Protection Engine Enrollment fails due to unsupported TLS cipher suites



Article ID: 173733


Updated On:


Protection Engine for Cloud Services Protection Engine for NAS


When enrolling your Symantec Protection Engine (SPE) server to the cloud console via the command line or enroll.bat, the enrollment fails with error "Failed to start Symantec CAF service."

  • Using Enroll.bat fails with the error: Failed to start Symantec CAF service.
  • cafagent.log contains the following:

[|] 2019-02-14 19:04:07 | cafservice.CAFEnrollManager | Error | 1804 : 4196 : caf::CAFEnrollManager::EnrollDevice::<device_ID>::operator ():111 | Error details: {"0":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"1":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"2":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"3":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"4":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"5":{"0":"ProxyModeDisabled (16)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"6":{"0":"ProxyModeAutoDetect (2)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}}}

  • A packet capture of the enrollment process shows a failed TLS handshake. The SPE server sends the Client Hello. The Cloud Console server responds with an ACK packet, followed by an Alert (Level: Fatal, Description: Handshake Failure) packet. This alert packet specifies Handshake Failure (40). The cloud console then sends a FIN ACK packet.


When the enrollment process starts, the CAF agent service is started and attempts to make a TLS connection to the cloud console. The cipher suites the SPE server offers are taken from the operating system's TLS configuration and are sent in the Client Hello at the beginning of the handshake. If none of the advertised cipher suites is supported by the cloud console, the console rejects the handshake, the connection is terminated, the service stops, and this error is thrown.
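To make the cause above concrete, the following added example (not code from the article or from Symantec) builds a minimal TLS 1.2 Client Hello, parses the cipher suites it advertises, and simulates the server's selection step: if the client's list and the server's list share no suite, the server answers with a fatal alert carrying description 40 (handshake_failure), which is exactly what the packet capture shows. The Client Hello bytes, the short cipher-suite name table and the server-side suite list (`SERVER_SUITES`) are all constructed for this example; the article itself does not list the console's supported suites, so the two ECDHE/AES-GCM suites used here are placeholders, not a statement about the real cloud console.

```python
import struct

# Small subset of IANA cipher-suite names (assumption: only suites used in this example).
CIPHER_SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}

# Placeholder server-side list in the server's order of preference (constructed, not the console's real list).
SERVER_SUITES = [0xC030, 0xC02F]

HANDSHAKE_FAILURE = 40  # TLS AlertDescription seen in the capture: handshake_failure(40)


def build_client_hello(cipher_suites):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input, no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"            # client_version, random (zeroed), empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites      # cipher_suites vector
    body += b"\x01\x00"                                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the cipher-suite ids advertised in a TLS ClientHello record, in client order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites_bytes = body[pos:pos + suites_len]
    if len(suites_bytes) != suites_len or suites_len % 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", suites_bytes[i:i + 2])[0] for i in range(0, suites_len, 2)]


def diagnose(record, server_suites):
    """Simulate server-side suite selection (server preference order).

    Returns a dict with the suites offered by the client, the suite the server would
    pick, and the alert description it would send if there is no overlap.
    """
    offered = parse_client_hello_suites(record)
    chosen = next((s for s in server_suites if s in offered), None)
    return {
        "offered": [CIPHER_SUITE_NAMES.get(s, f"0x{s:04X}") for s in offered],
        "selected": CIPHER_SUITE_NAMES.get(chosen, f"0x{chosen:04X}") if chosen is not None else None,
        "alert": None if chosen is not None else HANDSHAKE_FAILURE,
    }


if __name__ == "__main__":
    # A client that only offers legacy RSA/3DES/RC4 suites: no overlap, fatal alert 40.
    legacy = build_client_hello([0x000A, 0x0005, 0x002F])
    print(diagnose(legacy, SERVER_SUITES))
    # After the OS is configured to advertise an ECDHE/AES-GCM suite the handshake proceeds.
    fixed = build_client_hello([0x000A, 0xC02F, 0xC030])
    print(diagnose(fixed, SERVER_SUITES))
```

The first case reproduces the failure pattern from the capture: the Client Hello is well-formed, but the server finds nothing it is willing to negotiate and sends the fatal alert instead of a Server Hello. The second case shows that adding a single suite the server accepts is enough; note that the server picks from its own preference order, not the client's, so the suite chosen is the one the server lists first among those offered.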


The server that SPE is installed on must advertise at least one cipher suite that is supported by the cloud console. We can confirm that the following cipher suite(s) are supported:


To ensure your server advertises these cipher suites, you must make configuration changes to the OS.


For Windows, please see the following Microsoft article: