I'm working on an issue with my Nagios server. Nagios monitoring was working fine, but for a few days now I have been seeing these errors:
"CHECK_NRPE: Error - Could not complete SSL handshake." But these errors are not consistent. First it gives this error, but after 5 minutes the check becomes OK.
So I checked my configuration, but as no changes were made recently, I found no issues there either.
So I tried to analyse the Nagios traffic with Wireshark. Mostly it looks OK to me, but I found a strange thing: when Nagios tries to establish the SSL handshake, it sends a packet whose protocol is shown in Wireshark as "SSL". It receives no answer. Then after a minute it sends the same packet for the SSL handshake, but with the TLSv1 protocol. And then it works fine. http://piccy.info/view3/4921610/583ca764bdb98d778b0f605c3e0b3a22/orig/
So the question is: what is the difference between these SSL and TLSv1 protocols? They look the same to me.
asked 30 Jul '13, 08:51
The Client Hello is a TLS 1.0 handshake in both - tcp.stream eq 10 or tcp.stream eq 11 - connections.
The difference in the Protocol interpretation (SSL vs. TLSv1) is due to the fact that in stream 11 the negotiation does not complete and Wireshark sets SSL in this case.
I extracted only the first 5 packets of tcp stream 10 and the Protocol field then changed to SSL also, when it was TLSv1 before with the full handshake.
So the real question is, why does the "server" send a FIN in the middle of the SSL handshake? Looking at the RTT and TTL it is probably NOT the real server but maybe the Riverbed appliance, but this is just a guess.
answered 31 Jul '13, 00:05
As @mrEEde2 points out, the SSL version of the client hello is actually the same, it is the interpretation of Wireshark based on the rest of the session that makes it show SSL or TLSv1. So that is not the issue.
What I do see in your trace is that all traffic is sent to a TyanComp system with the MAC address 00:e0:81:45:5c:a8 and that the return traffic either comes from a Cisco device with MAC address 64:00:f1:c1:da:01 or from a Riverbed device with MAC address 00:0e:b6:99:9e:e4. There is only one session that fails in the trace file. It is after a couple of sessions over the Cisco and before a couple of sessions over the Riverbed. As the Riverbed device is most likely a WAN optimizer, could it be that the tunnel to the remote location is flapping and that when Nagios polls while the tunnel is being rebuilt, the SSL session to the server 10.49.32.186 fails?
What is the LAN setup at the Nagios side of the connection?
answered 31 Jul '13, 01:38
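An added example, not part of the original answers: the version a client offers is carried in the Client Hello bytes themselves, so it can be read directly from the TCP payload instead of from the Protocol column. The sample bytes are constructed, not taken from the poster's trace, and the function names are hypothetical.

```python
import struct

# Wire values of the two-byte protocol version field.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello_versions(payload: bytes):
    """Return (record_version, client_version) read from a Client Hello.

    Only the first 11 bytes are needed, so a truncated capture still works.
    """
    if len(payload) < 11:
        raise ValueError("too short for record header + Client Hello version")
    content_type, rec_ver, _rec_len = struct.unpack("!BHH", payload[:5])
    if content_type != 22:                      # 22 = handshake record
        raise ValueError("not a TLS handshake record")
    if payload[5] != 1:                         # 1 = client_hello
        raise ValueError("handshake message is not a Client Hello")
    # payload[6:9] is the 3-byte handshake length; the version follows it.
    (cli_ver,) = struct.unpack("!H", payload[9:11])
    def name(v):
        return VERSIONS.get(v, f"unknown 0x{v:04x}")
    return name(rec_ver), name(cli_ver)

def build_sample_client_hello(version: int = 0x0301) -> bytes:
    """Constructed minimal Client Hello (not bytes from the poster's trace)."""
    hello = (struct.pack("!H", version) + bytes(32)   # version + 32-byte random
             + b"\x00"                                # empty session id
             + b"\x00\x02\x00\x2f"                    # one cipher suite
             + b"\x01\x00")                           # null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

if __name__ == "__main__":
    completed = build_sample_client_hello()       # stands in for the session that completes
    aborted = build_sample_client_hello()[:11]    # stands in for a cut-short capture
    for label, data in (("completed", completed), ("aborted", aborted)):
        print(label, client_hello_versions(data))
```

Both inputs report the same pair of versions, which matches the point made in the answers: the bytes of the Client Hello are identical whether or not the handshake later completes.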