
SSL handshake error with Splunk integration for Citrix Analytics


PABLO VENTURINI

Question

I have followed the directions to enable Data Export for Splunk in Citrix Analytics. I also installed and configured the Splunk add-in. However, I am not getting any data in Splunk as of yet. I have verified there is no issue with firewall rules, as I can telnet to the hosts on port 9094 from the Splunk server. The Splunk internal logs are showing an SSL handshake error, as shown below. Can anybody help with resolving this issue?


message from "python /opt/splunk/etc/apps/TA_CTXS_AS/bin/cas_siem_consumer.py" %3|1554996636.071|ERROR|cas.siem.b380b033-cefa-4c1b-acb3-5055ac8d5758#consumer-1| [thrd:sasl_ssl://casnbkafka-broker-1.eastus2.cloudapp.azure.com:9094/]: sasl_ssl://casnbkafka-broker-1.eastus2.cloudapp.azure.com:9094/bootstrap: SSL handshake failed: SSL transport error: Connection reset by peer (after 29ms in state CONNECT


5 answers to this question


After debugging this issue with our customer, the root cause was related to firewall settings. In case you run into a similar issue, please check your firewall settings for blocked ports or deep packet inspection enabled on port 9094 outbound to the hosts provided within the Citrix Analytics Splunk configuration process: https://docs.citrix.com/en-us/citrix-analytics/splunk-integration.html#get-configuration-on-citrix-analytics


For further testing you can run the following command:


$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect casnbkafka-broker-0.eastus2.cloudapp.azure.com:9094 -tls1 -CAfile $SPLUNK_HOME/etc/apps/TA_CTXS_AS/bin/certificate.pem -status -debug <<< "Q"


If the response looks like this, it is most likely related to the firewall issue mentioned above:

...
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1558536628
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

-T


Hi,


You find all details within the splunkd.log logfile. If the error message stays the same after enabling debug mode and nothing else related to the cas_siem_consumer.py script was added to the logs, this would also be helpful information for us to proceed with further debugging.


Would you mind sharing the OS and version you have Splunk installed on, and the Splunk version you have installed the SIEM app on?


- T
