Cisco Support Community
Community Member

TLS Stats

We turned on TLS Preferred for all Outbound messages on our 2 C650's this afternoon, and I am trying to get my head round the figures on the TLS Status Page.

Figures for the last hour show the following within the "TLS Connections" GUI on one of our boxes:

Outbound TLS Connections
Successful - Required = 2
Successful - Preferred = 943
Failed - TLS Required = 0
Failed - Preferred = 0
Unencrypted Connections = 0

Outgoing TLS Messages
TLS Encrypted = 1,019
Unencrypted = 2,903

Surely if I have had no unencrypted outbound connections, I should have had no Unencrypted messages.

Has anyone got any ideas, 'cause I have been scratching my head and can't seem to find a logical conclusion.

Thanks
:?

9 REPLIES
Community Member

Re: TLS Stats

My understanding is the following...

Outbound TLS Connections
Unencrypted Connections = 0
-> This section is the number of TLS attempted connections which failed back to clear text in Preferred mode after a failed STARTTLS attempt. The receiving MTA shows STARTTLS, your IronPort attempts STARTTLS, but something did work and the connect failed back to clear text due to the fact TLS is set to Preferred but not Required.


Outgoing TLS Messages
Unencrypted = 2,903
-> This section is the number of outgoing messages which were set to TLS Preferred, but the receiving MTA does not support STARTTLS. Hence Unencrypted.

- Erich

Community Member

Re: TLS Stats

Erich

Thanks for the explanation, but I don't see how that relates to the figures we are getting.

The number of TLS Encrypted Messages should be the same as or slightly higher than the number of Successful TLS Required and Preferred Connections, which in this case it is.

Therefore I am assuming that the number of Unencrypted messages should be equal to or slightly higher than the number of Unencrypted and Failed TLS Connections, which is certainly not the case. I would not expect 2903 messages to be sent unencrypted if we have had no Unencrypted or failed TLS Connections.

I need to get a full understanding of the figures as I know that our businesses will be asking the exact same questions when we start reporting on the TLS Figures.

Thanks

Community Member

Re: TLS Stats

Outbound TLS Connections
Unencrypted Connections = 0
-> Does not include connections where TLS was not attempted (due to the fact the receiving MTA does not support STARTTLS), this counter only shows where attempts were made and failed.

Outgoing TLS Messages
Unencrypted = 2,903
-> Includes all messages which were processed through a destination control that included TLS (TLS Preferred/Required). Basically if the message was flagged to attempt TLS and TLS was not supported by the receiving MTA.

- Erich
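
Added example (not part of the thread and not IronPort code): a small Python model of the counting rules as Erich describes them in his two replies, run over a constructed traffic mix shaped like the first post's figures. It models his reading only, not the appliance's actual reporting logic; the `Delivery` fields, the treatment of TLS Required failures and the per-connection message split are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Delivery:
    policy: str          # "preferred" or "required" (destination control setting)
    peer_starttls: bool  # receiving MTA advertised STARTTLS
    handshake_ok: bool   # TLS handshake succeeded (ignored if not attempted)
    messages: int        # messages sent over this connection

def tally(deliveries):
    """Count connections and messages under the rules described in the replies."""
    conn = {"ok_required": 0, "ok_preferred": 0,
            "failed_required": 0, "failed_preferred": 0, "unencrypted": 0}
    msgs = {"encrypted": 0, "unencrypted": 0}
    for d in deliveries:
        if d.peer_starttls and d.handshake_ok:
            conn["ok_" + d.policy] += 1
            msgs["encrypted"] += d.messages
        elif d.policy == "required":
            # Assumption (not covered in the thread): nothing is delivered.
            conn["failed_required"] += 1
        elif d.peer_starttls:
            # STARTTLS attempted and failed: fall back to clear text.
            conn["failed_preferred"] += 1
            conn["unencrypted"] += 1
            msgs["unencrypted"] += d.messages
        else:
            # STARTTLS never offered: no TLS attempt, so no connection counter
            # moves, but the messages still leave unencrypted.
            msgs["unencrypted"] += d.messages
    return conn, msgs

def sample_first_post():
    """Constructed traffic mix; the per-connection split is invented."""
    return ([Delivery("required", True, True, 1)] * 2
            + [Delivery("preferred", True, True, 1)] * 869
            + [Delivery("preferred", True, True, 2)] * 74
            + [Delivery("preferred", False, False, 1)] * 2903)

if __name__ == "__main__":
    print(tally(sample_first_post()))
```

Under these rules the connection table reports 0 unencrypted connections while the message table reports 2,903 unencrypted messages, because peers that never offer STARTTLS contribute to the message counter only.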

Community Member

Re: TLS Stats

What you have said has made sense, but it doesn't tie in with the figures we were getting before we turned on TLS Preferred for all outbound.

If you look at the figures for last week:

TLS Stats:
Successful - Required = 137
Successful - Preferred = 0
Failed - Required = 0
Failed - Preferred = 0
Unencrypted = 198,232

TLS Encrypted Messages = 139
Unencrypted Messages = 255,487

Outbound Message Stats:
Total Attempted Messages = 261,502

Now we have turned on TLS Preferred for all Outbound, it looks like it is only reporting on the messages that could be sent via a TLS Connection and not all messages as we would assume it would.

I guess it might be worth waiting until I have generated this week's reports next Monday to see if the figures do tally, but I am not confident that they will.

Community Member

Re: TLS Stats

So I put together the Stats for last week and they do not make sense. Before we turned on Preferred TLS the number of Unencrypted Outbound Connections correlated with the number of unencrypted messages (About 74%).

Now we have turned on Preferred for all outbound connections the number of Unencrypted Connections is about 4% of the number of unencrypted messages, which is not right.

I have logged a call with support and they also agree that the reporting is not right. They are trying to replicate the problem and hopefully will be able to fix it.

As a side note I have also spotted a problem with the System Capacity Stats since upgrading to 6.1, in which the reported number of Outbound Connections is higher than the reported number of Outbound Messages, which is not correct.

Support is also looking into this, but I would be interested if anyone else has spotted the same?

Community Member

Re: TLS Stats

Update..

Support have got back to me. They were unable to reproduce the issue within the LAB environment as they can't replicate the volume in question.

However, someone else has also reported the problem and a Bug report has been raised.

Bug Report Ref is "42751 (Outgoing TLS Summary is Probably lying)"

Community Member

Same thing here!

Hi !
Got the same kind of stats here...
Incoming stats are OK though :)
Cheers,
Fred

Outgoing TLS Connections Summary
Connection Category % Connections
Successful - Required 0.0% 0
Successful - Preferred 96.6% 1,904
Failed - TLS Required 0.0% 0
Failed - Preferred 1.7% 34
Unencrypted Connections 1.7% 34
Total Connections 1,972


Outgoing TLS Messages Summary
Message Category % Messages
TLS Encrypted 21.2% 3,390
Unencrypted 78.8% 12.6k
Total Messages 16.0k


Incoming TLS Connections Summary
Connection Category % Connections
Successful - Required 0.0% 0
Successful - Preferred 13.4% 1,091
Failed - TLS Required 0.0% 0
Failed - Preferred 0.0% 0
Unencrypted Connections 86.6% 7,055
Total Connections 8,146



Incoming TLS Messages Summary
Message Category % Messages
TLS Encrypted 14.4% 1,401
Unencrypted 85.6% 8,314
Total Messages 9,715

Community Member

Re: TLS Stats

Have you logged a ticket with support?

The more people that report it, the more likely they are to issue a fix.

Community Member

Bug status

Hi there,
I logged a ticket for this issue, and got the following reply:

"It is planned to be fixed in a future release, but won't make it into the upcoming 6.5 release."

Just a little patience ...

BTW, perfect support from IronPort. I had a reply within 10 minutes of opening the call via the Website!!

Cheers,
Fred
