04-07-2017 10:47 AM
Hi Team,
We are seeing the errors below when we grep for "TLS failed".
Please let us know what they indicate:
1) Tue Mar 21 17:32:31 2017 Info: DCID 31581697 TLS failed: (336142563, 'error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext
2) Wed Mar 22 11:52:11 2017 Info: DCID 31706681 TLS failed: TLS connection limit exceeded
Wed Mar 22 11:52:11 2017 Info: DCID 31706681 TLS was required but could not be successfully negotiated
Thank you
04-07-2017 12:03 PM
Hi,
For the first error:
This would be corrected by adjusting the outbound SMTP: SSL Ciphers to use: add -ECDH
Sample: MEDIUM:HIGH:!RC4:!SSLv2:!SSLv3:!aNULL:!EXPORT:@STRENGTH:-ECDH
Then test.
Elliptic curves extension in server hello is not tolerated by CiscoSSL
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva00454
Workaround:
There are two options for working around this issue:
1) Disable TLS in Destination Controls for domains that have this issue
2) Add the following to the end of your outbound cipher specification in the 'sslconfig' CLI command: -ECDH
For the second:
"TLS connection limit exceeded" errors are soft bounces, and hence they would automatically deliver again once a connection is available.
Hence, "TLS connection limit exceeded" is not so much an error as a warning letting you know some connections are getting delayed.
To register for notifications on field notices use the below link:
http://www.cisco.com/cisco/support/notifications.html
Thank You!
Libin Varghese
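One way to triage the two kinds of "TLS failed" entries covered in the answer above, as an added example that is not part of the original thread or any Cisco tooling. The line format is assumed from the three log lines in the question, and the category labels are this example's own.

```python
import re
from collections import defaultdict

# Log lines copied from the question above (the first is truncated on the page).
SAMPLE_LOG = """\
Tue Mar 21 17:32:31 2017 Info: DCID 31581697 TLS failed: (336142563, 'error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext
Wed Mar 22 11:52:11 2017 Info: DCID 31706681 TLS failed: TLS connection limit exceeded
Wed Mar 22 11:52:11 2017 Info: DCID 31706681 TLS was required but could not be successfully negotiated
"""

# Assumed layout: "<timestamp> Info: DCID <id> TLS <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}) Info: DCID (?P<dcid>\d+) (?P<msg>TLS .*)$"
)

# Substring -> (label, advice). Advice paraphrases the answer; labels are hypothetical.
RULES = [
    ("parse tlsext", "tlsext_parse",
     "CSCva00454: append -ECDH to the outbound ciphers or disable TLS for the domain"),
    ("TLS connection limit exceeded", "conn_limit",
     "soft bounce: delivery is retried once a connection is available"),
]

def classify(msg):
    """Map a 'TLS failed' message to one of the categories from the answer."""
    for needle, label, advice in RULES:
        if needle in msg:
            return label, advice
    return "other", "unclassified TLS failure"

def summarize(log_text):
    """Group TLS failures by DCID and note connections where TLS was required."""
    conns = defaultdict(lambda: {"reasons": [], "tls_required": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a DCID TLS line
        entry = conns[m["dcid"]]
        if m["msg"].startswith("TLS failed:"):
            entry["reasons"].append(classify(m["msg"]))
        elif m["msg"].startswith("TLS was required"):
            entry["tls_required"] = True
    return dict(conns)

if __name__ == "__main__":
    for dcid, info in summarize(SAMPLE_LOG).items():
        flag = " [TLS required]" if info["tls_required"] else ""
        for label, advice in info["reasons"]:
            print(f"DCID {dcid}: {label}{flag} -> {advice}")
```

Grouping by DCID keeps the "TLS was required" line attached to the failure that caused it, so destinations where TLS is mandatory stand out from the rest.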
04-07-2017 12:37 PM
Hi Libin,
Thank you for your prompt response. We need to have field notices for the ESA/SMA; we are not finding any options for the same from the link provided. Please suggest.
04-07-2017 12:57 PM
From the link:
Add Notification -> Product-centric -> Select from list -> Products -> Security -> Email Security (for ESA)/Security Management (for SMA) -> Check Field Notices -> Finish
- Libin Varghese