RUM probe decryption success is 1%

We have a RUM setup. We do get reports. But the users complained that we miss a lot of data. I checked out our probe decryption page. It says 1% decryption success, and 81% failure due to handshaking, and 18% failure due to cache timeout. Do you have any suggestion where I should start to look for the possible root cause? There is 1% success. Does it mean my cert is fine?

  • Hi Rufeng,

    Sometimes SSL traffic cannot be decrypted due to a lack of handshake: for example, when the SSL session is monitored from the middle or SSL traffic is not completely mirrored to the RUM Probe.

    I think you have an OK key, but maybe you are missing SSL handshakes in the traffic. You can record traffic with Wireshark and then try to decrypt it with the key you have (google it).

    Best regards, Alexey

  • Thank you very much Alexey. I have a question about the data decryption. When I looked at the report from the engine console, it says all the server decryption is 100%, while the app decryption is 1%. What does it mean? How could that be? What is server decryption and what is application decryption?

  • Hi Rufeng,

    I am not sure what exactly you mean. I think some snapshots might be helpful here.

    But, a small question. How is your RUM app defined? By URL or IP port? The thing is that when an SSL application is defined with URL only, the Probe tries to decrypt all SSL traffic and then, if that succeeds, tries to match the URL pattern. That could cause the statistics you are facing. Please reconfigure your app with both IP port and URL, sync, restart the Engine and generate new traffic to check that.

    Best regards, Alexey

  • Thanks Alexey!

    The page I am referring to is from engine console -> probe management -> SSL.

    For the app, we configured them by IPs port. Should I configure with URL as well? Or URL only?

    Thanks,

    Rufeng

    SSL decryption.pptx
  • Verified Answer

    Hi Rufeng,

    IPs and Ports are the most important in this case.  Adding URLs is good practise, but probably won't have much impact on decryption.

    The low decryption rate could be caused by one of the following:

       Packet loss on the Probe (check the packet loss monitors for the Probe on the RUM Engine web console)

       Unsupported ciphers (e.g. Diffie–Hellman) or TLS 1.2 if you are pre RUM 9.25.  It's possible that clients use different ciphers and TLS versions.

    Check that the Probe is seeing bi-directional traffic to and from each of the servers.

    I can see that one server is 0% in the lower half of the SSL page in your attachment.  Can you check RUM Application Infrastructure Summary and compare the number of connections across the servers (Total Connections column)?  RUM should be detecting connections even if it isn't decrypting.  Maybe a lot of traffic is being served by that server.

    Also, in the top part of the SSL screen (not in your screenshot) it shows the number of servers each key is being used with.  Does that add up to what you expect for each key?

    Regards,

    Tim
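
To check the "unsupported ciphers" and TLS version points above against a capture, this added example (not from the thread or from the RUM product) parses a TLS ServerHello record and reports the negotiated version and whether the key exchange is static RSA, which a passive probe holding the server's private key can follow, or (EC)DHE, which it cannot. The function names and sample records are constructed for illustration, and the cipher-suite IDs are a small subset of the IANA registry.

```python
import struct

# Key exchange by cipher-suite ID (small subset of the IANA registry).
STATIC_RSA = {0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}
EPHEMERAL_DH = {0x0033, 0x0039, 0x0067, 0x006B, 0x009E, 0x009F,
                0xC013, 0xC014, 0xC027, 0xC028, 0xC02F, 0xC030}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
            0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_server_hello(record):
    """Return (version, cipher_suite) from one TLS record, or None."""
    if len(record) < 5:
        return None
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    # 0x16 = handshake record, 0x02 = ServerHello; 39 bytes reach session_id_len
    if ctype != 0x16 or len(body) < 39 or body[0] != 0x02:
        return None
    version = struct.unpack("!H", body[4:6])[0]
    off = 39 + body[38]              # skip the variable-length session ID
    if len(body) < off + 2:
        return None                  # truncated capture
    return version, struct.unpack("!H", body[off:off + 2])[0]


def classify(record):
    """Return (version name, key exchange) for a ServerHello record."""
    parsed = parse_server_hello(record)
    if parsed is None:
        return None
    version, suite = parsed
    kx = ("RSA" if suite in STATIC_RSA
          else "(EC)DHE" if suite in EPHEMERAL_DH else "unknown")
    return VERSIONS.get(version, hex(version)), kx


def build_server_hello(version, suite, session_id=b""):
    """Constructed sample: minimal ServerHello record without extensions."""
    hello = (struct.pack("!H", version) + bytes(32) + bytes([len(session_id)])
             + session_id + struct.pack("!HB", suite, 0))
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


if __name__ == "__main__":
    for suite in (0x002F, 0xC02F):   # constructed samples, not captured traffic
        print(classify(build_server_hello(0x0303, suite, b"\x01" * 32)))
```

Tallying these results per server IP shows whether the failures cluster on servers that negotiate (EC)DHE suites or a TLS version the installed probe release does not support.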

  • Hi,

    Please suggest if this case is resolved. If yes, then what measures were taken?

    Thanks

    Akhil

  • Yes, the case can be considered to be resolved for now. We did two things:

    1. Updated the probe to 9.25 to support TLS protocol. Though 9.25 kept crashing. It is upgraded to 9.26 now.

    2. Updated the certs (some are found to be old).

    Thanks,

    Rufeng