topic Re: Office 365 SOAP error : Session End Reason decrypt-error in General Topics

Office 365 SOAP error : Session End Reason decrypt-error

bpeeri — Wed, 28 Jun 2017 15:46:03 GMT

I am having issues with SSL decryption for office365 . In specific this is related to Azure API and SOAP protocol .

Traffic to azure cloud via soap to the following URL "roaming.officeapps.live.com/rs/RoamingSoapService.svc" is keep getting "decrypt-error" .

Trying to bypass and adding the site to the exclude list , and/or adding it to a url profile that bypass decryption does not seems to work as decryption still occure .

** Decryption is a must as i need to control to which offcice365 domain we allow access, for which we use cusom app as demonstrated in this KB : https://live.paloaltonetworks.com/t5/Management-Articles/FAQ-Office-365-Access-Control/ta-p/94949 **

Have anyone sucssfuly managed SSL decryption with office 365 SOAP Azure API ?

Re: Office 365 SOAP error : Session End Reason decrypt-error

BPry — Wed, 28 Jun 2017 18:00:26 GMT

@bpeeri,

Is this only on this app-id or do you see the same error elsewhere. From your screenshots it looks like you could be running 8.0.*. Are you potentially running into the following bug fixed in the 8.0.3 release?

Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error .

Re: Office 365 SOAP error : Session End Reason decrypt-error

bpeeri — Wed, 28 Jun 2017 18:12:27 GMT

Hi. This issue has been with 8.0.2 running on VM500 and VM700 . Can you let me know what is the bug (or issue ID) on 8.0.2 ? , as i looked in the release notes for 8.0.3 but didn't see any item that seems to be the root cause of my issue .

Re: Office 365 SOAP error : Session End Reason decrypt-error

BPry — Wed, 28 Jun 2017 20:07:30 GMT

Not the bug I was thinking it could be; is this all SOAP sessions or just the Office 365 sessions that are giving you the decrypt-error log?

Re: Office 365 SOAP error : Session End Reason decrypt-error

bpeeri — Thu, 06 Jul 2017 12:19:53 GMT

The issue persist only with soap .

I was able to identify that this is related to a very specific connection to office 365 .

https://support.office.com/en-us/article/Network-requests-in-Office-365-ProPlus-and-Mobile-eb73fcd1-ca88-4d02-a74b-2dd3a9f3364d

Required:Roaming Services.

Office client only | Logged on user

ea-roaming.officeapps.live.com

sea-roaming.officeapps.live.com

neu-roaming.officeapps.live.com

weu-roaming.officeapps.live.com

wus-roaming.officeapps.live.com

eus2-roaming.officeapps.live.com

scus-roaming.officeapps.live.com

ncus-roaming.officeapps.live.com

cus-roaming.officeapps.live.com

13.75.42.223/32
13.67.53.38/32
13.69.159.30/32
40.74.50.25/32
104.40.28.30/32
137.116.77.120/32
40.84.149.239/32
65.52.210.135/32
40.122.129.128/32

TCP 80 & 443

I am also working with support for this issue however at the moment they cannot figure out why there is a decryption error.

At the moment i have bypassed ssl decryption for the following FQDN objects above.

Althought this resolve the issue i do want to unwrap the payload.

Addtionlay i was able to locate this document from microsoft .

When SSL decryption is on and the soap connection get broken some office application just crush on startup .

The following reg changes resolve that however the soap decryption issue on the firewall remains.

https://support.microsoft.com/en-us/help/4012623/office-applications-crash-when-you-open-an-irm-document-if-https-proxy

I think PAN need to do better work to document and create a full and holistic guide for office 365 deployments.

Current guides are short and does not include A to Z instruction or all the details.

Re: Office 365 SOAP error : Session End Reason decrypt-error

BPry — Thu, 06 Jul 2017 13:44:03 GMT

@bpeeri,

The issue with O365 deployment guides of any type on NGFW from any company is how often they would need to be updated. You have Microsoft constantly making changes, Palo constantly updating things, and multiple different versions of Office software being used to function outside of O365 that you would need to cover. Not trying to make excuses for it really, but the amount of time that keeping any documentation up-to-date is insane, that's why I just linked an article that was from the 3.0 era a few days ago for another issue.