https://community.cisco.com/t5/network-security/ssl-content-type-alert-21/m-p/1218379#M876374 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It looks like alert code 21 means that the message could not be unencrypted:</P><P></P><P><A class="jive-link-custom" href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Alert_protocol" target="_blank">http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Alert_protocol</A></P><P></P><P>I've never experienced this problem, so I'm not sure how to proceed in troubleshooting it. Could the packets be corrupted during transportation?</P><P></P><P>Also, you mentioned "one of the webpages". Does this mean that you are only having this error when visiting a single page and all other pages are working? If so, you may want to look at the application side of things on the web server.</P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Mon, 16 Feb 2009 03:00:12 GMT robertson.michael 2009-02-16T03:00:12Z https://community.cisco.com/t5/network-security/ssl-content-type-alert-21/m-p/1218378#M876372 <P>Hi, </P><P></P><P>During https connection after the handshake is successfully done, I am getting 'Encrypted Alert' message in Wireshark/Ethereal on one of the webpages. The alert error code is 21. </P><P></P><P>Does anyone know what Alert 21 means. Or is there any list for alert protocol error codes and its description. </P> Mon, 11 Mar 2019 14:50:50 GMT https://community.cisco.com/t5/network-security/ssl-content-type-alert-21/m-p/1218378#M876372 cisco_lite 2019-03-11T14:50:50Z https://community.cisco.com/t5/network-security/ssl-content-type-alert-21/m-p/1218379#M876374 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>It looks like alert code 21 means that the message could not be unencrypted:</P><P></P><P><A class="jive-link-custom" href="http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Alert_protocol" target="_blank">http://en.wikipedia.org/wiki/Secure_Sockets_Layer#Alert_protocol</A></P><P></P><P>I've never experienced this problem, so I'm not sure how to proceed in troubleshooting it. Could the packets be corrupted during transportation?</P><P></P><P>Also, you mentioned "one of the webpages". Does this mean that you are only having this error when visiting a single page and all other pages are working? If so, you may want to look at the application side of things on the web server.</P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Mon, 16 Feb 2009 03:00:12 GMT https://community.cisco.com/t5/network-security/ssl-content-type-alert-21/m-p/1218379#M876374 robertson.michael 2009-02-16T03:00:12Z https://community.cisco.com/t5/network-security/ssl-content-type-alert-21/m-p/3417735#M876378 <P>In a nutshell TLS is all about different&nbsp;records. Different records serve different purposes. Records have <EM>Content-Type</EM> field and <EM>Message</EM> fields (Some other fields too).</P> <P>&nbsp;</P> <P><EM>Content-Type</EM> will state <SPAN><EM>Record Layer Protocol</EM> Type</SPAN>. Depending upon the Content-Type field's value, you know what is the purpose of a particular record. For eg: <EM>Content-Type=21</EM> means that this is an <EM>Alert</EM>&nbsp;protocol and <EM>Content-Type=22</EM> means that this is a <EM>Handshake</EM>&nbsp;protocol.&nbsp;</P> <P>&nbsp;</P> <P><EM>Message</EM> field will contain the actual message related to a particular <EM>Record&nbsp;Protocol </EM>type.</P> <P>&nbsp;</P> <P>The <EM>Alert</EM>&nbsp;protocol further has a field called&nbsp;<SPAN><EM>Description</EM>. This field&nbsp;contains the&nbsp;actual error information.</SPAN></P> <P>There are different Descriptions, the list could be found here:&nbsp;<A href="https://tools.ietf.org/html/rfc5246#page-29&nbsp;" target="_blank">https://tools.ietf.org/html/rfc5246#page-29&nbsp;</A></P> <P><SPAN>Each Description has a Code associated with it. A Description named&nbsp;<EM>decryption_failed_RESERVED</EM> has Code of 21.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Now coming to the wireshark:</SPAN></P> <P>The&nbsp;21 shown in the wireshark capture is <STRONG>not</STRONG> a code but it is value in the <STRONG>Content-Type</STRONG> field of the TLS record. In plain words, the wireshark is telling us that this is a TLS Alert protocol.&nbsp;</P> <P>&nbsp;</P> <P>The&nbsp;Message field&nbsp;&nbsp;is encrypted. The wireshark is not able to look further into this&nbsp;Message field as it is encrypted. So, wireshark doesn't show the actual Message.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Alert_Protocol" style="width: 943px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/14840iB6469F5A9CCFB3C4/image-size/large?v=v2&amp;px=999" role="button" title="TLS-record.jpg" alt="Alert_Protocol" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Alert_Protocol</span></span></P> <P>There is a possibility to decrypt the captures in wireshark.&nbsp;<A href="https://wiki.wireshark.org/SSL&nbsp;" target="_blank">https://wiki.wireshark.org/SSL&nbsp;</A></P> <P>&nbsp;</P> <P>Hope this helps.</P> <P>Prab <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> Wed, 18 Jul 2018 19:07:34 GMT https://community.cisco.com/t5/network-security/ssl-content-type-alert-21/m-p/3417735#M876378 Prab 2018-07-18T19:07:34Z