'unknown_ca' error observed in endpoint server logs.
Article ID: 265236

Products

Data Loss Prevention, Data Loss Prevention Endpoint Prevent

Issue/Introduction

'unknown_ca' TLS alerts have started appearing in the Endpoint Server (aggregator) logs.

Cause

The unknown_ca alert is sent by the connecting peer when it does not trust the CA that issued the certificate the Endpoint Server presented during the TLS handshake. DLP agents are provisioned with that CA, so if you are receiving this error without any change in agent reporting state, it is most likely some other software, such as a vulnerability or security scanner (Qualys, for example), connecting to the Endpoint Server(s) on the agent port and rejecting the server certificate.

Resolution

Several lines below the unknown_ca exception, the aggregator log lists the RemoteHostAndPort of the peer that sent the alert.
Example log entry:

com.symantec.dlp.communications.common.activitylogging.JavaLoggerImpl log
WARNING: 
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1667)
    ...

NCE - Connected                                                                  0  
TC - Connection opened                                                           0  RemoteHostAndPort=/<some internal IP>:<Port>
TC - Connection accepted by connection acceptor                                  0  RemoteHostAndPort=/<some internal IP>:<Port>

This IP is the address of the remote host that sent the unknown_ca alert, i.e. the peer that did not trust the certificate chain the Endpoint Server presented.

If this IP belongs to a security device not related to DLP, contact the owner of the device/application and, if required, have the Endpoint Server host name and port (10443) excluded from its scans. If the IP belongs to a host that should be running a DLP agent, treat it as an agent trust problem instead (see Additional Information).
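The correlation described above, done over a log excerpt instead of by eye, as an added example that is not part of this article or of the Symantec DLP product: it finds each unknown_ca exception, attributes it to the first RemoteHostAndPort line that follows within a short window, and tallies alerts per peer IP, so a scanner that keeps reconnecting stands out from a single agent with a broken trust store. The sample log lines are constructed to mimic the format shown above; the window size and the "scanner" threshold are assumptions, not product behaviour.

```python
"""Attribute 'unknown_ca' TLS alerts in a DLP Endpoint Server aggregator log
to the RemoteHostAndPort entries that follow them, and count alerts per IP.

Added example; not code from the original article or from Symantec DLP.
"""
import re
from collections import Counter

# Constructed sample excerpt (not a real capture). 10.0.5.23 sends the alert
# twice; 10.0.8.101 is an ordinary connection with no alert in front of it.
SAMPLE_LOG = """\
com.symantec.dlp.communications.common.activitylogging.JavaLoggerImpl log
WARNING:
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1667)
NCE - Connected                                          0
TC - Connection opened                                   0  RemoteHostAndPort=/10.0.5.23:51234
TC - Connection accepted by connection acceptor          0  RemoteHostAndPort=/10.0.5.23:51234
NCE - Connected                                          0
TC - Connection opened                                   0  RemoteHostAndPort=/10.0.8.101:49870
TC - Connection accepted by connection acceptor          0  RemoteHostAndPort=/10.0.8.101:49870
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
NCE - Connected                                          0
TC - Connection opened                                   0  RemoteHostAndPort=/10.0.5.23:51240
"""

ALERT_RE = re.compile(r"Received fatal alert: unknown_ca")
# IPv4 only, matching the "/<ip>:<port>" shape the article shows.
REMOTE_RE = re.compile(r"RemoteHostAndPort=/(?P<ip>[^:\s]+):(?P<port>\d+)")


def correlate_unknown_ca(log_text, window=10):
    """Return a Counter of peer IPs, one count per unknown_ca alert.

    Each alert is attributed to the first RemoteHostAndPort that appears
    within `window` lines after it; an alert with no such line in range is
    counted under 'unattributed'. The window is an assumption standing in
    for the article's "several lines down".
    """
    lines = log_text.splitlines()
    hits = Counter()
    for i, line in enumerate(lines):
        if not ALERT_RE.search(line):
            continue
        peer = "unattributed"
        for follow in lines[i + 1:i + 1 + window]:
            m = REMOTE_RE.search(follow)
            if m:
                peer = m.group("ip")
                break
        hits[peer] += 1
    return hits


def likely_scanners(hits, threshold=2):
    """IPs with at least `threshold` alerts. A scanner probing port 10443
    reconnects repeatedly, so it accumulates alerts quickly; the threshold
    is an assumption to tune against your own log volume."""
    return sorted(ip for ip, n in hits.items()
                  if ip != "unattributed" and n >= threshold)


if __name__ == "__main__":
    counts = correlate_unknown_ca(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} unknown_ca alert(s)")
    print("candidate scanners:", likely_scanners(counts))
```

Run it against a real aggregator log by reading the file into `correlate_unknown_ca`; every IP it reports should then be checked against the agent inventory before the owner is asked to exclude the Endpoint Server from scans.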

Additional Information

If you are receiving this error together with a large number of agents unexpectedly no longer reporting, see article 162818 for more information.