SRX connection to the SKYATP portal shows "Disconnected because of HTTP error"


Article ID: KB31795 KB Last Updated: 21 Jun 2017 Version: 1.0
Summary:
Enrollment of the SRX device in the SKYATP portal is successful. However, after enrollment, no further communication with the SKYATP portal takes place. This article describes the scenario in which this situation can occur and provides a recommendation for it.
Symptoms:

The customer enrolled the SRX device in the SKYATP portal. However, after enrollment, communication between the SKYATP portal and the SRX stopped. The status of the advanced-anti-malware service is displayed as follows:

root@labsrx> show services advanced-anti-malware status
Server connection status:
Server hostname: srxapi.eu-west-1.sky.junipersecurity.net
Server port: 443
Control Plane:    
                     Connection time: 2017-02-10 08:24:28 CET
                     Connection status: Disconnected because of HTTP error

Service Plane:  fpc0
                     Connection active number: 0
                     Connection retry statistics: 0
Cause:

The issue is caused by either of the following cases:

  • The customer has more than one valid SKYATP license bound to the same serial number of the SRX / vSRX.
  • In the case of vSRX devices, the customer has more than one vSRX license installed on the device. Even expired licenses can cause the problem.

Having multiple licenses with different software serial numbers causes a mismatch between the serial number the SRX device uses to connect to the SKYATP portal and the serial number registered with the SKYATP portal. This is clearly seen in the message logs on the SKYATP portal:

 

message:May 19 23:47:33 SrxAPI-1-74.eu.sky.junipersecurity.net srx_config_api: [WARNING] [client_cert_auth] - Device serial provided in connection URL ABCD1234PQRS@12345678901234 does not match any serial number provided in client certificate: ['ABCD1234PQRS@20150625']

The message logs on the SRX and the trace options for the advanced-anti-malware service show that the connection with the SKY Cloud does not succeed: the SKY Cloud rejects the request as an unauthorized connection, as seen in the event logs.

Event logs show the following error:

May 19 13:30:08  labsrx aamwd[35431]: [0x8d37a00] Client's Websocket handshake: GET /api/v1/ws?sn=ABCD1234PQRS%4012345678901234 HTTP/1.0^M Host: 5.6.7.8:443^M Upgrade: websocket^M Connection: Upgrade^M Sec-WebSocket-Key: Tg/5Y4UX+o14j1J2bzooxQ==^M Sec-WebSocket-Protocol: argon-0.3^M Sec-WebSocket-Version: 13^M Sec-Websocket-Extensions: x-argon-aligned^M ^M
May 19 13:30:08  labsrx aamwd[35431]: [0x8d37a00] Websocket handshake has been sent
May 19 13:30:08  labsrx aamwd[35431]: AAMWD_NETWORK_CONNECT_FAILED: <2> Access host srxapi.eu-west-1.sky.junipersecurity.net on ip 5.6.7.8 port 443 Unauthorized.
AAMW trace options are as follows:
May 19 13:57:17 AAMWD: connecting to server 5.6.7.8
May 19 13:57:17 AAMWD:Using client cert profile aamw-srx-cert
May 19 13:57:17 Request client certificate from pkid [1] succeeded
May 19 13:57:17 AAMWD-PKIC:aamw_pki_request_cert:client key:0x8dae440
May 19 13:57:17 AAMWD-PKIC:aamw_pki_request_cert:cert chain:0x8dae640
May 19 13:57:18 AAMWD get client cert/key from pkid
May 19 13:57:18 AAMWD using TLS version 0.0(1)
May 19 13:57:18 ssl_cert_verify_callback:pki cert chain0x8db2d40: error=19
May 19 13:57:18 pki_validation_response_cb:ee_certificate:0x8daae80
May 19 13:57:18 ssl_cert_verify_callback:server cert validation status=1
May 19 13:57:18 AAMWD: Server certificate validation succeeded
May 19 13:57:18 WS: _aamwd_transport_log:_amwd_connection_failed: AAMWD connection 0x8d23b00 failed. Websocket: 0x8d98000, flags: 0x03
May 19 13:57:18 AAMWD to cloud Connection Failed
May 19 13:57:18 AAMWD websocket connect error code TCP 0 SSL 0 http 401 websocket 0:Unauthorized
May 19 13:57:18 WS: _aamwd_transport_log:aamwd_websocket_close: connection: 0x8d23b00
Solution:

This is expected behavior for an SRX running SKYATP. It is strongly recommended to have only one SKYATP instance bound to the device serial number.
In the case of vSRX, make sure that only one valid Virtual Appliance license is installed.
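To confirm the serial mismatch described under Cause from collected logs, the following added example (not Juniper code) extracts the serial the SRX sent in the websocket handshake, pairs it with the Unauthorized failure, and matches it against the portal's client_cert_auth warning. The function names are hypothetical and the sample lines are abridged from the placeholder logs shown in this article.

```python
import re
from urllib.parse import unquote

# Constructed sample input: abridged from the log lines shown in this article.
SRX_LOG = [
    "May 19 13:30:08  labsrx aamwd[35431]: [0x8d37a00] Client's Websocket handshake: "
    "GET /api/v1/ws?sn=ABCD1234PQRS%4012345678901234 HTTP/1.0^M Host: 5.6.7.8:443^M",
    "May 19 13:30:08  labsrx aamwd[35431]: AAMWD_NETWORK_CONNECT_FAILED: <2> Access host "
    "srxapi.eu-west-1.sky.junipersecurity.net on ip 5.6.7.8 port 443 Unauthorized.",
]
PORTAL_LOG = [
    "May 19 23:47:33 SrxAPI-1-74.eu.sky.junipersecurity.net srx_config_api: [WARNING] "
    "[client_cert_auth] - Device serial provided in connection URL "
    "ABCD1234PQRS@12345678901234 does not match any serial number provided in "
    "client certificate: ['ABCD1234PQRS@20150625']",
]

HANDSHAKE_RE = re.compile(r"GET /api/v1/ws\?sn=(\S+) HTTP/")
PORTAL_RE = re.compile(r"connection URL (\S+) does not match any serial number "
                       r"provided in client certificate: \[(.*)\]")

def srx_rejected_serials(lines):
    """Serials sent in a websocket handshake that was followed by an Unauthorized failure."""
    pending, rejected = None, []
    for line in lines:
        m = HANDSHAKE_RE.search(line)
        if m:
            pending = unquote(m.group(1))  # the URL carries '@' as %40
        elif pending and "AAMWD_NETWORK_CONNECT_FAILED" in line and "Unauthorized" in line:
            rejected.append(pending)
            pending = None
    return rejected

def portal_mismatches(lines):
    """(url_serial, [certificate serials]) for each client_cert_auth warning."""
    hits = (PORTAL_RE.search(line) for line in lines)
    return [(m.group(1), re.findall(r"'([^']+)'", m.group(2))) for m in hits if m]

def diagnose(srx_lines, portal_lines):
    """Join both views: same part before '@', different part after it."""
    rejected = set(srx_rejected_serials(srx_lines))
    return [{"url_serial": url, "cert_serials": certs, "rejected_on_srx": url in rejected,
             "same_prefix": any(c.split("@")[0] == url.split("@")[0] for c in certs)}
            for url, certs in portal_mismatches(portal_lines)]

if __name__ == "__main__":
    for finding in diagnose(SRX_LOG, PORTAL_LOG):
        print(finding)
```

A finding with `rejected_on_srx` and `same_prefix` both true matches the case in this article: the device is the same, but the part of the serial after `@` differs between the connection URL and the client certificate.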
