Investigate Decryption Failure Reasons
Focus
Focus

Investigate Decryption Failure Reasons

Table of Contents
End-of-Life (EoL)

Investigate Decryption Failure Reasons

Identify decryption failures and why they happened and drill down into the exact failure reasons so you can address issues.
The most common reasons for decryption failures are TLS protocol errors, cipher version errors (client and server version mismatches and client and Decryption profile version mismatches), and certificate errors. To investigate decryption errors, start with the Application Command Center (ACC) to identify failures and then go to the Decryption logs to drill down into details.
For additional information about these errors and possible remediation, see Decryption Log Errors, Error Indexes, and Bitmasks.
  1. Begin your investigation at ACCSSL Activity and look at the Decryption Failure Reasons widget.
    In this example, we investigate certificate errors. You can use the same process to investigate version and protocol errors.
  2. Click the green bar next to Certificate to see which hosts (SNIs) experienced certificate errors and see a list of hosts that experienced the largest number of certificate errors.
  3. Go to MonitorLogsDecryption to drill down into the logs.
    Use the query (err_index eq Certificate) to filter the Decryption logs to view all Decryption sessions that experienced certificate errors.
    The Error column shows the reason for the certificate error. To filter for all Decryption sessions that had the same error, click the error message to add it to the query and then execute the query. For example, to find all errors based on receiving a fatal alert from the client, clicking the error produces the query (err_index eq Certificate) and (error eq ‘Received fatal alert CertificateUnknown from client’):
    To filter for the certificate errors that a specific host received, add that SNI to the query instead of adding error message text. For example, to find all certificate errors for expired.badssl.comm use the query (err_index eq Certificate) and (sni eq ‘expired.badssl.com’):
    The Error column shows the specific reason for each certificate error associated with expired.badssl.com.
    Once you know the reason for the certificate issue that caused the decryption failure, you can address it. For example, if the certificate chain is incomplete, you can repair the incomplete certificate chain. If a certificate is expired, you can notify the site administrator or create a policy-based exception if you need to access the site.