
VCS TLS Errors

Justin Ferello
Level 5

Hey all, got some questions about TLS.  I have a two peer cluster of VCS-Cs and a two peer cluster of VCS-Es.

I am trying to enable TLS verify on the traversal zone, however I keep getting "Peer's TLS certificate identity was unacceptable" in the event logs. What does this mean? All four VCSes have the same SAN cert loaded on them with all the proper names in the Subject Alternative field.

The second question I have is: when you turn on "TLS verify subject name" on the VCS-E you must enter an FQDN here. What would I put in here, since I have two VCS-Cs that will be talking to this cluster?

 

Thanks,

Justin

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ

Chris Swinney
Level 5

Question 1 - Have you uploaded the relevant CA certs, assuming that they are not public certificates? Just because they have the same type of server cert installed, do they know how to authenticate that cert when it is presented from the other side?

Question 2 - not sure here as I have no access to our VCS-Es at the moment. Where is this option in the VCS menu? However, I would think that it is the FQDN of the specific peer.

Hey Justin,

I might take back what I said in Q2. I assume this is on the Zone setup when you enable TLS verify mode? I just VPN'ed in to check our VCS-Es and whilst we don't have TLS with mutual verify mode on, I suspect that because you have multiple Traversal Clients in a cluster that could connect to multiple Traversal Servers in a cluster, you would have to specify the cluster name and this name should appear on the certificates that are presented.

Have you checked out the Certificate admin guide for the VCS, which I think might show you how certificates should be installed and configured for the VCSs, including a cluster?

 

Cheers

Chris

Yes, fully agree with Chris.

 

First thing might be to check with

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/config_guide/X8-1/Cisco-VCS-Certificate-Creation-and-Use-Deployment-Guide-X8-1.pdf

 

Then check that the CA is present and that the names are correct.

Also check that the specific hostnames, not the IPs, are used as the peer address.

Please remember to rate helpful responses and identify
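The peer-address point above, as an added example that is not part of the original thread and is not Cisco's implementation: a generic RFC 6125-style identity check showing why an IP literal does not match a certificate whose SAN list holds only DNS names. All host names and addresses are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed SAN list in the shape ssl.SSLSocket.getpeercert() returns under
# "subjectAltName". All names are placeholders, not taken from the thread.
SAMPLE_SAN = (
    ("DNS", "vcsc-cluster.example.com"),
    ("DNS", "vcsc1.example.com"),
    ("DNS", "vcsc2.example.com"),
    ("DNS", "*.edge.example.com"),
)

def _dns_match(pattern, name):
    """RFC 6125-style match: a wildcard may only be the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if len(p_labels) != len(n_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == n_labels[1:] and n_labels[0] != ""
    return p_labels == n_labels

def identity_acceptable(configured, san):
    """Return True if the configured peer address or subject name is in the SAN list."""
    try:
        ip = ipaddress.ip_address(configured)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            # An IP literal only matches an "IP Address" SAN entry, never a DNS one.
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, configured):
            return True
    return False

def audit(peers, san):
    """Map each configured peer address to whether the certificate covers it."""
    return {p: identity_acceptable(p, san) for p in peers}

if __name__ == "__main__":
    peers = ["192.0.2.10", "vcsc1.example.com",
             "vcse1.edge.example.com", "a.b.edge.example.com"]
    for peer, ok in audit(peers, SAMPLE_SAN).items():
        print(f"{peer:28} {'match' if ok else 'NO MATCH'}")
```

Feeding it the SAN list from a real certificate and the addresses configured on the zone shows at a glance which entries a name-verifying peer would reject.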

Martin,

 

This I did not think about. We are currently using IPs in the peer addresses; I will change them to hostnames tonight and see what that does.

 

Thanks,

Justin

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ

Hi Justin,

As an aside, I am currently undergoing some Microsoft training WRT Lync and we were reviewing the use of wildcard or SAN certificates - for you, the news might not be good. It would seem to NOT be a recommended process when applying certificates to use a wildcard or SAN certificate, as you cannot uniquely identify the specific device when you create TLS channels for encrypted communication between those devices. This is NOT an expert area of mine (in fact I'm not entirely sure what is, but I digress); however, I would suspect this to be a similar thing for the VCSs. The way I understand it is that mutual TLS channels are device specific and as such generic domain certs would not be suitable; however, I'm not entirely sure if this is 100% correct.

Still, you would only need to issue internal cert of the VCS-C and (if required) public certs for the VCS-Es.

I was just reviewing the certificate creation & use guide and it mentioned that each VCS needs to generate a CSR for its cert, so I would need to have at least 4 different certs??? That is crazy, what is the point of having the SAN then?

 

Right now we have a SAN cert with 100 hosts on it that we use for all our equipment, I don't want to have to maintain tons of certs....

 

I will do some more testing.

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ

1) Yes I did, these are public certs. I ran the client validation test tool within the VCS on the cert and it passes.

 

2) I tried the cluster FQDN, still did not work.

Thank you,
Justin Ferello
Technical Support Specialist, ScanSource KBZ