Cluster peer failures after encryption changes
Applies to
- ONTAP 9.11.1P8
- Encryption
- Cluster peering
Issue
- Cluster peering fails after updating the encryption cipher suites on one cluster in a cluster peer relationship.
- When cluster peer health show -bypass-cache true is run, the connection to the nodes is reported as:
cluster1::> cluster peer health show -bypass-cache true
Node       Cluster-Name                Node-Name
             Ping-Status               RDB-Health Cluster-Health  Availability
---------- --------------------------- ---------  --------------- ------------
c1node-01
           cluster2                    c2node-01
             Data: unreachable
             ICMP: interface_reachable true       true            false
                                       c2node-02
             Data: unreachable
             ICMP: interface_reachable true       true            false
c1node-02
           cluster2                    c2node-01
             Data: unreachable
             ICMP: interface_reachable true       true            false
                                       c2node-02
             Data: unreachable
             ICMP: interface_reachable true       true            false
4 entries were displayed.
- After adding the required cipher suite to both clusters, the failure persists.
- KTLS handshake alerts can be seen:
ktls.cnxnHandshakeLimit: ONTAP reached the maximum limit of 170 concurrent TLS connection handshakes
[cluster: ktlsd: ktls.failed:notice]: "The TLS connections have failed several times with remote host 'xx.xx.xx.xxx' in IPspace 'xxxxxxx',
for which the latest reason given is: OpenSSL: error:0A000102:SSL routines::unsupported protocol."
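
A triage sketch for the ktls EMS messages quoted above, added here as an example and not NetApp code: it groups ktls.failed events by remote host, IPspace and decoded OpenSSL error, and reports the handshake-limit alert. The sample log text is constructed (placeholder addresses and IPspace name), the function name `triage` is hypothetical, and the error-code split assumes the OpenSSL 3.x packing (library number above bit 23, reason in the low 23 bits).

```python
import re
from collections import Counter

# Constructed sample in the shape of the EMS messages quoted above.
# Addresses and the IPspace name are placeholders, not real values.
SAMPLE_EMS = """\
ktls.cnxnHandshakeLimit: ONTAP reached the maximum limit of 170 concurrent TLS connection handshakes
[cluster1: ktlsd: ktls.failed:notice]: "The TLS connections have failed several times with remote host '192.0.2.10' in IPspace 'Default',
for which the latest reason given is: OpenSSL: error:0A000102:SSL routines::unsupported protocol."
[cluster1: ktlsd: ktls.failed:notice]: "The TLS connections have failed several times with remote host '192.0.2.11' in IPspace 'Default',
for which the latest reason given is: OpenSSL: error:0A000102:SSL routines::unsupported protocol."
"""

# OpenSSL error strings read error:<hex code>:<library>:<function>:<reason>.
FAILED_RE = re.compile(
    r"ktls\.failed:\w+\]:\s*\"The TLS connections have failed several times "
    r"with remote host '(?P<host>[^']+)' in IPspace '(?P<ipspace>[^']+)',\s*"
    r"for which the latest reason given is:\s*OpenSSL:\s*"
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^\"]+?)\.?\""
)
LIMIT_RE = re.compile(
    r"ktls\.cnxnHandshakeLimit:.*?maximum limit of (\d+) concurrent TLS"
)


def triage(ems_text):
    """Summarise ktls.failed events and the handshake-limit alert."""
    # Messages may be wrapped across lines; collapse whitespace first.
    text = " ".join(ems_text.split())
    failures = Counter()
    for m in FAILED_RE.finditer(text):
        code = int(m["code"], 16)
        lib_num = (code >> 23) & 0xFF   # assumption: OpenSSL 3.x packing
        reason_num = code & 0x7FFFFF    # assumption: OpenSSL 3.x packing
        key = (m["host"], m["ipspace"], lib_num, reason_num,
               m["reason"].strip())
        failures[key] += 1
    limit = LIMIT_RE.search(text)
    return {
        "failures": failures,
        "handshake_limit": int(limit.group(1)) if limit else None,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EMS)
    print("handshake limit reported:", result["handshake_limit"])
    for (host, ipspace, lib, reason, text), n in result["failures"].items():
        print(f"{host} ({ipspace}): lib={lib} reason={reason} '{text}' x{n}")
```

Grouping by host and reason shows whether every intercluster peer fails with the same OpenSSL error or only some of them do.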