Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

SHClustering SSLv3 Errors

ekenne06
Path Finder
‎08-14-2019 11:58 AM

Hey guys,

Been troubleshooting my distributed searching for the last two days. My environment:

Primary facility:
Cluster Master
deployment server
2 Search Heads
2 indexers

Secondary:
2 Search Heads ( captain is here for testing)
2 indexers

the 2 search headers in Primary can't reach the captain and splunkd.log is showing the following:

WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSL negotiation finished successfully', alert_description='bad record mac'.
08-14-2019 18:04:48.986 +0000 ERROR HttpClientRequest - HTTP client error=error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac while accessing server=https://:8089 for request=https://:8089/services/shcluster/captain/members.

On the cluster master i'm seeing the following:
(obfuscating the IPs)
Bundle Replication: Problem replicating config (bundle) to search peer ' secondary indexer 1 ', Unknown write error
Bundle Replication: Problem replicating config (bundle) to search peer ' secondary indexer 2 ', Unknown write error

so it seems to me that what ever Master ( search or clustermaster) in either site, can't talk to devices in the other site.

few thoughts:
There is a F5 in between
other is it's going over a WAN and latency is effecting it.

Anyone have ideas?

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎08-14-2019 02:22 PM

This alert is returned if a record is received with an incorrect MAC. This alert also MUST be returned if an alert is sent because a TLSCiphertext decrypted in an invalid way: either it wasn't an even multiple of the block length, or its padding values, when checked, weren't correct.

Possible causes:
SNAT isn't enabled
F5 is unloading ssl and rebaking with F5's cert
Wrong ciphers in use on both ends

Check server.conf [ssl] & [shclustering] stanzas on each search head.

Also you mentioned one search head is captain. Are you running static captain? If so that's only supported for when you're recovering a failed cluster.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-14-2019 12:13 PM

You have an F5 between sites? Why?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ekenne06
Path Finder
‎08-14-2019 12:16 PM

this is because this is two separate subnets. We use the F5 as a gateway to route the traffic

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...