All segments are down on the SSL Visability appliance and appliance has gone into bypass state.
Article ID: 168922
Updated On:
Products
SSL Visibility Appliance Software
Issue/Introduction
The Invalid PKI object message indicates that a rule is utilizing a resigning certificate that is no longer available. If the rules become invalid the appliance will go into bypass mode.
Jan 22 09:38:08 sslmanage[3254] Activation request sent to data-plane
Jan 22 09:38:08 ssldata[3257] Failed to use RSA internal CA in rule 3 from ruleset 'ruleset1': 0x3b00c82c
Jan 22 09:38:08 ssldata[3257] SSLe:Modification [0x3b00c82c;code:44;sub:200] Invalid PKI object
Jan 22 09:38:08 ssldata[3257] Failed to parse ruleset associated with segment 'zone1': 0x3b00c82c
Jan 22 09:38:08 sslmanage[3254] Activation request sent to data-plane
Jan 22 09:38:08 ssldata[3257] Failed to use RSA internal CA in rule 3 from ruleset 'ruleset1': 0x3b00c82c
Jan 22 09:38:08 ssldata[3257] SSLe:Modification [0x3b00c82c;code:44;sub:200] Invalid PKI object
Jan 22 09:38:08 ssldata[3257] Failed to parse ruleset associated with segment 'zone1': 0x3b00c82c
Cause
This generally means that a certificate that is being utilized in a rule is no longer available. This means that it has been deleted from the PKI store. A review of the rules noted in the log message will indicate which PKI object is being used.
Resolution
In order to correct this issue, you will need to delete the rule that is using the old PKI object. You will then need to create a new rule with a new PKI object or one that already exists on the appliance.
Feedback
Yes
No
Powered by
