Troubleshoot iSSL Issues

This section lists the iSSL issues that may occur and the steps to troubleshoot such issues. Refer to the following sections for details:

Blacklisted Domain/IP is not getting decrypted

Problem Description: Sometimes the blacklisted Domain/IP may not get decrypted, though the rules are correctly configured.

For example, you have uploaded *.yahoo.com to the decrypt list, but news.yahoo.com is not getting decrypted.

Corrective Action: Perform the following tasks to troubleshoot this issue.

  • Clear the browser's cache or open the browser in private mode and reverify.
  • Use the session details command to verify the match condition. Ensure that the Policy Match Field displays the configured rule. For example, if you have configured the first rule as domain, ensure that the Policy Match Field displays the same domain.
  • Check for any overlapping rules / categories within the policy decision.

If you can't resolve the issue with these corrective actions, please contact customer support.

A session is dropped or bypassed due to version mismatch

Problem Description:

Based on the TLS versions configured in the iSSL settings, by default the session is:

  • Dropped, if the client TLS version is lower than the minimum version.
  • Bypassed, if the client TLS version is higher than the maximum version.

Corrective Action: Perform the following to troubleshoot this issue.

  1. Check the Max Version of TLS configured in the iSSL settings.
  2. If the Max Version is tls12, enter the following command in the CLI to change the version to tls13.
     lab-HC2 (config) # apps inline-ssl min-version sslv3 max-version tls13
  3. Check whether tls13 Client Hello messages are received.

If you can't resolve the issue with this corrective action, please contact customer support.
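
The following is an added example, not part of the original documentation or the product's code: a Python sketch that reads a captured ClientHello record to tell whether the client offers TLS 1.3 (step 3) and then applies the default drop/bypass rule described above. A TLS 1.3 ClientHello still carries 0x0303 in its legacy version field and advertises 1.3 in the supported_versions extension, so the check has to look there. The function names, the "in-range" label and the constructed sample hello are assumptions, as is the way the appliance itself derives the client version.

```python
import struct

SSLV3, TLS12, TLS13 = 0x0300, 0x0303, 0x0304   # wire values for sslv3 / tls12 / tls13

def highest_offered_version(record: bytes) -> int:
    """Highest version offered by a ClientHello that fits in a single TLS record."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 0x01:
            raise ValueError("not a ClientHello")
        legacy = struct.unpack("!H", body[4:6])[0]
        pos = 4 + 2 + 32                                      # header, legacy_version, random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos + 2 > len(body):
            return legacy                                     # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == 43:                                   # supported_versions
                vers = struct.unpack(f"!{data[0] // 2}H", data[1:1 + data[0]])
                real = [v for v in vers if (v & 0x0F0F) != 0x0A0A]  # skip GREASE values
                return max(real) if real else legacy
            pos += 4 + elen
        return legacy
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def default_action(version: int, min_version: int, max_version: int) -> str:
    """Default handling from the page: below min is dropped, above max is bypassed."""
    if version < min_version:
        return "drop"
    return "bypass" if version > max_version else "in-range"

def build_client_hello(legacy: int, supported=()) -> bytes:
    """Constructed sample ClientHello (one cipher suite, null compression)."""
    ext = b""
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 43, len(lst) + 1, len(lst)) + lst
    body = (struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

With Max Version left at tls12, a hello whose supported_versions list includes 0x0304 is classified as "bypass"; after raising the maximum to tls13 the same hello is "in-range".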