Bug ID 590244: False alert cn decryption failure log when peer (client) drops the TCP session during decryption.

Last Modified: Dec 20, 2018

Affected Product:
BIG-IP LTM(all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4

Fixed In:
13.0.0

Opened: Apr 28, 2016
Severity: 3-Major

Symptoms

False alert cn decryption failure log when peer (client) drops the TCP session during decryption when crypto process is canceled intentionally. ERROR: ssl_cn_decrypt_fin_cb:1985: fin decryption failed

Impact

The crypto process is canceled intentionally, so there should be no error.

Conditions

This issue occurs when all of the following conditions are met:

1. The BIG-IP system has a Cavium Nitrox SSL accelerator card, and the handshake goes through the hardware path (Cavium Nitrox). Note: Not all handshake instances are handled by the hardware; some run the software path. Whether the hardware path is used depends on the SSL protocol and cipher selection.

2. The client (usually the Chrome browser) connects to the BIG-IP system's virtual server but immediately drops the connection (for instance, by pressing Ctrl-F5 very quickly). The error appears when this termination interrupts the hardware decryption process.

Workaround

This typically does not cause a problem, because the client (browser) has already dropped the connection or started another session.

Fix Information

The system no longer posts an error message that indicates an incomplete connection decryption if the connection decryption was already canceled. This is correct behavior.
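Because the message in Symptoms is benign only on the affected versions, and on 13.0.0 or later the same message would indicate a real decryption failure, a log triage step needs to be version-aware. The following is an added example, not F5 code from this record or from the BIG-IP product: it classifies /var/log/ltm-style lines using the exact message signature quoted above and the version list from this record. The syslog line layout, host name, timestamps and the non-cn "decryption failed" line are constructed for the example.

```python
import re
from collections import Counter

# Message signature quoted in this bug record: emitted by the Cavium Nitrox (cn)
# decrypt callback when the peer drops the TCP session during decryption.
# The line number after the function name may vary, so match any digits.
BENIGN_FIN_DECRYPT = re.compile(r"ssl_cn_decrypt_fin_cb:\d+: fin decryption failed")

# Any other decryption failure message should still be looked at.
OTHER_DECRYPT_ERR = re.compile(r"decrypt(ion)? failed", re.IGNORECASE)

# Base versions listed as "Known Affected" in this record (hotfix and point
# releases of these trains are covered by base_version()).
AFFECTED_VERSIONS = {"12.0.0", "12.1.0", "12.1.1", "12.1.2", "12.1.3", "12.1.4"}


def base_version(version):
    """Reduce '12.1.3.4' or '12.0.0 HF1' to the 'major.minor.point' the record lists."""
    return ".".join(version.split()[0].split(".")[:3])


def classify(line, version):
    """Return 'suppress' for the known false alert on an affected version,
    'investigate' for any other decryption failure (or for the same message on
    a fixed version, where it is no longer expected), and 'other' otherwise."""
    if BENIGN_FIN_DECRYPT.search(line):
        return "suppress" if base_version(version) in AFFECTED_VERSIONS else "investigate"
    if OTHER_DECRYPT_ERR.search(line):
        return "investigate"
    return "other"


def triage(lines, version):
    """Count how many lines fall into each class for a BIG-IP running `version`."""
    return dict(Counter(classify(line, version) for line in lines))


# Constructed sample log lines (syslog layout, host, PID and timestamps are
# invented; only the cn callback message text comes from the bug record).
SAMPLE_LOG = [
    "Apr 28 10:00:01 bigip1 err tmm[1234]: ERROR: ssl_cn_decrypt_fin_cb:1985: fin decryption failed",
    "Apr 28 10:00:02 bigip1 err tmm[1234]: ERROR: ssl_cn_decrypt_fin_cb:1985: fin decryption failed",
    "Apr 28 10:00:03 bigip1 notice tmm[1234]: SSL handshake completed",
    "Apr 28 10:00:04 bigip1 err tmm[1234]: ERROR: decryption failed (constructed non-cn sample)",
]

if __name__ == "__main__":
    print("12.1.3.4:", triage(SAMPLE_LOG, "12.1.3.4"))
    print("13.0.0:  ", triage(SAMPLE_LOG, "13.0.0"))
```

On an affected version the two cn callback lines are counted as suppressible while the unrelated decryption error is still surfaced; on 13.0.0 all three error lines are reported for investigation, since the fixed build no longer logs the message for a canceled decryption.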

Behavior Change