SSL Visibility Dashboard showing the Segment interfaces as down and the Status as "Activation Failed | Software Failure Triggered"
Article ID: 167628
Updated On:
Products
Issue/Introduction
This failure is triggered when any rule in the segments ruleset is invalid. Invalid rules are usually caused by matching conditions within a rule being removed from policy. These conditions can be Common Names Lists, Distinguished Names Lists, IP Address Lists, Cipher Suite Lists, or PKI objects.
For example:
A ruleset contains two rules. The first one cuts through traffic to a specific destination IP address and second decrypts traffic from a specific set of source IP addresses using Resign Certificate.
If for some reason the IP Address List was deleted and the changes committed, the segment would become inactive. The system logs will show the corresponding details:
| Jan 22 21:51:07 | sslmanage[4873] | [0007:sysadmin]: Committed changes to policy |
| Jan 22 21:51:08 | sslmanage[4873] | Store update detected: Policy |
| Jan 22 21:51:09 | ssldata[4876] | Activation request received. Activation pending |
| Jan 22 21:51:09 | sslmanage[4873] | Activation request sent to data-plane |
| Jan 22 21:51:09 | ssldata[4876] | Failed to obtain source IP list field in rule 2 from ruleset 'ruleset1': 0x84004545 |
| Jan 22 21:51:09 | ssldata[4876] | SSLNGapi:Policy [0x84004545;code:69;sub:69] Policy object not found |
| Jan 22 21:51:09 | ssldata[4876] | Failed to parse ruleset associated with segment 'zone3': 0x84004545 |
| Jan 22 21:51:09 | ssldata[4876] | Deactivate (No active segments) |
| Jan 22 21:51:09 | ssldata[4876] | Updated segment information |
| Jan 22 21:51:15 | sslcontrol[5000] | Activated failure mode (Fail-to-wire): 1+2+3+4 |
| Jan 22 21:51:15 | sslcontrol[5000] | Interfaces UP->DOWN: 1+2+3+4 |
Resolution
To resolve the problem the missing condition needs to be recreated and added back to the rule, or the rule needs to be removed from the ruleset if it is no longer required.
Feedback
