Flood of "TLS connection exception: handshake incomplete"

tar_mynastyr
Level 1

Good day every body!

I am using the 4215 IPS-K9-6.0-4a-E1 image. Recently our sensor started to generate a lot of errors like this one (seen when connected via IDM):

evError: eventId=1208572151825393108 severity=error vendor=Cisco
originator:
hostId: sens-1
appName: cidwebserver
appInstanceId: 384
time: 2008/06/03 16:00:26 2008/06/03 16:00:26 UTC
errorMessage: name=errTransport WebSession::sessionTask TLS connection exception: handshake incomplete.

I do understand that there is something wrong with the TLS certificates. So here are the things that I've tried:

-Regenerate HTTPS certificate and reconnect. Nope, doesn't work.

-Reset sensor to defaults, set IP anew, regenerate certificates. Nope, doesn't work.

-I've also searched this forum and found some topics describing the same problem... But there wasn't any solution stated.

I do not want to use simple HTTP, so this is not an option.

Could this be a client problem? My client host is MS Windows Server 2003, Sun JRE 1.5, IE 6.

I'd be very thankful if anyone could point me to a solution for this issue!

Thanks in advance!

Andrew
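An added example, not from the thread: a small Python parser for the evError layout shown above that turns the flood into a per-sensor, per-minute rate of handshake-incomplete errors. The sample records are constructed; only the first eventId and the field layout come from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the post's evError layout; only the first eventId is from the thread.
SAMPLE_LOG = """\
evError: eventId=1208572151825393108 severity=error vendor=Cisco
originator:
hostId: sens-1
appName: cidwebserver
time: 2008/06/03 16:00:26 2008/06/03 16:00:26 UTC
errorMessage: name=errTransport WebSession::sessionTask TLS connection exception: handshake incomplete.
evError: eventId=1208572151825393109 severity=error vendor=Cisco
originator:
hostId: sens-1
appName: cidwebserver
time: 2008/06/03 16:00:41 2008/06/03 16:00:41 UTC
errorMessage: name=errTransport WebSession::sessionTask TLS connection exception: handshake incomplete.
evError: eventId=1208572151825393110 severity=warning vendor=Cisco
hostId: sens-1
appName: mainApp
time: 2008/06/03 16:05:00 2008/06/03 16:05:00 UTC
errorMessage: name=errSystemError unrelated constructed message
"""
HEADER = re.compile(r"^evError:\s+eventId=(\d+)\s+severity=(\w+)")
HANDSHAKE_ERR = "TLS connection exception: handshake incomplete"

def parse_everrors(text):
    """Split evError output into one dict per record from its 'key: value' lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"eventId": m.group(1), "severity": m.group(2)})
        elif records and ":" in line:
            key, _, value = line.partition(":")
            if value.strip():  # the bare "originator:" line carries no value
                records[-1][key.strip()] = value.strip()
    return records

def handshake_failures_per_minute(records):
    """Count handshake-incomplete errors per (hostId, minute). The record never names
    the failing client, so a steady rate is the cue to capture traffic on that sensor."""
    counts = Counter()
    for r in records:
        if HANDSHAKE_ERR in r.get("errorMessage", ""):
            stamp = datetime.strptime(r["time"][:19], "%Y/%m/%d %H:%M:%S")
            counts[(r["hostId"], stamp.strftime("%Y-%m-%d %H:%M"))] += 1
    return counts
```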

Accepted Solution

marcabal
Cisco Employee

That message is common when something is connecting to the sensor through HTTPS but is using the wrong TLS certificate.

However, this message does not let you know which box is having this connection problem.

If you are able to connect in from IDM and IDM is working fine, then it is likely that it is not IDM that is causing the errors.

More than likely there is another box (or application) on your network that is trying to connect and still has the old SSL certificate of the sensor.

That other box needs to be updated with the sensor's newest SSL certificate.

To figure out the IP address of the other box you could try using the "packet display" command on the sensor's command-and-control IP address to look for HTTPS sessions to the sensor that are short-lived.

My best guess is that you may have an old installation of IEV or some other monitoring tool that is trying to connect to the sensor using an old SSL certificate, and that application needs to be updated to use the sensor's newest SSL certificate.

If you can't connect in from IDM, and during those attempts you keep getting that error, then your web browser has the old certificate cached, and you need to get your browser to accept the newest SSL certificate from your sensor. IDM should then start working and the error would go away.


4 Replies

Thank you! You are right! Packet display worked! I've found the one who tested IDS Event Viewer. He told me that he hadn't imagined that IDS Event Viewer tries to connect to the IDSes without the GUI running :)

Both IEV and newer IME have a background process that pulls new events from the sensors and puts them into the database. This way the events are available and can be quickly viewed whenever the GUI is run.

This also allows IEV and IME to send email notifications even when the GUI is not running.

So IEV and IME should normally be run on a machine that is continuously running and staying connected to the network.

If IEV and IME will only be checked occasionally and not used as your main monitoring tool, then try adding the sensors to IEV/IME when starting the GUI, and then removing them each time before closing the GUI. This way alerts are only pulled during the time you have the sensors added.

Thanks again for a detailed answer!
