EX SSL-VPN: Connect tunnel and On Demand tunnel agents fail to establish proper connection after u
03/26/2020 3 13350
DESCRIPTION: EX SSL-VPN: Connect tunnel and On Demand tunnel agents fail to establish a proper connection after upgrading to 10.6.4 firmware
After upgrading the firmware to 10.6.4 (or even 10.7.0), previously working Connect tunnel and On Demand tunnel connections might fail with the following ngutil log entries. The Connect tunnel client fails to download the Realm information from the appliance, and the Workplace-based On Demand Tunnel fails with agent activation errors.
SslNegotiate: Starting SSL negotiation with [vpn.aventail.lab].
SslNegotiate: Sending  bytes.
SslNegotiate: Recieved  bytes.
SslNegotiate: Recieved  bytes.
SslNegotiate: Assembled  bytes to process.
LPRPCTransportSSPI::Connect() FAILED Ras 0x00000001 No logon server was detected on the appliance. [vpn.aventail.lab]
Set tunnel state from SslNegotiate to Closed
From 10.6.4 onwards, the Connect tunnel client first attempts a TLS 1.2 based connection. For TLS 1.2 based connections to work, the server-side certificate needs to be set up with a signature algorithm of at least SHA1. The client platform will abort any connection to a server that has a weak MD5 hash algorithm anywhere in the server certificate chain. We believe that some existing customer deployments might use MD5-signed certificates in their Workplace configuration, and this will affect CT/ODT connections (resulting in the ngutil log errors above).
This scenario can also be simulated for browser-based Workplace access using Internet Explorer: enable TLS 1.2 in the IE settings and uncheck the TLS 1.0 and TLS 1.1 options. You will notice that IE fails to open a Workplace page configured with an MD5 (*) algorithm certificate.
To resolve the issue, we recommend that customers replace their server certificate with one that uses a stronger signature algorithm (>SHA-1).
For more details, please refer to the following Microsoft link: "http://blogs.msdn.com/b/ieinternals/archive/2011/03/25/misbehaving-https-servers-impair-tls-1.1-and-tls-1.2.aspx".
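As an added example (not part of this article or the appliance's own tooling), the following Python script pulls the signatureAlgorithm OID out of a DER-encoded X.509 certificate with a minimal DER reader, so an administrator can confirm whether a certificate is MD5- or SHA-1-signed before or after replacing it. The OID table and the certificate-shaped sample bytes are constructed assumptions; check_pem takes the PEM string that ssl.get_server_certificate() returns for a live host.

```python
import ssl
# Signature-algorithm OIDs this check recognises (a table assumed here, not from the article).
SIG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),     # rejected by TLS 1.2 clients
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),    # below the recommended >SHA-1
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}

def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode base-128 OID content into dotted form (first byte packs the first two arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Returns (name or raw OID, is_weak); is_weak is None for an OID not in SIG_OIDS."""
    tag, body, _ = der_tlv(der_cert)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = der_tlv(body)            # skip tbsCertificate
    _, alg, _ = der_tlv(body, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, parameters }
    _, oid_bytes, _ = der_tlv(alg)
    oid = decode_oid(oid_bytes)
    return SIG_OIDS.get(oid, (oid, None))

def check_pem(pem_text):
    """Same check on a PEM certificate, e.g. the string ssl.get_server_certificate() returns."""
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem_text))

def tlv(tag, content):
    """Short-form DER TLV encoder, used only to build the constructed samples below."""
    return bytes([tag, len(content)]) + content

def sample_cert(sig_oid_hex):
    """Constructed, certificate-shaped DER (placeholder tbsCertificate) with the given signature OID."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL parameters
    return tlv(0x30, tlv(0x30, b"\x02\x01\x02") + alg + tlv(0x03, b"\x00" + b"\xab" * 8))

MD5_SAMPLE = sample_cert("2a864886f70d010104")     # md5WithRSAEncryption
SHA256_SAMPLE = sample_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

Run it against every certificate in the chain (the appliance certificate and any intermediates), since the failure described above is triggered by an MD5 signature anywhere in the chain, not only on the leaf.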