Forum Discussion

Martin_Barringe's avatar
Martin_Barringe
Level 3
13 years ago

SSL Handshakes fails

I am having problems with Backup Exec 2010 R3 SP1 with all updated as of (18th December) being able to view Enterprise Vault v9 SP2.

If I remove and reinstall backupexec the SSL hand shake works for a week and then fails again and no backups.

This is the only server affected from 2 Media Servers both running Windows 2008 R2 SP1.  If I use a 2003 SP2 X86 I can see the data partitions and all is working correctly.

Here is a extract from the BE Debug Logs

BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [nrds]               - Accepted new connection.
BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [nrds]               - AcceptConnection: SSL was requested
BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 692(0x2b4) retval = 0
BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [nrds]               - Accepted new connection.
BENETNS:  [12/18/11 14:09:12] [0000]     12/18/11 14:09:12 [nrds]               - AcceptConnection: SSL was requested
BENETNS:  [12/18/11 14:09:13] [0000]     12/18/11 14:09:12 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
BENETNS:  [12/18/11 14:09:13] [0000]     12/18/11 14:09:12 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 692(0x2b4) retval = 0
 

I have confirmed the trusted certificate is on the vault server and name resolution is working correctly.

Any suggestions would be helpful

2010
Agent for Enterprise Vault
Backup and Recovery
Backup Exec
Remote Agent for Windows Servers
  • Colin_Weaver's avatar
    Colin_Weaver
    13 years ago

    These certificates were introduced in Backup Exec 2010 R3 after 3rd party specialists in IT security analysis notifed Symantec of a potential for a type of security breach between a media server and a remote agent that is known as a "Man in the Middle" attack.

    You can disable this functionality with a registry change, however if you do this you will open up a potential security flaw so will need to take other steps to ensure that your security is not compromised. As such it becomes a "use at your own risk" option and should really only be used as a short term workaround for an issue that Symantec are already investigating. If you use it for an issue we are unaware of then obviously we will never fix the issue. We are aware of current problems with the TLS Handshaking that is affecting publishing and other functionality with Backup Exec, as part of

    http://www.symantec.com/docs/TECH168154

    As such if any customer uses the details provided below as a workaround,  the changes should be undone once notification of a full solution of the issue has been made public. EDIT:  In fact we have received some feedback that using this registry change for one backup and then removing it again allows the systems to contuinue working correctly with the security enabled.

     

    Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried-out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes

     

    Create a DWORD value in

    HKLM\SOFTWARE\Symantec\Backup Exec For Windows\Backup Exec\Engine\Agents

    called

    Security Disabled

    Set the value to 1

     

    This must be done on media server and remote server and the Backup Exec services on the servers will need restarting after the change.

     

    Final Update....

    Just for info the Security Handshaking issues should now be resolved by Hotfix 180429 As such you should not need to disable security as a workaround if this Hotfix is installed to the Media Server and the remote agents have been updated since the Hotfix was installed.

    Also if you are using the Security Disabled workaround you should be able to re-enable it after applying the Hotfix.

12 Replies

Sort By
  • Kiran_Bandi's avatar
    Kiran_Bandi
    Level 6
    13 years ago

    Refer http://www.symantec.com/docs/TECH163676

    You can also try readding the certificate to remote agent. Refer http://www.symantec.com/docs/TECH154951

    Regards....

  • Martin_Barringe's avatar
    Martin_Barringe
    Level 3
    13 years ago

    This fix is already installed..

    I have added the service definition in services and tried to create the trust again..  It does appear to create the trust as the certificate is viewable on the remote agent.

    The following is the debug logs.

    BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpcomm]      - Successfully resolved the "ndmp" service to port: 10000 (host order)
    BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpcomm]      - ndmpConnectEx: Querying the neighbour advertisement cache to discover information on 'Vault.domain.com' ...
    BENETNS:  [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 NRDS API - client connected.
    BENETNS:  [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 NRDS API - client disconnected.
    BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpcomm]      - ndmpConnectEx : Control Connection information: A connection was established between end-points 172.16.1.79:63188 and 172.16.1.96:10000.
    BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpclient]    - NDMP version 3 connection CONNECTED
    BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpcomm]      - ERROR: 4 Error: Connection has not been authorized
    BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:12 [ndmp\ndmpclient]    - *** getLastNDMPError Calling to get last NDMP Error.
    BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:13 [ndmp\ndmpclient]    - Got SignedCertificate ok. size:937.
    BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:13                      - SSL connection using version TLSv1
    BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:13                      - SSL connection using cipher AES256-SHA
    BEREMOTE: [12/18/11 14:50:13] [0000]     12/18/11 14:50:13 [ndmp\ndmpclient]    - secureNDMPConnection: SECURITY ENABLED!!
    BEREMOTE: [12/18/11 14:50:14] [0000]     BECryptoInit: BECrypto non-FIPS mode successfully enabled.
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - Accepted new connection.
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: SSL was requested
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 672(0x2a0) retval = 0
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - Accepted new connection.
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: SSL was requested
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 672(0x2a0) retval = 0
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - Accepted new connection.
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: SSL was requested
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
    BENETNS:  [12/18/11 14:50:28] [0000]     12/18/11 14:50:28 [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 672(0x2a0) retval = 0
     

  • Martin_Barringe's avatar
    Martin_Barringe
    Level 3
    13 years ago

    I have confirmed the permissions are set correctly and have also used the Backup Exec Diag tool to check the status.  However this is still erroring.  I have also tried to add the media server from the remote agent.  The server appears for a few seconds in the list and then disappears.

    I have another backup exec media server which uses the same account, which can access and backup vault correctly. 

    I cannot use that server as the tape drive is to small. (We use an autoloader on the main server).

