
TLS failed. Reason: Unknown Error

Andrei88
Level 1

Hi guys,

Can you help me with this problem with inbound mails? From certain domains I get this response on ESA (TLS failed. Reason: Unknown Error). After that the receiving is aborted. What may be the cause of this? Current version of my OS is 14.2.1.

Thanks!

 


balaji.bandi
Hall of Fame

Check the TLS configuration:

Enabled TLS versions can be checked under System Administration -> SSL Configuration.

BB


kasimalbayrak
Level 1

Hello,


I have the same problem with ESA version 14.2.1-015.
I enabled TLSv1.0 in the SSL configuration, but the problem did not improve.
SSL Cipher(s) to use: I tried the following and I still get the same error.

AES128:AES256:!SRP:!AESGCM+DH+aRSA:!AESGCM+RSA:!aNULL:!kRSA:@STRENGTH:-aNULL:-EXPORT:-IDEA
MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256

I am waiting for your solution suggestions.

Thanks

ironport4she
Level 1

I see the same error here:
Sun Jan 21 15:38:18 2024 Info: New SMTP ICID 3299541 interface mailout (x.x.x.x) address y.y.y.y reverse dns host unknown verified no
Sun Jan 21 15:38:18 2024 Info: ICID 3299541 RELAY SG RELAYLIST match y.y.y.y SBRS not enabled country not enabled
Sun Jan 21 15:38:18 2024 Info: ICID 3299541 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Sun Jan 21 15:38:18 2024 Info: ICID 3299541 TLS failed: Unknown Error
Sun Jan 21 15:38:18 2024 Info: ICID 3299541 lost
Sun Jan 21 15:38:18 2024 Info: ICID 3299541 close

and need information on why the TLS connection is failing. I opened a service request with Cisco support today. Maybe they can help or give more information about this issue.

Regards
Ralf

It is a TLS version issue. The remote site is probably using TLS version 1.0, which is highly deprecated.



You have the option to deactivate TLS with the remote site.

Your mailflow policy must be configured to use TLS in preferred mode.

To disable TLS with the remote site, create a "Destination control" for the remote mail domain, setting TLS to "none".


Hello,
thanks for your answer. But according to the mail log both parties are using TLS1.2. Disabling TLS is not a real option since the sender has required TLS configured and won't disable it. For testing because of the current issue, he has disabled TLS.
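
Added example, not part of any post in this thread: a Python sketch that groups ESA mail log lines like those posted above by ICID and reports, for each connection that logged `TLS failed`, the peer address and whether a `TLS success` line with a negotiated protocol and cipher was logged for it. The sample log is constructed from the excerpt above (ICIDs 3299542 and 3299543 are invented), and the stage labels are this example's own naming.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the mail log excerpt posted in this thread.
# Addresses are placeholders; ICIDs 3299542 and 3299543 are invented sessions.
SAMPLE_LOG = """\
Sun Jan 21 15:38:18 2024 Info: New SMTP ICID 3299541 interface mailout (x.x.x.x) address y.y.y.y reverse dns host unknown verified no
Sun Jan 21 15:38:18 2024 Info: ICID 3299541 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Sun Jan 21 15:38:18 2024 Info: ICID 3299541 TLS failed: Unknown Error
Sun Jan 21 15:38:18 2024 Info: ICID 3299541 lost
Sun Jan 21 15:38:19 2024 Info: New SMTP ICID 3299542 interface mailout (x.x.x.x) address z.z.z.z reverse dns host unknown verified no
Sun Jan 21 15:38:19 2024 Info: ICID 3299542 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Sun Jan 21 15:38:19 2024 Info: ICID 3299542 close
Sun Jan 21 15:38:20 2024 Info: New SMTP ICID 3299543 interface mailout (x.x.x.x) address w.w.w.w reverse dns host unknown verified no
Sun Jan 21 15:38:20 2024 Info: ICID 3299543 TLS failed: Unknown Error
"""

NEW = re.compile(r"New SMTP ICID (\d+) interface \S+ \(\S+\) address (\S+)")
OK = re.compile(r"ICID (\d+) TLS success protocol (\S+) cipher (\S+)")
FAIL = re.compile(r"ICID (\d+) TLS failed: (.+)")

def tls_failures(log_text):
    """Return one record per ICID that logged 'TLS failed', with its TLS context."""
    sessions = defaultdict(lambda: {"peer": None, "negotiated": None, "reason": None})
    for line in log_text.splitlines():
        if m := NEW.search(line):
            sessions[m.group(1)]["peer"] = m.group(2)
        elif m := OK.search(line):
            sessions[m.group(1)]["negotiated"] = (m.group(2), m.group(3))
        elif m := FAIL.search(line):
            sessions[m.group(1)]["reason"] = m.group(2).strip()
    report = []
    for icid, s in sessions.items():
        if s["reason"] is None:
            continue  # connection never logged a TLS failure
        # If a 'TLS success' line exists, the log already recorded an agreed
        # protocol and cipher for this ICID; keep both facts side by side.
        stage = "after-tls-success" if s["negotiated"] else "before-tls-success"
        report.append({"icid": icid, "stage": stage, **s})
    return report

if __name__ == "__main__":
    for record in tls_failures(SAMPLE_LOG):
        print(record)
```

Run over a full mail log, the per-peer records show whether the failures cluster on particular sending hosts and which protocol and cipher were logged for them.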