https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/617673#M122015 <P>Thank will look into that</P> Thu, 14 Nov 2024 09:34:54 GMT Salathiwe 2024-11-14T09:34:54Z https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/590483#M117627 <P>We have forward proxy (ssl decryption configured)</P> <P>We are having intermittent access to some webpages users have to reload the page to gain access.<BR />We are seeing General TLS Error on the decryption logs under Error.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 171px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60540i74E7B5EB2F03EC7B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> <P>&nbsp;</P> <P>What Iv found out about the error is that&nbsp;&nbsp;</P> <TABLE class="table colsep rowsep table-striped"> <TBODY class="tbody"> <TR class="row"> <TD class="entry relcol"> <DIV> <DIV class="p"> <DIV>This message indicates that an error doesn't meet the criteria for any of the aforementioned protocol errors</DIV> </DIV> </DIV> </TD> </TR> </TBODY> </TABLE> Wed, 26 Jun 2024 13:50:06 GMT https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/590483#M117627 Salathiwe 2024-06-26T13:50:06Z https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/590542#M117639 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206322">@Salathiwe</a>,</P> <P>Unfortunately that particular error message doesn't give you much to go off of from a troubleshooting aspect. The best step forward is taking a PCAP and look through to validate that everything looks good from the logs as far as what the server is exchanging and what the firewall itself actually supports.</P> Wed, 26 Jun 2024 23:33:52 GMT https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/590542#M117639 BPry 2024-06-26T23:33:52Z https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/617200#M121994 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/206322">@Salathiwe</a>&nbsp;Normally&nbsp;this means that Server only supports TLS1.3</P> <P>This is what i have seen so far. Make sure on Firewall Decryption Profile - TLS version - TLS1.3 is selected.</P> <P>&nbsp;</P> <P>Regards</P> Tue, 12 Nov 2024 16:19:12 GMT https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/617200#M121994 MP18 2024-11-12T16:19:12Z https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/617673#M122015 <P>Thank will look into that</P> Thu, 14 Nov 2024 09:34:54 GMT https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/617673#M122015 Salathiwe 2024-11-14T09:34:54Z https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/627649#M122099 <P>In addition, when debugging SSL decrypt problems I also recommend running SSLLabs "Test Your Server" on the endpoint server.&nbsp; I have come across quite a few TLS/1.2 and 1.3 capable public servers that deliberately choose weak encryption algorithms for TLS/1.2 (server side prefers weak ciphers before strong). After successful TLS/1.2 negotiation the server then tries to upgrade the connection to HTTP/2.0, which explicitly forbids weak ciphers, causing the TLS/1.2 to abort. When doing a TLS/1.3 connection everything works fine as 1.3 requires strong ciphers to start. So the server is actually causing the problem, not the PaloAlto.</P> Tue, 19 Nov 2024 16:49:01 GMT https://live.paloaltonetworks.com/t5/general-topics/general-tls-protocol-error/m-p/627649#M122099 Adrian_Jensen 2024-11-19T16:49:01Z