Error: "SSL Library Error 45" on Secure Gateway

Article ID: CTX132870

Description

Users intermittently get disconnected and the SSL Library Error 45 appears in the event log.

In versions prior to Secure Gateway 3.3.1, the following error is displayed in the Citrix Secure Gateway event logs:
"SSL library error 45 on <Secure Gateway  FQDN>:443 with peer <Client IP>: The cryptographic security of the SSL connection has been compromised".

After the installation of Secure Gateway 3.3.1, the following error might appear:
"SSL Library error 45 on <Secure Gateway  FQDN>:443 with peer <Client IP>: An unclassified SSL protocol error occurred. (error code: error:140943FC:lib(20):func(148):reason(1020))"

Environment

Caution! Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

Resolution

If you are on Secure Gateway 3.3.1 then upgrade to Secure Gateway 3.3.2. Also ensure that you are using the latest version of Receiver, XenApp and XenDesktop. If the Secure Gateway still continues to report SSL Library Error 45 on the event log and on its error.log files, complete the following steps to troubleshoot the issue:

Enable Logging

  1. Ensure All events including informational is selected in the Secure Gateway Configuration wizard to increase the level of Secure Gateway logging.

  2. Select Enable session reliability on the Web Interface site and Services site to handle network-related issues affecting these users. The session is then halted momentarily instead of being closed.

  3. Enable extra display columns in Secure Gateway management console to see that user sessions are using the session reliability port (default 2598) in the Server column.

  4. Close the Secure Gateway management console, make the following registry changes, and open the Secure Gateway management console to view the extra display columns.
    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

    64-bit machines

    To show the server and resource columns in the session information
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CitrixSecureGateway\3.3
    Name: ShowServerAndAppForSession
    Type: DWORD
    Data: 1

    To show the time idle column in the session information
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\CitrixSecureGateway\3.3
    Name: ShowTimeIdleForSession
    Type: DWORD
    Data: 1

    32-bit machines

    To show the server and resource columns in the session information
    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CitrixSecureGateway\3.3
    Name: ShowServerAndAppForSession
    Type: DWORD
    Data: 1

    To show the time idle column in the session information
    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CitrixSecureGateway\3.3
    Name: ShowTimeIdleForSession
    Type: DWORD
    Data: 1

Implementing the preceding changes helps in gathering data for quick review of the users impacted by the SSL Library Error 45.

Collecting Logs

Open the Error<todays date>.log from \program files*\citrix\secure gateway\logs and search for the SSL Library Error 45 message.

  1. Note the time when it occurred and also examine the other logs that are generated around the same time. The following is a sample log for your reference.

    [Wed May 16 16:57:29 2012] [error] SSL Library Error 45 on <SG Fqdn>:443 with peer <Client IP>: An unclassified SSL protocol error occurred. (error code: error:140943FC:lib(20):func(148):reason(1020))
    [Wed May 16 16:57:29 2012] [info] CGP forwarding session stopped: client IP [x.x.x.x:<random port>], username [user@domain], destination server [x.x.x.x:2598], resource [<published app>].
  2. The preceding lines are important because they show you the time of occurrence (Wed May 16 16:57:29 2012) in addition to the user IP address (client IP address [x.x.x.x:<random port>]) and name (username [user@domain]).

  3. Note the user account and IP address of the workstation in question, then contact the user to find out whether any event was written to the Application event log and whether the user recalls their last actions in the session. Verify that the user's workstation time matches that of the Secure Gateway if both are in the same time zone; otherwise, match the minutes:seconds to get the correct reading of the Application log.

  4. Upon Citrix technical support request, furnish this example table that should be used to keep track of these users and any patterns observed for the issue.

    | User information | Workstation OS release and patches | Citrix Receiver Client version | XenApp / XenDesktop Versions and hotfixes | Client workstation and Secure Gateway Time Matched |
    |---|---|---|---|---|
    | [Wed May 16 16:57:29 2012] [info] CGP forwarding session stopped: client IP [x.x.x.x:<random port>], username [user@domain], destination server [x.x.x.x:2598], resource [<published app>]. | | | | |

  5. Gather CDF tracing from the latest Receiver installation on the user's workstation using the article CTX124934 - How to Enable Additional Client Providers and Collect Client-Side CDF Traces for Citrix Receiver.
    This information helps Citrix with any further investigation of SSL Library Error 45 occurrences that continue in your environment.
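The correlation described in steps 1 to 3 can be scripted. The following is an added example, not part of the Citrix article or any Citrix tooling: it pairs each SSL Library Error 45 entry with the "CGP forwarding session stopped" entry for the same client IP and reports the user, destination server, and whether the session used the session reliability port. The log lines are constructed in the article's format with placeholder hosts, users, and addresses; the two-second matching window and IPv4-only peer matching are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the article's log format; hosts, users and IPs are placeholders.
SAMPLE_LOG = """\
[Wed May 16 16:57:29 2012] [error] SSL Library Error 45 on sg.example.test:443 with peer 192.0.2.10: An unclassified SSL protocol error occurred. (error code: error:140943FC:lib(20):func(148):reason(1020))
[Wed May 16 16:57:29 2012] [info] CGP forwarding session stopped: client IP [192.0.2.10:51234], username [alice@example.test], destination server [10.0.0.5:2598], resource [Notepad].
[Wed May 16 17:03:02 2012] [info] CGP forwarding session stopped: client IP [192.0.2.77:50001], username [bob@example.test], destination server [10.0.0.6:2598], resource [Calc].
[Wed May 16 17:10:41 2012] [error] SSL Library Error 45 on sg.example.test:443 with peer 192.0.2.99: The cryptographic security of the SSL connection has been compromised
"""

TS_FORMAT = "%a %b %d %H:%M:%S %Y"
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# Case-insensitive: the article shows both "SSL library error 45" and "SSL Library Error 45".
ERR45 = re.compile(r"SSL Library Error 45 on \S+ with peer (?P<peer>[\d.]+):", re.I)
STOP = re.compile(
    r"CGP forwarding session stopped: client IP \[(?P<ip>[\d.]+):\d+\], "
    r"username \[(?P<user>[^\]]*)\], destination server \[(?P<server>[^\]]*)\], "
    r"resource \[(?P<resource>[^\]]*)\]")

def parse(log_text):
    """Split the log into Error 45 events and session-stopped events."""
    errors, stops = [], []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the bracketed timestamp format
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        err, stop = ERR45.search(m["msg"]), STOP.search(m["msg"])
        if m["level"] == "error" and err:
            errors.append((ts, err["peer"]))
        elif stop:
            stops.append((ts, stop.groupdict()))
    return errors, stops

def correlate(log_text, window_seconds=2):
    """Return one row per Error 45, joined to the matching session-stopped entry if any."""
    errors, stops = parse(log_text)
    rows = []
    for ts, peer in errors:
        hit = next((s for t, s in stops if s["ip"] == peer
                    and abs((t - ts).total_seconds()) <= window_seconds), None)
        rows.append({
            "time": ts.isoformat(sep=" "), "client_ip": peer,
            "username": hit["user"] if hit else None,
            "server": hit["server"] if hit else None,
            "resource": hit["resource"] if hit else None,
            # Port 2598 is the default session reliability port named in the article.
            "session_reliability": bool(hit) and hit["server"].endswith(":2598"),
        })
    return rows
```

Rows with no username are Error 45 entries that had no matching session-stopped line within the window, so those client IPs need to be traced by other means.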

Additional Information

Citrix Documentation - XenApp and Secure Gateway