Secure message delivery to DLP fails when FIPS mode is enabled


Article ID: 158610


Updated On:


Messaging Gateway


When Symantec Messaging Gateway (SMG) is set to run in FIPS-compliant mode, TLS-secured message delivery to the configured DLP server fails. All outbound messages are held in the delivery queue with an error indicating that TLS negotiation has failed.

 451 4.7.5 [internal] tls negotiation failed


When in FIPS mode, the SMG appliance is unable to negotiate a secure, TLS-encrypted connection to the DLP Prevent server due to the increased security requirements of running in FIPS-2 compliant mode. This occurs regardless of whether the DLP Prevent server was installed with the FIPS-compliant options.


This is a known issue and has been fixed in SMG 10.5.2. Please update when able.

This issue can be worked around by either:

  • Reconfiguring the DLP Connect option to use plaintext delivery rather than TLS-secured delivery
  • Disabling FIPS mode via the CLI fipsmode off command

If neither of these options is compatible with your internal security policies, please contact Symantec Customer Support to discuss other potential workarounds.

Applies To

Messaging Gateway
DLP Prevent