Troubleshoot TLS/SSL Oversubscription

If your managed device has TLS crypto acceleration enabled, you can view connection events to determine whether the device is experiencing TLS/SSL oversubscription. You must add at least the SSL Flow Flags column to the table view of connection events.

Before you begin

Procedure


Step 1

Click Analysis > Connections > Events.

Step 2

Click Table View of Connection Events.

Step 3

Click x on any column in the connection events table to add columns for at least SSL Flow Flags and SSL Flow Messages.

The following example shows adding the SSL Actual Action, SSL Flow Error, SSL Flow Flags, SSL Flow Messages, SSL Policy, and SSL Rule columns to the table of connection events. (Look in the Disabled Columns section of the dialog box.)

Adding SSL flags to the list of connection events you wish to view.

Step 4

Click Apply.

TLS/SSL oversubscription is indicated by the values of ERROR_EVENT_TRIGGERED and OVER_SUBSCRIBED in the SSL Flow Flags column.

Step 5

If TLS/SSL oversubscription is occurring, log in to the managed device and enter any of the following commands:

Command: show counters
Result: If the value of TCP_PRX BYPASS_NOT_ENOUGH_MEM is large, consider upgrading your device to one with a larger capacity for SSL traffic or using Do Not Decrypt rules for lower priority encrypted traffic.

Command: show snort tls-offload
Result: If the value of BYPASS_NOT_ENOUGH_MEM is large, consider upgrading your device to one with a larger capacity for SSL traffic or using Do Not Decrypt rules for lower priority encrypted traffic.
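The check described after Step 4 can also be run over saved connection-event rows to see which devices are affected and how often. The following is an added example, not code from the product or its documentation; the CSV layout, the column header names, the comma-separated flag format and the device names are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Flags the page names as indicating TLS/SSL oversubscription.
OVERSUB_FLAGS = {"ERROR_EVENT_TRIGGERED", "OVER_SUBSCRIBED"}

# Constructed sample rows; the column headers and the comma-separated
# flag layout are assumptions, not a documented export format.
SAMPLE_CSV = """Device,Initiator IP,SSL Actual Action,SSL Flow Flags
ftd-edge-1,10.0.0.5,Decrypt (Resign),"VALID, INITIALIZED, SSL_DETECTED"
ftd-edge-1,10.0.0.9,Do Not Decrypt,"VALID, ERROR_EVENT_TRIGGERED, OVER_SUBSCRIBED"
ftd-edge-1,10.0.0.7,Do Not Decrypt,"VALID, OVER_SUBSCRIBED, ERROR_EVENT_TRIGGERED"
ftd-edge-2,10.0.1.4,Decrypt (Resign),"VALID, ERROR_EVENT_TRIGGERED"
ftd-edge-2,10.0.1.8,Decrypt (Resign),""
"""

def parse_flags(cell):
    """Split a flags cell into a set of upper-case flag names."""
    return {f.strip().upper() for f in (cell or "").split(",") if f.strip()}

def oversubscription_by_device(csv_text, device_col="Device",
                               flags_col="SSL Flow Flags"):
    """Return {device: (oversubscribed_events, total_events)}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if flags_col not in (reader.fieldnames or []):
        raise ValueError(f"column {flags_col!r} missing; add it to the table view first")
    counts = defaultdict(lambda: [0, 0])
    for row in reader:
        entry = counts[row.get(device_col) or "unknown"]
        entry[1] += 1
        # Assumption: a row counts only when both flags are present;
        # a row with ERROR_EVENT_TRIGGERED alone is not counted.
        if OVERSUB_FLAGS <= parse_flags(row.get(flags_col)):
            entry[0] += 1
    return {dev: tuple(v) for dev, v in counts.items()}

if __name__ == "__main__":
    for dev, (hit, total) in sorted(oversubscription_by_device(SAMPLE_CSV).items()):
        print(f"{dev}: {hit}/{total} events flagged oversubscribed ({hit / total:.0%})")
```

A device with a high share of flagged events is the one to inspect with the commands in Step 5.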