
Common SSL Visibility error codes


Article ID: 168681


Products

SSL Visibility Appliance Software

Issue/Introduction

This article provides explanations of SSL Visibility error codes commonly seen in the SSL Session Logs, and of some Appliance errors. 

Resolution

| SSL Session Log | Explanation |
| --- | --- |
| Alert[S] : unknown (86) | IANA has added TLS cipher suite number 0x56,0x00 with name TLS_FALLBACK_SCSV to the TLS Cipher Suite registry, and alert number 86 with name inappropriate_fallback to the TLS Alert registry. |
| Alert[S]: unknown (0) | S = Server. Unknown (0) is Close_notify; the server is rejecting the TLS_FALLBACK_SCSV cipher. |
| Alert[C]: bad certificate. | Most likely an application that is using embedded certs (not a trusted source on the client). |
| Alert[C] : unknown CA | Unknown Certificate Authority (not a trusted source on the client). See KB Unknown-CA-errors-accessing-HTTPS-sites. |
| Invalid crypto response | Invalid modular arithmetic result during SSL handshake. Cause unknown. |
| Flow ended without FIN/RST sequence | SSL session timed out without a TCP RST or a TCP FIN sequence. Happens under normal circumstances if endpoints just drop off the network. |
| Renegotiation not supported | One of the SSL endpoints triggered an SSL handshake renegotiation. This feature is not yet supported by the SSL appliance. |
| Rule expecting X.509 certificate | Policy rule indicated that a certificate is required, but the SSL handshake did not provide a certificate. Probable cause: misconfiguration (e.g. resign rule applied to Anonymous-Diffie-Hellman traffic). |
| Invalid MAC | SSL record authenticity compromised. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance. |
| Lost sync | SSL record header invalid. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance. |
| SSL specification violation | SSL handshake message arrived out of sequence (per SSL/TLS specification). Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance, or asymmetric feed of packets (e.g. TAP per direction). |
| Master key invalid | SSL ChangeCipherSpec message arrived before SSL master key calculated. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance resulting in SSL handshake messages arriving out of order. |
| Session verification failure | SSL Finished message could not be authenticated. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance resulting in missing SSL handshake messages. |
| Handshake message in wrong direction | SSL handshake message (ServerHello) received from the wrong SSL endpoint. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance, or asymmetric feed of packets (e.g. TAP per direction). |
| Corrupt record | SSL ChangeCipherSpec message received with invalid payload. Probable cause: test equipment generating non-SSL stream that mimics the SSL handshake. |
| Corrupt message | Invalid content in SSL handshake message. Probable cause: test equipment generating non-SSL stream that mimics the SSL handshake. |
| TCP queue processing timeout | SSL endpoint stopped sending payload. Happens under normal circumstances if endpoints crash or drop off the network. |
| Packet feedback timeouts | Only applies to Active Inline modes (FTA/FTW). Happens when the decrypted packet sent to the active appliance is not returned to the SSLV within one second. |
| Drop() | Early ACK queue: clearing out generated early ACK packets. Freelist: clearing out packets that have already been freed. |
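
The alert rows at the top of the session-log table can be checked against a packet capture with a small decoder. This is an added example, not part of the original article or the appliance's software: it names the alert numbers the log shows as "unknown" and tests whether a ClientHello offers TLS_FALLBACK_SCSV. It assumes plaintext (unencrypted) records; the function names and the sample ClientHello builder are hypothetical.

```python
import struct

# Alert descriptions for the alert rows in the table (IANA TLS Alert registry).
ALERT_NAMES = {0: "close_notify", 42: "bad_certificate",
               48: "unknown_ca", 86: "inappropriate_fallback"}
TLS_FALLBACK_SCSV = 0x5600  # cipher suite bytes 0x56,0x00

def decode_alert(record: bytes):
    """Return (level, name) for one plaintext TLS alert record."""
    if len(record) != 7:
        raise ValueError("expected a 7-byte plaintext alert record")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 21 or length != 2:
        raise ValueError("not a plaintext alert record")
    level = {1: "warning", 2: "fatal"}.get(record[5], f"level {record[5]}")
    return level, ALERT_NAMES.get(record[6], f"unknown ({record[6]})")

def client_hello_suites(record: bytes):
    """Return the cipher suite values offered in a ClientHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or len(body) != rec_len or body[:1] != b"\x01":
        raise ValueError("not a complete ClientHello record")
    pos = 4 + 2 + 32                      # handshake header, version, random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                  # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    raw = body[pos + 2:pos + 2 + cs_len]
    if cs_len == 0 or cs_len % 2 or len(raw) != cs_len:
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, cs_len, 2)]

def signals_fallback(record: bytes) -> bool:
    """True if the client marked this handshake as a version-fallback retry."""
    return TLS_FALLBACK_SCSV in client_hello_suites(record)

def build_client_hello(version: int, suites):
    """Constructed sample input: minimal ClientHello without extensions."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (version.to_bytes(2, "big") + bytes(32) + b"\x00"
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs
```
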

 

| Appliance Errors | Explanation |
| --- | --- |
| ssldata[3738] Could not send interface configuration to control-plane:NSLIB:RPC [0x08010204;code:4;sub:258] No such file or directory | |
| ssldata[3614]:  # Failed to open next history log file (/opt/sslv/data/stats/host_stats/host_stats.15549.bin): Read-only file system | Disk was unable to mount after recovery, reboot needed. |
| sslcontrol[3705]:  # Failed to open next history log file (/opt/sslv/data/stats/platform_interface_stats/platform_interface_stats_nfe_1.820.bin): Read-only file system | Disk was unable to mount after recovery, reboot needed. |