Logstash input TCP with TLS connection in a CLOSE_WAIT state

Elastic Stack Logstash
1

Hi There,

I'm using logstash 8.12.2 version and trying to use input tcp plugging with ssl_enabled to receive logs from palo alto panorama (client) to logstash.service (server) on port 5400.

below is the input tcp configuration - [Tcp input plugin | Logstash Reference [8.13] | Elastic]

input {
tcp {
port => 5400
ssl_enabled => true
ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca.crt"]
ssl_certificate => "/usr/share/logstash/config/certs/tls.crt"
ssl_key => "/usr/share/logstash/config/certs/tls.pkcs8.key"
ssl_client_authentication => "optional"
tags => ["tls"]
}
}

Followed this knowledge article to configure Palo alto panorama

We've done some tcpdumps and can see we are connecting to the Logstash fine but the connection on the Logstash side seems to hang. After 6-7 minutes connection is to broken to Logstash and established again , i.e. client panorama is notified the connection is pending close state but never receives feedback closing this connection (CLOSE_WAIT),

image
image1664×180 56.1 KB

Also when we've disabled ssl option the solution works with TCP option successfully.

Test we have done so far

Panorama -> syslog
#here we have a separate server which is configured to run rsyslog service and copied the same the intermediary certificate and the server certificate to enable TLS and it is successfully established connection with client and don't see any issues.

Curl from a test server -> logstash
#also executed curl command using same client certificate setup and it is also successfully established connection with server Logstash and don't see any issues.

curl -v logstash.dns.xxxx:5400 -H "Content-Type: application/json" -d '{"test":"testLog"}' --cacert ./issuer.crt --cert ./panorama-cert.crt --key ./pk.crt

Based on above two tests we can confirm and don't see any issues with panorama's configuration and it is able to connect with syslog server, also Logstash is also receiving logs when we preform curl command from a different server.

I think we might be missing additional configuration in Logstash input plugging ? Or could be a limitation or something else Appreciate if someone can help me on this to troubleshoot this issue :melting_face: Thanks.