
Large number of "Failed to complete TLS/SSL handshake initiated by TLS/SSL client" messages in the logs in /opt/SYMCScan/log


Article ID: 202046


Products

  • Protection Engine for NAS
  • Protection Engine for Cloud Services

Issue/Introduction

SPE configured for secure ICAP scanning records a large number of "Failed to complete TLS/SSL handshake initiated by TLS/SSL client" messages in the logs in /opt/SYMCScan/log. These messages appear to originate from SPE itself rather than from a server submitting files to be scanned. For example, in the message below, 10.80.246.171 is the IP address of the SPE server.

1603296285|11|2|1|30|Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: |43|10.80.246.171|44|11344|45|596082|120|1603296285574|121|hostname.example.com

Cause

There may be multiple causes for the TLS handshake to fail, ranging from connection issues to certificate issues to TCP health checks. See the Resolution section for both general troubleshooting information and for specific causes.

Environment

  • SPE 8.x configured for secure ICAP scanning

Resolution


General Troubleshooting Steps

  1. Check configuration.xml to confirm secure ICAP is fully configured per...

    Title: SPE 8.1 Help: Configure the secure ICAP options
    URL: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/8-1/Core_server_only_mode_10/configure-the-secure-icap-options-v128513062-d4995e27629.html

  2. Perform isolation testing using the ssecls test tool to identify the point of failure.
  3. If running ./ssecls locally on the SPE host returns "error while loading shared libraries...cannot run shared object file", register the library path and try again. See article 200246 for details.
  4. If running ./ssecls locally on the SPE host with secure ICAP options fails, troubleshoot the secure ICAP settings within configuration.xml.
  5. If running ./ssecls remotely without secure ICAP options fails, troubleshoot the connectivity between the client and SPE.
  6. If running ./ssecls remotely with secure ICAP options fails, compare the cipher list on the client machine with the cipher list on SPE.

Note: Gathering a packet capture/trace of the network communication during these steps may provide more information than what is logged, including specific TCP or TLS errors.


Specific Causes

  • TCP Port Checks: Performing TCP health checks on the secure ICAP port will cause this error. Port scans on this port will cause this error. Vulnerability scans that do not complete a TLS connection will cause this error. In a packet capture, you will see the following:
    • Capture
      • Client: SYN
      • SPE:    SYN, ACK
      • Client: ACK
      • Client: FIN, ACK
      • SPE:    FIN, ACK
      • Client: ACK
    • Resolution: Expect these errors when targeting this port with scans. For health checks, consider sending an ICAP OPTIONS request instead of a bare TCP connect (see the Software Developer's Guide for more information; it can be obtained via the "SPE Related Documents" link below).
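The following script is an added example, not part of this article or of the SPE product, showing the difference between the two kinds of check described above: a bare TCP connect/close, which is exactly the SYN/ACK/FIN sequence that makes SPE log the handshake failure, and a health check that completes the TLS handshake and sends an ICAP OPTIONS request. The hostname, the service path `avscan` and the CA file are assumptions; the port 11344 is taken from the sample log line.

```python
"""Health-check an SPE secure ICAP listener without triggering
"Failed to complete TLS/SSL handshake" log entries.

Added example; assumes the ICAP service path (default "avscan") and that the
CA that issued the SPE certificate is supplied via cafile."""
import socket
import ssl

DEFAULT_SERVICE = "avscan"  # assumption: adjust to the service configured on SPE


def build_options_request(host, port, service=DEFAULT_SERVICE):
    """Return a minimal ICAP OPTIONS request (RFC 3507, section 4.10) as bytes."""
    lines = [
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0",
        f"Host: {host}",
        "User-Agent: secure-icap-healthcheck",
        "Encapsulated: null-body=0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_icap_status(response):
    """Return (status_code, reason) from an ICAP status line, or None if it is
    not a well-formed ICAP response."""
    head = response.split(b"\r\n", 1)[0]
    try:
        version, code, reason = head.decode("ascii").split(" ", 2)
        if not version.startswith("ICAP/"):
            return None
        return int(code), reason
    except ValueError:  # covers bad split counts, non-ASCII and non-numeric codes
        return None


def tcp_only_probe(host, port, timeout=5.0):
    """The kind of check the article warns about: the TCP handshake completes
    and the socket is closed without ever starting TLS, so SPE logs a failed
    handshake. Shown only for contrast; do not use this against the secure port."""
    with socket.create_connection((host, port), timeout=timeout):
        return True


def secure_icap_healthcheck(host, port, service=DEFAULT_SERVICE,
                            cafile=None, timeout=5.0):
    """Complete the TLS handshake, send ICAP OPTIONS and return True on a 200.

    cafile: PEM bundle containing the CA (or the self-signed certificate) that
    SPE presents; with None the system trust store is used and verification
    still takes place."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_options_request(host, port, service))
            response = b""
            # Read until the end of the ICAP header block.
            while b"\r\n\r\n" not in response:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                response += chunk
    status = parse_icap_status(response)
    return status is not None and status[0] == 200


if __name__ == "__main__":
    import sys
    # Usage: python healthcheck.py spe.example.com 11344 [ca.pem]
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    ca = sys.argv[3] if len(sys.argv) > 3 else None
    ok = secure_icap_healthcheck(target_host, target_port, cafile=ca)
    print("secure ICAP OPTIONS check:", "OK" if ok else "FAILED")
```

Pointing a load balancer or monitoring system at `secure_icap_healthcheck` instead of a TCP-only probe keeps the SPE log free of spurious handshake failures and, because the check now verifies the certificate and parses the ICAP status line, it also catches an expired certificate or a stopped scanning service, which a bare TCP connect would report as healthy.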

Additional Information