IBM Support

WinSTAP 10.5 receiving alerts "Correlation Timeout Errors" and "Decryption of Messages Failed" resulting in missing DB User Names for sessions.

Troubleshooting


Problem

WinSTAP 10.5 is not logging DB User Names while receiving alerts for "Correlation Timeout Errors" and "Decryption of Message Failed".

Symptom

The following error may be seen during troubleshooting in the STAP.ctl log:

ERROR:

```
E 05/30/2017 16:22:12.607 Wfp: DecryptMessage [xx.xx.xx.116:43150, xx.xx.xx.144:1433] failed: [The handle specified is invalid]
W 05/30/2017 16:28:37.776 Wfp: Correlation delay timeout [xx.xx.xx.116:43227, xx.xx.xx.144:1433].
```

MEANING:

This message is an artifact of the new STAP correlation process. The STAP now uses code to decrypt the encrypted SQL Server stream before sending it to the appliance. Prior to this (in V9), the encrypted stream was sent to the appliance along with an unencrypted stream, and the appliance provided correlation.

The V10 STAP detects that it has received an encrypted packet for a stream and then waits for the driver (either NmpMonitor or WfpMonitor) to provide the encryption key so it can start decrypting the stream. In this case the key arrives late: the STAP times out waiting for it and logs the "Correlation Delay Timeout" message. Decryption of the stream then fails because the STAP does not have the key, so it logs the "Decryption of Message Failed" message. Login packets are always encrypted, so without the key the STAP cannot decrypt the login packet, and the customer will see missing information (such as the DB user name) in the reports.
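To see which connections were hit, the two messages can be grouped by the connection pair they name. The following is an added example, not IBM code: the line layout is inferred from the two log lines quoted above, the sample log is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the format of the two log lines quoted on the page
# (addresses masked the same way); the first and last lines are invented.
SAMPLE_LOG = """\
W 05/30/2017 16:22:07.590 Wfp: Correlation delay timeout [xx.xx.xx.116:43150, xx.xx.xx.144:1433].
E 05/30/2017 16:22:12.607 Wfp: DecryptMessage [xx.xx.xx.116:43150, xx.xx.xx.144:1433] failed: [The handle specified is invalid]
W 05/30/2017 16:28:37.776 Wfp: Correlation delay timeout [xx.xx.xx.116:43227, xx.xx.xx.144:1433].
I 05/30/2017 16:29:00.000 Wfp: some unrelated line
"""

# Assumption: every line is "<severity> <MM/DD/YYYY HH:MM:SS.mmm> <component>: <text>".
# A DecryptMessage line only counts when it is followed by "] failed".
LINE_RE = re.compile(
    r"^`?(?P<sev>[A-Z]) (?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d\.\d{3}) \w+: "
    r"(?P<event>DecryptMessage(?= \[[^\]]*\] failed)|Correlation delay timeout) "
    r"\[(?P<client>[^,\]]+), (?P<server>[^\]]+)\]"
)
EVENT_KEY = {"DecryptMessage": "decrypt_failed", "Correlation delay timeout": "key_timeout"}


def parse_events(text):
    """Return one dict per timeout / decrypt-failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
            "kind": EVENT_KEY[m["event"]],
            "session": (m["client"], m["server"]),
        })
    return events


def affected_sessions(text):
    """Map (client, server) -> Counter of event kinds seen for that connection."""
    sessions = defaultdict(Counter)
    for ev in parse_events(text):
        sessions[ev["session"]][ev["kind"]] += 1
    return dict(sessions)


def per_server_totals(text):
    """Count affected client connections per database endpoint."""
    return Counter(server for (_client, server) in affected_sessions(text))
```

Each connection returned by `affected_sessions` is a candidate for a session whose DB user name is missing from the reports, because its login packet could not be decrypted.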


Document Information

Modified date:
29 March 2019

UID

ibm10742457