
SSL/TLS inspection - Dropped due to TLS engine error: OUT_OF_MEMORY[201]

Hello,

I have problems with a few clients accessing some pages. An SSL_PROTOCOL_ERROR appears in the browser. In the log viewer, in the SSL/TLS inspection module, the error "Dropped due to TLS engine error: OUT_OF_MEMORY[201]" appears. For some, the error occurs only via VPN; for some, directly from the LAN. What exactly does this error mean?

Here is an example from the log:

messageid="19006" log_type="Content Filtering" log_component="SSL" log_subtype="Error" severity="Information" user="xxx" src_ip="x.x.x.x" dst_ip="40.126.31.70" user_group="VPN-User" src_country="R1" dst_country="IRL" src_port="49893" dst_port="443" app_name="" category="Information Technology" con_id="894151296" rule_id="2" profile_id="4" rule_name="Decrypt" profile_name="Decrypt" bitmask="Valid" key_type="KEY_TYPE__RSA" key_param="RSA 2048 bits" fingerprint="" resumed="1" cert_chain_served="TRUE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" sni="login.live.com" tls_version="TLS1.2" reason="Dropped due to TLS engine error: OUT_OF_MEMORY[201]" exception="" message=""

Thanks.
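
To check whether such drops cluster on particular hosts, user groups (VPN or LAN) or resumed sessions, the log entries can be parsed and grouped by those fields. This is an added example, not part of the original post and not Sophos tooling; the sample lines are constructed in the key="value" layout of the entry above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the log entry in the post; users,
# addresses and the non-matching third entry are made up for illustration.
SAMPLE_LOG = '''\
log_component="SSL" user="alice" src_ip="10.8.0.12" user_group="VPN-User" resumed="1" sni="login.live.com" tls_version="TLS1.2" reason="Dropped due to TLS engine error: OUT_OF_MEMORY[201]"
log_component="SSL" user="bob" src_ip="192.168.1.20" user_group="LAN-User" resumed="0" sni="login.live.com" tls_version="TLS1.2" reason="Dropped due to TLS engine error: OUT_OF_MEMORY[201]"
log_component="SSL" user="alice" src_ip="10.8.0.12" user_group="VPN-User" resumed="0" sni="example.test" tls_version="TLS1.3" reason=""
log_component="SSL" user="carol" src_ip="10.8.0.31" user_group="VPN-User" resumed="1" sni="login.live.com" tls_version="TLS1.2" reason="Dropped due to TLS engine error: OUT_OF_MEMORY[201]"
'''

# Assumes values never contain an embedded double quote, as in the entry above.
PAIR = re.compile(r'(\w+)="([^"]*)"')
# Splits the reason text into the error name and the bracketed numeric code.
ENGINE_ERR = re.compile(r'TLS engine error: (\w+)\[(\d+)\]')


def parse_line(line):
    """Turn one key="value" log line into a dict of its fields."""
    return dict(PAIR.findall(line))


def engine_errors(text):
    """Yield only the records whose reason is a TLS engine error."""
    for line in text.splitlines():
        rec = parse_line(line)
        match = ENGINE_ERR.search(rec.get("reason", ""))
        if match:
            rec["engine_error"] = match.group(1)
            rec["engine_code"] = int(match.group(2))
            yield rec


def summarize(text):
    """Count engine errors per (error, sni, user_group, resumed) tuple."""
    counts = Counter()
    for rec in engine_errors(text):
        key = (rec["engine_error"], rec.get("sni", ""),
               rec.get("user_group", ""), rec.get("resumed", ""))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```
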



This thread was automatically locked due to age.

Top Replies

  • Yes, the memory in this instance is the packet buffer. Not the RAM on the box. Protecting against an attempt to pack data into a packet buffer that is too large for the buffer.

    Since this is reported to be happening on 19.5 MR1, I would appreciate it if you can PM me support access details so that I can look at the configuration in play, and suggest a possible workaround. It would indeed be good to open a support case for this.

  • It is not ultimately related to IPsec. The NPU could find a connection, which does extend the connection size and therefore gets dropped by the NPU with "out of memory". Upgrading to V19.5 MR1 can fix this issue, but if it does not fix it, you should generate a support case to get this investigated. If you can reproduce this issue, it is better.
