Why is the SSL Visibility Dashboard showing the Segment interfaces as down and the Status as "Activation Failed | Software Failure Triggered"?


Article ID: 167628


Updated On:


SSL Visibility Appliance Software


This failure is triggered when any rule in the segment's ruleset is invalid. A rule usually becomes invalid when one of its matching conditions is removed from policy. These conditions can be Common Names Lists, Distinguished Names Lists, IP Address Lists, Cipher Suite Lists, or PKI objects.

For example:
A ruleset contains two rules. The first cuts through traffic to a specific destination IP address, and the second decrypts traffic from a specific set of source IP addresses using Resign Certificate.


If for some reason the IP Address List is deleted and the change is committed, the segment becomes inactive. The system log shows the corresponding details:


Jan 22 21:51:07sslmanage[4873][0007:sysadmin]: Committed changes to policy
Jan 22 21:51:08sslmanage[4873]Store update detected: Policy
Jan 22 21:51:09ssldata[4876]Activation request received. Activation pending
Jan 22 21:51:09sslmanage[4873]Activation request sent to data-plane
Jan 22 21:51:09ssldata[4876]Failed to obtain source IP list field in rule 2 from ruleset 'ruleset1': 0x84004545
Jan 22 21:51:09ssldata[4876]SSLNGapi:Policy [0x84004545;code:69;sub:69] Policy object not found
Jan 22 21:51:09ssldata[4876]Failed to parse ruleset associated with segment 'zone3': 0x84004545
Jan 22 21:51:09ssldata[4876]Deactivate (No active segments)
Jan 22 21:51:09ssldata[4876]Updated segment information
Jan 22 21:51:15sslcontrol[5000]Activated failure mode (Fail-to-wire): 1+2+3+4
Jan 22 21:51:15sslcontrol[5000]Interfaces UP->DOWN: 1+2+3+4

To resolve the problem, recreate the missing condition and add it back to the rule, or remove the rule from the ruleset if it is no longer required.
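To find which rule and which missing object caused the failure, the log sequence above can be correlated automatically. The following is an added example, not vendor code: it matches only the message formats that appear in the log excerpt in this article, and the function name `triage` and the report keys are assumptions made for illustration.

```python
import re

# Log lines copied from the article's example.
SAMPLE_LOG = """\
Jan 22 21:51:07sslmanage[4873][0007:sysadmin]: Committed changes to policy
Jan 22 21:51:09ssldata[4876]Activation request received. Activation pending
Jan 22 21:51:09ssldata[4876]Failed to obtain source IP list field in rule 2 from ruleset 'ruleset1': 0x84004545
Jan 22 21:51:09ssldata[4876]SSLNGapi:Policy [0x84004545;code:69;sub:69] Policy object not found
Jan 22 21:51:09ssldata[4876]Failed to parse ruleset associated with segment 'zone3': 0x84004545
Jan 22 21:51:09ssldata[4876]Deactivate (No active segments)
Jan 22 21:51:15sslcontrol[5000]Activated failure mode (Fail-to-wire): 1+2+3+4
Jan 22 21:51:15sslcontrol[5000]Interfaces UP->DOWN: 1+2+3+4
"""

# Timestamp, process[pid], message; whitespace after the timestamp is optional.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s*(?P<proc>\w+)\[\d+\](?P<msg>.*)$")
COMMIT = re.compile(r"\[\d+:(?P<user>[^\]]+)\]: Committed changes to policy")
RULE = re.compile(r"Failed to obtain (?P<field>.+?) field in rule (?P<rule>\d+) "
                  r"from ruleset '(?P<ruleset>[^']+)': (?P<err>0x[0-9a-fA-F]+)")
SEGMENT = re.compile(r"Failed to parse ruleset associated with segment '(?P<segment>[^']+)'")
FAILMODE = re.compile(r"Activated failure mode \((?P<mode>[^)]+)\): (?P<ports>\d+(?:\+\d+)*)")


def triage(log_text):
    """Tie a policy commit to the invalid rule and the resulting failure mode."""
    report = {"committed_by": None, "invalid_rules": [], "failed_segments": [],
              "failure_mode": None, "ports_down": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a line in the expected format
        msg = m["msg"]
        if (c := COMMIT.search(msg)):
            report["committed_by"] = (m["ts"], c["user"])
        elif (r := RULE.search(msg)):
            report["invalid_rules"].append({"ruleset": r["ruleset"], "rule": int(r["rule"]),
                                            "missing": r["field"], "error": r["err"]})
        elif (s := SEGMENT.search(msg)):
            report["failed_segments"].append(s["segment"])
        elif (f := FAILMODE.search(msg)):
            report["failure_mode"] = f["mode"]
            report["ports_down"] = [int(p) for p in f["ports"].split("+")]
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage(SAMPLE_LOG))
```

The `invalid_rules` entries name the ruleset, rule number and missing condition type, which is the object to recreate or the rule to remove.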