Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6
Fixed In:
13.0.0
Opened: Apr 28, 2016 Severity: 3-Major
False alert cn decryption failure log when peer (client) drops the TCP session during decryption when crypto process is canceled intentionally. ERROR: ssl_cn_decrypt_fin_cb:1985: fin decryption failed
The crypto process is canceled intentionally, so there should be no error.
This issue occurs when all of the following conditions are met: 1. Using a BIG-IP system with a Cavium Nitrox SSL accelerator card, and the handshake goes through the hardware path (Cavium Nitrox). Note: Not all the handshake instances are handled by the hardware; some run the software path. Whether the hardware path is used depends on the SSL protocol and cipher selection. 2. The client (usually the Chrome browser) connects to the BIG-IP system's virtual server but immediately drop the connection (for instance, pressingCtrl-f5 very quickly). The error appears when this termination happens to interrupt the hardware decryption process.
This typically does not cause problem because the client (browsers) could have dropped the connection or restarted another session.
The system no longer posts an error message that indicates an incomplete connection decryption if the connection decryption was already canceled. This is correct behavior.