2017-06-01 05:26 AM
We are experiencing an issue with our SnapCenter 2.0 which is proving very difficult to isolate and resolve. When we attempt to add an SVM to SnapCenter we receive the following errors:
"The client and server cannot communicate, because they do not possess a common algorithm" & "Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host" depending on which TLS & Cipher configuration we have on the Windows Server - We have tried multiple configurations.
The Storage device is running ONTAP9.1P1 with only TLS 1.2 enabled and Low and Medium Security Ciphers disabled. Both host and client do have common ciphers in place. We receive the errors above regardless of whether or not we use http or https as the transport protocol. If we attempt to connect to the SVM using Snapdrive 7.1.4 we can make a successful connection, demonstrating that http traffic to the SVM is possible over HTTPS from the Server with the credentials being used.
We have used Wireshark and PKTT to view network activity. Ping shows ICMP packets exchanged at both source and destination whereas any attempt to add the Storage device shows zero packets at either end. This implies that the issue we are seeing is not due to a Failed Handshake. If we attempt to connect to alternative devices from SnapCenter we again see no packets being sent at source or destination.
When we use an SSL Checker utility against Port 8146 (Snapcenter default) we see the following output - "No SSL/TLS server at "Server Name":8146"
When we use the same Checker utility against the RDP port we see the following:
C:\TEMP>testsslserver "Server Name" 3389
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
..and a list of available Ciphers
The Snapcenter documentation shows the following at https://library.netapp.com/ecmdocs/ECMLP2522556/html/GUID-470A0EEF-EBB7-410A-A295-3A7A2C156278.html
"SnapCenter supports Transport Layer Security (TLS) 1.2 communication with ONTAP. You can also use TLS 1.2 communication between clients and servers"
We have a case open with support but I would like to ask the community about this as it is a rather obscure issue that is preventing us moving forward. Has anyone seen this or does anyone have that piece of knowledge that we lack to resolve this?
Many thanks, D
2017-06-05 02:59 AM
SnapCenter has dependency on TLS v1.0 because of SnapCenter server's .NET 4.0 dependency. Disabling TLS 1.0 can cause communication failure between the server and the host.
The fix for removing the dependency on TLS 1.0 is going to be included in the next release of Snap Center.
2017-06-07 05:10 AM
Thanks for your reply.
There is a reference to this in the release notes for SnapCenter 2.0P1, i.e. https://mysupport.netapp.com/NOW/download/software/snapcenter/2.0P1/
1087151 [3B] - "Document SSL/TLS requirements for SnapCenter"
Occurrence: SnapCenter has dependency on TLS v1.0 because of SnapCenter server's .NET 4.0 dependency. Disabling TLS 1.0 can cause communication failure between the server and the host.
Solution: The fix for removing the dependency on TLS 1.0 is going to be included in the next release of Snap Center.
We have tested connectivity with TLS1.0 enabled on the Server but we cannot alter the TLS1.2 only configuration on the NETAPP. Regardless of what TLS\SSL\Cipher configuration we use on the Server the issue persists. In all instances packet tracing shows no attempt at communication whatsoever. There is simply no data transfer out of the server from SnapCenter when we attempt to connect any Storage Device. There is also no traffic when HTTP is used.
Best regards, D
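The thread turns on which TLS versions the Windows Server and its .NET 4.x runtime will offer, so the following is an added example (not from any poster or from NetApp) of a read-only PowerShell audit of the standard Schannel and .NET Framework registry settings that govern this. It assumes the SnapCenter server process honours those standard Windows settings; `Get-RegValue` is a hypothetical helper name.

```powershell
# Added example: read-only audit, changes nothing on the host.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles     = 'Client', 'Server'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (the OS default then applies).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Schannel: per-protocol, per-role switches set by hardening tools or GPO.
$rows = foreach ($p in $protocols) {
    foreach ($r in $roles) {
        $key     = Join-Path (Join-Path $schannel $p) $r
        $enabled = Get-RegValue -Path $key -Name 'Enabled'
        $dbd     = Get-RegValue -Path $key -Name 'DisabledByDefault'
        $state = if ($null -eq $enabled -and $null -eq $dbd) { 'OS default (not set)' }
            elseif ($enabled -eq 0) { 'Disabled' }
            elseif ($dbd -eq 1) { 'Enabled, not offered by default' }
            else { 'Enabled' }
        [pscustomobject]@{
            Protocol = $p; Role = $r; Enabled = $enabled
            DisabledByDefault = $dbd; State = $state
        }
    }
}
$rows | Format-Table -AutoSize

# .NET Framework 4.x: values that decide whether a .NET 4.0-era application
# offers only SSL 3.0/TLS 1.0 or follows the stronger OS defaults.
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
$net = foreach ($k in $netKeys) {
    [pscustomobject]@{
        Key                      = $k
        SchUseStrongCrypto       = Get-RegValue -Path $k -Name 'SchUseStrongCrypto'
        SystemDefaultTlsVersions = Get-RegValue -Path $k -Name 'SystemDefaultTlsVersions'
    }
}
$net | Format-List

# What a .NET client in this PowerShell process would offer right now.
"ServicePointManager.SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"
```

If TLS 1.0 shows as disabled for the Client role while the .NET values are unset, a .NET 4.0-era client has no protocol left to offer to a TLS 1.2-only peer, which matches the "do not possess a common algorithm" error quoted above.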