Video Screencast Help
Scheduled Maintenance: Symantec Connect is scheduled to be down Saturday, April 19 from 10am to 2pm Pacific Standard Time (GMT: 5pm to 9pm) for server migration and upgrades.
Please accept our apologies in advance for any inconvenience this might cause.

SSL Handshakes fails

Created: 18 Dec 2011 • Updated: 21 Mar 2012 | 12 comments
Martin Barringer's picture
This issue has been solved. See solution.

I am having problems with Backup Exec 2010 R3 SP1 with all updated as of (18th December) being able to view Enterprise Vault v9 SP2.

If I remove and reinstall backupexec the SSL hand shake works for a week and then fails again and no backups.

This is the only server affected from 2 Media Servers both running Windows 2008 R2 SP1.  If I use a 2003 SP2 X86 I can see the data partitions and all is working correctly.

Here is a extract from the BE Debug Logs

BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [nrds]               - Accepted new connection.
BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [nrds]               - AcceptConnection: SSL was requested
BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 692(0x2b4) retval = 0
BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [nrds]               - Accepted new connection.
BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [nrds]               - AcceptConnection: SSL was requested
BENETNS:  [12/18/11 14:09:13] [0000]     12/18/11 14:09:12 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
BENETNS:  [12/18/11 14:09:13] [0000]     12/18/11 14:09:12 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 692(0x2b4) retval = 0
 

I have confirmed the trusted certificate is on the vault server and name resolution is working correctly.

Any suggestions would be helpful

Comments 12 CommentsJump to latest comment

Kiran Bandi's picture

Refer http://www.symantec.com/docs/TECH163676

You can also try readding the certificate to remote agent. Refer http://www.symantec.com/docs/TECH154951

Regards....

Martin Barringer's picture

This fix is already installed..

I have added the service definition in services and tried to create the trust again..  It does appear to create the trust as the certificate is viewable on the remote agent.

The following is the debug logs.

BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpcomm]      - Successfully resolved the "ndmp" service to port: 10000 (host order)
BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpcomm]      - ndmpConnectEx: Querying the neighbour advertisement cache to discover information on 'Vault.domain.com' ...
BENETNS:  [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 NRDS API - client connected.
BENETNS:  [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 NRDS API - client disconnected.
BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpcomm]      - ndmpConnectEx : Control Connection information: A connection was established between end-points 172.16.1.79:63188 and 172.16.1.96:10000.
BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpclient]    - NDMP version 3 connection CONNECTED
BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpcomm]      - ERROR: 4 Error: Connection has not been authorized
BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpclient]    - *** getLastNDMPError Calling to get last NDMP Error.
BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:13 [ndmp\ndmpclient]    - Got SignedCertificate ok. size:937.
BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:13                      - SSL connection using version TLSv1
BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:13                      - SSL connection using cipher AES256-SHA
BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:13 [ndmp\ndmpclient]    - secureNDMPConnection: SECURITY ENABLED!!
BEREMOTE: [12/18/11 14:50:14] [0000]     BECryptoInit: BECrypto non-FIPS mode successfully enabled.
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - Accepted new connection.
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: SSL was requested
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 672(0x2a0) retval = 0
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - Accepted new connection.
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: SSL was requested
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 672(0x2a0) retval = 0
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - Accepted new connection.
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: SSL was requested
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 672(0x2a0) retval = 0
 

Martin Barringer's picture

I have confirmed the permissions are set correctly and have also used the Backup Exec Diag tool to check the status.  However this is still erroring.  I have also tried to add the media server from the remote agent.  The server appears for a few seconds in the list and then disappears.

I have another backup exec media server which uses the same account, which can access and backup vault correctly. 

I cannot use that server as the tape drive is to small. (We use an autoloader on the main server).

Regards

Colin Weaver's picture

It's probably the issue under investigatiomn as part of

http://www.symantec.com/docs/TECH168154

 

You can try this:

1) Go to an affected remote agent server
2) Run the Backup Exec Remote Agent Utility on the server (vxmon.exe)
3) Click the Security Tab
4) Click the Change Settings button
5) Click the Security tab again
6) Select the certicate for the media server
7) Click Remove
8) Click OK
9) Go back to media server and open Backup Exec console
10) Start to create a new backup job browse to the remote server (used in Steps 1-8)
11) When you get the "Remote Agent not Trusted" dialog box - click Yes
12) Cancel out of creating the backup job
13) Go back to remote server and use the Remote Agent utility to check that a new certficiate has been added to the security tab
14) Test a backup job
15) Repeat steps 1-14 for all affected remote agent servers

Martin Barringer's picture

I have performed this as above but it is still failing.

