
Protection Engine Enrollment fails due to unsupported TLS cipher suites


Article ID: 173733


Products

  • Protection Engine for Cloud Services
  • Protection Engine for NAS

Issue/Introduction

When enrolling your Symantec Protection Engine (SPE) server to the cloud console via the command line or enroll.bat, the enrollment fails with the error "Failed to start Symantec CAF service."

  • Using Enroll.bat fails with the error: Failed to start Symantec CAF service.
  • cafagent.log contains the following:

[|] 2019-02-14 19:04:07 | cafservice.CAFEnrollManager | Error | 1804 : 4196 : caf::CAFEnrollManager::EnrollDevice::<device_ID>::operator ():111 | Error details: {"0":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"1":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"2":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"3":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"4":{"0":"ProxyModeDefault (8)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"5":{"0":"ProxyModeDisabled (16)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}},"6":{"0":"ProxyModeAutoDetect (2)","1":"EpmpClientErrorCodes: HttpTransportNetworkError (20)","2":{"0":"windows","1":12175,"2":"A security error occurred\r\n"}}}

  • A packet capture of the enrollment process shows a failed TLS handshake. The SPE server sends the Client Hello. The Cloud Console server responds with an ACK packet, followed by an Alert (Level: Fatal, Description: Handshake Failure) packet. This alert packet specifies Handshake Failure (40). The cloud console then sends a FIN ACK packet.

Cause

When the enrollment process starts, the CAF agent service is started and attempts to make a TLS connection to the cloud console. If the operating system does not advertise, in the Client Hello at the start of the TLS handshake, at least one cipher suite that the cloud console supports, the cloud console rejects the handshake with a fatal alert, the connection is terminated, the service stops, and this error is reported.

Resolution

The server that SPE is installed on must advertise at least one cipher suite that is supported by the cloud console. The following cipher suites are confirmed to be supported:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

To ensure your server advertises these cipher suites, you must make configuration changes to the OS.


For Windows, please see the following Microsoft article: https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls.
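The following PowerShell script is an added example, not part of this article or of the SPE product. It checks which of the cipher suites listed above are currently enabled on the Windows host where SPE runs, reports any that are missing, and can enable them with the built-in Enable-TlsCipherSuite cmdlet. It assumes Windows Server 2016 / Windows 10 or later, where the Get-TlsCipherSuite and Enable-TlsCipherSuite cmdlets exist; the -EnableMissing switch is a name chosen for this example, and enabling suites requires an elevated (Administrator) PowerShell session.

```powershell
# Added example (not from the article): verify that the SPE host advertises
# at least one cipher suite accepted by the cloud console, and optionally
# enable the missing ones. Requires Windows Server 2016 / Windows 10 or later.
param(
    # Assumed switch name for this example: when set, enable the missing suites
    [switch]$EnableMissing
)

# Cipher suites the article lists as supported by the cloud console
$requiredSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Cipher suites currently enabled in the OS, in the order Schannel offers them
$enabledSuites = @((Get-TlsCipherSuite).Name)

$present = @($requiredSuites | Where-Object { $enabledSuites -contains $_ })
$missing = @($requiredSuites | Where-Object { $enabledSuites -notcontains $_ })

Write-Host "Enabled cipher suites accepted by the cloud console:"
if ($present.Count -eq 0) {
    Write-Host "  (none)"
    Write-Warning "No accepted cipher suite is enabled; enrollment will fail with a TLS handshake failure."
} else {
    $present | ForEach-Object { Write-Host "  $_" }
}

if ($missing.Count -gt 0) {
    Write-Host "Accepted cipher suites that are not enabled:"
    $missing | ForEach-Object { Write-Host "  $_" }

    if ($EnableMissing) {
        foreach ($suite in $missing) {
            # Position 0 inserts the suite at the top of the priority list
            Enable-TlsCipherSuite -Name $suite -Position 0
            Write-Host "Enabled $suite"
        }
        Write-Host "Restart the Symantec CAF service (or re-run enroll.bat) for the change to take effect."
    }
}
```

Run the script once without the switch to see the current state, then with -EnableMissing from an elevated prompt to enable what is absent. On older Windows versions that lack these cmdlets, the same change is made through the SSL Cipher Suite Order group policy described in the Microsoft article linked above; in either case the goal is only that at least one of the listed suites appears in the Client Hello.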