Weird TLS error

MBATech173

Technical User
Dec 12, 2008
169
US
Customer with IP500 V2 on 8.1.95 is showing an alarm in SSA that reads "TLS Certificate not in certificate store". I've googled around and even looked in Avaya's knowledge base site but can't find anything addressing this specific error. This customer isn't using any SIP or H.323 phones. The system is functioning fine as well. I tried deleting the certificate in the Security settings and did a security default but it didn't do anything. Any ideas?


mbatech
 
So no one's ever seen this error before?


mbatech
 
Someone has to be first.

It could be from a SIP trunk using TLS as well, or if 5061 is open and someone tries to connect.
Or if you try to connect with Manager/SSA with secure connection, or you need to create a TLS certificate for IPO if it doesn't exist.
Error doesn't say much more than the cert is missing, either IPO is missing it or the party trying to connect is using a cert that isn't trusted.

"Trying is the first step to failure..." - Homer
 
How would I create a certificate for the IPO? I just looked in the Security settings and there isn't a certificate in there currently. I read that the IPO was supposed to generate one on its own. Is that true?



mbatech
 
Hit the Regenerate button under Security Settings -> System -> Certificates

"Trying is the first step to failure..." - Homer
 
Thanks for replying again. Maybe it's different for the version I'm working with but I'm not seeing a Regenerate button under that Security setting. I can add, delete or view what's currently in there. I can also import one but not regenerate. This system is using 8.1.95.


mbatech
 
8.1.95 is a bad release especially if you have SIP trunks. I use 8.1.85 for any R8.1 systems I encounter.
 
I believe in the security settings that there's a parameter to either use the same certificate for system access as for SIP or to use separate ones. If I had to guess, there might just be something on the network discovering SIP services, possibly via TLS, offering a certificate IPO doesn't know about, and causing that error.

Just a guess. Either way, it would appear that a TLS handshake for something failed. Voicemail to email on secure SMTP maybe? Anything else the IPO might talk to securely?

 
That's just it. This customer has a standard PRI for service, not a SIP trunk. No SIP extensions or H.323 extensions being used at all. Here's what the Monitor is showing:

511265838mS SSL VPN [AVAYA_SUPPORT]: Session state change [ResolveDomainName] -> [WaitingToStart]
511265839mS SSL VPN [AVAYA_SUPPORT]: Start session
511265839mS SSL VPN [AVAYA_SUPPORT]: Session state change [WaitingToStart] -> [Connecting]
511265839mS SSL VPN [AVAYA_SUPPORT]: Session connecting from 192.168.0.27:11402 to 135.11.82.20:443
511265909mS ERR: TLS:Certificate not in Certificate Store Src=0xc0a8001b:11402 Dst=0x870b5214:443
511266217mS RES: Wed 4/1/2017 09:45:56 FreeMem=56560560 55740024(2) CachedMem=820536 CMMsg=4(5) Buff=5200 1406 999 12404 5 Links=28700 BTree=0 CPU=2/6/3564/12583/15590/1
511266217mS RES2: IP 500 V2 8.1(95) Tasks=47 RTEngine=0 CMRTEngine=0 ExRTEngine=0 Timer=60 Poll=0 Ready=0 CMReady=0 CMQueue=0 VPNNQueue=0 Monitor=2 SSA=1 TCP=19 TAPI=0 ASC=1 SYS=MNTD OPT=UMNT SDSPD=2034
511266217mS RES4: XML MemObjs=77 PoolMem=2097152(1) FreeMem=2081680(1)
511270948mS SSL VPN [AVAYA_SUPPORT]: Network connection has been disconnected (failure: 1) - If this is unexpected, check your configuration or network connectivity to the SSL VPN server
511270948mS SSL VPN [AVAYA_SUPPORT]: Session state change [Connecting] -> [NeedsRestart]
511270949mS SSL VPN [AVAYA_SUPPORT]: End session
511270949mS SSL VPN [AVAYA_SUPPORT]: Session state change [NeedsRestart] -> [Idle]
511270949mS SSL VPN [AVAYA_SUPPORT]: Session state change [Idle] -> [WaitingToStart]
511270950mS SSL VPN [AVAYA_SUPPORT]: Restart session in 60 seconds
511271217mS RES: Wed 4/1/2017 09:46:01 FreeMem=56570416 55740024(2) CachedMem=830392 CMMsg=4(5) Buff=5200 1407 999 12404 5 Links=28702 BTree=0 CPU=1/4/3564/12630/15590/0
511271218mS RES2: IP 500 V2 8.1(95) Tasks=47 RTEngine=0 CMRTEngine=0 ExRTEngine=0 Timer=59 Poll=0 Ready=0 CMReady=0 CMQueue=0 VPNNQueue=0 Monitor=2 SSA=1 TCP=18 TAPI=0 ASC=1 SYS=MNTD OPT=UMNT SDSPD=2034
511271218mS RES4: XML MemObjs=77 PoolMem=2097152(1) FreeMem=2081680(1)


Is the "AVAYA_SUPPORT" some kind of default user setup?



mbatech
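
Added example (not part of the original thread or anyone's post): the ERR line in the trace above carries its endpoints as hex IPv4 addresses, and decoding them gives the same address and port pair as the SSL VPN "Session connecting" line just before it. The Python below does that correlation; the function names and the 5-second window are assumptions made for this example.

```python
import ipaddress
import re

# Lines copied from the Monitor trace in the post above.
TRACE = """\
511265839mS SSL VPN [AVAYA_SUPPORT]: Start session
511265839mS SSL VPN [AVAYA_SUPPORT]: Session connecting from 192.168.0.27:11402 to 135.11.82.20:443
511265909mS ERR: TLS:Certificate not in Certificate Store Src=0xc0a8001b:11402 Dst=0x870b5214:443
"""

CONNECT_RE = re.compile(
    r"^(\d+)mS SSL VPN \[([^\]]+)\]: Session connecting from "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) to (\d+\.\d+\.\d+\.\d+):(\d+)$")
TLS_ERR_RE = re.compile(
    r"^(\d+)mS ERR: TLS:(.+?) Src=0x([0-9a-fA-F]{8}):(\d+) "
    r"Dst=0x([0-9a-fA-F]{8}):(\d+)$")


def hex_to_ip(value):
    """Decode the 8-hex-digit address form, e.g. c0a8001b -> 192.168.0.27."""
    return str(ipaddress.IPv4Address(int(value, 16)))


def correlate(trace, window_ms=5000):
    """Return one record per TLS error, naming the service that opened the socket."""
    # window_ms (assumed value): how long after a connect line an error on
    # the same 4-tuple is still attributed to that session.
    sessions = {}   # (src_ip, src_port, dst_ip, dst_port) -> (timestamp, service)
    findings = []
    for line in trace.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:
            ts, service, sip, sport, dip, dport = m.groups()
            sessions[(sip, int(sport), dip, int(dport))] = (int(ts), service)
            continue
        m = TLS_ERR_RE.match(line.strip())
        if m:
            ts, reason, shex, sport, dhex, dport = m.groups()
            key = (hex_to_ip(shex), int(sport), hex_to_ip(dhex), int(dport))
            opened = sessions.get(key)
            matched = opened is not None and 0 <= int(ts) - opened[0] <= window_ms
            findings.append({"reason": reason, "src": f"{key[0]}:{key[1]}", "dst": f"{key[2]}:{key[3]}",
                             "service": opened[1] if matched else None})
    return findings


if __name__ == "__main__":
    print(correlate(TRACE))
```

A record whose service is None means no SSL VPN connect line matched the error's endpoints, so the handshake came from some other listener or client and needs a separate look.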
 
Oh yeah, that's the SSL VPN client in the IPO for remote support. If onboarded and registered properly - and I'm not explicitly familiar with the mechanics of the connection, but presumably a certificate would be generated by Avaya in that process that needs to be loaded in your IPO and that would permit Avaya to connect to your box for support.

So, I'd say it's safe to ignore unless you expected your IPOSS support with Avaya to allow them to connect to you.
 
HAZAA !! I found it !! There was an entry in the Service menu within the Manager that was set up with an SSL connection for Avaya, since that was their previous maintenance provider. I've deleted the entry and the TLS alarm is now gone. Thanks for all of your input.

mbatech
 