9 Replies Latest reply on Apr 24, 2012 4:29 AM by PhilM

    Failed to connect to SSL server error

      Hi Guys,

      I have a problem with my MFE version 8. I have a freshly installed firewall and I am trying to connect using the Admin Console, but it shows the error "Failed to connect to SSL server".

      2.) Is there any site or software that I could use to generate attacks on my firewall to test it?

      3.) If my firewall's license expires, will features like Antivirus, IPS, etc. still function?

      4.) How can I change the IP address of my firewall using the CLI? I was trying to change it using the CLI but it always fails; I am following the format from the "man" command of cf interface.

        • 1. Re: Failed to connect to SSL server error

          Hello,

          Unfortunately that message is very generic (failed to connect to SSL server) and will not help us figure out what the problem is.

          Can you tell me if the error shows up immediately or is it more of a "time out"?

          Can you ping the firewall's address?

          If the firewall is not licensed, you will still be able to connect to the GUI.

          Changing the IP address of the interface via command line is different depending on the version of the firewall.

          What I recommend is that you run the following command while you try and connect:

          showaudit -k

          When you want to stop the audit, hit ctrl-c. Are there any relevant messages?

          -Matt

          • 2. Re: Failed to connect to SSL server error

            Hi,

            I cannot ping the firewalls. When I am trying to connect it waits for several seconds before it shows the timeout error. I ran showaudit on two different firewalls that I am trying to log in to, and the two firewalls show different errors:

            1.)

            "2012-04-15 22:28:35 -0400 f_kernel a_nil_area t_netprobe p_minor
            hostname: mfetest1.ttc.local event: TCP netprobe srcip: 192.168.27.x
            srcport: 50179 srczone: external dstip: 192.168.27.x dstport: 9003
            protocol: 6 interface: em0
            reason: Received a TCP connection attempt destined for a service that the current policy does not support"

            2.)

            2012-04-15 22:28:35 -0400 f_auditbotd a_server t_alert p_major
            pid: 1465 logid: 0 cmd: 'auditbotd' hostname: fw.ralzaga.local
            event: alert dropped alert_name: IPS alert_type: Attach num_events: 1
            start_time: 2012-04-15 22:32:17 -0400 end_time: 2012-04-15 22:32:17 -0400
            sacap_filter: (type AUDIT_T_ATTACK) && (priority AUDIT_P_EMERGENCY || priority AUDIT_P_ALERT || priority AUDIT_P_CRIT || priority AUDIT_P_FATAL || priority AUDIT_P_MAJOR)
            alert_actioins: None dropped_count: 66 reason: alert within alarm interval

            Is error no. 2 more related to the IPS feature? How can I disable it using the CLI? How can I change the inet interface on version 8.2? I cannot use the console to change it or to stop the IPS feature. Thank you.

            • 3. Re: Failed to connect to SSL server error
              PhilM

              Based on the first audit record, the Firewall doesn't appear to be recognising the connection attempt on port 9003 and this would suggest that the Admin Console rule has either been disabled, removed, or placed below "Deny All".

              There is a recovery process which is explained in Appendix A of the Product Guide (page 594 of the v8.2 Guide) which allows the system to re-create the necessary rule to allow admin console access again.

              It boils down to the following steps:-

              • Re-boot the appliance into Emergency Maintenance Mode.
              • Run the command cf policy restore_console_access

              Hopefully this will get you back up and running.

              -Phil.

              • 4. Re: Failed to connect to SSL server error

                Hi,

                Thank you guys for the reply.

                1.)

                a.) The Admin Console rule was not disabled because it is a freshly installed MFE. I haven't configured anything yet. The error came after the installation of the OS and rebooting after putting in the license.

                b.) I am also trying to install MFE in VMware and for the n'th time (n=number) of installation, the MFE trial license key is not working anymore.

                3.) Here is another problem on a new firewall. The scenario is below.

                Firewall Hardware: S4016
                MFE OS: McAfee Sidewinder version 7.0.1.02 HW04 (support for S4016)
                There are 2 firewalls configured in an HA cluster mode.

                a.) They have an old Sidewinder firewall version but the hardware is an F-series.
                b.) I successfully installed version 7.0.1.02 HW 04 on an S4016 hardware.
                c.) I backed up their old Sidewinder on an F-series hardware.
                d.) Imported it on the firewall S4016 hardware.
                e.) After import the firewall was rebooted. After the reboot an error was displayed. Please see below the image of the error.

                a.) We can't ping the firewall, log in from the Admin Console or SSH, or even log on to the device itself.
                b.) Is there a compatibility issue with F-series and S-series hardware?
                c.) I don't know how to return to a fully operational mode.
                d.) I don't know how to use the management port; I tried connecting a console cable but I cannot connect using HyperTerminal.

                • 5. Re: Failed to connect to SSL server error
                  sliedl

                  You should file a ticket with Support.

                  1-800-700-8328, options 1, 1
                  1-651-628-1500, options 3, 1
                  https://mysupport.mcafee.com/Eservice/Default.aspx

                  There is no compatibility issue with F and S series hardware, no.
                  The 'management port' is not on and enabled by default. One of the other ports should be enabled and set as the internal zone though.

                  If you take a configuration from one machine and restore it onto a different machine it will become unlicensed (as you see). You need to change the Serial Number to the number that goes with this new hardware and then get a new license from our server via the License screen in the GUI (or generate a new license file at our website).

                  • 6. Re: Failed to connect to SSL server error

                    Hi,

                    I really cannot access the MFE even when connecting a laptop to the Ethernet ports on the device. I think the IP address settings for the Ethernet ports are disabled.

                    a.) After the failure mode error has been displayed, the login for the console will come next. Will the problem be solved if I log in to the console, disable failure mode using the command cf daemond set failure_mode=off, and put the license in again? If so,

                    a.a) How do I put the license in via the command line?

                    b.) Do we need to enable the management console port? Will it be necessary for the troubleshooting?

                    Message was edited by: ralzaga on 4/19/12 1:02:36 AM CDT
                    • 7. Re: Failed to connect to SSL server error
                      PhilM
                      I really cannot access the MFE even connecting a laptop on the ethernet ports on the device. I think the IP address settings for the ethernet ports are disabled.

                      I'd suggest the reason for this may be linked to the fact that you are dealing with two different hardware appliances. The different hardware platforms (the xxxxD/E/F models are Dell boxes, but the new Sxxxx appliances are all made by Intel) are most likely using different network adapters. These adapters are recognised differently by the operating system. The configuration you are trying to restore may well be referencing the network interfaces as fxp0, bg1, em2 (and so on), but the Sxxxx appliances use a different mechanism 1-0, 1-1, 1-2, etc... This can also vary slightly depending on which version of the Firewall software you are running. If you run the command "ifconfig -a" you will be able to see the interfaces, as the operating system recognises them at the moment.

                      So having restored the configuration it is likely that you will need to re-configure the interfaces by hand from the CLI because the F-series appliance may have "em" interfaces, but the S-series won't necessarily use the same references. The "man cf_interface" command will tell you all you need to know, but here is an example:-

                      cf interface add entrytype=interface name=external_network hwdevice=ibg0 enabled=yes burb=external addresses=x.x.x.x/yy qos_profile='' mtu=1500 description='Default external network interface'

                      Change "ibg0" to whatever interface reference your new appliance is trying to use and substitute x.x.x.x/yy with your chosen IP address and mask. Once you have a correctly-configured interface you will be able to make a physical connection and you will then be able to re-license it.

                      If you repeat this exercise for the internal interface, you should then be able to connect to the GUI once again. However, as sliedl pointed out to you, when you restore a configuration from one appliance to another appliance one of the main reasons behind the license failing is because the restored configuration contains the serial number of the old appliance not the new one. So the first thing you have to do is to re-enter the serial number that belongs to the new appliance (the old serial number and the Firewall ID of the new appliance will not match).

                      You can do this from the command line using the command "cf license set serial number=XXXX-XXXX-XXXX-XXXX"

                      a.) After the failure mode error has been displayed, the login for the console will come next. Will the problem be solved if I login in the console and disable failure mode using the command cf daemond set failure_mode=off and put the license again?.

                      Yes - once you have fixed the cause of the problem (in this case the fact that it cannot license itself).

                      a.a) How to put the license via command line?

                      The command is "cf license get". This assumes that the appliance is able to connect to the outside world. If it is, it will simply "phone home" and will pick up a new activation key.

                      You do have another option. From another machine (which is able to access the Internet) go to the following web site https://ssl.securecomputing.com/activation.cfm?product=Sidewinder and manually activate the license. This will produce a file which you save and then upload to the Firewall using the GUI. So if you have managed to re-establish a connection to the internal side of the Firewall, but not the external, you can at least re-apply the license in order to take it out of failure mode. Details, such as the Firewall ID can all be found by running the command "cf license query".

                      b.) do we need to enable the management console port? will it be necessary for the troubleshooting?.

                      I've personally never needed to enable the management port on these newer appliances - and, as sliedl recommended, given the nature of your problem you are probably better off raising this as an official ticket so that McAfee support can guide you through this whole situation personally.

                      -Phil.

                      Message was edited by: PhilM on 19/04/12 08:56:49 IST
                      • 8. Re: Failed to connect to SSL server error

                        Hi Phil,

                        I successfully changed the license key but cannot connect it to the internet because the NICs changed, since it is a new machine (from the F-series to the new machine which is the S-series). I successfully reassigned the interfaces to the new NICs but I cannot connect to the Admin Console because of the SSL error. Below are the logs generated using showaudit -k and a screenshot. The SSL error shows up without waiting or trying to connect.

                        Apr 23 16:24:22 2012 PHT    f_admin_console a_proxy t_attack p_major
                        pid:10931 ruid: 0 euid:0 pgid:10931 logid:0 cmd:'scobrap'
                        domain GSSL edomain: GSSL hostname:fw.manulife.com.ph
                        category: policy_violation event: ACL deny attackip:10.252.192.37
                        attackburb: internal srcip:10.252.192.37 srcport:49250 srcburb:internal
                        dstip:10.252.192.36 dstport:9003 dstburb:internal protocol:6
                        service_name: BPO Avaya TCP UDP Service user_name: (null) auth_method:(null)
                        rule_name: Deny All cache_hit: 0 reason: Traffic denied by policy.

                        Apr 23 16:24:22 2012 PHT    f_auditbotd a_server t_alert p_major
                        pid:3135 ruid: 0 euid: 0 pgid:3135 logid: 0 cmd: 'auditbotd'
                        domain: Abot edomain: Abot hostname: fw1.manulife.com.ph event: alert dropped
                        alert_name: IPS aleart_type: Attack num_events: 1
                        start_time: Mon Apr 24 16:24:22 2012 end_time: Mon Apr 23 16:24:22 2012
                        sacap_filter: (type AUDIT_T_ATTACK) && (priority AUDIT_P_EMERGENCY || priority AUDIT_P_ALERT || priority AUDIT_P_CRIT || priority AUDIT_P_FATAL || priority AUDIT_P_MAJOR)
                        alert_actions: None dropped_count: 1 reason: alert within alarm interval

                        • 9. Re: Failed to connect to SSL server error
                          PhilM

                          As per my earlier response (Apr 16, 2012 10:38 AM) the first audit record indicates that your attempt to connect to the Firewall using the console is hitting a Deny rule on the Firewall.

                          So, either the Admin Console rule has been disabled or it has been moved below a rule which is denying access.

                          You have previously said that you do not believe this is the case. If so, as per sliedl's recommendation on April 18th, you should raise a ticket with support and they will be able to work through this with you personally.

                          Sorry I can't be of any more help.

                          -Phil.
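A small triage helper for the showaudit -k records quoted in this thread, written as an added example (it is not McAfee's code, and the hostnames and addresses in it are constructed placeholders): it parses each record's key: value fields and reports, the way Phil reads them above, whether a port-9003 record is a Deny-rule hit or an unhandled TCP netprobe, and flags the auditbotd "alert dropped" records as suppression noise rather than the cause.

```python
import re

# Constructed sample records in the "key: value" layout of MFE showaudit -k
# output, modelled on the ones quoted in this thread; hostnames and addresses
# are placeholders. Each record is one line here (showaudit wraps on screen).
SAMPLE_AUDIT = """\
Apr 23 16:24:22 2012 PHT f_admin_console a_proxy t_attack p_major pid:10931 cmd:'scobrap' hostname:fw1.example.net category: policy_violation event: ACL deny srcip:10.0.0.37 srcport:49250 srcburb:internal dstip:10.0.0.36 dstport:9003 dstburb:internal protocol:6 rule_name: Deny All cache_hit: 0 reason: Traffic denied by policy.
2012-04-15 22:28:35 -0400 f_kernel a_nil_area t_netprobe p_minor hostname: fw2.example.net event: TCP netprobe srcip: 192.0.2.10 srcport: 50179 srczone: external dstip: 192.0.2.1 dstport: 9003 protocol: 6 interface: em0 reason: Received a TCP connection attempt destined for a service that the current policy does not support
2012-04-15 22:28:35 -0400 f_auditbotd a_server t_alert p_major pid: 1465 cmd: 'auditbotd' hostname: fw2.example.net event: alert dropped alert_name: IPS alert_type: Attack num_events: 1 alert_actions: None dropped_count: 66 reason: alert within alarm interval
"""

ADMIN_CONSOLE_PORT = "9003"

# facility / area / type / priority tokens that follow the timestamp
HEADER_RE = re.compile(r"\b(f_\w+)\s+(a_\w+)\s+(t_\w+)\s+(p_\w+)")
# a value runs until the next "key:" token or end of line, so multi-word
# values such as "ACL deny" and "Deny All" survive intact
FIELD_RE = re.compile(r"([a-z_]+):\s*(.*?)(?=\s+[a-z_]+:|$)")


def parse_record(line: str) -> dict:
    """Split one audit line into its header tokens and key/value fields."""
    rec = {}
    m = HEADER_RE.search(line)
    if m:
        rec["facility"], rec["area"], rec["type"], rec["priority"] = m.groups()
    for key, value in FIELD_RE.findall(line):
        rec[key] = value.strip()
    return rec


def classify(rec: dict) -> str:
    """Say what a record means for Admin Console (TCP 9003) access."""
    if rec.get("dstport") == ADMIN_CONSOLE_PORT:
        if rec.get("type") == "t_attack" and rec.get("event") == "ACL deny":
            # a rule matched and denied the session: the console rule is
            # disabled, removed, or ordered below the rule that matched
            return f"console denied by rule '{rec.get('rule_name', '?')}'"
        if rec.get("type") == "t_netprobe":
            # no rule in the current policy accepted the port at all
            return "console port not handled by policy"
    if rec.get("type") == "t_alert" and rec.get("event") == "alert dropped":
        # auditbotd throttling repeated IPS alerts; noise, not the cause
        return "alert suppression only (not the cause)"
    return "unrelated"


def triage(audit_text: str) -> list:
    """Return (hostname, verdict) for every record in the text."""
    return [(r.get("hostname", "?"), classify(r))
            for r in map(parse_record, audit_text.splitlines()) if r]
```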