TLS failed. Reason: (336027900, 'error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol').

PedroNg028067
Level 1

Hi, we recently found a lot of blocked connections to our Cisco C100V - Cloud Email Security Appliance due to a TLS error.

 

Any help is greatly appreciated. Many thanks!!

 

This is my first time posting a question in this community. Sorry if I posted in the wrong area.

 

06 Jun 2019 16:18:13 (GMT +08:00) Protocol SMTP interface Data 1 (IP 139.xxx.xxx..xx) on incoming connection (ICID 316515) from sender IP 165.xxx.xxx.xx Reverse DNS host sendmail.flyasiana.com verified yes.
06 Jun 2019 16:18:13 (GMT +08:00) (ICID 316515) ACCEPT sender group ACCEPTLIST match sbrs[4.0:10.0] SBRS 5.1 sender IP 165.141.xx.xx country Korea, Republic of
06 Jun 2019 16:18:14 (GMT +08:00) (ICID 316515) TLS failed. Reason: (336027900, 'error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol').
06 Jun 2019 16:18:14 (GMT +08:00) (ICID 316515) Unknown command: \\x00\\x009\\x00\\x008\\x00\\x005\\x00\\x00\\x16\\x00\\x00\\x13\\x00\\x00.
06 Jun 2019 16:18:14 (GMT +08:00) Incoming connection (ICID 316515) lost.
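As an added example (not part of the original post and not Cisco tooling), the Python code below decodes the escaped bytes from the "Unknown command" log line above and checks whether they fit the 3-byte cipher-spec encoding used in an SSLv2-compatible ClientHello, which helps separate leftover TLS handshake data from a malformed text command. The suite names come from the IANA TLS registry; the function names and the second sample line are constructed for illustration, and reading the bytes as handshake data is an interpretation, not something the thread states.

```python
import re

# TLS cipher suite IDs (IANA registry) that occur in the sample below.
SUITES = {
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}
UNKNOWN_CMD = re.compile(r"\(ICID (\d+)\) Unknown command: (.*)\.$")
TOKEN = re.compile(r"\\x([0-9a-fA-F]{2})|(.)", re.S)

def unescape(text):
    """Turn the log's hex escapes back into the raw bytes the listener read."""
    text = text.replace("\\\\", "\\")  # the page shows the backslashes doubled
    return bytes(int(m.group(1), 16) if m.group(1) else ord(m.group(2)) & 0xFF
                 for m in TOKEN.finditer(text))

def v2_cipher_specs(data):
    """Read data as 3-byte cipher specs (0x00 + 2-byte TLS suite ID), the
    encoding of an SSLv2-compatible ClientHello; None if it does not fit."""
    groups = [data[i:i + 3] for i in range(0, len(data) - len(data) % 3, 3)]
    if not groups or any(g[0] != 0 for g in groups):
        return None
    ids = [int.from_bytes(g[1:], "big") for g in groups]
    return [SUITES.get(i, "0x%04X" % i) for i in ids]

def triage(line):
    """Return (ICID, verdict, suites) for an 'Unknown command' line, else None."""
    m = UNKNOWN_CMD.search(line)
    if not m:
        return None
    # Assumption: bytes that fit the encoding are leftover TLS handshake data.
    suites = v2_cipher_specs(unescape(m.group(2)))
    verdict = "tls-handshake-bytes" if suites else "text-command"
    return int(m.group(1)), verdict, suites or []

SAMPLE = [  # first line copied from the post; second line is constructed
    r"(ICID 316515) Unknown command: \\x00\\x009\\x00\\x008\\x00\\x005\\x00\\x00\\x16\\x00\\x00\\x13\\x00\\x00.",
    r"(ICID 400001) Unknown command: FOOBAR test.",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

The trailing two zero bytes in the logged command are an incomplete group and are ignored by the decoder.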

 


Philip D'Ath
VIP Alumni

I'm going to guess this is a typical example of someone scanning to try and find a system they can compromise.

 

Looking at the command that was logged you can see that it is not valid.

Hi Philip, thanks for your reply! Actually, this IP address belongs to one of our clients, who complains that they can't send us email. Hence, I think it is not caused by someone scanning our device.

 

Any other possible reasons? 

 

Many thanks!

What TLS versions and ciphers do you have enabled?

Hi Dennis, thank you very much for your response!

 

After getting a reply from Cisco, I understand the problem is caused by TLS v1.0. From 12.x, TLS v1.0 is disabled by default in the Cloud Email Security Appliance, but the senders are using TLS v1.0. The temporary fix is to enable 1.0 until the senders use 1.1 or above.

 

Go to System Administration | SSL Configuration | Enable TLSv1.0 for inbound and outbound

Submit and commit the changes.

 

Hope that this can help others if they have a similar problem.

 

Thanks!

 

Pedro

Hello,

 

Glad to hear you figured everything out. :) Thanks for providing us with the fix!

 

Thanks!

-Dennis M.

Hello,

 

Is this the only sender that you're seeing this issue with? If so, it's most likely to be on their end and they're sending incorrect SMTP commands when trying to perform TLS. You may also want to make sure that SMTP fixup/ESMTP inspection is not enabled on any firewalls for the traffic incoming to your ESA.

 

Thanks!

-Dennis M.