topic Re: Can't connect Splunk SOAR to Splunk Enterprise Security in Splunk SOAR

Can't connect Splunk SOAR to Splunk Enterprise Security

Alan_Chan — Tue, 24 Jun 2025 16:36:26 GMT

I am using Enterprise 9.3.2, ES 8.1.0, and SOAR 6.4.1 to test the pairing function. Both devices are on-premises and in the same subnet, with no network issues between them. However, when I try to use the pairing function in ES, the following error message appears:
"Cannot connect to SOAR. Check that the ES IP address is included on the SOAR stack allow list."

When I check the internal log, it shows the following error:
"Unexpected error when attempting pairing: HTTPSConnectionPool(host='xxx.xxx.xxx.xxx', port=8443): Max retries exceeded with URL: /rest/version (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1143)')))".

Does anyone have any ideas on how to resolve this?

Re: Can't connect Splunk SOAR to Splunk Enterprise Security

VatsalJagani — Wed, 25 Jun 2025 09:31:44 GMT

@Alan_Chan - Are you sure your Splunk port is 8443??

Re: Can't connect Splunk SOAR to Splunk Enterprise Security

Alan_Chan — Thu, 26 Jun 2025 01:27:07 GMT

Splunk ES using 8000 port while SOAR using 8443 port

Re: Can't connect Splunk SOAR to Splunk Enterprise Security

PrewinThomas — Thu, 26 Jun 2025 05:16:03 GMT

@Alan_Chan

Is your ES IP added to your SOAR allow list?
Check connection before pairing - Confirm that Enterprise Security can initiate a TCP connection for REST calls to the SOAR port
Also error highlights SSL handshake failure-Are you using self signed or valid CA certificate in the SOAR?
Also note that, Splunk Enterprise Security requires a valid SSL certificate to communicate with Splunk SOAR

Ref:#https://help.splunk.com/en/splunk-enterprise-security-8/administer/8.0/configuration-and-settings/pair-splunk-enterprise-security-with-splunk-soar

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: Can't connect Splunk SOAR to Splunk Enterprise Security

VatsalJagani — Thu, 26 Jun 2025 09:03:53 GMT

@Alan_Chan - Here is what got to understand:

* You are using SOAR on 8443 port.

* You are trying to connect SOAR from Splunk ES as per this - https://help.splunk.com/en/splunk-soar/soar-on-premises/administer-soar-on-premises/6.4.1/introduction-to-splunk-soar-on-premises/pair-splunk-soar-on-premises-with-splunk-enterprise-security-on-premises

If this is the case and if:

* you are entering the IP & credentials correct

* and there is no connectivity issue.

Then it is most likely SSL certificate validation issue. And your error also suggests the same thing.

You can follow the document to fix it - https://help.splunk.com/en/splunk-soar/soar-on-premises/administer-soar-on-premises/6.4.1/manage-splunk-soar-on-premises-certificate-store/update-or-renew-ssl-certificates-for-nginx-rabbitmq-or-consul#f311597b_e8dd_40f2_9844_a62f90ffc64c__Updating_the_SSL_certificates

* Please kindly understand SSL certificates well before you apply this on Production to avoid any issues.

I hope this helps!!! Kindly upvote if it does!!!

Re: Can't connect Splunk SOAR to Splunk Enterprise Security

simo1 — Wed, 24 Sep 2025 08:03:31 GMT

Hello @Alan_Chan , did you resolved problem? I have same problem, tried to disable https verification but still have sslv3 alert handshake failure