Large number of "Failed to complete TLS/SSL handshake initiated by TLS/SSL client" messages in the logs in /opt/SYMCScan/log

search cancel

Large number of "Failed to complete TLS/SSL handshake initiated by TLS/SSL client" messages in the logs in /opt/SYMCScan/log

book

Article ID: 202046

calendar_today

Updated On:

Products

Protection Engine for NAS Protection Engine for Cloud Services

Issue/Introduction

SPE for Secure ICAP scanning and records a large number of "Failed to complete TLS/SSL handshake initiated by TLS/SSL client" messages in the logs in /opt/SYMCScan/log. These messages seem to be coming from SPE and not a server submitting files to be scanned.

1603296285|11|2|1|30|Failed to complete TLS/SSL handshake initiated by TLS/SSL client. Error code: |43|<speserver_ip>|44|11344|45|596082|120|1603296285574|121|hostname.example.com

Environment

SPE 8.x configured for secure ICAP scanning

Cause

There may be multiple causes for the TLS handshake to fail ranging form connection issues to certificate issues to TCP healthchecks. See the Resolution section for both general troubleshooting information and for specific causes.

Resolution

General Troubleshooting Steps

Check configuration.xml to confirm secure ICAP is fully configured per...

Title: SPE 8.1 Help: Configure the secure ICAP options
URL:Configure the secure ICAP options
URL for SPE 8.2.2 : Configure the secure ICAP options
Perform isolatio testing using the ssecls test tool to identify the point of failure
If running ./ssecls ssecls locally on the SPE host returns "error while loading shared libraries...cannot run shared object file", register the path and try again. see 200246 for details
If running ./ssecls ssecls locally on the SPE host with secure ICAP options fails, troubleshoot the secure ICAP settings within configuration.xml
If running ./ssecls ssecls remotely without secure ICAP options fails, troubleshoot the connectivity between the client and SPE
If running ./ssecls ssecls remotely with secure ICAP options fails, compare the ciphers list from the client machine and SPE.

Note: Gathering a packet capture/trace of the network communication during these steps may provide more information than what is logged, including specific TCP or TLS errors.

Specific Causes

There is a hotfix for a known issue with ssecls for Linux that can cause this. The updated binary is published here: https://knowledge.broadcom.com/external/article?articleId=214296
TCP Port Checks: Performing TCP health checks on the Secure ICAP port will cause this error. Port scans on this port will cause this error. Vulnerability scans that do not complete an SSL connection will cause this error. In a packet capture, you will see the following
- Capture
  - Client: SYN
  - SPE: SYN, ACK
  - Client: ACK
  - Client: FIN, ACK
  - SPE: FIN, ACK
  - Client: ACK
- Resolution: Expect these errors when targeting this port with scans. For health checks, consider sending an ICAP OPTIONS request (see the Software Developer's Guide for more information. This can be obtained at the "SPE Related Documents link below)

Additional Information

Title: SPE 8.1 Help: C-based command-line scanner syntax and usage
URL: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/8-1/SSECLS_Demonstration_Tool_11/c-based-command-line-scanner-syntax-and-usage-v128510193-d4995e25461.html
Title: SPE Related Documents
URL: https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/symantec-protection-engine/8-2/Related-Documents.html

Feedback

thumb_up Yes

thumb_down No