1. Please help support our sponsors by considering their products and services.
    Our sponsors enable us to maintain high-speed Internet connection and fast webservers.
    They support this free information and knowledge exchange forum service at no cost to you.

    Please welcome our latest sponsor Tectrade . We can show our appreciation by learning more about Tectrade Solutions

Source IP address

Discussion in 'TSM Operation' started by ivandem, Jan 27, 2016.

  1. ivandem

    ivandem ADSM.ORG Member

    Joined:
    Oct 6, 2003
    Messages:
    81
    Likes Received:
    0
    Occupation:
    Technical Specialist
    Location:
    Richmond Hill
    Hi Folks,

    I've got an SSL error coming through my TSM server...

    ANR8583E An SSL socket-initialization error occurred on session 209186. The GSKit return code is 420. (SESSION: 209186)

    This error occurs every 20 minutes; all day, every day. All clients are connecting with no issues. I think it's the firewall (Fortigate) just doing a check on the SSL port to ensure it's up (btw, all clients are external) but my firewall guys can't confirm this. Can turning on verbose logging in TSM tell me the source IP address even tough there is no node associated? And is so, what is the line to insert in dsm.opt. At least then I'd know if it's internal or external.

    Thanks

    John
     
  2.  
  3. marclant

    marclant ADSM.ORG Moderator

    Joined:
    Jun 16, 2006
    Messages:
    2,712
    Likes Received:
    375
    Occupation:
    Accelerated Value Specialist for Spectrum Protect
    Location:
    Canada
  4. ivandem

    ivandem ADSM.ORG Member

    Joined:
    Oct 6, 2003
    Messages:
    81
    Likes Received:
    0
    Occupation:
    Technical Specialist
    Location:
    Richmond Hill
    Thanks for the reply, but it's not an SSL error, at least not directly.

    Every client is successfully connected VIA SSL with 0 issues.

    Under normal circumstances there would be an IP address listed, and for the client connections there is. However, I think because the connection is never really established, it's not noting the address in the actlog; Hence the need for more verbose logging.
     
  5. marclant

    marclant ADSM.ORG Moderator

    Joined:
    Jun 16, 2006
    Messages:
    2,712
    Likes Received:
    375
    Occupation:
    Accelerated Value Specialist for Spectrum Protect
    Location:
    Canada
    The instructions for tracing are here:
    http://www-01.ibm.com/support/knowl...ot.doc/t_pdg_enbltrcsrvrstgagent.html?lang=en

    The list of trace classes you can use are here:
    http://www-01.ibm.com/support/knowl...ot.doc/t_pdg_enbltrcsrvrstgagent.html?lang=en

    Probably need TCP and SSLINFO. Don't use too many trace classes, the output will get large quick.

    You may still need IP tracing outside of TSM, if like you say, the connection is not establish, so it's possible the OS never pass the IP to the application.
     
  6. ivandem

    ivandem ADSM.ORG Member

    Joined:
    Oct 6, 2003
    Messages:
    81
    Likes Received:
    0
    Occupation:
    Technical Specialist
    Location:
    Richmond Hill
    Thanks again, marclant. unfortunately the resultant logs did not give me the any answers.
     
  7. moon-buddy

    moon-buddy ADSM.ORG Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,886
    Likes Received:
    367
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
    For "ANR8583E An SSL socket-initialization error occurred on session 209186. The GSKit return code is 420. (SESSION: 209186)" does the SESSION number change every time the error pops up?
     
  8. ivandem

    ivandem ADSM.ORG Member

    Joined:
    Oct 6, 2003
    Messages:
    81
    Likes Received:
    0
    Occupation:
    Technical Specialist
    Location:
    Richmond Hill
    Yes it does.

    John
     
  9. moon-buddy

    moon-buddy ADSM.ORG Moderator

    Joined:
    Aug 24, 2005
    Messages:
    6,886
    Likes Received:
    367
    Occupation:
    Electronics Engineer, Security Professional
    Location:
    Somewhere in the US
    Is the session number identified (or, can be identified) to a certain node?

    If not, then it seems that somehow another device that is not SSL complaint with TSM is trying to access the TSM server.

    I doubt if the firewall is doing this.
     
: TSM, ssl, actlog

Share This Page