Asma Alfayyad, posted June 3 (edited): Hello all, I have a Workspace ONE UEM environment with WS1 Access. The environment contains one server for each component (UEM/DS/Access/UAG-Tunnel...). I need to put the DS server behind the Avi NSX Advanced Load Balancer just for the WAF feature (DS and AWCM are on the same server). I tried to follow the steps in the document below, but it did not work for me. https://avinetworks.com/docs/latest/load-balancing-workspace-one-uem-with-fewer-vips/ I need any help to troubleshoot this issue.
Sascha Warno (Employee), posted June 3 (edited): The error is an SSL error. Did you import the internal server certificate or the certificate authority certificate? Import the certificate under Security. https://avinetworks.com/docs/latest/ssl-certificates/
Asma Alfayyad, posted June 3 (edited): Thanks for your reply. Actually, I use the same certificate as the backend server, but this is not the reason.
Sascha Warno (Employee), posted June 3: Did you add the pool server with a hostname or just an IP address? If just an IP address, did you add it with the option to resolve by IP address, and is internal DNS working? Also, if you say you use the same cert internally as well, does it have the internal server names as SANs? If not, add Host to your health check: /deviceservices/awhealth/v1 Host: ds.server.com
Asma Alfayyad, posted June 3: I also tried to create DS on a separate VIP based on the document below, but with the same issue. https://avinetworks.com/docs/latest/load-balancing-workspace-one-uem-with-avi-vantage/#load-balancing-workspace-one-uem-device-services I tried to change the health monitor to System-TCP; the VIP and pool come up, but the VIP is not pingable and I get an error on the screen as below:
Asma Alfayyad, posted June 3: I use the server IP. The server certificate is a wildcard (*), so I added the Host as you mentioned (/deviceservices/awhealth/v1 Host: ds.server.com), but unfortunately it is the same.
Sascha Warno (Employee), posted June 3: Did you try to run the test manually from a Service Engine? https://avinetworks.com/docs/latest/manually-validate-server-health/ Connect to one and run the curl command from there (the last command on that page). Try curl with the -v option against the DS server using the IP address: use https://ipfromyourconfig:443
Asma Alfayyad, posted June 3: Thanks, Sascha, for trying to help me. I will test this tomorrow on-site and give you feedback.
Asma Alfayyad, posted June 4 (edited): Hello Sascha, I tried to curl from the SE to the DS server and the VIP, and the result is as below:
Andreano Lanusse (Employee), posted June 4: @Asma Alfayyad make sure you assigned the UEM certificate to the virtual service. Under the virtual service configuration, check the SSL Certificate field; you need to assign the UEM certificate.
Asma Alfayyad, posted June 4 (edited): Hello Andreano, actually I added the Device Services server certificate, not the UEM server certificate, to the VIP. Why should I add the UEM certificate and not the DS certificate to the VIP? @Andreano Lanusse
Andreano Lanusse (Employee), posted June 4: It's the DS certificate. Are you using a wildcard cert?
Asma Alfayyad, posted June 4: Yes, I am using a wildcard cert. @Andreano Lanusse
Asma Alfayyad, posted June 5: @Andreano Lanusse @Sascha Warno On the DS server I found the error below:
Sascha Warno (Employee), posted June 5, quoting Asma Alfayyad (23 hours ago): "Hello Sascha, I tried to curl from the SE to the DS server and the VIP, and the result is as below:" Did you also check with the server name? And if using the IP, use curl https://IPaddress:443 -H "Host: dsservername"
Sascha Warno (Employee), posted June 5, quoting Asma Alfayyad (16 minutes ago): "@Andreano Lanusse @Sascha Warno On the DS server I found the error below:" Are you using the default System-Standard SSL profile for the pool?
Asma Alfayyad, posted June 5, quoting Sascha Warno (3 minutes ago): "Are you using the default System-Standard SSL profile for the pool?" Yes, I use the default.
Asma Alfayyad, posted June 5, quoting Sascha Warno (14 minutes ago): "Did you also check with the server name? And if using the IP, use curl https://IPaddress:443 -H "Host: dsservername"" The same error appeared.
Asma Alfayyad, posted June 5 (marked as Solution), quoting Asma Alfayyad (14 minutes ago): "Yes, I use the default." Thank you so much @Sascha Warno. I changed the system default SSL profile and added some ciphers, and then the issue was finally solved. Thank you so much.
Sascha Warno (Employee), posted June 5, quoting Asma Alfayyad (just now): "The same error appeared." Okay, curl behaves differently than the settings. You would need to use curl --resolve example.com:443:192.168.1.100 https://example.com; that would be the same as GET /airwatch/awhealth/v1 Host: example.com
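The manual check Sascha describes, as an added example script that is not from the thread or from Avi: it builds the curl probe the way the health monitor talks to a pool member (member IP, with the DS hostname as SNI and Host header) and maps curl's exit code to the layer that failed, so a cipher mismatch like the one solved above shows up as a TLS handshake failure instead of a generic error. The hostname ds.example.com, the IP 192.0.2.10 and the default health path are assumed values for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Avi): reproduce the health
# monitor's request from a Service Engine with curl and classify the result.
# Assumptions: the DS pool member answers HTTPS on 443 and the monitor path is
# /deviceservices/awhealth/v1 with the DS hostname as the Host header.

# Build the curl command the way the health monitor reaches the pool member:
# connect to the member IP, but present the DS hostname as SNI and Host header.
build_health_probe() {
  host="$1"; ip="$2"; path="${3:-/deviceservices/awhealth/v1}"
  printf 'curl -sS -f -o /dev/null -v --connect-timeout 5 --resolve %s:443:%s https://%s%s' \
    "$host" "$ip" "$host" "$path"
}

# Translate curl's exit code into the layer that failed (exit codes per curl(1)).
classify_curl_exit() {
  case "$1" in
    0)     echo "ok: TLS handshake and HTTP 2xx/3xx from health path" ;;
    6)     echo "dns: hostname not resolvable (use --resolve or fix DNS on the SE)" ;;
    7)     echo "tcp: connection refused or filtered; check pool port and firewall" ;;
    28)    echo "timeout: no answer; check routing from SE to pool member" ;;
    35)    echo "tls: handshake failed; likely no cipher/protocol overlap with the SSL profile" ;;
    51|60) echo "cert: certificate not trusted or SAN mismatch for the Host name" ;;
    22)    echo "http: server answered but returned 4xx/5xx on the health path" ;;
    *)     echo "unknown: curl exit $1" ;;
  esac
}

# Run the probe when invoked with a hostname and IP, e.g.
#   sh probe.sh ds.example.com 192.0.2.10
if [ "$#" -ge 2 ]; then
  cmd=$(build_health_probe "$1" "$2" "$3")
  echo "+ $cmd"
  sh -c "$cmd" && rc=0 || rc=$?
  classify_curl_exit "$rc"
fi
```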
Asma Alfayyad, posted June 6: Hello @Sascha Warno, I face the same error when I try to publish WS1 Access on Avi. I tried to check the SSL profile, but unfortunately I can't solve it. I found the logs below on the WS1 Access server. Can you help with that?
Sascha Warno (Employee), posted June 6: Did you follow this guidance? https://avinetworks.com/docs/latest/load-balancing-ws1-access-with-nsx-alb/ I cannot really relate the error in your screenshot to it, as this seems to be the sshd process and on high port numbers. Is the health monitoring failing, or is it failing in general? You can do a packet capture of the traffic and check it in Wireshark.
Asma Alfayyad, posted June 6: Thanks @Sascha Warno. I will continue working on it on Monday and will get back to you with the result.
Asma Alfayyad, posted June 10: Hello @Sascha Warno, yes, I followed the document, and I did the packet capture for the VS; the result is as below: .54 is WS1 Access, .65/.66 are the Service Engines for Avi.
Sascha Warno (Employee), posted June 10: @Asma Alfayyad do you have the show pool info? I can't really see much from the capture without looking into the requests themselves. It looks like the handshake is finished, though.