We are using Foglight Experience Monitor (FxM) with a SPAN port. And we are unable to monitor ssl traffic. We are certain that there is actually live traffic. And we are certain it is not due to a problem with the SSL Key file. From SOL31887, I've noticed that our capture rate of 60,000 packets per second is three times the recommended limit. But out of all those packets, less than 0.1% of the incoming data is actually being processed by FxM. So, the appliance is not overloaded. Also, our system is reporting 0 packet drops. In other words, neither the NIC nor the kernel is discarding packets.
FxM's protocol analysis, where it sequences the TCP packets and checks that it has all of the data in order, is showing 30-60% of the TCP data blocks are missing.
Since you are not dropping any packets in the FxM appliance, those drops must be external to the appliance. Most likely you have overloaded the SPAN port. SPAN ports can be configured to duplicate multiple switch ports onto a single SPAN port. The problem with this is that it is easy to oversubscribe the switch's SPAN port, causing the switch to drop packets at the SPAN port before they ever reach the appliance.
If you were to look at a tcpdump capture taken on the appliance, you would likely see a lot of missing data blocks in the data FxM is getting from your SPAN port. For example, the system may be reporting 50%+ missing data. And when you are missing 50% of the data, FxM cannot decrypt anything: the TLS record stream cannot be reassembled with gaps in it.
The root cause of this missing SSL-traffic data is really an external network configuration issue.
Once you reduce the packet loss at the switch's SPAN port, you should be able to successfully decrypt the SSL.
RESOLUTION 1:
Reconfigure your SPAN port to reduce the amount of traffic being copied to the SPAN port.
RESOLUTION 2:
Use Network Taps. Network taps ensure 100% of the packets transmitted on the wire make it to the appliance.
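The diagnostic described in the answer above (sequence the TCP segments, measure how much of the byte stream never arrived, and conclude that gaps with zero NIC/kernel drops mean loss upstream at the SPAN port) can be reproduced with a small script. The following is an added example, not Quest's or FxM's code. It works on constructed segment records (flow key, relative sequence number, payload length) rather than on a live capture; in practice those records would be decoded from a pcap taken on the SPAN or tap interface. It goes slightly beyond the text in that it also handles out-of-order and retransmitted segments by merging byte ranges, so a duplicate is never counted as coverage twice.

```python
"""Estimate how much TCP payload never reached the sensor, per flow.

Added example for the KB answer above; this is not Quest/FxM code. The
segments below are constructed by hand (flow key, relative sequence number,
payload length). In practice they would be decoded from a capture taken on the
SPAN/tap interface with a pcap library; that parsing is out of scope here.
"""
from collections import defaultdict


def missing_bytes(segments):
    """Coverage of one direction of one TCP flow.

    segments: iterable of (seq, payload_len) with relative sequence numbers.
    Returns (expected, seen, missing) in bytes. Out-of-order delivery and
    retransmissions are handled by merging overlapping byte ranges, so a
    duplicate segment is never counted twice. Payload lost before the first
    captured byte is invisible to this method and is therefore undercounted.
    """
    ranges = sorted((seq, seq + ln) for seq, ln in segments if ln > 0)
    if not ranges:
        return 0, 0, 0
    seen = 0
    cur_start, cur_end = ranges[0]
    for start, end in ranges[1:]:
        if start <= cur_end:          # overlap or adjacency: extend the run
            cur_end = max(cur_end, end)
        else:                         # a hole: close the run, start a new one
            seen += cur_end - cur_start
            cur_start, cur_end = start, end
    seen += cur_end - cur_start
    expected = max(end for _, end in ranges) - ranges[0][0]
    return expected, seen, expected - seen


def flow_report(packets):
    """Group (flow_key, seq, payload_len) records by flow and return
    {flow_key: (expected, seen, missing, percent_missing)}."""
    by_flow = defaultdict(list)
    for flow_key, seq, ln in packets:
        by_flow[flow_key].append((seq, ln))
    report = {}
    for flow_key, segs in by_flow.items():
        expected, seen, missing = missing_bytes(segs)
        pct = round(100.0 * missing / expected, 2) if expected else 0.0
        report[flow_key] = (expected, seen, missing, pct)
    return report


def locate_loss(percent_missing, sensor_drops, threshold=1.0):
    """Apply the KB's reasoning: gaps in the stream while the sensor's
    NIC/kernel report zero drops point upstream (SPAN oversubscription)."""
    if percent_missing < threshold:
        return "no significant loss"
    if sensor_drops == 0:
        return "loss upstream of sensor (check SPAN oversubscription or use a tap)"
    return "loss at sensor (NIC/kernel drops reported)"


MSS = 1460
# Constructed flow keys (client IP, client port, server IP, server port).
FLOW_A = ("10.0.0.5", 51234, "10.0.0.9", 443)
FLOW_B = ("10.0.0.6", 51235, "10.0.0.9", 443)

# Constructed capture: flow A should carry 10 full segments, but the SPAN port
# dropped segments 3, 4 and 7; segment 1 also appears twice (a retransmission).
SAMPLE_PACKETS = (
    [(FLOW_A, i * MSS, MSS) for i in range(10) if i not in (3, 4, 7)]
    + [(FLOW_A, 1 * MSS, MSS)]
    + [(FLOW_B, i * MSS, MSS) for i in range(5)]   # flow B arrived intact
)


if __name__ == "__main__":
    for flow, (expected, seen, missing, pct) in flow_report(SAMPLE_PACKETS).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: "
              f"{missing}/{expected} bytes missing ({pct}%) - "
              f"{locate_loss(pct, sensor_drops=0)}")
```

Run stand-alone, flow A reports 30% of its bytes missing with zero sensor drops, which is exactly the signature the answer describes for an oversubscribed SPAN port; flow B reports none. The threshold in `locate_loss` is an assumption chosen for the example, not a value from the article.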
© 2021 Quest Software Inc. ALL RIGHTS RESERVED.