10.02 backup fails with error Secure communication protocol negotiation error

Hello,

DP CM Windows 2012 R2, DP 10.02 with SSPF as:

QCCR2A78222_HF1 csm.exe Test binary
QCCR2A77330_HF1 omnidbutil.exe Test binary
QCCR2A78222_HF1 rsm.exe Test binary
QCCR2A77362_HF4 vmwaregre-agent.exe Test binary

Out of 100 clients, on 1 client I am facing an issue with the secure communication protocol. All the backups for this host failed with the error:
Secure communication protocol negotiation error when trying to establish a connection.
Check the validity of certificates and their configuration

I have tried adding the "omnicc -secure_comm -configure_peer" on both CM & Client and after this it will work only for 1 time and then again backup will start failing.

I have also tried exporting the client, adding the certificates between them with "omnicc -secure_comm -configure_peer" and re-importing the client. Backup works normally the first time but fails again from the second time.

Any help what's wrong here?

  • I had this too and this is what I did to get rid of these errors:

    Below are the steps for DP on Windows. 

    1. On the client, rename the folder C:\ProgramData\OmniBack\Config\client\sscertificates to something like C:\ProgramData\OmniBack\Config\client\sscertificates.orig
    2. On the client, run omnicc -secure_comm -regenerate_cert CM_NAME
    3. On the CM, run omnicc -secure_comm -configure_peer CLIENT_NAME
    4. On the client, run omnicc -secure_comm -configure_peer CM_NAME
  • I'll give this a try today.

    The issue with my environment is a bit more complicated however.

    I have say 20 servers all running the DA.

    Then I have one of two possible backup destinations.

    One is disk based where my CM is the MA; these backups work.

    The other is to tape where a different server is the MA.  I have 2 out of 20 servers giving the error mentioned in this thread when saving a backup to this destination.

    With that said, I'll just try to run these commands on all 3 servers, but I have done many commands similar already.

  • I tried to do exactly the above first, did not fix my problem.

    Still had disk backups working but not tape.

    I then tried to do some of those commands on the server acting as the MA for the tape, no luck with that either.

    I did not completely delete/regenerate the cert on that server as it would probably break the backup for the other 18 servers that are working.  I did run the accept new peer command however.

    I see some servers have a .pem file specific to a server in the sscertificates folder usually in relation to when I have run the configure_peer command, but other servers do not, yet they still work without it.

  • After trying EVERYTHING, and I mean everything.

    I got this working, why I don't know, and I can't say for sure if it's related to the program or to the environment.

    The Fix: Add a static IP to my HOST file for the MA Server.

    What did not work:

    Full reinstall of the software

    Delete, Create, Import new Secure Certificate

    Turn off Firewall

    Change backup options

    Was able to:

    Ping by name and IP

    Telnet by name and IP

    Tracert by name and IP

    See the correct security certificate when I accepted the peer

    Everything looks like it should, but the backup just would not work until I added a host file line entry, then it worked perfectly.

  • Hello DanielV_,

    The command omnicc -secure_comm -regenerate_cert CM_NAME should not be used for this. This will re-generate the peer certificate on the Cell Manager CM_NAME and cause real harm to the overall client communication when used unprepared.

    Regards,
    Sebastian Koehler