This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LeeBingKang
Advisor
‎2023-12-19 01:16 AM
Jump to solution

Failed to deccrypt CP Site Response...

Hi all,

Have you ever faced this kind reason message as below? I tried to search SK but no SK related to this matter.

 

Thank you.

0 Kudos
1 Solution

Accepted Solutions
Thomas_Eichelbu
Advisor
Advisor
‎2024-06-20 02:10 AM
In response to the_rock
Jump to solution

Hello team!

we just had a very interesting call with TAC regarding this issue:

"[rad_decrypted_response_task.cpp:138] CRadDecryptedResponseTask::decrypt: [ERROR] response size is 1394880' limit to 1000000"

he said, Threat Clouds answer back to the RAD service is too large for the RAD service to handle!
Threat Cloud is constantly updating its indicator databases and this information is exceeding the 1000000 bytes limit on RAD.
and certain URL in Threat Cloud can contain alot more Indicators then other URL´s, so it means in future the 1000000 will be exceeding very likey on an everyday basis.
This value is also hardcoded in the RAD code, it required a hotfix.


This issue is already known, a Hotfix is available:
PMTR-97475 -> R82
PRJ-54192 -> R81.20
we installed and fixed in on top of R81.20 HFA 65

Also required is to empty the RAD cache via this GuiDBedit procedure "sk105179"
If answers from Threat Cloud are not fully loaded by RAD it can cause a chain of problems with web surfing.
this causes engine errors, https bypass error and many strange things.

 

 

View solution in original post

21 Replies
LeeBingKang
Advisor
‎2023-12-19 01:17 AM
Jump to solution

Attached error message at below

weird message.png
Preview file
156 KB
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-12-19 03:27 AM
In response to LeeBingKang
Jump to solution

And what does the referred log tell you ?

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LeeBingKang
Advisor
‎2023-12-19 03:44 AM
In response to G_W_Albrecht
Jump to solution

 

Screenshot 2023-12-19 194401.png

This is what it tells.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-12-19 04:19 AM
In response to LeeBingKang
Jump to solution

Confirm with TAC that your case matches but I believe there is a hotfix for this issue.

CCSM R77/R80/ELITE
0 Kudos
LeeBingKang
Advisor
‎2023-12-19 05:35 AM
In response to Chris_Atkinson
Jump to solution

I'm not really understand what is the meaning of "Confirm with TAC that your case matches".

 

Meanwhile, I tried to search the R80.40 jumbo hotfix with keyword "decrypt", but no fix show in the jumbo hotix.

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-12-19 07:39 AM
In response to LeeBingKang
Jump to solution

Log a case with support and have them check your symptoms, if they match other similar cases there is potentially a private hotfix that will address it. Eventually that same fix may form part of a Jumbo.

CCSM R77/R80/ELITE
0 Kudos
LeeBingKang
Advisor
‎2023-12-19 06:46 PM
In response to Chris_Atkinson
Jump to solution

Noted on it. Will open a TAC case for this matter once ready

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-12-19 06:45 AM
In response to LeeBingKang
Jump to solution

So what is written in flow_2544_330697 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LeeBingKang
Advisor
‎2023-12-19 06:45 PM
In response to G_W_Albrecht
Jump to solution

Haven't check it yet, but i will check it once having free time

0 Kudos
paolosint
Explorer
‎2023-12-21 09:00 AM
In response to LeeBingKang
Jump to solution

Can you share the solution if you find it? I have same logs in my Firewall.

John_Fenoughty
Collaborator
‎2024-01-11 09:51 AM
In response to G_W_Albrecht
Jump to solution

I have the same issue for a particular site. It's coming up a lot. My referred log had pages and pages of these:

rad_curl_task.cpp:214] CRadCurlTask::write_callback: [INFO] nmemb = 1448
[rad_curl_task.cpp:213] CRadCurlTask::write_callback: [INFO] enter to ...
[rad_curl_task.cpp:214] CRadCurlTask::write_callback: [INFO] nmemb = 1448

 

but then more interestingly has this:

[rad_decrypted_response_task.cpp:138] CRadDecryptedResponseTask::decrypt: [ERROR] response size is 1394880' limit to 1000000
[rad_decrypted_response_task.cpp:81] CRadDecryptedResponseTask::getResponseString: [ERROR] failed to decrypt response 0xefc34238
[rad_response_task.cpp:67] CRadResponseTask::run: [ERROR] can not get response string

We seem to be overrunning some sort of response size limit.

It's all happening for the same URL over and over, the URL is nothing special, it's just this: cs.mytheresa.com

 

0 Kudos
the_rock
Legend
Legend
‎2024-01-11 10:32 AM
In response to John_Fenoughty
Jump to solution

Does the log entry in smart console show actual name of the protection?

