Common SSL Visibility error codes

Article ID: 168681

Products

SSL Visibility Appliance Software

Issue/Introduction

This article provides explanations of SSL Visibility error codes commonly seen in the SSL Session Log, and of some appliance errors.

Resolution

SSL Session Log

Alert[S]: unknown (86)
    IANA has added TLS cipher suite number 0x56,0x00 with name TLS_FALLBACK_SCSV to the TLS Cipher Suite registry, and alert number 86 with name inappropriate_fallback to the TLS Alert registry.

Alert[S]: unknown (0)
    S = Server. Unknown (0) is close_notify: the server is rejecting the TLS_FALLBACK_SCSV cipher.

Alert[C]: bad certificate
    Most likely an application that uses embedded certificates (the certificate is not from a source trusted by the client).

Alert[C]: unknown CA
    Unknown Certificate Authority (not a trusted source on the client). See the KB article Unknown-CA-errors-accessing-HTTPS-sites.

Invalid crypto response
    Invalid modular arithmetic result during the SSL handshake. Cause unknown.

Flow ended without FIN/RST sequence
    SSL session timed out without a TCP RST or TCP FIN sequence. Happens under normal circumstances if endpoints simply drop off the network.

Renegotiation not supported
    One of the SSL endpoints triggered an SSL handshake renegotiation. This feature is not yet supported by the SSL appliance.

Rule expecting X.509 certificate
    A policy rule indicated that a certificate is required, but the SSL handshake did not provide one. Probable cause: misconfiguration (e.g. a resign rule applied to Anonymous Diffie-Hellman traffic).

Invalid MAC
    SSL record authenticity compromised. Probable cause (Passive-Tap mode): drops in the switch/TAP feeding the SSL appliance.

Lost sync
    SSL record header invalid. Probable cause (Passive-Tap mode): drops in the switch/TAP feeding the SSL appliance.

SSL specification violation
    SSL handshake message arrived out of sequence (per the SSL/TLS specification). Probable cause (Passive-Tap mode): drops in the switch/TAP feeding the SSL appliance, or an asymmetric feed of packets (e.g. one TAP per direction).

Master key invalid
    SSL ChangeCipherSpec message arrived before the SSL master key was calculated. Probable cause (Passive-Tap mode): drops in the switch/TAP feeding the SSL appliance, resulting in SSL handshake messages arriving out of order.

Session verification failure
    SSL Finished message could not be authenticated. Probable cause (Passive-Tap mode): drops in the switch/TAP feeding the SSL appliance, resulting in missing SSL handshake messages.

Handshake message in wrong direction
    SSL handshake message (ServerHello) received from the wrong SSL endpoint. Probable cause (Passive-Tap mode): drops in the switch/TAP feeding the SSL appliance, or an asymmetric feed of packets (e.g. one TAP per direction).

Corrupt record
    SSL ChangeCipherSpec message received with an invalid payload. Probable cause: test equipment generating a non-SSL stream that mimics the SSL handshake.

Corrupt message
    Invalid content in an SSL handshake message. Probable cause: test equipment generating a non-SSL stream that mimics the SSL handshake.

TCP queue processing timeout
    SSL endpoint stopped sending payload. Happens under normal circumstances if endpoints crash or drop off the network.

Packet feedback timeouts
    Only applies to Active Inline modes (FTA/FTW). Happens when the decrypted packet sent to the active appliance is not returned to the SSLV within one second.

Drop()
    Early ACK queue: clearing out generated early ACK packets.
    Freelist: clearing out packets that have already been freed.
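The two registry entries behind the first row (cipher suite 0x56,0x00 and alert 86, both from RFC 7507) can be checked directly on the wire. The following Python is an added example, not part of this article or of the SSL Visibility software: it decodes a TLS alert record against a pre-RFC 7507 alert table (which, like the session log above, reports alert 86 as "unknown (86)") and against a current one, and checks a ClientHello cipher-suite list for TLS_FALLBACK_SCSV. All function names and the sample records are constructed for this example.

```python
import struct

# TLS alert descriptions a decoder might know. The legacy table predates the
# RFC 7507 registry addition, so it has no entry for 86 and reports it as unknown.
LEGACY_ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                 40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}
CURRENT_ALERTS = {**LEGACY_ALERTS, 86: "inappropriate_fallback"}
TLS_FALLBACK_SCSV = 0x5600  # cipher suite value {0x56, 0x00}

def decode_alert_record(record: bytes, table=CURRENT_ALERTS) -> dict:
    """Decode a plaintext TLS alert record (content type 21, two-byte body)."""
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 21 or length != 2:
        raise ValueError("not a plaintext TLS alert record")
    level, code = record[5], record[6]
    return {"level": "fatal" if level == 2 else "warning", "code": code,
            "description": table.get(code, f"unknown ({code})")}

def client_hello_cipher_suites(record: bytes) -> list:
    """Return the offered cipher suites from a plaintext ClientHello record."""
    # Skip record header (5), handshake header (4), client version (2), random (32).
    pos = 5 + 4 + 2 + 32
    pos += 1 + record[pos]  # session_id length byte plus the session id itself
    (cs_len,) = struct.unpack("!H", record[pos:pos + 2])
    pos += 2
    return [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def signals_fallback(record: bytes) -> bool:
    """True if the client included TLS_FALLBACK_SCSV, i.e. it is retrying at a lower version."""
    return TLS_FALLBACK_SCSV in client_hello_cipher_suites(record)

def build_client_hello(cipher_suites) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not captured traffic)."""
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: a fatal inappropriate_fallback alert (level 2, description 86).
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x56"

if __name__ == "__main__":
    print(decode_alert_record(SAMPLE_ALERT, LEGACY_ALERTS)["description"])   # unknown (86)
    print(decode_alert_record(SAMPLE_ALERT)["description"])                  # inappropriate_fallback
    print(signals_fallback(build_client_hello([0xC02F, TLS_FALLBACK_SCSV]))) # True
```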

Appliance Errors

ssldata[3738] Could not send interface configuration to control-plane:NSLIB:RPC [0x08010204;code:4;sub:258] No such file or directory

ssldata[3614]:  # Failed to open next history log file (/opt/sslv/data/stats/host_stats/host_stats.15549.bin): Read-only file system
    Disk was unable to mount after recovery; a reboot is needed.

sslcontrol[3705]:  # Failed to open next history log file (/opt/sslv/data/stats/platform_interface_stats/platform_interface_stats_nfe_1.820.bin): Read-only file system
    Disk was unable to mount after recovery; a reboot is needed.