Common SSL Visibility error codes
Article ID: 168681
Updated On:
Products
SSL Visibility Appliance Software
Issue/Introduction
This article provides explanations of SSL Visibility error codes commonly seen in the SSL Session Logs, and of some Appliance errors.
Resolution
| SSL Session Log | |
|---|---|
| Alert[S] : unknown (86) | IANA has added TLS cipher suite number 0x56,0x00 with name TLS_FALLBACK_SCSV to the TLS Cipher Suite registry, and alert number 86 with name inappropriate_fallback to the TLS Alert registry. |
| Alert[S]: unknown (0) | S = Server, Unknown (0) - Close_notify server is rejecting the TLS_FALLBACK_SCSV cipher. |
| Alert[C]: bad certificate. | Most likely an application that is using embedded certs (Not a trusted Source on client) |
| Alert[C] : unknown CA | Unknown Certificate Authority (Not a trusted Source on client) see KB Unknown-CA-errors-accessing-HTTPS-sites |
| Invalid crypto response | Invalid modular arithmetic result during SSL handshake. Cause unknown. |
| Flow ended without FIN/RST sequence | SSL session timed out without a TCP RST or a TCP FIN sequence. Happens under normal circumstances if endpoints just drop off the network. |
| Renegotiation not supported | One of the SSL endpoints triggered a SSL handshake renegotiation. This feature is not yet supported by the SSL appliance. |
| Rule expecting X.509 certificate | Policy rule indicated that a certificate is required, but the SSL handshake did not provide a certificate. Probable cause: is misconfiguration (e.g. resign rule applied to Anonymous-Diffie-Hellman traffic). |
| Invalid MAC | SSL record authenticity compromised. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance. |
| Lost sync | SSL record header invalid. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance. |
| SSL specification violation | SSL handshake message arrived out of sequence (per SSL/TLS specification). Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance, or asymmetric feed of packets (e.g. TAP per direction). |
| Master key invalid | SSL ChangeCipherSpec message arrived before SSL master key calculated. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance resulting in SSL handshake messages arriving out of order. |
| Session verification failure | SSL Finished message could not be authenticated. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance resulting in missing SSL handshake messages. |
| Handshake message in wrong direction | SSL handshake message (ServerHello) received from the wrong SSL endpoint. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance, or asymmetric feed of packets (e.g. TAP per direction). |
| Corrupt record | SSL ChangeCipherSpec message received with invalid payload. Probable cause: test equipment generating non-SSL stream that mimics the SSL handshake. |
| Corrupt message | Invalid content in SSL handshake message. Probable cause: test equipment generating non-SSL stream that mimics the SSL handshake. |
| TCP queue processing timeout | SSL endpoint stopped sending payload. Happens under normal circumstances if endpoints crash or drop off the network. |
| Packet feedback timeouts | Only applies to Active Inline modes (FTA/FTW). Happens when the decrypted packet sent to the active appliance is not returned to the SSLV within one second. |
| Drop() | Early ACK queue Clearing out generated early ACK packets Freelist Clearing out packets that have already been freed |
| Appliance Errors | |
|---|---|
| ssldata[3738] Could not send interface configuration to control-plane:NSLIB:RPC [0x08010204;code:4;sub:258] No such file or directory | |
| ssldata[3614]: # Failed to open next history log file (/opt/sslv/data/stats/host_stats/host_stats.15549.bin): Read-only file system | Disk was unable to mount after recovery, reboot needed. |
| sslcontrol[3705]: # Failed to open next history log file (/opt/sslv/data/stats/platform_interface_stats/platform_interface_stats_nfe_1.820.bin): Read-only file system | Disk was unable to mount after recovery, reboot needed. |
Feedback
Yes
No
Powered by
