All segments are down on the SSL Visibility appliance and the appliance has gone into bypass state.

Article ID: 168922

Products

SSL Visibility Appliance Software

Issue/Introduction

The Invalid PKI object message indicates that a rule is using a resigning certificate that is no longer available. If the rules become invalid, the appliance will go into bypass mode.

Jan 22 09:38:08 sslmanage[3254] Activation request sent to data-plane
Jan 22 09:38:08 ssldata[3257] Failed to use RSA internal CA in rule 3 from ruleset 'ruleset1': 0x3b00c82c
Jan 22 09:38:08 ssldata[3257] SSLe:Modification [0x3b00c82c;code:44;sub:200] Invalid PKI object
Jan 22 09:38:08 ssldata[3257] Failed to parse ruleset associated with segment 'zone1': 0x3b00c82c


 

Cause

This generally means that a certificate used in a rule is no longer available because it has been deleted from the PKI store. A review of the rules named in the log message will indicate which PKI object is being used.
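The review described above can be scripted against an exported log. This is an added example, not part of the original article or the product: the function name is hypothetical, and the message formats are inferred only from the four log lines shown above, assuming the hex status value is the same across the related lines as it is in that excerpt.

```python
import re

# Log excerpt copied from the article above.
SAMPLE_LOG = """\
Jan 22 09:38:08 sslmanage[3254] Activation request sent to data-plane
Jan 22 09:38:08 ssldata[3257] Failed to use RSA internal CA in rule 3 from ruleset 'ruleset1': 0x3b00c82c
Jan 22 09:38:08 ssldata[3257] SSLe:Modification [0x3b00c82c;code:44;sub:200] Invalid PKI object
Jan 22 09:38:08 ssldata[3257] Failed to parse ruleset associated with segment 'zone1': 0x3b00c82c
"""

# Patterns inferred from the excerpt (assumption: other PKI object types
# are logged with the same sentence structure).
HEX = r"0x[0-9a-fA-F]+"
RULE_RE = re.compile(rf"Failed to use (.+?) in rule (\d+) from ruleset '([^']+)': ({HEX})")
PKI_RE = re.compile(rf"\[({HEX});code:\d+;sub:\d+\] Invalid PKI object")
SEG_RE = re.compile(rf"Failed to parse ruleset associated with segment '([^']+)': ({HEX})")


def find_invalid_pki_rules(log_text):
    """Return rules and segments tied to an 'Invalid PKI object' status code."""
    rules, segments, pki_codes = {}, {}, set()
    for line in log_text.splitlines():
        if m := RULE_RE.search(line):
            obj, rule, ruleset, code = m.groups()
            # Dict keys de-duplicate repeated log entries and keep their order.
            rules.setdefault(code, {})[(ruleset, int(rule), obj)] = None
        elif m := PKI_RE.search(line):
            pki_codes.add(m.group(1))
        elif m := SEG_RE.search(line):
            segments.setdefault(m.group(2), {})[m.group(1)] = None
    # Report only status codes that the log itself labels "Invalid PKI object".
    return [
        {
            "code": code,
            "rules": list(rules.get(code, {})),
            "segments": list(segments.get(code, {})),
        }
        for code in sorted(pki_codes)
    ]


if __name__ == "__main__":
    for finding in find_invalid_pki_rules(SAMPLE_LOG):
        for ruleset, rule, obj in finding["rules"]:
            print(f"ruleset {ruleset!r} rule {rule}: {obj} unavailable ({finding['code']})")
        for segment in finding["segments"]:
            print(f"segment {segment!r}: ruleset failed to parse")
```

Each reported ruleset and rule number is a rule to review, and each reported segment is one whose ruleset failed to parse.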

Resolution

To correct this issue, delete the rule that is using the old PKI object. Then create a new rule with a new PKI object or one that already exists on the appliance.