Alert[S] : unknown (86)
IANA has added TLS cipher suite number 0x56,0x00 with name TLS_FALLBACK_SCSV to the TLS Cipher Suite registry, and alert number 86 with name inappropriate_fallback to the TLS Alert registry.
Alert[S]: unknown (0)
S = Server. Unknown (0) is close_notify: the server is rejecting the TLS_FALLBACK_SCSV cipher.
Alert[C]: bad certificate.
Most likely an application that is using embedded certs (Not a trusted Source on client) |
Alert[C] : unknown CA |
Unknown Certificate Authority (Not a trusted Source on client) see KB Unknown-CA-errors-accessing-HTTPS-sites |
Invalid crypto response |
Invalid modular arithmetic result during SSL handshake. Cause unknown. |
Flow ended without FIN/RST sequence |
SSL session timed out without a TCP RST or a TCP FIN sequence. Happens under normal circumstances if endpoints just drop off the network. |
Renegotiation not supported |
One of the SSL endpoints triggered an SSL handshake renegotiation. This feature is not yet supported by the SSL appliance.
Rule expecting X.509 certificate |
Policy rule indicated that a certificate is required, but the SSL handshake did not provide a certificate. Probable cause: misconfiguration (e.g. resign rule applied to Anonymous-Diffie-Hellman traffic).
Invalid MAC |
SSL record authenticity compromised. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance. |
Lost sync |
SSL record header invalid. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance. |
SSL specification violation |
SSL handshake message arrived out of sequence (per SSL/TLS specification). Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance, or asymmetric feed of packets (e.g. TAP per direction). |
Master key invalid |
SSL ChangeCipherSpec message arrived before SSL master key calculated. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance resulting in SSL handshake messages arriving out of order. |
Session verification failure |
SSL Finished message could not be authenticated. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance resulting in missing SSL handshake messages. |
Handshake message in wrong direction |
SSL handshake message (ServerHello) received from the wrong SSL endpoint. Probable cause (Passive-Tap mode): drops in switch/TAP feeding SSL appliance, or asymmetric feed of packets (e.g. TAP per direction). |
Corrupt record |
SSL ChangeCipherSpec message received with invalid payload. Probable cause: test equipment generating non-SSL stream that mimics the SSL handshake. |
Corrupt message |
Invalid content in SSL handshake message. Probable cause: test equipment generating non-SSL stream that mimics the SSL handshake. |
TCP queue processing timeout |
SSL endpoint stopped sending payload. Happens under normal circumstances if endpoints crash or drop off the network. |
Packet feedback timeouts |
Only applies to Active Inline modes (FTA/FTW). Happens when the decrypted packet sent to the active appliance is not returned to the SSLV within one second. |
Drop() |
Early ACK queue: Clearing out generated early ACK packets
Freelist: Clearing out packets that have already been freed
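To confirm from a packet capture what the "Alert[S] : unknown (86)" and "unknown (0)" entries above correspond to, the following added example (not code from the SSL appliance or its vendor) decodes a plaintext TLS alert record and checks whether the ClientHello offered TLS_FALLBACK_SCSV (0x56,0x00). The sample records are constructed, the function names are hypothetical, and the alert numbers 42 and 48 come from the TLS Alert registry rather than from this page.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600   # cipher suite number 0x56,0x00 named on this page
# Alerts named on this page; numbers 42 and 48 are from the TLS Alert registry.
ALERTS = {0: "close_notify", 42: "bad_certificate", 48: "unknown_ca",
          86: "inappropriate_fallback"}
LEVELS = {1: "warning", 2: "fatal"}

def parse_record(data):
    """Split one plaintext TLS record into (content_type, version, body)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record body")
    return ctype, version, body

def decode_alert(record):
    """Return (level, name) for an unencrypted alert record (content type 21)."""
    ctype, _, body = parse_record(record)
    if ctype != 21 or len(body) != 2:
        raise ValueError("not a plaintext alert record")
    level, desc = body
    return LEVELS.get(level, f"unknown ({level})"), ALERTS.get(desc, f"unknown ({desc})")

def client_hello_suites(record):
    """Return the cipher suite numbers offered in a ClientHello record."""
    ctype, _, body = parse_record(record)
    if ctype != 22 or len(body) < 41 or body[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32            # handshake header, client_version, random
    pos += 1 + body[pos]        # session_id length byte plus session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack_from("!H", body, i)[0] for i in range(pos, pos + n, 2)]

def build_sample_hello(suites):
    """Constructed sample: minimal TLS 1.0 ClientHello without extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLE_HELLO = build_sample_hello([0x002F, 0x0035, TLS_FALLBACK_SCSV])
SAMPLE_ALERT = bytes([21, 3, 1, 0, 2, 2, 86])   # constructed: fatal, description 86
```

Alerts sent after ChangeCipherSpec are encrypted on the wire, so decode_alert applies only to alerts sent in the clear during the handshake.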