This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LeeBingKang
Advisor
‎2023-12-19 01:16 AM
Jump to solution

Failed to deccrypt CP Site Response...

Hi all,

Have you ever faced this kind reason message as below? I tried to search SK but no SK related to this matter.

 

Thank you.

0 Kudos
1 Solution

Accepted Solutions
Thomas_Eichelbu
Advisor
Advisor
‎2024-06-20 02:10 AM
In response to the_rock
Jump to solution

Hello team!

we just had a very interesting call with TAC regarding this issue:

"[rad_decrypted_response_task.cpp:138] CRadDecryptedResponseTask::decrypt: [ERROR] response size is 1394880' limit to 1000000"

he said, Threat Clouds answer back to the RAD service is too large for the RAD service to handle!
Threat Cloud is constantly updating its indicator databases and this information is exceeding the 1000000 bytes limit on RAD.
and certain URL in Threat Cloud can contain alot more Indicators then other URL´s, so it means in future the 1000000 will be exceeding very likey on an everyday basis.
This value is also hardcoded in the RAD code, it required a hotfix.


This issue is already known, a Hotfix is available:
PMTR-97475 -> R82
PRJ-54192 -> R81.20
we installed and fixed in on top of R81.20 HFA 65

Also required is to empty the RAD cache via this GuiDBedit procedure "sk105179"
If answers from Threat Cloud are not fully loaded by RAD it can cause a chain of problems with web surfing.
this causes engine errors, https bypass error and many strange things.

 

 

View solution in original post

18 Replies
LeeBingKang
Advisor
‎2023-12-19 01:17 AM
Jump to solution

Attached error message at below

Preview file
156 KB
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-12-19 03:27 AM
In response to LeeBingKang
Jump to solution

And what does the referred log tell you ?

 

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
0 Kudos
LeeBingKang
Advisor
‎2023-12-19 03:44 AM
In response to G_W_Albrecht
Jump to solution

 

Screenshot 2023-12-19 194401.png

This is what it tells.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-12-19 04:19 AM
In response to LeeBingKang
Jump to solution

Confirm with TAC that your case matches but I believe there is a hotfix for this issue.

CCSM R77/R80/ELITE
0 Kudos
LeeBingKang
Advisor
‎2023-12-19 05:35 AM
In response to Chris_Atkinson
Jump to solution

I'm not really understand what is the meaning of "Confirm with TAC that your case matches".

 

Meanwhile, I tried to search the R80.40 jumbo hotfix with keyword "decrypt", but no fix show in the jumbo hotix.

 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-12-19 07:39 AM
In response to LeeBingKang
Jump to solution

Log a case with support and have them check your symptoms, if they match other similar cases there is potentially a private hotfix that will address it. Eventually that same fix may form part of a Jumbo.

CCSM R77/R80/ELITE
0 Kudos
LeeBingKang
Advisor
‎2023-12-19 06:46 PM
In response to Chris_Atkinson
Jump to solution

Noted on it. Will open a TAC case for this matter once ready

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-12-19 06:45 AM
In response to LeeBingKang
Jump to solution

So what is written in flow_2544_330697 ?

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist
0 Kudos
LeeBingKang
Advisor
‎2023-12-19 06:45 PM
In response to G_W_Albrecht
Jump to solution

Haven't check it yet, but i will check it once having free time

0 Kudos
paolosint
Explorer
‎2023-12-21 09:00 AM
In response to LeeBingKang
Jump to solution

Can you share the solution if you find it? I have same logs in my Firewall.

John_Fenoughty
Collaborator
‎2024-01-11 09:51 AM
In response to G_W_Albrecht
Jump to solution

I have the same issue for a particular site. It's coming up a lot. My referred log had pages and pages of these:

rad_curl_task.cpp:214] CRadCurlTask::write_callback: [INFO] nmemb = 1448
[rad_curl_task.cpp:213] CRadCurlTask::write_callback: [INFO] enter to ...
[rad_curl_task.cpp:214] CRadCurlTask::write_callback: [INFO] nmemb = 1448

 

but then more interestingly has this:

[rad_decrypted_response_task.cpp:138] CRadDecryptedResponseTask::decrypt: [ERROR] response size is 1394880' limit to 1000000
[rad_decrypted_response_task.cpp:81] CRadDecryptedResponseTask::getResponseString: [ERROR] failed to decrypt response 0xefc34238
[rad_response_task.cpp:67] CRadResponseTask::run: [ERROR] can not get response string

We seem to be overrunning some sort of response size limit.

It's all happening for the same URL over and over, the URL is nothing special, it's just this: cs.mytheresa.com

 

0 Kudos
the_rock
Legend
Legend
‎2024-01-11 10:32 AM
In response to John_Fenoughty
Jump to solution

Does the log entry in smart console show actual name of the protection?

Andy

0 Kudos
John_Fenoughty
Collaborator
‎2024-01-11 10:55 AM
In response to the_rock
Jump to solution

Good question. So it first hits the HTTPS inspection blade, which tells us that this site's certificate is out of date. See 'bad cert' attached. The cert for the 'cs.mytheresa.com' in out of date, the cert on the main mytheresa.com site is fine.

Then the next thing is the Anti-Bot blade registers the 'Failed to decrypt CP Site Response' error.

 

I think I'll try putting in an override for the AB blade.

 

 

Preview file
29 KB
Preview file
47 KB
0 Kudos
the_rock
Legend
Legend
‎2024-01-11 11:01 AM
In response to John_Fenoughty
Jump to solution

Yep, cert is 100% valid, until March 10, 2024. I would also try add an exception first, good idea.

Andy

0 Kudos
Thomas_Eichelbu
Advisor
Advisor
‎2024-06-20 02:10 AM
In response to the_rock
Jump to solution

Hello team!

we just had a very interesting call with TAC regarding this issue:

"[rad_decrypted_response_task.cpp:138] CRadDecryptedResponseTask::decrypt: [ERROR] response size is 1394880' limit to 1000000"

he said, Threat Clouds answer back to the RAD service is too large for the RAD service to handle!
Threat Cloud is constantly updating its indicator databases and this information is exceeding the 1000000 bytes limit on RAD.
and certain URL in Threat Cloud can contain alot more Indicators then other URL´s, so it means in future the 1000000 will be exceeding very likey on an everyday basis.
This value is also hardcoded in the RAD code, it required a hotfix.


This issue is already known, a Hotfix is available:
PMTR-97475 -> R82
PRJ-54192 -> R81.20
we installed and fixed in on top of R81.20 HFA 65

Also required is to empty the RAD cache via this GuiDBedit procedure "sk105179"
If answers from Threat Cloud are not fully loaded by RAD it can cause a chain of problems with web surfing.
this causes engine errors, https bypass error and many strange things.

 

 

the_rock
Legend
Legend
‎2024-06-20 03:55 AM
In response to Thomas_Eichelbu
Jump to solution

Interesting...

0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-20 12:28 PM
In response to Thomas_Eichelbu
Jump to solution

This sounds similar to the limit that existed in ioc_feeds in R81.10 and earlier.
This was fixed with new infrastructure (thus the ability to support 2 million+ IOC in R81.20).

0 Kudos
Henrik_Noerr1
Advisor
3 weeks ago
In response to Thomas_Eichelbu
Jump to solution

thank you for this! We see the same

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events