SSLV interface went down once ruleset are being imported from another box
Article ID: 168889
Updated On:
Products
SSL Visibility Appliance Software
Issue/Introduction
SSLV interface went down once ruleset are being imported from another box. Checked from var/log/messages and the following was found
Dec 1 06:34:20 abc123 sslmanage[3853]: ? Activation request sent to data-plane
Dec 1 06:34:20 abc123 ssldata[3860]: # Failed to activate default RSA internal CA in ruleset 'ruleset1': 0x3b00c82c
Dec 1 06:34:20 abc123 ssldata[3860]: # Failed to parse ruleset associated with segment 'zone1': 0x3b00c82c
Dec 1 06:34:20 abc123 ssldata[3860]: # Rule parser: failure:SSLe:Modification [0x3b00c82c;code:44;sub:200] Invalid PKI object
Dec 1 06:34:20 abc123 ssldata[3860]: ! Deactivate (Activation failure):SSLe:Modification [0x3b00c82c;code:44;sub:200] Invalid PKI object
Dec 1 06:34:20 abc123 sslmanage[3853]: ? Activation request sent to data-plane
Dec 1 06:34:20 abc123 ssldata[3860]: # Failed to activate default RSA internal CA in ruleset 'ruleset1': 0x3b00c82c
Dec 1 06:34:20 abc123 ssldata[3860]: # Failed to parse ruleset associated with segment 'zone1': 0x3b00c82c
Dec 1 06:34:20 abc123 ssldata[3860]: # Rule parser: failure:SSLe:Modification [0x3b00c82c;code:44;sub:200] Invalid PKI object
Dec 1 06:34:20 abc123 ssldata[3860]: ! Deactivate (Activation failure):SSLe:Modification [0x3b00c82c;code:44;sub:200] Invalid PKI object
Resolution
Checked that one of the rule is point to an unknown CA under "Default RSA and EC Internal Certificate Authority". There were also a Decrypt (Resign Certificate) rule which the "RSA Resigning CA" had a empty value.
Interface came back up once the ruleset and decrypt rule is pointed to the correct CA
Interface came back up once the ruleset and decrypt rule is pointed to the correct CA
Feedback
Yes
No
Powered by
