How to configure the Transport Layer Security (TLS) 1.2 protocol and troubleshoot backup failures due to TLS error 0xe0009b97

Article: 100043977
Last Published: 2020-07-10
Product(s): Backup Exec

Description

Backup Exec 20.4 mandates the use of Transport Layer Security (TLS) 1.2 and uses TLS v1.2 when communicating with the Backup Exec agent. TLS v1.1 and below is considered less secure and is planned to be deprecated. Hence Backup Exec 20.4 uses only TLS v1.2 to communicate with the Backup Exec agent.

Backup Exec started supporting TLS v1.2 with Backup Exec 15 FP1. All versions of the Backup Exec media server and Backup Exec agent after BE 15 FP1 communicate only over TLS v1.2. However, Backup Exec still supported backup and restore of servers running Backup Exec agent versions earlier than BE 15 FP1. This behaviour changes from BE 20.4: browse, backup and restore of servers running Backup Exec agent versions earlier than BE 15 FP1 will start failing with the following error:

Error Code: 0xe0009b97 - Connection to remote computer failed because the installed agent does not support Transport Layer Security (TLS) 1.2. TLS 1.2 is supported with Backup Exec 15 FP1 and later versions. It is recommended that you upgrade the remote agent and then establish the trust again. For more information about TLS settings, refer to the Backup Exec Administrator's Guide.
UMI Code: V-79-57344-39831

TLS related setting during upgrade / patch install process:

Upgrade process for Backup Exec 20.4 displays the following dialog if it detects versions of Backup Exec agent earlier than Backup Exec 15 FP1.

Select the Allow fall back to TLS v1.0 option ONLY IF you cannot upgrade the remote agents. It is recommended that you upgrade the older remote agents to the latest version of BE.

Patch install process for Backup Exec 20.4 displays the following dialog if it detects versions of Backup Exec agent earlier than Backup Exec 15 FP1.

Select No ONLY IF you cannot upgrade the remote agents. It is recommended that you upgrade the older remote agents to the latest version of BE.

In both of the earlier scenarios, if you choose not to fall back to TLS 1.0 for older agents, backup and restore jobs for these servers fail until the remote agent is upgraded. If you want to change this setting, you can edit the following registry key:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Backup Exec For Windows\Backup Exec\Engine\Backup
Value Name: AllowTLSFallback
Value type: DWORD (32-bit)
Value data: When the value is 1, the BE 20.4 media server falls back to TLS v1.0 while talking to older agents. When the value is 0, the BE 20.4 media server always uses TLS v1.2.

 

Weekly reminder alert for upgrade of older agents

If you chose the less secure option of continuing to use TLS v1.0, the Backup Exec media server displays the following reminder alert message every week.

If you want Backup Exec to stop showing this weekly alert message, you must upgrade all the older agents to the latest version of Backup Exec. If you want to disable this alert message, you can edit the following registry key:

Key: HKEY_LOCAL_MACHINE\Software\Symantec\Backup Exec For Windows\Backup Exec\Server
Value Name: SupressTLSAlert
Value type: DWORD (32-bit)
Value data: When the value is 1, the weekly reminder alert mentioned above is not shown.
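
The following PowerShell audit is an added example, not part of the original article or of Backup Exec. It reads the two registry values described above on a media server and flags the case where TLS v1.0 fallback is enabled while the weekly reminder is suppressed. The key paths and value names come from this article; the function names and finding texts are illustrative.

```powershell
# Added example: read-only audit of the two TLS-related registry values in this article.
# Key paths and value names are from the article; function names are hypothetical.
$BackupKey = 'HKLM:\SOFTWARE\Symantec\Backup Exec For Windows\Backup Exec\Engine\Backup'
$ServerKey = 'HKLM:\SOFTWARE\Symantec\Backup Exec For Windows\Backup Exec\Server'

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    # Returns the stored value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-BeTlsPosture {
    $fallback = Get-DwordOrNull -Path $BackupKey -Name 'AllowTLSFallback'
    $suppress = Get-DwordOrNull -Path $ServerKey -Name 'SupressTLSAlert'

    $finding = if ($null -eq $fallback) {
        # The article does not state the behaviour when the value is absent.
        'AllowTLSFallback not present: confirm the choice made during upgrade or patch install'
    } elseif ($fallback -eq 1 -and $suppress -eq 1) {
        'TLS v1.0 fallback enabled AND weekly reminder suppressed: the weaker setting is hidden'
    } elseif ($fallback -eq 1) {
        'TLS v1.0 fallback enabled: upgrade agents older than BE 15 FP1, then set the value to 0'
    } elseif ($fallback -eq 0) {
        'Media server always uses TLS v1.2'
    } else {
        'Unexpected AllowTLSFallback value: the article documents only 0 and 1'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        AllowTLSFallback = $fallback
        SupressTLSAlert  = $suppress
        Finding          = $finding
    }
}

Get-BeTlsPosture | Format-List
```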

 

TLS related errors for RMAL\RALUS

This applies when Backup Exec 20.4 has a "Remote Media Agent for Linux" (RMAL), a tape device is attached to the Linux agent server, and the Linux server has a "Backup Exec Remote Agent" version earlier than BE 15 FP1. If the "Allow fall back to TLS v1.0" option is not selected during upgrade/install of the media server, the following information alert is displayed after the BE services restart.

When a backup job is targeted to a tape device attached to such an RMAL agent, the job fails with the "Operation failed to acquire the minimum number of drives and media needed" error.

To resolve this error, either upgrade the RMAL version to the latest version of BE (recommended option), or edit the registry key "AllowTLSFallback" mentioned earlier (not recommended option).


If an attempt is made to add a RALUS or RMAL server that has an older version (< BE 15 FP1), the following messages are displayed:

 
