
Landslide: How to set up a proxy on the TAS to communicate with the license server, and how to troubleshoot communication issues with the license server

Environment/Versions
Environment:
Landslide 19.6GA or above; Landslide TAS with a cloud license server based license; no direct network connection available between the TAS and the public license server, so a TLS proxy server is needed.
 
Answer
    Usually, if a Landslide TAS is installed with a cloud license server based license, the TAS needs to talk to the Spirent public license server (ls-lic-server.spirent.com, 38.99.7.67) to register with the license server before it can enter the normal service state. The communication between the Landslide TAS and the license server uses a TLS connection for security, so outbound TCP port 443 or 8443 should be opened in the customer's firewall rules. If a direct connection between the TAS and the license server is available and allowed in the customer's network, you can easily verify the connectivity by running the command "curl -kv https://ls-lic-server.spirent.com" on the Landslide TAS CLI.
    However, if there is no direct connection between the customer's TAS and the Spirent public license server, a TLS proxy server is needed. The proxy server in the customer's network is responsible for forwarding the Landslide TAS's data packets to the public license server over a TLS connection. The details below explain how to set up the proxy on the Landslide TAS and how to troubleshoot any communication issue.
    Steps to enable proxy on TAS:
  1. Start the TAS Manager and log in as cfguser.
  2. Select System > Edit Settings from the menu. A warning message is displayed saying that the TAS settings file should only be edited with specific instructions provided by Technical Support.
  3. Click Continue only if you have the appropriate instructions and information to modify the settings.
  4. The TAS Settings Editor window is displayed and provides options to browse your local drive for TAS settings, install new/modified settings, and cancel the task.
  5. Click the Add Settings dropdown list and select an item from the list to modify, or select <blank> to add a new setting, then double-click to add/modify as per the instructions from Technical Support.
Add the two keys below to the settings list:
  1. lic_srv_proxy_host - Select to add proxy support between the TAS and the license server. Enter the IP address of the proxy server.
  2. lic_srv_proxy_Port - Select to add proxy support between the TAS and the license server. Enter the port of the proxy server.
 
After that, restart the TAS with the "restart" option in the TAS Manager GUI to make the new proxy settings take effect.
Also, if you want to verify whether the proxy settings have been enabled on the TAS, you can log in to the TAS Linux CLI as cfguser, then run the command "list-tas-settings" to check.
The output looks like this:

>>>>>>>>

##>list-tas-settings
TAS Advanced Settings/Overrides (empty means nothing set):
rsl_low=9100
lic_srv_proxy_host=10.71.41.222
rsl_high=9988
lic_srv_proxy_port=443
>>>>>>>>>
If there is a communication issue between your TAS and the proxy server, or between the proxy server and the license server, you will see the TAS error below when you run the command "cat /usr/sms/data/tasoutput.txt" to view the TAS output. It indicates the error "TAS not licensed: Timedout on Server Request".
>>>>>>>> 
Dec 07, 2020 6:23:40 AM SPLogger SYS
SEVERE: com.sseworks.sp.server.framework.E: TAS not licensed: Timedout on Server Request
              at com.sseworks.sp.server.framework.SMSServer.<init>(Unknown Source)
              at com.sseworks.sp.server.framework.SMSServer.main(Unknown Source)
>>>>>>>>
In that case, you can follow the troubleshooting steps below to verify the connection with the proxy server and the license server:
1. Run ping and traceroute to make sure the proxy server is reachable from the TAS.
    ping <ip of proxy>
    traceroute <ip of proxy>
    With traceroute, you can see whether the proxy server is reachable and whether any hop on the network is rejecting the packets to the proxy server.
2. Use the telnet command to check whether the proxy's listening port is open.
    telnet <ip of proxy> <port>
    If you see the output "Connected to 10.71.41.50............Escape character is '^]'.", then the proxy is listening on that port.
    If you see the output "telnet: Unable to connect to remote host: Connection refused", then the proxy is not listening on that port. Double check that you have the correct proxy IP and port.
3. Use the sample curl command below to check the HTTPS connection to the license server via the proxy. Remember to use "-k" to make curl skip certificate verification with the proxy server; otherwise curl fails when it sets up the TLS connection with the proxy server. If you see "connected to <ip of proxy>  port xxx", the connection to the proxy appears to be good.
##>curl -kv --proxy https://10.71.30.250:6203 https://ls-lic-server.spirent.com
* Rebuilt URL to: https://ls-lic-server.spirent.com/
*   Trying 10.71.30.250...
* Connected to 10.71.30.250 (10.71.30.250) port 6203 (#0)
* Establish HTTP proxy tunnel to ls-lic-server.spirent.com:443
> CONNECT ls-lic-server.spirent.com:443 HTTP/1.1
> Host: ls-lic-server.spirent.com:443
> User-Agent: curl/7.47.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 594 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: ls-lic-server.spirent.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: C=US,ST=Texas,L=Plano,O=Spirent Communications,OU=Engineering,CN=ls-lic-server.spirent.com
*        start date: Wed, 12 Aug 2020 15:51:21 GMT
*        expire date: Sun, 05 Jun 2022 18:20:02 GMT
*        issuer: DC=COM,DC=SPIRENTCOM,DC=AD,CN=Spirent Corporate Issuing CA
*        compression: NULL
* ALPN, server did not agree to a protocol
> GET / HTTP/1.1
> Host: ls-lic-server.spirent.com
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Content-Length: 0
< Date: Fri, 18 Dec 2020 17:48:36 GMT
<
* Connection #0 to host 10.71.30.250 left intact
##>
 
 
      4. If you see a failure at step 3, you can run tcpdump to capture a pcap file for Wireshark and check what happened between the TAS and the proxy server: whether the TAS initiated a TCP handshake with the proxy server, whether the TCP connection between the TAS and the proxy server was established, and whether the TLS connection request reached the proxy server.
         A. Stop the TAS first with the command "tasstop".
         B. Then run the command "sudo tcpdump -i eth0 -w <output-file-name> -s 2000" to capture the traffic between the TAS and the proxy server. Replace the port name "eth0" with another port name if your TAS uses a port other than eth0 as its management port.
         C. Run the command "tasrun" to start the TAS, then wait a couple of minutes until the TAS reports the error with the license server.
         D. Press "ctrl-C" to stop tcpdump, then open the pcap file generated by tcpdump to see whether a TLS over TCP connection from the TAS to the proxy was initiated.
     Typically, you should see a TCP connection and a TLS connection between the TAS and the proxy, as in the screenshot below. In the example below, the TAS is initiating the request from 10.71.16.37 port 43432 and the proxy server is listening at 10.71.41.238 port 911.



By checking the pcap file, you should be able to see what the problem is between the TAS and the proxy server. If the TCP SYN packet was not answered by the proxy server, most likely your firewall is not allowing that kind of traffic, or you have a connectivity issue with the proxy server.
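
The staged checks from steps 1 to 3, written as one probe (an added example, not Spirent's code and not part of the original article). It follows the exchange in the curl trace above: TCP to the proxy, a plain-HTTP CONNECT, then TLS to the license server, but with certificate verification left on. The function name, the cafile parameter and the proxy accepting a plain-HTTP CONNECT are assumptions.

```python
import socket
import ssl
import sys

def probe_via_proxy(proxy_host, proxy_port, target_host, target_port=443,
                    cafile=None, timeout=10):
    """Return (stage, detail); stage is 'tcp', 'connect', 'tls' or 'ok'."""
    # Stage 1: TCP to the proxy (what ping/telnet check in steps 1 and 2).
    try:
        sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"cannot reach proxy: {exc}"
    with sock:
        # Stage 2: ask the proxy for a tunnel. Assumption: the proxy accepts a
        # plain-HTTP CONNECT, as in the curl trace in step 3.
        request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
                   f"Host: {target_host}:{target_port}\r\n\r\n")
        reply = b""
        try:
            sock.sendall(request.encode("ascii"))
            while b"\r\n\r\n" not in reply and len(reply) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except OSError as exc:
            return "connect", f"no reply to CONNECT: {exc}"
        status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
        fields = status_line.split()
        if len(fields) < 2 or fields[1] != "200":
            return "connect", f"proxy did not open the tunnel: {status_line!r}"
        # Stage 3: TLS to the license server through the tunnel, with certificate
        # and hostname verification left on (unlike curl -k). cafile is a
        # hypothetical path to the CA bundle expected to have issued the cert.
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            with ctx.wrap_socket(sock, server_hostname=target_host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return "ok", f"{tls.version()}, issuer CN={issuer.get('commonName')}"
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            return "tls", f"handshake or verification failed: {exc}"

if __name__ == "__main__" and len(sys.argv) >= 4:
    # usage: probe.py <proxy-ip> <proxy-port> <license-server-host> [ca-file]
    ca = sys.argv[4] if len(sys.argv) > 4 else None
    print(probe_via_proxy(sys.argv[1], int(sys.argv[2]), sys.argv[3], cafile=ca))
```

If the license server certificate chains to a CA that is not in the system trust store, the probe reports stage 'tls' until that CA is supplied as cafile.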

Product: TAS Manager, Results Manager, Landslide Client, Tcl API