Symptoms

In /usr/local/avamar/var/mc/server_log/mcserver.log.0, there is an HTTP error code: 500 error caused by an SSL handshake failure: INFO: getAvamarMtree started 07/26-14:00:09.00126 [DdrCache_thread#93] com.avamar.mc.datadomain.DdrRestClient.getAvamarMtree INFO: getAvamarMtree use credential to login DD 07/26-14:00:09.00126 [DdrCache_thread#93] com.avamar.mc.datadomain.DdrRestClient.login INFO: login started 07/26-14:00:09.00155 [pool-8-thread-1#294] com.avamar.mc.util.MCException.logException WARNING: com.avamar.asn.service.ServiceException: Failed with HTTP error code : 500 additional information : Socket is closed The rest of the Java stack trace follows the log.

Cause

The issue is that there are no cipher suites shared between the Avamar and Data Domain. This can be confirmed by doing the following: 1. Check the current supported cipher suite list on the Data Domain: adminaccess option show cipher-list Example: ddboost@test_dd# adminaccess option show cipher-list Adminaccess option "cipher-list" set to "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256". 2. Compare that output to the list of cipher suites that Avamar is configured to support on client connections to Data Domain. grep ddr_rest_supported_cipher_suites /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml <entry key="ddr_rest_supported_cipher_suites" value="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA" /> The examples confirm that there are no cipher suites shared between the Avamar and Data Domain. The Data Domain output shows the cipher suites as OpenSSL names, whereas Avamar shows the cipher suites as IANA names.

Resolution

While these alerts have no impact on functionality, they continue to trigger every 30 minutes. This can be addressed by correcting the cipher suite mismatch between the Avamar and the Data Domain.Add these cipher suites, as shown below, to the "allowed list" in the Avamar mcserver configuration file: 1. Make a copy of mcserver.xml: cp -p /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml /usr/local/avamar/var/mc/server_data/prefs/x-mcserver.xml-pre-kb219622 2. Edit mcserver.xml: vi /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml 3. Add these cipher suites to the allowed list: TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Note: The allowed suites on the Data Domain may vary. Depending on the Data Domain configuration, the cipher suites that must be added may change. Note: Although the following website is not affiliated with Dell Technologies, it provides a convenient method for checking the OpenSSL and IANA names for a cipher suite.Example of searching for TLS_RSA_WITH_AES_256_GCM_SHA384: Cipher suite Info 4. Restart MCS and the backup scheduler per Avamar: How to restart Management Console Server (MCS) when done applying changes to mcserver.xml.

Support Cases