...
I tested sending connection events to a syslog server with a device running 7.0.5-72 dev build. I forced an SSL error to occur and expected to see this error in the connection events. The connection events sent to the FMC included the SSL Flow Error field set to PKI_INTERFACE_ERROR (0xba00284b). Below are the corresponding events sent to the syslog server:

Jul 18 22:37:06 csi-hbp-c0-raw2-cs2-p12 %FTD-1-430003: EventPriority: High, DeviceUUID: ce3c8458-21a7-11ee-9b18-81d2cada8093, InstanceID: 1, FirstPacketSecond: 2023-07-18T22:37:05Z, ConnectionID: 0, AccessControlRuleAction: Block, AccessControlRuleReason: SSL Block, SrcIP: 10.10.10.65, DstIP: 10.10.10.66, SrcPort: 36022, DstPort: 443, Protocol: tcp, IngressInterface: eth1, EgressInterface: eth2, ACPolicy: AllowAllACPolicy, AccessControlRuleName: AllowAll, Prefilter Policy: Default Prefilter Policy, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 1, InitiatorPackets: 3, ResponderPackets: 35, InitiatorBytes: 723, ResponderBytes: 44470, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: TestSSLPolicy, SSLRuleName: Default Rule, SSLFlowStatus: Decryption Error, SSLCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSLCertificate: 37c27dc375015b4d91ada2a11c669ac450e01d9f, SSLVersion: TLSv1.2, SSLServerCertStatus: Invalid Issuer, SSLActualAction: Block, SSLExpectedAction: Decrypt (Resign), SSLSessionID: b2e95ebbaf8719d7ea71f692565ca7cf4bc807c5b4bf05b6485fc203aba6d9e3, URL: https://www.1100.com

Jul 18 22:37:06 csi-hbp-c0-raw2-cs2-p12 %FTD-1-430003: EventPriority: High, DeviceUUID: ce3c8458-21a7-11ee-9b18-81d2cada8093, InstanceID: 2, FirstPacketSecond: 2023-07-18T22:37:05Z, ConnectionID: 0, AccessControlRuleAction: Block, AccessControlRuleReason: SSL Block, SrcIP: 10.10.10.65, DstIP: 10.10.10.66, SrcPort: 36024, DstPort: 443, Protocol: tcp, IngressInterface: eth1, EgressInterface: eth2, ACPolicy: AllowAllACPolicy, AccessControlRuleName: AllowAll, Prefilter Policy: Default Prefilter Policy, Client: SSL client, ApplicationProtocol: HTTPS, ConnectionDuration: 1, InitiatorPackets: 3, ResponderPackets: 35, InitiatorBytes: 723, ResponderBytes: 44470, NAPPolicy: Balanced Security and Connectivity, SSLPolicy: TestSSLPolicy, SSLRuleName: Default Rule, SSLFlowStatus: Decryption Error, SSLCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSLCertificate: 835c37555d13066c47b8c11f2c415bc17b7be79c, SSLVersion: TLSv1.2, SSLServerCertStatus: Invalid Issuer, SSLActualAction: Block, SSLExpectedAction: Decrypt (Resign), SSLSessionID: eed9cb4f681116654fff5abb8b6238020a8b1eb8f50caaee88cad4abebbac5f8, URL: https://www.1101.com

The SSL Flow Error field set to PKI_INTERFACE_ERROR (0xba00284b) is missing here.
AC policy configured to send connection events to syslog server
SSL policy attached to AC policy
SSL traffic blocked due to an internal error
You can see the SSL Flow Error field in the connection events sent to the FMC
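A small check for the gap described above, added here as an example and not part of the original report or of any Cisco tooling: it parses %FTD-1-430003 connection events into their "Key: Value" fields and flags events whose SSLFlowStatus reports a decryption error but that carry no error-code field. The syslog key name SSLFlowError, the hostname and the sample lines (modelled on the quoted events) are constructed assumptions.

```python
import re
from typing import Dict, List

# The report names the field "SSL Flow Error"; its exact syslog key is an assumption here.
SSL_ERROR_KEY = "SSLFlowError"

# Constructed sample lines modelled on the 430003 events quoted in the report (hostname
# and identifiers replaced); the second is built to carry the error field for contrast.
SAMPLE_EVENTS = [
    "Jul 18 22:37:06 ftd-example %FTD-1-430003: EventPriority: High, InstanceID: 1, "
    "AccessControlRuleAction: Block, AccessControlRuleReason: SSL Block, "
    "SrcIP: 10.10.10.65, DstIP: 10.10.10.66, SrcPort: 36022, DstPort: 443, "
    "Protocol: tcp, Prefilter Policy: Default Prefilter Policy, SSLPolicy: TestSSLPolicy, "
    "SSLFlowStatus: Decryption Error, SSLServerCertStatus: Invalid Issuer, "
    "SSLActualAction: Block, SSLExpectedAction: Decrypt (Resign), URL: https://www.1100.com",
    "Jul 18 22:37:06 ftd-example %FTD-1-430003: EventPriority: High, InstanceID: 2, "
    "SrcIP: 10.10.10.65, DstIP: 10.10.10.66, SrcPort: 36024, DstPort: 443, "
    "SSLFlowStatus: Decryption Error, SSLActualAction: Block, "
    "SSLFlowError: PKI_INTERFACE_ERROR (0xba00284b), URL: https://www.1101.com",
]

HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%FTD-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)


def parse_ftd_event(line: str) -> Dict[str, str]:
    """Split one %FTD-x-nnnnnn syslog line into a dict of its 'Key: Value' fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an FTD syslog line: %r" % line[:40])
    fields = {"_host": m.group("host"), "_msgid": m.group("msgid")}
    last_key = None
    for item in m.group("body").split(", "):
        key, sep, value = item.partition(": ")
        if sep:
            fields[key] = value
            last_key = key
        elif last_key:  # a value that itself contained ", " was split; glue it back
            fields[last_key] += ", " + item
    return fields


def events_missing_ssl_error(lines: List[str]) -> List[Dict[str, str]]:
    """Connection events whose SSLFlowStatus reports an error but carry no error code."""
    events = (parse_ftd_event(line) for line in lines)
    return [ev for ev in events
            if ev["_msgid"] == "430003"
            and ev.get("SSLFlowStatus") == "Decryption Error"
            and SSL_ERROR_KEY not in ev]
```

Run over a real syslog feed, a non-empty result means the collector is receiving decryption-error events without the error code, which is exactly what the FMC view shows and the syslog copy lacks.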