If your web server fails to establish secure communication, your users will see certification. At the same time, you may see the "SChannel error state is 960" message in Event Viewer. Here is the full error message:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960.
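An added example (not part of the original post) that pulls these Schannel fatal-alert events from the System log and groups them by TLS alert code and SChannel error state, so you can see how often the "alert 20 / state 960" combination actually occurs and when it was last seen. It assumes the message is recorded under provider "Schannel" as event ID 36888 ("A fatal alert was generated and sent to the remote endpoint"), which is where current Windows versions log it; the `-Hours` window is an arbitrary parameter.

```powershell
# Added example: summarise Schannel "fatal alert generated and sent" events.
# Assumption: the message in the post is logged in the System log by provider
# "Schannel" as event ID 36888.
param(
    [int]$Hours = 24   # how far back to look
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36888
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Schannel fatal-alert events (ID 36888) in the last $Hours hours."
    return
}

# The alert code and error state are only present in the message text, so
# extract them with a regex rather than relying on property positions.
$parsed = foreach ($e in $events) {
    $alert = $null
    $state = $null
    if ($e.Message -match 'fatal error code is (\d+)') { $alert = [int]$Matches[1] }
    if ($e.Message -match 'error state is (\d+)')      { $state = [int]$Matches[1] }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        AlertCode  = $alert     # 20 = bad_record_mac in the TLS alert registry
        ErrorState = $state     # 960 is the state discussed in the post
    }
}

# One row per (alert code, error state) pair, most frequent first.
$parsed |
    Group-Object AlertCode, ErrorState |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'AlertCode';  e = { $_.Group[0].AlertCode } },
        @{ n = 'ErrorState'; e = { $_.Group[0].ErrorState } },
        @{ n = 'LastSeen';   e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the web server; a steady stream of alert 20 / state 960 rows that starts when a load balancer or cipher-suite change was rolled out is the pattern the rest of this post is about.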
The root cause of this issue is that the web server and the load balancer use different or incompatible cipher suites. Cipher suites (cipher blocks) are sets of encryption methods (RSA, DHE, etc.).
If there is a conflict or mismatch in the cipher suites, the web server cannot decrypt the encrypted request and logs this error message: "The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960."
You can fix the secure connection failures and SChannel errors by enabling a custom cipher suite order and editing the list of cipher suites on your web server. Here are the steps to edit the cipher suites:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Note: The list you provide in Step 7 cannot exceed 1023 characters. To keep it short, give priority to the suites at the top of the default cipher list; that list is ordered from the strongest cipher suites to the weakest ones. Additionally, you can remove the suites that are on the HTTP/2 black list. Here is more information about the HTTP/2 black list.
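An added example (not part of the original post) that builds a cipher-suite order for the "SSL Cipher Suite Order" policy the way the note above describes: the two suites listed in the post go first, the rest of the current order follows, HTTP/2 black-listed suites are optionally dropped from the tail, and the result is trimmed from the weak end until it fits the 1023-character limit. It assumes the current order can be read with `Get-TlsCipherSuite` (Windows Server 2016 / Windows 10 and later), that the policy value is the REG_SZ `Functions` under `HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002`, and that "HTTP/2 black-listed" can be approximated as "not ephemeral key exchange or not an AEAD cipher" (RFC 7540 section 9.2.2); the registry write is left behind `-WhatIf` so nothing changes until you remove it.

```powershell
# Added example: assemble a cipher-suite order that respects the 1023-character
# policy limit. Assumptions: Get-TlsCipherSuite is available, and the policy is
# stored as the "Functions" string value under the SSL\00010002 policy key.
param(
    [switch]$DropHttp2Blacklisted   # remove HTTP/2 black-listed suites from the tail
)

$MaxLength = 1023

# Suites the post gives as the ones to prioritise; kept first, in this order.
$preferred = @(
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
)

# Approximation of the RFC 7540 black list: HTTP/2 requires ephemeral key
# exchange (ECDHE/DHE, or a TLS 1.3 suite) and an AEAD cipher (GCM/CCM/CHACHA20).
function Test-Http2Blacklisted {
    param([string]$Suite)
    $tls13     = $Suite -match '^TLS_(AES|CHACHA20)_'
    $ephemeral = $Suite -match '^TLS_(ECDHE|DHE)_'
    $aead      = $Suite -match '_(GCM|CCM|CHACHA20)'
    return -not ($tls13 -or ($ephemeral -and $aead))
}

# Current order as Schannel sees it (strongest first on a default system).
$current = Get-TlsCipherSuite | Select-Object -ExpandProperty Name

$tail = $current | Where-Object { $_ -notin $preferred }
if ($DropHttp2Blacklisted) {
    $tail = $tail | Where-Object { -not (Test-Http2Blacklisted $_) }
}

$ordered = @($preferred) + @($tail) | Select-Object -Unique
$value   = $ordered -join ','
Write-Host ("Candidate list: {0} suites, {1} characters (limit {2})" -f $ordered.Count, $value.Length, $MaxLength)

# Trim from the weak end until the policy value fits.
while ($value.Length -gt $MaxLength -and $ordered.Count -gt 1) {
    $ordered = $ordered[0..($ordered.Count - 2)]
    $value   = $ordered -join ','
}
Write-Host ("Final list: {0} suites, {1} characters" -f $ordered.Count, $value.Length)
$ordered | ForEach-Object { Write-Host "  $_" }

# Policy location used by the "SSL Cipher Suite Order" group policy setting.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force -WhatIf | Out-Null
}
Set-ItemProperty -Path $policyKey -Name 'Functions' -Value $value -Type String -WhatIf
# Remove the two -WhatIf switches to apply; the new order takes effect after a reboot.
```

Note that the two suites the post prioritises are CBC suites, which `Test-Http2Blacklisted` would flag; the script deliberately applies the black-list filter only to the tail so the post's own ordering is preserved. Check the final list against what the load balancer offers before applying it, since a list that does not overlap with the load balancer's suites reproduces the original failure.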
A less likely cause of this issue is a change in the MAC (Message Authentication Code) (Source). Web servers use this code to verify that the request has not been altered in transit (request forgery or a man-in-the-middle attack). If the web server finds that the MAC has changed, it drops the connection. To solve this, make sure that your load balancer does not make any changes to the MAC value.
Another possible cause is a Windows update (KB4457129) that reportedly breaks the NLB (Network Load Balancer) cluster. Uninstalling this update or installing the patch (KB4457133) solves the issue (Source).