Cluster peer failures after encryption changes
Applies to
- ONTAP 9.11.1P8
- Encryption
- Cluster peering
Issue
- Cluster peering fails after updating the encryption cipher suites on one cluster in a cluster peer relationship.
- When cluster peer health show -bypass-cache true is run, the connection to the nodes is shown as:
cluster1::> cluster peer health show -bypass-cache true
Node       Cluster-Name                Node-Name
             Ping-Status               RDB-Health Cluster-Health Availability
---------- --------------------------- --------- --------------- ------------
c1node-01  cluster2                    c2node-01
             Data: unreachable
             ICMP: interface_reachable true       true           false
                                       c2node-02
             Data: unreachable
             ICMP: interface_reachable true       true           false
c1node-02  cluster2                    c2node-01
             Data: unreachable
             ICMP: interface_reachable true       true           false
                                       c2node-02
             Data: unreachable
             ICMP: interface_reachable true       true           false
4 entries were displayed.
- After adding the required cipher suite to both clusters, the failure persists.
- KTLS handshake alerts can be seen:
ktls.cnxnHandshakeLimit: ONTAP reached the maximum limit of 170 concurrent TLS connection handshakes
[cluster: ktlsd: ktls.failed:notice]: "The TLS connections have failed several times with remote host 'xx.xx.xx.xxx' in IPspace 'xxxxxxx',
for which the latest reason given is: OpenSSL: error:0A000102:SSL routines::unsupported protocol."
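
A triage helper for the symptoms above, added here as an example (it is not NetApp code). It parses saved cluster peer health show output, flags peers that answer ICMP but report Data: unreachable, and extracts the OpenSSL reason from ktls.failed text. The function names are hypothetical, and the parser assumes the column order shown on this page.

```python
import re

# Constructed input: CLI output and EMS text taken from the page above.
HEALTH = """\
cluster1::> cluster peer health show -bypass-cache true
Node Cluster-Name Node-Name
Ping-Status RDB-Health Cluster-Health Availability
---------- --------------------------- --------- --------------- ------------
c1node-01 cluster2 c2node-01
Data: unreachable
ICMP: interface_reachable true true false
c2node-02
Data: unreachable
ICMP: interface_reachable true true false
c1node-02 cluster2 c2node-01
Data: unreachable
ICMP: interface_reachable true true false
c2node-02
Data: unreachable
ICMP: interface_reachable true true false
4 entries were displayed.
"""
EMS = """\
[cluster: ktlsd: ktls.failed:notice]: "The TLS connections have failed several times with remote host 'xx.xx.xx.xxx' in IPspace 'xxxxxxx',
for which the latest reason given is: OpenSSL: error:0A000102:SSL routines::unsupported protocol."
"""

def parse_peer_health(text):
    """One dict per local-node/peer-node pair (layout as shown on the page)."""
    rows, local, cluster, peer, data = [], None, None, None, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["Data:"] and len(tok) > 1:
            data = tok[1]
        elif tok[:1] == ["ICMP:"] and len(tok) == 5:
            rows.append(dict(local=local, cluster=cluster, peer=peer, data=data, icmp=tok[1]))
        elif len(tok) == 3 and tok[0] != "Node":  # local node, peer cluster, peer node
            local, cluster, peer = tok
        elif len(tok) == 1:                       # further peer node, same local node
            peer = tok[0]
    return rows

def data_path_failures(rows):
    """Peers that answer ICMP but report Data: unreachable (the pattern above)."""
    ok = "interface_reachable"
    return [r for r in rows if r["icmp"] == ok and r["data"] != ok]

def openssl_reasons(ems):
    """(code, library, reason) for each OpenSSL error string in EMS text."""
    return re.findall(r"OpenSSL: error:([0-9A-Fa-f]{8}):([^:]+)::([^.\"\n]+)", ems)
```
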