    Regards

  • Colin_Weaver's avatar
    Colin_Weaver
    Moderator
    13 years ago

    It's probably the issue under investigatiomn as part of

    http://www.symantec.com/docs/TECH168154

     

    You can try this:

    1) Go to an affected remote agent server
    2) Run the Backup Exec Remote Agent Utility on the server (vxmon.exe)
    3) Click the Security Tab
    4) Click the Change Settings button
    5) Click the Security tab again
    6) Select the certicate for the media server
    7) Click Remove
    8) Click OK
    9) Go back to media server and open Backup Exec console
    10) Start to create a new backup job browse to the remote server (used in Steps 1-8)
    11) When you get the "Remote Agent not Trusted" dialog box - click Yes
    12) Cancel out of creating the backup job
    13) Go back to remote server and use the Remote Agent utility to check that a new certficiate has been added to the security tab
    14) Test a backup job
    15) Repeat steps 1-14 for all affected remote agent servers

  • Martin_Barringe's avatar
    Martin_Barringe
    Level 3
    13 years ago

    I have performed this as above but it is still failing.

    The only server affected appears to be the enterprise vault server and only from Windows 2008 R2 media Servers.

    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [fsys\adc]           - ADC_ResolveDeviceName: pid = 9044, checking \\Vault.domain.com
    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - ApplyRegExp(): Invalid input (\\Vault.domain.com). Parsing Failed.
    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - GoodEvName(): Invalid EV device (\\Vault.domain.com).
    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - ApplyRegExp(): Invalid input (\\Vault.domain.com). Parsing Failed.
    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - GoodEvName(): Invalid EV device (\\Vault.domain.com).
    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - Input Error (e000fe23) for Type: (43)
    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [fsys\ev]            - EVM_ResolveDeviceName: Function Enter
    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [beutil]             - ApplyRegExp(): Invalid input (\\Vault.domain.com). Parsing Failed.
    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [fsys\ev]            - EVM_ResolveDeviceName: Invalid device name (\\Vault.domain.com). Parsing Failed.
    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [fsys\ev]            - EVM_ResolveDeviceName: Function Exit
    BEREMOTE: [12/19/11 09:15:37] [0000]     [10220] 12/19/11 09:15:36 [fsys\ntfs]          - Not valid device name : \\Vault.domain.com

  • Sieber's avatar
    Sieber
    Level 2
    13 years ago

    Hi, i just found this thread.

    I have exact the same problems as Martin with BE 2010 R3 latest updates and Enterprise Vault 8.0.4.

    I tried also all of the mentioned steps above. Any suggestions would be helpful.

    With debugger i see also the following messages:

    BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - Accepted new connection.
    BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - AcceptConnection: SSL was requested
    BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
    BENETNS:  [12/20/11 15:55:53] [3360]     [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 700(0x2bc) retval = 0
    BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - Accepted new connection.
    BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - AcceptConnection: SSL was requested
    BENETNS:  [12/20/11 15:55:53] [3360]     [nrds]               - AcceptConnection: Failed Server Side SSL handshake.
    BENETNS:  [12/20/11 15:55:53] [3360]     [BESocket]           - @@@@@@@MyCloseSocket called with sockfd = 700(0x2bc) retval = 0

    Many Thanks

    Best regards Stephan
     

  • marco_lelli-123's avatar
    marco_lelli-123
    Level 3
    13 years ago

    Same issue here, the only way I've found to workaround the problem is roll back the agent to R2 version.

    This may help someone.

    Is it there some Symantec guy who knows how to disable certificate usage in BE 2010 R3 agent?

    It's very unuseful!!!

  • Colin_Weaver's avatar
    Colin_Weaver
    Moderator
    13 years ago

    These certificates were introduced in Backup Exec 2010 R3 after 3rd party specialists in IT security analysis notifed Symantec of a potential for a type of security breach between a media server and a remote agent that is known as a "Man in the Middle" attack.

    You can disable this functionality with a registry change, however if you do this you will open up a potential security flaw so will need to take other steps to ensure that your security is not compromised. As such it becomes a "use at your own risk" option and should really only be used as a short term workaround for an issue that Symantec are already investigating. If you use it for an issue we are unaware of then obviously we will never fix the issue. We are aware of current problems with the TLS Handshaking that is affecting publishing and other functionality with Backup Exec, as part of

    http://www.symantec.com/docs/TECH168154

    As such if any customer uses the details provided below as a workaround,  the changes should be undone once notification of a full solution of the issue has been made public. EDIT:  In fact we have received some feedback that using this registry change for one backup and then removing it again allows the systems to contuinue working correctly with the security enabled.

     

    Warning: Incorrect use of the Windows registry editor may prevent the operating system from functioning properly. Great care should be taken when making changes to a Windows registry. Registry modifications should only be carried-out by persons experienced in the use of the registry editor application. It is recommended that a complete backup of the registry and workstation be made prior to making any registry changes

     

    Create a DWORD value in

    HKLM\SOFTWARE\Symantec\Backup Exec For Windows\Backup Exec\Engine\Agents

    called

    Security Disabled

    Set the value to 1

     

    This must be done on media server and remote server and the Backup Exec services on the servers will need restarting after the change.

     

    Final Update....

    Just for info the Security Handshaking issues should now be resolved by Hotfix 180429 As such you should not need to disable security as a workaround if this Hotfix is installed to the Media Server and the remote agents have been updated since the Hotfix was installed.

    Also if you are using the Security Disabled workaround you should be able to re-enable it after applying the Hotfix.

  • Sieber's avatar
    Sieber
    Level 2
    13 years ago

    Many Thanks, the workaround is working properly. Hope you'll find a solution soon.

    Best regards