VPN Site creation on a Client fails due to mismatch in versions of TLS protocol
Symptoms
  • Debug of VPND daemon on Security Gateway (per sk89940) shows:

    ClientHello: finished parsing
    ClientHello: >>>>>>>>>>>>>>>>
    cptlsChooseVer: Client supports up to version 301.
    cptlsChooseVer: I support between version 302 and 303.
    cptlsChooseVer: Cannot choose version
    invalidate_session: called.
    invalidate_session: did not find any session to invalidate.
    
  • VPN Site creation on Client fails.

  • trac.log file from the Client shows the following failure:

    [cpwssl] cpWinSSL_fwasync_connected: SSL failure: SSL negotiation error. 
    [cpwssl] cpWinSSL_fwasync_close: closing - conn - 0x... 
    [] fwasync_close: close(...): Unknown Winsock error (10038) 
    [talkssl] talkssl::end_handler: ending connection
    
  • Traffic capture on Security Gateway shows that TCP handshake is complete on TCP port 443, but then the Security Gateway resets the connection:

    1. Client Hello:

      Secure Sockets Layer
        TLSv1 Record Layer: Handshake Protocol: Client Hello
          Content Type: Handshake (22)
          Version: TLS 1.0 (0x0301)
          Length: ...
          Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: ...
            Version: TLS 1.0 (0x0301)
      
    2. Security Gateway response (which is followed by 'FIN-ACK' packet):
      Secure Sockets Layer
        TLSv1 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
          Content Type: Alert (21)
          Version: TLS 1.0 (0x0301)
          Length: 2
          Alert Message
            Level: Fatal (2)
            Description: Protocol Version (70)
      
Cause

The Client offers TLS v1.0 (version 0x0301, shown as "301" in the VPND debug) in its Client Hello, but the Security Gateway is configured to accept only TLS v1.1 (0x0302) or TLS v1.2 (0x0303). Since no common version exists, the gateway aborts the handshake with a fatal "Protocol Version" alert and closes the connection.
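As an added example (not Check Point code), the following Python parses a captured Client Hello and Alert record and applies the version selection that the `cptlsChooseVer` debug lines describe. The record bytes are constructed to match the capture above, and `choose_version` is an assumed model of the gateway's decision, not its actual implementation.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HANDSHAKE, ALERT = 22, 21          # TLS record content types
ALERT_PROTOCOL_VERSION = 70        # AlertDescription protocol_version

def parse_record(data):
    """Split a TLS record into (content_type, record_version, body); header is type(1) version(2) length(2)."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return ctype, version, body

def client_hello_version(body):
    """Return client_version from a ClientHello handshake body: type(1) length(3) version(2) ..."""
    if len(body) < 6 or body[0] != 1:
        raise ValueError("not a ClientHello")
    return struct.unpack("!H", body[4:6])[0]

def choose_version(client_max, server_min, server_max):
    """Assumed model of cptlsChooseVer: highest version both sides accept, or None if the ranges do not overlap."""
    chosen = min(client_max, server_max)
    return chosen if chosen >= server_min else None

def diagnose(client_record, alert_record=None, server_min=0x0302, server_max=0x0303):
    """Explain a capture like the one above; the gateway range defaults to TLS 1.1..1.2 as in the debug output."""
    ctype, _, body = parse_record(client_record)
    if ctype != HANDSHAKE:
        raise ValueError("first record is not a Handshake")
    client_max = client_hello_version(body)
    chosen = choose_version(client_max, server_min, server_max)
    if chosen is not None:
        return "ok: negotiated %s" % TLS_VERSIONS[chosen]
    verdict = "version mismatch: client offers up to %s, gateway accepts %s to %s" % (
        TLS_VERSIONS[client_max], TLS_VERSIONS[server_min], TLS_VERSIONS[server_max])
    if alert_record is not None:
        atype, _, abody = parse_record(alert_record)
        if atype == ALERT and tuple(abody) == (2, ALERT_PROTOCOL_VERSION):   # level fatal(2), desc 70
            verdict += "; confirmed by fatal protocol_version alert (70)"
    return verdict

# Constructed sample records matching the capture above (random bytes are a placeholder pattern).
CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d"            # record: Handshake, TLS 1.0, length 45
                + b"\x01\x00\x00\x29"              # ClientHello, length 41
                + b"\x03\x01" + b"\x11" * 32       # client_version 0x0301 (TLS 1.0), random
                + b"\x00"                          # session_id length 0
                + b"\x00\x02\x00\x2f"              # one cipher suite
                + b"\x01\x00")                     # null compression
GATEWAY_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"    # Alert, TLS 1.0, length 2: fatal(2), protocol_version(70)
```

Running `diagnose(CLIENT_HELLO, GATEWAY_ALERT)` reproduces the mismatch verdict; passing `server_min=0x0301` shows the same Client Hello negotiating successfully, which is the state the Solution must restore on one side or the other.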


Solution