Troubleshoot Secure Access Error "TLS Error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER"

Available Languages

Download Options

  • PDF     (174.5 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (255.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (214.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:December 13, 2023
Document ID:221237

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes a way to resolve the Secure Access error: "TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER".

    Problem 

    When a user tries to open a Private Resource using Browser-Based Zero Trust Access, using the public URL for the resource (for example https://<app-name>.ztna.sse.cisco.io), the application does not load in the browser and the error is seen:

    Application is unreachable

    Please contact your administrator

    upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER

    Secure Client ErrorSecure Client Error

    Solution

    Make sure you configure a proper Protocol under the Endpoint Connection Method in the Private Resource Section:

    • If the private application is available over HTTP only, you must select HTTP.
    • If the private application is available over HTTPs only, you must select HTTPs.
    • If the private application is available over HTTP or HTTPs, this error must never be seen.

    Private Resource ConfigurationPrivate Resource Configuration

    Additional Details 

    The Secure Access proxy engine tries to establish a connection to the Private Resource using the Protocol specified in the dashboard.
    If the proxy is unable to establish HTTPs channel with the private application (due to misconfiguration on either side), you can see OpenSSL-related errors in the browser when trying to access Private Resources via the Browser-based connection.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    14-Dec-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Wojciech Brzyszcz
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products