https://community.splunk.com/t5/Deployment-Architecture/SHClustering-SSLv3-Errors/m-p/450747#M24139 <P>This alert is returned if a record is received with an incorrect MAC. This alert also MUST be returned if an alert is sent because a TLSCiphertext decrypted in an invalid way: either it wasn't an even multiple of the block length, or its padding values, when checked, weren't correct.</P> <P>Possible causes: <BR /> SNAT isn't enabled <BR /> F5 is unloading ssl and rebaking with F5's cert<BR /> Wrong ciphers in use on both ends</P> <P>Check server.conf [ssl] &amp; [shclustering] stanzas on each search head.</P> <P>Also you mentioned one search head is captain. Are you running static captain? If so that's only supported for when you're recovering a failed cluster.</P> Wed, 14 Aug 2019 21:22:30 GMT jkat54 2019-08-14T21:22:30Z https://community.splunk.com/t5/Deployment-Architecture/SHClustering-SSLv3-Errors/m-p/450744#M24136 <P>Hey guys,</P> <P>Been troubleshooting my distributed searching for the last two days. My environment:</P> <P>Primary facility:<BR /> Cluster Master<BR /> deployment server<BR /> 2 Search Heads<BR /> 2 indexers</P> <P>Secondary:<BR /> 2 Search Heads ( captain is here for testing)<BR /> 2 indexers</P> <P>the 2 search headers in Primary can't reach the captain and splunkd.log is showing the following:</P> <P>WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSL negotiation finished successfully', alert_description='bad record mac'.<BR /> 08-14-2019 18:04:48.986 +0000 ERROR HttpClientRequest - HTTP client error=error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac while accessing server=https://:8089 for request=https://:8089/services/shcluster/captain/members.</P> <P>On the cluster master i'm seeing the following:<BR /> (obfuscating the IPs)<BR /> Bundle Replication: Problem replicating config (bundle) to search peer ' secondary indexer 1 ', Unknown write error<BR /> Bundle Replication: Problem replicating config (bundle) to search peer ' secondary indexer 2 ', Unknown write error</P> <P>so it seems to me that what ever Master ( search or clustermaster) in either site, can't talk to devices in the other site. </P> <P>few thoughts:<BR /> There is a F5 in between<BR /> other is it's going over a WAN and latency is effecting it.</P> <P>Anyone have ideas?</P> Wed, 30 Sep 2020 01:46:23 GMT https://community.splunk.com/t5/Deployment-Architecture/SHClustering-SSLv3-Errors/m-p/450744#M24136 ekenne06 2020-09-30T01:46:23Z https://community.splunk.com/t5/Deployment-Architecture/SHClustering-SSLv3-Errors/m-p/450745#M24137 <P>You have an F5 between sites? Why?</P> Wed, 14 Aug 2019 19:13:41 GMT https://community.splunk.com/t5/Deployment-Architecture/SHClustering-SSLv3-Errors/m-p/450745#M24137 richgalloway 2019-08-14T19:13:41Z https://community.splunk.com/t5/Deployment-Architecture/SHClustering-SSLv3-Errors/m-p/450746#M24138 <P>this is because this is two separate subnets. We use the F5 as a gateway to route the traffic</P> Wed, 14 Aug 2019 19:16:59 GMT https://community.splunk.com/t5/Deployment-Architecture/SHClustering-SSLv3-Errors/m-p/450746#M24138 ekenne06 2019-08-14T19:16:59Z https://community.splunk.com/t5/Deployment-Architecture/SHClustering-SSLv3-Errors/m-p/450747#M24139 <P>This alert is returned if a record is received with an incorrect MAC. This alert also MUST be returned if an alert is sent because a TLSCiphertext decrypted in an invalid way: either it wasn't an even multiple of the block length, or its padding values, when checked, weren't correct.</P> <P>Possible causes: <BR /> SNAT isn't enabled <BR /> F5 is unloading ssl and rebaking with F5's cert<BR /> Wrong ciphers in use on both ends</P> <P>Check server.conf [ssl] &amp; [shclustering] stanzas on each search head.</P> <P>Also you mentioned one search head is captain. Are you running static captain? If so that's only supported for when you're recovering a failed cluster.</P> Wed, 14 Aug 2019 21:22:30 GMT https://community.splunk.com/t5/Deployment-Architecture/SHClustering-SSLv3-Errors/m-p/450747#M24139 jkat54 2019-08-14T21:22:30Z