.inn
The client is on a different VLAN than the VDM brokers and the only thing separating them is a Cisco router (no firewall). When we test from a client on the same VLAN it works and we connect to the VDM broker. I have an SR open with support, but have not nailed down the problem yet.
Here is a comment from one of the engineers “In a nutshell, what's happening is that, it looks like the connection was not established, but the null (if connection is established then it isn't null) check let the test pass, and hence that's why the SSL exception.”
The reason for the upgrade was to address our primary VDM broker running hot (100% CPU cycling every 15 sec.). This was a recommendation from tech support to upgrade. We may have to upgrade to 2.1.1 and forgo the upgrade to 3.0.1 until this is resolved.
Has anyone seen this or have any comments on what this might be?
We have just installed 3.01 (latest and greatest version) and are having the exact same problem with our environment. We simply can't make an SSL connection; the 2nd connect seems to fail with the same error messages that you detail in your post.
I am going to open a case with VM support. I'll post my case number to this thread.
TristanT
Here is our case number, I hope it helps (1157557751). Our plan, at this point, is to go to 2.1.1; we could not wait for VMware. We have a major rollout that needs to be finished. If 2.1.1 does not fix the hot processor or encounters the same SSL problem, we will try 3.0.1 again with VMware on the phone (we have scheduled one of their developers to be available during the upgrade). I will keep you posted on the outcome. Please let me know what you find.
Make sure VMware gets debug logs on all your VDM servers and your virtual center server logs as well. They will eventually ask for them all.
Thanks JSipes. My support case is #1159533391. We've provided all of our debug logs (security servers, connection server, VC, client) and network captures.
Frustrating thing is that the system worked just fine until we deployed an external CA cert.
Still waiting for the next troubleshooting steps...
Let me know what you find. We pulled back from 3.0.1 and are now running 2.1.1. If it will help, here is some more info. We run Cisco routers and are using a wildcard cert.
Jsipes
We're experiencing the same issue. We're running a wildcard cert and getting the SSL error when trying to connect using a VMware NAT connection (NAT from Workstation or Fusion).
In testing this morning, an XP guest was unable to establish a connection via NAT but was able to via a bridged connection. When the wildcard cert was removed, we were able to connect via a bridged or VMware NAT'd connection.
Next step is to test a designated, non-wildcard cert and see if we get the same SSL errors.