Management API doesn't recognize Diffie Hellman Gr...

BoldRenewable · ‎2022-01-14

Hi all.

Autoprovision/CME for my new AWS scaleset has been failing resulting in a total inability to provision new instances. For whatever reason immediately after installing the restrictive policy, provisioning decides it wants to reset the instance and part of that seems to be deleting the object. A portion of that deletion attempt involves iterating over VPN communities to make sure the gateway is not mentioned and that activity is causing a stack trace.

cme.log gives me an incident number that when examined in api.elg shows the "show-vpn-communities-star" command is returning an invalid reply for "DH-Group".

I checked my communities using show-vpn-community-star and every community where I have group 24 for Phase 1 causes the API to fail to print output due to our ever popular friend "generic internal error":

[Expert@Management:0]# !121
mgmt_cli show vpn-community-star name "TestCommunity" -s id.txt
code: "generic_internal_error"
message: "Internal error. For more info search for incident [e9ce7b8c-a916-467f-963a-b81a1cd490db] in log file"

Trying to change the Diffie Hellman group to 24 via mgmt_cli fails telling me it isn't a valid parameter:

[Expert@Management:0]# mgmt_cli set vpn-community-star name "TestCommunity" ike-phase-1.diffie-hellman-group "group-24" -s id.txt
code: "generic_err_invalid_parameter"
message: "Invalid parameter for [diffie-hellman-group]. The invalid value [group-24] should be replaced by one of the following values: [group-1, group-2, group-5, group-14, group-19, group-20]"

Checking API reference version 1.8 doesn't mention group 24 as an option either.

Well, it's certainly an option in SmartConsole.
Changing the DH to one of the mentioned groups allows the command to succeed. However I have many, many communities using group 24 and having to change all of them and coordinate with the 3rd party vendors is asking for ulcers.

I don't know why the autoprovision process is deciding to reset/delete the instance immediately after installing the restrictive policy, but its led me here in my troubleshooting so I need to get around it.

Thoughts?

BoldRenewable · ‎2022-01-18

Hi all.

Dug around some more, posting this for any future folks who might get this error.

Looks like group 24 is not a default DH group that SmartConsole will let you use. You have to follow sk27054 to add it manually to the database for use within your communities.

Whoever the previous administrator was for this Management server, they added that DH group for various tunnels. Adding it to the database is fine for SmartConsole but it seems the Management API is not aware of that addition, so it's going off the default list of approved DH groups.

The solution is to change any place you use DH Group 24 to something else. If you can't do that, you'd have to open a support ticket and see what they can do, if anything. I have a feeling I am going to get the old "unsupported config, go away." but we will see.

Perhaps change the group to something default, publish, let the autoprovisioning complete and then just put the group back to 24? Hopefully won't do anything weird when CME iterates over the instances again. You'll be out of luck with any autoscale events though.

Are you a member of CheckMates?

Management API doesn't recognize Diffie Hellman Group 24 as a valid parameter for IKE Phase 1?