SSL/TLS error since VEEAM upgrade to version 9.0


Re: SSL/TLS error since VEEAM upgrade to version 9.0

by modenet » Mon Sep 19, 2016 5:52 pm (2 people like this post)

RESOLVED by removing the last Windows updates:
KB3177186
KB3175024
KB3172605
KB3184122
KB3185911
modenet
Lurker
 
Posts: 1
Liked: 2 times
Joined: Mon Sep 19, 2016 5:36 pm

Re: SSL/TLS error since VEEAM upgrade to version 9.0

by sam.lowry » Wed Sep 21, 2016 1:20 pm (2 people like this post)

Same error with the new Windows update KB3185278: SSL/TLS error.
Uninstalling it resolves the problem.
These KBs must not be installed:
KB3175024
KB3172605
KB3185278

Just installed B&R 9 Update 2 and it's OK.
sam.lowry
Lurker
 
Posts: 1
Liked: 2 times
Joined: Tue Dec 01, 2015 4:59 am
Full Name: Guillaume REMBRY

Re: SSL/TLS error since VEEAM upgrade to version 9.0

by Seve CH » Tue Sep 27, 2016 12:42 pm

Hi.

Some info:
Since I installed KB3174644 in W2012R2, Veeam 9U2 was unable to connect to vCenter 5.5 and old servers. This patch has a different KB number for other versions of Windows.

Fired by event: VeeamNoHostConnectionEvent
Event description: Unable to connect to XXXXXXXX. Failed to download clients.xml file from https://XXXXXXXX:443/client/clients.xml. The request was aborted: Could not create SSL/TLS secure channel.
Initiated by: Veeam ONE Monitor (ZZZZZZZ)

And there were a lot of Schannel errors in the System event log. Source: Schannel, Event ID 36888:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 813.

It seems that the new Diffie-Hellman patch from Microsoft changed the minimum bits supported by Windows to a higher value which blocks connecting to old servers (we still have some ESX 4.1 and 5.1). I've uninstalled the patch and everything is now working fine. It will last until weak certificates get blocked again (SHA-1 anyone?).

Regards.
Seve CH
Influencer
 
Posts: 10
Liked: 6 times
Joined: Mon May 09, 2016 2:34 pm
Location: Switzerland
Full Name: JM Severino
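
The Schannel events quoted in the post above can be counted per alert code to see which alerts the backup server is sending and how often. This is an added example, not from the thread; it assumes PowerShell 3.0 or later and English-language event text, and the function names are hypothetical.

```powershell
# Added example, not from the thread: summarise Schannel Event ID 36888 entries
# (System log) by TLS alert code and SChannel error state.
# Assumes PowerShell 3.0+ and English event text; function names are hypothetical.

# TLS alert descriptions from RFC 5246, section 7.2 (subset).
$TlsAlertNames = @{
    40 = 'handshake_failure'
    42 = 'bad_certificate'
    46 = 'certificate_unknown'
    47 = 'illegal_parameter'
    48 = 'unknown_ca'
    70 = 'protocol_version'
    71 = 'insufficient_security'
}

function ConvertFrom-SchannelAlertMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Skip messages that do not carry a TLS alert code.
    if (-not ($Message -match 'fatal error code is (\d+)')) { return }
    $code = [int]$Matches[1]
    $state = $null
    if ($Message -match 'error state is (\d+)') { $state = [int]$Matches[1] }
    $name = if ($TlsAlertNames.ContainsKey($code)) { $TlsAlertNames[$code] } else { 'other' }
    [pscustomobject]@{ AlertCode = $code; AlertName = $name; ErrorState = $state }
}

function Get-SchannelAlertSummary {
    param([int]$Days = 7)
    $filter = @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36888
                 StartTime = (Get-Date).AddDays(-$Days) }
    # SilentlyContinue: Get-WinEvent reports an error when no events match.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $parsed = ConvertFrom-SchannelAlertMessage -Message $_.Message
            if ($parsed) {
                $parsed | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
            }
        } |
        Group-Object AlertCode, AlertName, ErrorState |
        Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'First'; e = { @($_.Group.TimeCreated | Sort-Object)[0] } },
            @{ n = 'Last';  e = { @($_.Group.TimeCreated | Sort-Object)[-1] } }
}

# Constructed sample: the message text quoted in the post above.
$sample = 'A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 813.'
ConvertFrom-SchannelAlertMessage -Message $sample | Format-List
Get-SchannelAlertSummary -Days 7 | Format-Table -AutoSize
```

Comparing the First and Last timestamps against patch installation dates and backup job schedules shows whether the alerts line up with a specific update or job.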

Re: SSL/TLS error since VEEAM upgrade to version 9.0

by alanbolte » Wed Sep 28, 2016 2:47 pm

alanbolte
Expert
 
Posts: 635
Liked: 170 times
Joined: Mon Jun 18, 2012 8:58 pm
Full Name: Alan Bolte

Re: SSL/TLS error since VEEAM upgrade to version 9.0

by joechay » Sun Oct 02, 2016 9:23 pm

Not helping, as I do not have the Microsoft KB update on my Veeam Server running Windows 2008R2.

I did however look at my vCenter to regenerate the certificate and so far no TLS error.
joechay
Novice
 
Posts: 3
Liked: 1 time
Joined: Thu Sep 15, 2016 1:09 am
Full Name: Joe Chay

Re: SSL/TLS error since VEEAM upgrade to version 9.0

by Frosty » Wed Mar 15, 2017 10:40 pm

I'm getting this problem as well.
Our environment has to be PCI DSS compliant, so I'm not really in a position to be uninstalling security patches.
Presents in the Windows event logs as Event ID 36888 in SCHANNEL in the System log, every time a backup is run.
Can confirm we have internal PKI and server's certificate is 2048 bits, but with SHA-1.
Backup server is Windows Server 2008 R2 running VBR v9.0 U2 (build 1715).
Our ESXi hosts are v5.1 ... although I plan to upgrade them to v5.5 shortly.
Any suggestions? Can it easily be fixed, or do I just live with it?
Frosty
Expert
 
Posts: 138
Liked: 24 times
Joined: Tue Dec 22, 2009 9:00 pm
Full Name: Stephen Frost

Re: SSL/TLS error since VEEAM upgrade to version 9.0

by Frosty » Tue Mar 21, 2017 10:13 pm (3 people like this post)

Completed an upgrade to vCenter from v5.1 to v5.5 Update 3e yesterday and the SCHANNEL Event ID 36888 errors are gone. Am assuming that the vCenter self-signed certificate was updated in the process (though not sure of this) and this fixed the issue.
Frosty
Expert
 
Posts: 138
Liked: 24 times
Joined: Tue Dec 22, 2009 9:00 pm
Full Name: Stephen Frost

Re: SSL/TLS error since VEEAM upgrade to version 9.0

by jim3cantos » Mon Apr 17, 2017 7:50 am

In our case, upgrading from vCenter v5.5 update 3b to v5.5 update 3e didn't seem to regenerate the certificate, so we forced regeneration from the vCenter appliance console. After that, we got "The remote certificate is invalid" error in backup jobs. Resolved following steps from this thread but still getting SSL/TLS errors in replication jobs. Support case 02129771 opened.
jim3cantos
Enthusiast
 
Posts: 43
Liked: 5 times
Joined: Tue Jan 08, 2013 6:14 pm
Location: Madrid, Spain
Full Name: José Ignacio Martín Jiménez

Re: SSL/TLS error since VEEAM upgrade to version 9.0

by jim3cantos » Fri Apr 21, 2017 6:38 am

jim3cantos wrote: In our case, upgrading from vCenter v5.5 update 3b to v5.5 update 3e didn't seem to regenerate the certificate, so we forced regeneration from the vCenter appliance console. After that, we got "The remote certificate is invalid" error in backup jobs. Resolved following steps from this thread but still getting SSL/TLS errors in replication jobs. Support case 02129771 opened.


Update: Problem solved with this last step from Veeam Support:

If your Veeam Server is on Windows 2008R2, apply the following registry value and reboot

Registry path: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Parameter: ClientCacheTime
Type: REG_DWORD
Value: 0

Ensure no jobs are running, restart the Veeam Backup server, and try the jobs again.

This is an old issue with Microsoft where the secure connection caching has unexpected consequences.
jim3cantos
Enthusiast
 
Posts: 43
Liked: 5 times
Joined: Tue Jan 08, 2013 6:14 pm
Location: Madrid, Spain
Full Name: José Ignacio Martín Jiménez
