Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6610
Views
0
Helpful
3
Replies

TLS failed. Reason: (336130329, 'error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac')

abdelhamid_mahmoud
Level 1
Level 1

‎09-26-2017 04:27 AM - edited ‎03-08-2019 07:24 PM

I am getting this error in the mail_logs on just a few incoming connections...   After this error the connection is lost and the sending SMTP server is unable to send e-mail to us.

 

Any idea what this is and how I correct it?

Labels:
Preview file
127 KB
0 Helpful
3 Replies 3

Libin Varghese
Cisco Employee
Cisco Employee

‎09-26-2017 05:12 AM

Hi,

 

The error suggests the sending server was not able to negotiate TLS with the ESA.

 

This could be due to a mis-match in TLS versions offered or not being able to agree upon a cipher.

 

The ciphers configured to be offered by the ESA can be viewed from the GUI System Administration -> SSL Configuration or from the CLI sslconfig -> verify -> Paste the cipher string for inbound seen from the GUI.

 

You can also set up a packet capture on the ESA for the sending IP to confirm why the connection was not successful.

 

In TLS, the Client ESA offers the supported protocol and ciphers to the Server in the "Client Hello“. The TLS Server makes a decision on the cipher and takes the first match from the ordered cipher suites that are offered.

 

Regards,

Libin Varghese

0 Helpful

abdelhamid_mahmoud
Level 1
Level 1
In response to Libin Varghese

‎09-26-2017 06:17 AM

Thanks for fast reply,

 

in ssl configuration :

 

Inbound SMTP method: tlsv1_0tlsv1_1tlsv1_2tlsv1_0tlsv1_1tlsv1_2
Inbound SMTP ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT

 

SSLV3 method not configured, this is the issue or not? , if not what is the the error in SMTP method or ciphers that cause the tls failed (SSL routines:SSL3_GET_RECORD) ?

 

Thanks

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to abdelhamid_mahmoud

‎09-26-2017 06:20 AM

SSLv3 ciphers are used by TLSv1.

 

TLSv1 does not have a dedicated set of ciphers apart from that.

 

Based on the configuration it appears to be default, so you can set up a packet capture or contact the sender to confirm what ciphers they require to be offered.

 

- Libin V

0 Helpful
Customers Also Viewed These Support Documents