The only server affected appears to be the enterprise vault server and only from Windows 2008 R2 media Servers.

BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [fsys\adc]           - ADC_ResolveDeviceName: pid = 9044, checking \\Vault.domain.com
BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - ApplyRegExp(): Invalid input (\\Vault.domain.com). Parsing Failed.
BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - GoodEvName(): Invalid EV device (\\Vault.domain.com).
BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - ApplyRegExp(): Invalid input (\\Vault.domain.com). Parsing Failed.
BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - GoodEvName(): Invalid EV device (\\Vault.domain.com).
BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - Input Error (e000fe23) for Type: (43)
BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [fsys\ev]            - EVM_ResolveDeviceName: Function Enter
BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - ApplyRegExp(): Invalid input (\\Vault.domain.com). Parsing Failed.
BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [fsys\ev]            - EVM_ResolveDeviceName: Invalid device name (\\Vault.domain.com). Parsing Failed.
BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [fsys\ev]            - EVM_ResolveDeviceName: Function Exit
BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [fsys\ntfs]          - Not valid device name : \\Vault.domain.com

Sieber's picture

Hi, i just found this thread.

I have exact the same problems as Martin with BE 2010 R3 latest updates and Enterprise Vault 8.0.4.

I tried also all of the mentioned steps above. Any suggestions would be helpful.

With debugger i see also the following messages:

BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - Accepted new connection.
BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - AcceptConnection: SSL was requested
BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
BENETNS:  [12/20/11 15:55:53] [3360]     [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 700(0x2bc) retval = 0
BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - Accepted new connection.
BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - AcceptConnection: SSL was requested
BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
BENETNS:  [12/20/11 15:55:53] [3360]     [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 700(0x2bc) retval = 0

Many Thanks

Best regards Stephan
 

marco.lelli-123's picture

Same issue here, the only way I've found to workaround the problem is roll back the agent to R2 version.

This may help someone.

Is it there some Symantec guy who knows how to disable certificate usage in BE 2010 R3 agent?

It's very unuseful!!!

Colin Weaver's picture

These certificates were introduced in Backup Exec 2010 R3 after 3rd party specialists in IT security analysis notifed Symantec of a potential for a type of security breach between a media server and a remote agent that is known as a "Man in the Middle" attack.

You can disable this functionality with a registry change, however if you do this you will open up a potential security flaw so will need to take other steps to ensure that your security is not compromised. As such it becomes a "use at your own risk" option and should really only be used as a short term workaround for an issue that Symantec are already investigating. If you use it for an issue we are unaware of then obviously we will never fix the issue. We are aware of current problems with the TLS Handshaking that is affecting publishing and other functionality with Backup Exec, as part of

http://www.symantec.com/docs/TECH168154

As such if any customer uses the details provided below as a workaround,  the changes should be undone once notification of a full solution of the issue has been made public. EDIT:  In fact we have received some feedback that using this registry change for one backup and then removing it again allows the systems to contuinue working correctly with the security enabled.

 

Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried-out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes

 

Create a DWORD value in

HKLM\SOFTWARE\Symantec\Backup Exec For Windows\Backup Exec\Engine\Agents

called

Security Disabled

Set the value to 1

 

This must be done on media server and remote server and the Backup Exec services on the servers will need restarting after the change.

 

Final Update....

Just for info the Security Handshaking issues should now be resolved by Hotfix 180429 As such you should not need to disable security as a workaround if this Hotfix is installed to the Media Server and the remote agents have been updated since the Hotfix was installed.

Also if you are using the Security Disabled workaround you should be able to re-enable it after applying the Hotfix.

SOLUTION
Sieber's picture

Many Thanks, the workaround is working properly. Hope you'll find a solution soon.

Best regards

Martin Barringer's picture

I have modified all the remote agents and media server and now the selections work and backups are operating normally...

Thanks for the help with this and hope the fix is issued soon.....

Regards to all..  Merry Christmas...