LeeBingKang
Advisor

Failed to decrypt CP Site Response...

Hi all,

Have you ever faced this kind of reason message, as below? I tried to search for an SK, but there is no SK related to this matter.

 

Thank you.

0 Kudos

21 Replies
LeeBingKang
Advisor

Attached the error message below.

0 Kudos
G_W_Albrecht
Legend

And what does the referred log tell you ?

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LeeBingKang
Advisor
 

Screenshot 2023-12-19 194401.png

This is what it tells.

0 Kudos
Chris_Atkinson
Employee

Confirm with TAC that your case matches but I believe there is a hotfix for this issue.

CCSM R77/R80/ELITE
0 Kudos
LeeBingKang
Advisor

I don't really understand the meaning of "Confirm with TAC that your case matches".

 

Meanwhile, I tried to search the R80.40 jumbo hotfix with the keyword "decrypt", but no fix shows in the jumbo hotfix.

 

0 Kudos
Chris_Atkinson
Employee

Log a case with support and have them check your symptoms, if they match other similar cases there is potentially a private hotfix that will address it. Eventually that same fix may form part of a Jumbo.

CCSM R77/R80/ELITE
0 Kudos
LeeBingKang
Advisor

Noted on it. Will open a TAC case for this matter once ready

0 Kudos
G_W_Albrecht
Legend

So what is written in flow_2544_330697 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
LeeBingKang
Advisor

Haven't checked it yet, but I will check it once I have free time.

0 Kudos
paolosint
Explorer

Can you share the solution if you find it? I have same logs in my Firewall.

John_Fenoughty
Collaborator

I have the same issue for a particular site. It's coming up a lot. My referred log had pages and pages of these:

rad_curl_task.cpp:214] CRadCurlTask::write_callback: [INFO] nmemb = 1448
[rad_curl_task.cpp:213] CRadCurlTask::write_callback: [INFO] enter to ...
[rad_curl_task.cpp:214] CRadCurlTask::write_callback: [INFO] nmemb = 1448

 

but then more interestingly has this:

[rad_decrypted_response_task.cpp:138] CRadDecryptedResponseTask::decrypt: [ERROR] response size is 1394880' limit to 1000000
[rad_decrypted_response_task.cpp:81] CRadDecryptedResponseTask::getResponseString: [ERROR] failed to decrypt response 0xefc34238
[rad_response_task.cpp:67] CRadResponseTask::run: [ERROR] can not get response string

We seem to be overrunning some sort of response size limit.

It's all happening for the same URL over and over, the URL is nothing special, it's just this: cs.mytheresa.com

 

0 Kudos
the_rock
Legend

Does the log entry in smart console show actual name of the protection?

Andy

0 Kudos
John_Fenoughty
Collaborator

Good question. So it first hits the HTTPS inspection blade, which tells us that this site's certificate is out of date. See 'bad cert' attached. The cert for 'cs.mytheresa.com' is out of date; the cert on the main mytheresa.com site is fine.

Then the next thing is the Anti-Bot blade registers the 'Failed to decrypt CP Site Response' error.

 

I think I'll try putting in an override for the AB blade.

 

 

0 Kudos
the_rock
Legend

Yep, cert is 100% valid, until March 10, 2024. I would also try adding an exception first, good idea.

Andy

0 Kudos
Thomas_Eichelbu
Advisor

Hello team!

we just had a very interesting call with TAC regarding this issue:

"[rad_decrypted_response_task.cpp:138] CRadDecryptedResponseTask::decrypt: [ERROR] response size is 1394880' limit to 1000000"

He said Threat Cloud's answer back to the RAD service is too large for the RAD service to handle!
Threat Cloud is constantly updating its indicator databases and this information is exceeding the 1000000 bytes limit on RAD.
And certain URLs in Threat Cloud can contain a lot more indicators than other URLs, so it means that in future the 1000000 will very likely be exceeded on an everyday basis.
This value is also hardcoded in the RAD code, it required a hotfix.


This issue is already known, a Hotfix is available:
PMTR-97475 -> R82
PRJ-54192 -> R81.20
We installed and fixed it on top of R81.20 HFA 65.

Also required is to empty the RAD cache via this GuiDBedit procedure "sk105179"
If answers from Threat Cloud are not fully loaded by RAD it can cause a chain of problems with web surfing.
this causes engine errors, https bypass error and many strange things.

 

 

the_rock
Legend

Interesting...

0 Kudos
PhoneBoy
Admin

This sounds similar to the limit that existed in ioc_feeds in R81.10 and earlier.
This was fixed with new infrastructure (thus the ability to support 2 million+ IOC in R81.20).

0 Kudos
Henrik_Noerr1
Advisor

thank you for this! We see the same

0 Kudos
Thomas_Eichelbu
Advisor

Hello team, 

this is now fixed in R81.20 HFA 89

PRHF-36617/PRJ-54192 (Antibot error: Failed to Decrypt CP Site Response)

 

PRJ-54192

PRHF-31001

Anti-Bot

The Anti-Bot Blade may generate error logs with the "Failed to Decrypt CP Site Response" reason. Refer to sk182494.





the_rock
Legend

Good to know!

0 Kudos
Thomas_Eichelbu
Advisor

Hello Folks, 

Regarding this stuff, I just saw ... after installing HFA89/HFA90 the rad_conf.C is enriched with a new parameter:

cat /opt/CPsuite-R81.20/fw1/conf/rad_conf.C
(
:urlfs_service_check_seconds (7200)
:amws_service_check_seconds (1800)
:cpu_cores_as_number_of_threads (false)
:number_of_threads (0)
:threads_to_cores_ratio (0.334)
:minimal_resources_usage_ratio (0.2)
:number_of_threads_fast_response (0)
:number_of_threads_slow_response (0)
:number_of_threads_zph_response (0)
:number_of_threads_update (0)
:queue_max_capacity (2000)
:debug_traffic (false)
:use_dns_cache (true)
:dns_cache_timeout_sec (2)
:use_ssl_cache (true)
:cert_file_name ("ca-bundle.crt")
:cert_type ("CRT")
:ssl_version ("TLSv1_0")
:ciphers ("TLSv1")
:autodebug (true)
:timeout_events (false)
:normal_flow_events (false)
:log_timeouts (false)
:log_errors (true)
:number_of_reports (512)
:max_repository_multiplier (20)
:flow_timeout (6)
:excessive_flow_timeout (120)
:transfer_timeout_sec (15)
:max_flows (1000)
:max_pc_in_reply (0)
:max_content_length_in_reply (1000000)
:retry_mechanism_on (true)
:max_retries (25)
:retry_peroid_mins (15)
:happy_eyeballs_timeout (200)
:large_scale_min_cpus (100)
:large_scale_max_threads (70)
:max_threads (32)
:max_mal_pm_cache_size (100)
)

:max_content_length_in_reply (1000000)
this parameter can be tweaked to increase the buffer/cache for all return messages from ThreatCloud
set it to 1500000 for example 🙂

regarding this parameter
:autodebug (true)
We often get advice to stop the autodebug, since this creates a lot of unnecessary load on the GW and is not required, since a manual RAD debug does the job as well 🙂

I would say it's time for Check Point to create a comprehensive SK about rad_conf.C to explain every single parameter in great detail!
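
An added example (not part of any post above and not Check Point tooling): a shell check that reads `max_content_length_in_reply` from rad_conf.C text and compares it with the largest "response size is ... limit to ..." error in a RAD debug log, the two formats quoted in this thread. The sample config and log are constructed, and the function names and verdict labels are made up for illustration.

```sh
#!/bin/sh
# Added example, not Check Point tooling. Sample data below is constructed
# from the log and rad_conf.C formats quoted in this thread.
SAMPLE_CONF='(
:max_pc_in_reply (0)
:max_content_length_in_reply (1000000)
:retry_mechanism_on (true)
)'
# The 1012004 line is invented to show several hits; the others mirror the thread.
SAMPLE_LOG="[rad_curl_task.cpp:214] CRadCurlTask::write_callback: [INFO] nmemb = 1448
[rad_decrypted_response_task.cpp:138] CRadDecryptedResponseTask::decrypt: [ERROR] response size is 1394880' limit to 1000000
[rad_decrypted_response_task.cpp:138] CRadDecryptedResponseTask::decrypt: [ERROR] response size is 1012004' limit to 1000000
[rad_response_task.cpp:67] CRadResponseTask::run: [ERROR] can not get response string"

# stdin: rad_conf.C text -> configured max_content_length_in_reply (empty if absent)
conf_limit() {
  sed -n 's/^[[:space:]]*:max_content_length_in_reply[[:space:]]*(\([0-9][0-9]*\)).*/\1/p' | head -n 1
}

# stdin: RAD debug log -> "<hits> <largest response size> <limit named in the log>"
oversize_stats() {
  sed -n "s/.*CRadDecryptedResponseTask::decrypt: \[ERROR\] response size is \([0-9][0-9]*\)'\{0,1\} limit to \([0-9][0-9]*\).*/\1 \2/p" |
    awk 'BEGIN { n = 0; max = 0; lim = 0 }
         { n++; if ($1 + 0 > max) max = $1 + 0; lim = $2 + 0 }
         END { print n, max, lim }'
}

# $1 = rad_conf.C text, $2 = log text -> one-line verdict
check_rad_limit() {
  limit=$(printf '%s\n' "$1" | conf_limit)
  stats=$(printf '%s\n' "$2" | oversize_stats)
  count=${stats%% *}; rest=${stats#* }; max=${rest%% *}
  if [ "$count" -eq 0 ]; then
    echo "OK no oversize responses logged"
  elif [ -z "$limit" ]; then
    # Assumption drawn from the thread: builds without the parameter use the hardcoded limit.
    echo "NO_PARAM count=$count max=$max"
  elif [ "$max" -gt "$limit" ]; then
    echo "OVER_LIMIT count=$count max=$max limit=$limit"
  else
    echo "BELOW_LIMIT count=$count max=$max limit=$limit"
  fi
}

check_rad_limit "$SAMPLE_CONF" "$SAMPLE_LOG"
```

On a gateway, pass the contents of the rad_conf.C path shown above and of the RAD log file that the SmartConsole log entry refers to; `BELOW_LIMIT` means the logged errors predate a raised limit.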




