Syslog over TLS fails TLS handshake with error "SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"

9396
Created On 04/11/23 08:56 AM - Last Modified 11/13/24 23:29 PM


Symptom


  • Firewall configured to send Syslog messages via TLS.
  • System logs report the error message "Syslog SSL error while writing stream; tls_error='SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca'.location='/opt/pancfg/mgmt/syslogng/pan_sysng.cfg:59:3'".
  • The log message can be observed also in Web GUI, Monitor > Logs > System.
    (screenshot: the system log entry showing the "tlsv1 alert unknown ca" error)


Environment




Cause


  • If the syslog server requires a client certificate and the client certificate it receives is signed by a CA it does not know, the syslog server aborts the handshake with a fatal TLS alert "Unknown CA".
  • This means the syslog server does not have the CA certificate that signed the client certificate sent by the Firewall.
  • The Unknown CA alert can also be seen in the packet capture.

    (screenshot: packet capture showing the fatal "Unknown CA" TLS alert sent by the syslog server)
  • Syslog server IP address: 10.137.102.173
  • FW management IP address: 10.137.102.178


Resolution


  1. Import the CA certificate that signed the Firewall's client certificate into the Syslog Server's trusted CA store. OR
  2. Change the client certificate on the Firewall to one signed by a CA certificate that the Syslog Server already trusts.
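The following script is an added example, not part of this article and not Palo Alto Networks code. It reproduces the cause offline with openssl so that the chain check the syslog server performs during the handshake can be run by hand before changing the Syslog Server or Firewall configuration. All CA and certificate names (fw-ca, other-ca, firewall-client) and the working directory are constructed for the example; substitute the Firewall's real client certificate and the Syslog Server's CA bundle when checking a live deployment.

```shell
#!/bin/sh
# Added example (not from the KB article): reproduce the "unknown CA" condition
# with openssl only. All names, subjects and paths below are constructed.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Two independent CAs: fw-ca signs the Firewall's client certificate; other-ca
# stands in for a CA the Syslog Server trusts but which did not issue that cert.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
make_ca fw-ca
make_ca other-ca

# Client certificate for the Firewall, issued by fw-ca.
openssl req -newkey rsa:2048 -nodes -subj "/CN=firewall-client" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA fw-ca.pem -CAkey fw-ca.key \
  -CAcreateserial -days 365 -sha256 -out client.pem >/dev/null 2>&1

# check_trust <ca-bundle> <client-cert>
# Same chain validation the Syslog Server performs on the received client cert.
# Returns 0 when the cert chains to a CA in the bundle, 1 otherwise (the case in
# which the server answers with the fatal "unknown ca" alert).
check_trust() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "OK: $2 chains to a CA in $1"
    return 0
  else
    echo "FAIL: $2 does not chain to $1 (server would send 'unknown ca')"
    return 1
  fi
}

# Symptom: the server's trust store lacks fw-ca, so validation fails.
check_trust other-ca.pem client.pem || true

# Resolution 1: add the issuing CA to the server's trusted bundle.
cat other-ca.pem fw-ca.pem > trusted.pem
check_trust trusted.pem client.pem
```

Run the same `openssl verify -CAfile <server-ca-bundle> <firewall-client-cert>` against the real files: a "unable to get local issuer certificate" result on the Syslog Server side is exactly the condition that produces the alert in the Firewall's system log, and either resolution above makes the check pass.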
