On Foglight Experience Monitor (FxM), we are getting Invalid SSL Content errors. We've ruled out it being due to a problem with the network taps (or span ports).
Possibly defect FXM-287. These are false positives for SSL content errors: they are not real errors, and FxM is decrypting all the data it sees.
FxM is stuck with some un-ACKed data in its TCP queue that basically represents a partial SSL record.
It gets into this state when one or more clients start an SSL connection by sending the SSL client hello to the server and then, after receiving the SSL server hello and SSL server certificate from the server, send a TCP RESET for that connection. The client sends the server a RESET immediately after the server is done sending, instead of first cleanly ACKing that data at the TCP level. (The bigger question to ask your network team is why those clients are just opening and resetting SSL connections instead of sending any actual data.)
FxM then attempts to process that partial SSL data, which triggers the Invalid SSL Content error. FxM should not attempt to process the partial SSL data on the TCP RESET.
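As an added illustration (this is not Quest's code and not part of FxM), the following Python flow tracker replays the sequence described above on constructed packet records and flags a client RESET that arrives while server-to-client TLS data is still un-ACKed, which is exactly the condition FxM misreports. The addresses, sequence numbers and TLS record bytes are constructed; the Pkt and Flow types, tls_split() and analyse() are hypothetical helpers written for this example, not FxM APIs.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TLS_HANDSHAKE = 0x16  # TLS record content type for handshake messages


@dataclass
class Pkt:
    """One TCP segment as seen by a passive monitor (constructed, not a real capture)."""
    src: str            # "ip:port"
    dst: str
    flags: frozenset    # subset of {"SYN", "ACK", "PSH", "RST", "FIN"}
    seq: int
    ack: int
    payload: bytes = b""


@dataclass
class Flow:
    client: str
    server: str
    server_next_seq: Optional[int] = None  # next byte the server would send
    client_acked: int = 0                  # highest server seq the client ACKed
    server_data: bytes = b""               # in-order server->client bytes after the SYN-ACK


def tls_split(buf: bytes) -> Tuple[int, int]:
    """Count complete TLS records at the start of buf; return (complete, leftover_bytes).
    A TLS record header is 5 bytes: type, version (2), length (2, big-endian)."""
    i, complete = 0, 0
    while i + 5 <= len(buf):
        length = int.from_bytes(buf[i + 3:i + 5], "big")
        if i + 5 + length > len(buf):
            break               # header seen but body incomplete: partial record
        i += 5 + length
        complete += 1
    return complete, len(buf) - i


def analyse(packets: List[Pkt]) -> List[dict]:
    """Track flows and report, for every client RST, how much server data was un-ACKed."""
    flows: Dict[Tuple[str, str], Flow] = {}
    findings: List[dict] = []
    for p in packets:
        if "SYN" in p.flags and "ACK" not in p.flags:
            flows[(p.src, p.dst)] = Flow(client=p.src, server=p.dst)
            continue
        f = flows.get((p.src, p.dst)) or flows.get((p.dst, p.src))
        if f is None:
            continue
        if p.src == f.server:
            if "SYN" in p.flags:                         # SYN-ACK: fixes the server's ISN
                f.server_next_seq = p.seq + 1
            elif p.payload and p.seq == f.server_next_seq:
                f.server_data += p.payload
                f.server_next_seq += len(p.payload)
            continue
        # client side
        if "ACK" in p.flags:
            f.client_acked = max(f.client_acked, p.ack)
        if "RST" in p.flags and f.server_next_seq is not None:
            unacked = min(f.server_next_seq - f.client_acked, len(f.server_data))
            tail = f.server_data[len(f.server_data) - unacked:] if unacked > 0 else b""
            complete, partial = tls_split(tail)
            if partial > 0:
                verdict = "premature RST: partial TLS record left un-ACKed"
            elif unacked > 0:
                verdict = "premature RST: server data left un-ACKed"
            else:
                verdict = "clean RST"
            findings.append({"client": f.client, "server": f.server,
                             "unacked_bytes": unacked, "complete_records": complete,
                             "partial_record_bytes": partial, "verdict": verdict})
    return findings


# Constructed TLS bytes: a tiny ServerHello record and the first 10 bytes of a
# Certificate record whose header announces a 16-byte body (so it is partial).
CLIENT_HELLO = b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"
SERVER_HELLO = b"\x16\x03\x03\x00\x04" + b"\x02\x00\x00\x00"
CERT_PARTIAL = b"\x16\x03\x03\x00\x10" + b"\x0b\x00\x00\x0c\x00"


def build_flow(client: str, server: str, ack_before_reset: bool) -> List[Pkt]:
    """Handshake, ClientHello, ServerHello + partial Certificate, then a client RST."""
    F = frozenset
    pk = [Pkt(client, server, F({"SYN"}), 1000, 0),
          Pkt(server, client, F({"SYN", "ACK"}), 5000, 1001),
          Pkt(client, server, F({"ACK"}), 1001, 5001),
          Pkt(client, server, F({"PSH", "ACK"}), 1001, 5001, CLIENT_HELLO),
          Pkt(server, client, F({"ACK"}), 5001, 1010),
          Pkt(server, client, F({"PSH", "ACK"}), 5001, 1010, SERVER_HELLO),
          Pkt(server, client, F({"PSH", "ACK"}), 5010, 1010, CERT_PARTIAL)]
    if ack_before_reset:
        pk.append(Pkt(client, server, F({"ACK"}), 1010, 5020))  # the well-behaved client
    pk.append(Pkt(client, server, F({"RST"}), 1010, 5001))
    return pk


SAMPLE = build_flow("10.0.0.5:51000", "10.0.0.9:443", False) + \
         build_flow("10.0.0.6:51001", "10.0.0.9:443", True)

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

The first flow is the misbehaving client from the description: it resets with 19 server bytes un-ACKed, one complete TLS record plus 10 bytes of a partial one. The second flow ACKs the server hello and certificate before resetting and is reported as a clean RST. The same check, run over a real capture with a proper packet parser, gives the network team the list of client addresses that reset prematurely.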
WORKAROUND
Talk with your network team about reconfiguring the network so that the servers get a proper ACK before the TCP RESET. The client should send a TCP ACK for the server hello and SSL certificate and only then send a TCP RESET.
STATUS
Fixed in version 5.6.5. By "fixed" we mean that the partial SSL data in the traffic will no longer cause an 'Invalid SSL Content' error. However, you should still let your network team know that TCP RESETs are being sent prematurely. The latest version of FxM can be downloaded at:
http://support.quest.com/Search/SearchDownloads.aspx
© 2021 Quest Software Inc. ALL RIGHTS RESERVED.