SSL/TLS inspection - Dropped due to TLS engine error: OUT_OF_MEMORY[201]

Question

Hello, 
 I have problems with a few clients to access some pages. In the browser appears a SSL_PROTOCOL_ERROR. In the log viewer in the module SSL/TLS inspection appears the error "Dropped due to TLS engine error: OUT_OF_MEMORY[201". For some the error occurs only via VPN, for some directly from the LAN. What exactly does this error mean? 
 Here is an example from the log: 
 messageid="19006" log_type="Content Filtering" log_component="SSL" log_subtype="Error" severity="Information" user="xxx" src_ip="x.x.x.x" dst_ip="40.126.31.70" user_group="VPN-User" src_country="R1" dst_country="IRL" src_port="49893" dst_port="443" app_name="" category="Information Technology" con_id="894151296" rule_id="2" profile_id="4" rule_name="Decrypt" profile_name="Decrypt" bitmask="Valid" key_type="KEY_TYPE__RSA" key_param="RSA 2048 bits" fingerprint="" resumed="1" cert_chain_served="TRUE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" sni="login.live.com" tls_version="TLS1.2" reason="Dropped due to TLS engine error: OUT_OF_MEMORY[201]" exception="" message="" 
 Thanks.

Elardus Erasmus · Answer

Yes, the memory in this instance is the packet buffer. Not the RAM on the box. Protecting against an attempt to pack data into a packet buffer that is too large for the buffer. 
 Since this is reported to be happening on 19.5 MR1, I would appreciate it if you can PM me support access details so that I can look at the configuration in play, and suggest a possible workaround. It would indeed be good to open a support case for this.

emmosophos · Answer

Hello there, 
 Thank you for the follow-up. 
 If the issue persists, please open a case and mention NC-107042 and feel free to reference this community link as well. 
 Additionally, also share the Case ID once you have it. 
 Regards,

Steppenwolf · Answer

Hi, 
 the MTU on the ipsec0 Interface was 1500 here, but the IPsec acceleration was turned off, i don't know why. I enabled the IPsec acceleration in the CLI and we had no problems with the "OUT_OF_MEMORY" problem in relation with IPsec so far. However, we will continue to monitor this. So far, the problem has not yet occurred over the LAN.

SSL/TLS inspection - Dropped due to TLS engine error: OUT_OF_MEMORY[201]

Top Replies