Andy

0 Kudos
John_Fenoughty
Collaborator
‎2024-01-11 10:55 AM
In response to the_rock
Jump to solution

Good question. So it first hits the HTTPS inspection blade, which tells us that this site's certificate is out of date. See 'bad cert' attached. The cert for the 'cs.mytheresa.com' in out of date, the cert on the main mytheresa.com site is fine.

Then the next thing is the Anti-Bot blade registers the 'Failed to decrypt CP Site Response' error.

 

I think I'll try putting in an override for the AB blade.

 

 

Bad Cert.PNG
Preview file
29 KB
ANtri-Bot error.PNG
Preview file
47 KB
0 Kudos
the_rock
Legend
Legend
‎2024-01-11 11:01 AM
In response to John_Fenoughty
Jump to solution

Yep, cert is 100% valid, until March 10, 2024. I would also try add an exception first, good idea.

Andy

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2024-06-20 02:10 AM
In response to the_rock
Jump to solution

Hello team!

we just had a very interesting call with TAC regarding this issue:

"[rad_decrypted_response_task.cpp:138] CRadDecryptedResponseTask::decrypt: [ERROR] response size is 1394880' limit to 1000000"

he said, Threat Clouds answer back to the RAD service is too large for the RAD service to handle!
Threat Cloud is constantly updating its indicator databases and this information is exceeding the 1000000 bytes limit on RAD.
and certain URL in Threat Cloud can contain alot more Indicators then other URL´s, so it means in future the 1000000 will be exceeding very likey on an everyday basis.
This value is also hardcoded in the RAD code, it required a hotfix.


This issue is already known, a Hotfix is available:
PMTR-97475 -> R82
PRJ-54192 -> R81.20
we installed and fixed in on top of R81.20 HFA 65

Also required is to empty the RAD cache via this GuiDBedit procedure "sk105179"
If answers from Threat Cloud are not fully loaded by RAD it can cause a chain of problems with web surfing.
this causes engine errors, https bypass error and many strange things.

 

 

PhoneBoy
Admin
Admin
‎2024-06-20 12:28 PM
In response to Thomas_Eichelbu
Jump to solution

This sounds similar to the limit that existed in ioc_feeds in R81.10 and earlier.
This was fixed with new infrastructure (thus the ability to support 2 million+ IOC in R81.20).

0 Kudos
Henrik_Noerr1
Advisor
‎2024-07-09 03:11 AM
In response to Thomas_Eichelbu
Jump to solution

thank you for this! We see the same

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2024-10-11 02:05 AM
In response to Henrik_Noerr1
Jump to solution

Hello team, 

this is now fixed in R81.20 HFA 89

PRHF-36617/PRJ-54192 (Antibot error: Failed to Decrypt CP Site Response)

 

PRJ-54192

PRHF-31001

Anti-Bot

The Anti-Bot Blade may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494.





Thomas_Eichelbu
Advisor
Advisor
‎2024-11-27 07:51 AM
In response to Thomas_Eichelbu
Jump to solution

Hello Folks, 

regarding this stuff, i just saw ... after installing HFA89/HFA90 the rad_conf.C is enriched with a new paramater:

cat /opt/CPsuite-R81.20/fw1/conf/rad_conf.C
(
:urlfs_service_check_seconds (7200)
:amws_service_check_seconds (1800)
:cpu_cores_as_number_of_threads (false)
:number_of_threads (0)
:threads_to_cores_ratio (0.334)
:minimal_resources_usage_ratio (0.2)
:number_of_threads_fast_response (0)
:number_of_threads_slow_response (0)
:number_of_threads_zph_response (0)
:number_of_threads_update (0)
:queue_max_capacity (2000)
:debug_traffic (false)
:use_dns_cache (true)
:dns_cache_timeout_sec (2)
:use_ssl_cache (true)
:cert_file_name ("ca-bundle.crt")
:cert_type ("CRT")
:ssl_version ("TLSv1_0")
:ciphers ("TLSv1")
:autodebug (true)
:timeout_events (false)
:normal_flow_events (false)
:log_timeouts (false)
:log_errors (true)
:number_of_reports (512)
:max_repository_multiplier (20)
:flow_timeout (6)
:excessive_flow_timeout (120)
:transfer_timeout_sec (15)
:max_flows (1000)
:max_pc_in_reply (0)
:max_content_length_in_reply (1000000)
:retry_mechanism_on (true)
:max_retries (25)
:retry_peroid_mins (15)
:happy_eyeballs_timeout (200)
:large_scale_min_cpus (100)
:large_scale_max_threads (70)
:max_threads (32)
:max_mal_pm_cache_size (100)
)

:max_content_length_in_reply (1000000)
this parameter can be tweaked to increase the buffer/cache for all return messages from ThreatCloud
set it to 1500000 for example 🙂

regarding this parameter
:autodebug (true)
we often get advice to stop the autodebug, since this creates a lot unnecessary load on the GW and is not required, since a manual RAD debug does the job as well 🙂

i would say its time for Check Point to create a comprehensive SK about rad_conf.C to explain every single parameter in great detail!





Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top