Investigate Decryption Failure Reasons

Identify decryption failures and why they happened and drill down into the exact failure reasons so you can address issues.
The most common reasons for decryption failures are TLS protocol errors, cipher version errors (client and server version mismatches and also client and Decryption profile version mismatches), and certificate errors. To investigate decryption errors, start with the Application Command Center (ACC) to identify failures and then go to the Decryption logs to drill down into details.
  1. Begin your investigation at
    ACC
    SSL Activity
    and look at the Decryption Failure Reasons widget.
    decryption-failure-reasons-acc-2-dmitry.png
    In this example, we investigate certificate errors. You can use the same process to investigate version and protocol errors.
  2. Click the green bar next to
    Certificate
    to see which hosts (SNIs) experienced certificate errors and see a list of hosts that experienced the largest number of certificate errors.
    decryption-failure-reasons-acc-certificate-2-dmitry.png
  3. Go to
    Monitor
    Logs
    Decryption
    to drill down into the logs.
    Use the query
    (err_index eq Certificate)
    to filter the Decryption logs to view all Decryption sessions that experienced certificate errors.
    err-index-eq-certificate.png
    The
    Error
    column shows the reason for the certificate error. To filter for all Decryption sessions that had the same error, click the error message to add it to the query and then execute the query. For example, to find all errors based on receiving a fatal alert from the client, clicking the error produces the query
    (err_index eq Certificate) and (error eq ‘Received fatal alert CertificateUnknown from client’)
    :
    err-index-eq-cert-and-error-eq-error-message.png
    To filter for the certificate errors that a specific host received, add that SNI to the query instead of adding error message text. For example, to find all certificate errors for expired.badssl.comm use the query
    (err_index eq Certificate) and (sni eq ‘expired.badssl.com’)
    :
    err-index-eq-certificate-and-sni-eq-expired-badssl-com.png
    The
    Error
    column shows the specific reason for each certificate error associated with expired.badssl.com.
    Once you know the reason for the certificate issue that caused the decryption failure, you can address it. For example, if the certificate chain is incomplete, you can repair the incomplete certificate chain. If a certificate is expired, you can notify the site administrator or create a policy-based exception if you need to access the site.

Recommended For You