Troubleshooting
Problem
IBM Secure Gateway failing to connect with "unhandled critical extension" error
Symptom
Secure Gateway logs have the following errors:
The following exception was thrown: Error: not opened
The Secure Gateway tunnel was disconnected
Pausing Secure Gateway tunnel reconnection attempts for 10 minutes
The following error occurred on the Secure Gateway tunnel, unhandled critical extension
The Secure Gateway tunnel was disconnected
Pausing Secure Gateway tunnel reconnection attempts for 10 minutes
The following error occurred on the Secure Gateway tunnel, unhandled critical extension
Cause
This issue is caused by something in the network path, such as a proxy or SSL inspection.
Environment
IBM Bluemix Secure Gateway Client Version 1.8.0fp8
Diagnosing The Problem
To diagnose the issue, use Wireshark to trace the attempted connection.
Wireshark results - where to look
- Source: SG tunnel server (50.22.254.135)
- Destination: SG client install on customer system
- Certificate, Server Key Exchange, Server Hello Done
- Secure Socket Layer > TLSv1.2 Record Layer: Handshake Protocol: Certificate > Handshake Protocol: Certificate > Certificates
This entry in the Wireshark trace shows the Secure Gateway certificate followed by the customer's certificate (blanked out here). This renders the certificate chain invalid.
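The same chain check can be scripted. The following is an added example, not IBM's code: it parses the "Certificate chain" section printed by `openssl s_client -showcerts` and reports a certificate that does not belong in the chain. The sample output, all certificate names, and the function names `parse_chain` and `audit_chain` are constructed for illustration.

```python
import re

# Constructed sample: the "Certificate chain" section as printed by
# `openssl s_client -showcerts`. All names are invented for illustration.
SAMPLE = """\
Certificate chain
 0 s:C = US, O = Example Gateway Service, CN = gateway.example.net
   i:C = US, O = Example Public CA, CN = Example Public Issuing CA
 1 s:C = US, O = Example Customer Corp, CN = Customer TLS Inspection CA
   i:C = US, O = Example Customer Corp, CN = Customer Root CA
---
"""

ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:<subject>"
ISSUER = re.compile(r"^\s+i:(.*)$")          # "   i:<issuer>"

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client chain output."""
    chain, current = [], None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = [int(m.group(1)), m.group(2).strip(), ""]
            chain.append(current)
            continue
        m = ISSUER.match(line)
        if m and current is not None and not current[2]:
            current[2] = m.group(1).strip()
    return [tuple(c) for c in chain]

def audit_chain(chain, local_org):
    """List findings that point to a certificate inserted on the path."""
    findings = []
    for (depth, subject, issuer), nxt in zip(chain, chain[1:] + [None]):
        # Each certificate must be issued by the next one in the list.
        if nxt is not None and issuer != nxt[1]:
            findings.append(f"cert {depth}: issuer does not match subject of cert {nxt[0]}")
        # A certificate naming the local organisation came from a local device.
        if local_org.lower() in (subject + " " + issuer).lower():
            findings.append(f"cert {depth}: names local organisation '{local_org}'")
    return findings

if __name__ == "__main__":
    for finding in audit_chain(parse_chain(SAMPLE), "Example Customer Corp"):
        print(finding)
```

An empty result means every certificate is issued by the next one in the list and none names the local organisation.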
Resolving The Problem
The cloud servers (hostnames or IPs) used by Secure Gateway must be added to the firewall or excluded from scans.
Document Location
Worldwide
Document Information
Modified date:
28 June 2021
UID
ibm16467721