ESRS 3.06 esrshttpdlistener keeps stopping

Have the same issue with 3.04

Same issue with 3.04, anyone got any ideas?

Does Network Check show all tests passing?  It sounds like the customer is blocking traffic to EMC.  Ask if they are using any web monitoring tools like Websense or performing any SSL checking, SSL inspections, etc.  If all that doesn't turn up anything, ask them to sniff the network while you test the connection to EMC; they should see where the failure is.

ESRSVE is not connected to EMC.

There is no proxy, and can telnet to esrs-core.emc.com 443

The xgate logs show:

08-08-2015 06:11:04.196 ERROR-- xgEnterpriseProxy: Web Client (https://esrs-core.emc.com/eMessage): Connection reset by peer

08-08-2015 06:11:04.196 INFO xgEnterpriseProxy: Previous Connection Settings unreachable. Attempting alternate connection. Please verify below settings

08-08-2015 06:11:04.196 INFO xgEnterpriseProxy: No HTTP proxy server used

08-08-2015 06:11:04.196 INFO xgEnterpriseProxy: No SOCKS proxy server used

08-08-2015 06:12:00.451 ERROR-- xgEnterpriseProxy: Web Client

I’m thinking of re-deploying the GW as a last resort.

Ok Our Network team found a problem on the firewall, There were some packets being dropped from the ESRS gateway to esrs-core.emc.com, so they have added the IP address 128.221.192.14 to the allow rule on the firewall and ESRS gateway now connects and all core services stay up.

HTH

Network checks pass. There is no proxy in use, and the customer stated they do not sue SSL checking.

A network trace from the ESRSVE server shows SSL Handshake failures. But, the certificate exchange from the ESRSVE looks valid.

No. Time Source Destination Protocol Length Info

206 22.882199 10.170.0.104 128.221.192.14 TLSv1 1157 Certificate

Certificates (1878 bytes)

Certificate Length: 1032

Certificate (id-at-commonName=WINSTON AND STRAWN_2KTF5DR9CNMD05,id-at-organizationalUnitName=esrs,id-at-organizationName=emc.com,id-at-localityName=webo,id-at-stateOrProvinceName=ma,id-at-countryName=us,id-at-serialNumber=2KTF5DR9CNMD05,id

signedCertificate

algorithmIdentifier (shaWithRSAEncryption)

Padding: 0

encrypted: 39ce4ecfa1df2329f256e9aa4192398ba478d6b7301cde69...

Certificate Length: 840

Certificate (id-at-commonName=ESRS2CA,id-at-organizationalUnitName=Global Security Organization,id-at-organizationName=EMC Corporation,id-at-countryName=US)

signedCertificate

algorithmIdentifier (shaWithRSAEncryption)

Padding: 0

encrypted: 5b429fff867f7431f45764843157bee2d7a34bf6934d86c2...

Just came across this: You can see there are two certificates in the exchange. One called ESRS2CA, that is from the EMC root CA dedicated to ESRS and expected by the client. Also there is a certificate with the name WINSTON_AND_STRAWN_2KTF5DR9CNMD05. This is probably injected by a firewall or proxy appliance that is performing SSL checking. My guess is that the last part is the serial number of the appliance. The ESRS client detects the additional (or a replaced) certificate as a man-in-the-middle attack and rejects the communication. As documented in the Operations Guide, any variant of SSL checking, DPI, SSL proxying etc will prevent ESRS from working

hi WLee,

  what's the solution for this issue? i have this problem with ESRS VE 3.10, the httpdlistener could not start.

The solution depends on the cause. There are two common causes that I know of:

- ESRS VE not connected to the EMC enterprise servers. The underlying connection issue needs to be resolved. Check on the Dashboard in the GUI if ESRS VE is connected, there should be an indicator in the top right corner of the GUI

- duplicate lines in the /etc/hosts file. If you have two lines containing the same IP and the hostname, the listener will not start. Remove one of the lines and try to start the service if this is the case

If it is none of these you will need to open a SR and get ESRS support or a SME from the FSS community involved.

Regards

Frank

hi FrankMS,

   thanks a lot, the issue was solved by deleted the duplicated lines in the /etc/hosts, wonderful!

Check DNS setting using the command YaST2, valid dns server need to resolve esrs server names. This worked for me.

this thread helped me today, I updated to 3.42.10.06 yesterday and on reboot the service esrshttpdlistener would run intermittently - I commented out two lines referring to the host name but with a local address rather than the actual address and rebooted and esrshttpdlistener was no longer throwing any issues.