New Member

ACE SSL - Decryption failure

I have deployed ACE in a portal architecture with two web servers in a test environment. ACE does the SSL offloading.

Users are experiencing an 'Invalid Session' error 'randomly' while accessing various links on the web page. However, at other times the same pages show perfectly.

This is only experienced while accessing the pages from the internet. It never happens on the local LAN. So the only additions via the internet are 1) the internet itself, 2) the outside ASA with CSC-SSM and 3) the outside ASA with AIP-SSM.

The URL is currently registered with the ISP DNS with a different IP (current Production). The test environment uses another public IP and the site is accessed via a local host file. Over the internet, the traffic goes through a transparent proxy as well.

When I captured the packets via Ethereal/Wireshark, I noticed 'Encrypted Alert' packets sent by ACE to the client. Following are the details of the packet:

- SSLv3 Record Layer: Encrypted Alert
    Content Type: Alert (21)
    Version: SSL 3.0 (0x0300)
    Length: 18
    Alert Message: Encrypted Alert

Alert code 21 means 'Decryption failed (fatal, TLS only)'

The certificate is authentic and verified.

Please advise on how to troubleshoot this error.
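
The record header fields shown in the capture above (content type, version, length) can be decoded with a few lines of Python. This is an added example, not part of the original post: it parses SSL/TLS record headers and treats a 2-byte alert body as plaintext (level plus description) and anything longer as protected by the session keys. The sample bytes are constructed, and the function name `parse_records` is hypothetical.

```python
import struct

# Record-layer content types and alert fields defined by SSL 3.0 / TLS.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 21: "decryption_failed",
                      40: "handshake_failure"}


def parse_records(stream: bytes):
    """Split a byte stream into SSL/TLS records and describe each one."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        # Header: 1-byte content type, 2-byte version, 2-byte length.
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5: offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
               "version": f"0x{version:04x}", "length": length}
        if ctype == 21:
            if length == 2:
                # Plaintext alert: exactly level + description.
                rec["alert"] = (ALERT_LEVELS.get(body[0], body[0]),
                                ALERT_DESCRIPTIONS.get(body[1], body[1]))
            else:
                # Longer body: the alert is encrypted and MACed, so level
                # and description cannot be read without the session keys.
                rec["alert"] = "encrypted"
        records.append(rec)
        offset += 5 + length
    return records


# Constructed sample (not taken from the capture in the post):
# 1) a plaintext fatal handshake_failure alert;
# 2) an 18-byte alert record with the header fields shown above, filler body.
SAMPLE = (bytes([21, 0x03, 0x00, 0x00, 0x02, 2, 40]) +
          bytes([21, 0x03, 0x00, 0x00, 0x12]) + bytes(range(18)))

if __name__ == "__main__":
    for record in parse_records(SAMPLE):
        print(record)
```

In the record layer, 21 is the content type for any alert; an alert description is a separate field inside the record body and is only visible on the wire while the alert is still unencrypted.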


New Member

Re: ACE SSL - Decryption failure

OK. Out of the above, the internet is ruled out. I connected my laptop to the outside of the ASA and tried testing the portal. In this case, I bypassed the internet but included all the components of our infrastructure, including firewalls. The problem still happens.

So the only two things now are 1) the ASA CSC-SSM and 2) the ASA AIP-SSM on the perimeter.

Does the ASA in any way tamper with the SSL traffic flowing through it, or with any other data?

New Member

ACE SSL - Decryption failure

I am having the same problem with SSL termination with the ACE only in the picture. No ASA in use. All works well with a server which is not behind the ACE.

Has anyone got a workaround for the decryption failure?

New Member

ACE SSL - Decryption failure

Software Version A2(1.5) Resolved Caveats


—When you transfer a large file, the ACE sends an encrypted alert to the client. Prior to this action, the ACE reduces its TCP window to zero, bumps up the size, receives the packet that it was acknowledging from the client, and sends the encrypted alert.

I am running Version A2(3.2). I found that implementing a sticky group helped with this issue.

serverfarm host webfarm
  rserver r1
    inservice standby
  rserver r2
  rserver r3
    backup-rserver r1

\\define static sticky server, here we are mapping r2 to r3 and r3 to r2

sticky ip-netmask address source sticky_webfarm
  serverfarm webfarm
  8 static client source rserver r3
  16 static client source rserver r2


New Member

ACE SSL - Decryption failure

Actually, there has not been any change. Traffic from the LAN works perfectly fine but for some reason, Microsoft (e-mail cloud) and Blackberry traffic is still having the same issue.

Any ideas why those two are being affected? Might it have something to do with how they implement IMAPS on their side, which is different from all other services?
