https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188679#M57226 <P>It seems when you have the decryption rule enabled, firewall is failing to decrypt the session and ending with cert validation error.</P><P>Open up a case with TAC to check why the decryption is failing.</P><P>There was a bug reported on 7.1.4 code for 3k devices where the decryption failed to proxy memory pool exhaustion and was fixed on 7.1.11 or 8.0.3</P><P>&nbsp;</P><P>But getting a validation from TAC engineer would be the first step here.</P> Fri, 24 Nov 2017 17:29:52 GMT mgarg 2017-11-24T17:29:52Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188627#M57217 <P><SPAN>I had configured SSL decryption on PaloAlto VM-50 before 6-7 months ago. There was working normally till today. Today some users get below error when they want to enter site. There is shown “decrypt-cert-validation” message on PaloAlto traffic logs. There isn’t shown any error on PaloAlto and on user computer When I disable SSL decryption rule.</SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image005.jpg" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/12609i2E15CAE2197A0F6B/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="image005.jpg" alt="image005.jpg" /></span></P> Fri, 24 Nov 2017 10:22:04 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188627#M57217 Radmin_85 2017-11-24T10:22:04Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188679#M57226 <P>It seems when you have the decryption rule enabled, firewall is failing to decrypt the session and ending with cert validation error.</P><P>Open up a case with TAC to check why the decryption is failing.</P><P>There was a bug reported on 7.1.4 code for 3k devices where the decryption failed to proxy memory pool exhaustion and was fixed on 7.1.11 or 8.0.3</P><P>&nbsp;</P><P>But getting a validation from TAC engineer would be the first step here.</P> Fri, 24 Nov 2017 17:29:52 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188679#M57226 mgarg 2017-11-24T17:29:52Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188748#M57239 <P>Any other suggestions? it was working until&nbsp; 4 days ago</P> Mon, 27 Nov 2017 05:50:14 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188748#M57239 Radmin_85 2017-11-27T05:50:14Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188862#M57257 <P>As previously mentioned, have you contacted TAC?</P><P>&nbsp;</P><P>Aside from that, what version of PAN-OS are you running?&nbsp; On two seperate occurances my company ran into SSL decyption issues 5060 HA-pair running 7.1.6 where we hit a bug and needed to upgrade to 7.1.10.&nbsp; Then again where we needed to upgrade to 7.1.12 from 7.1.10.&nbsp; (We got the same log message you did in traffic logs)</P><P>&nbsp;</P><P>It's very likely you could be running into the same bugs we did, but the only way to confirm is to open a TAC case.</P><P>&nbsp;</P><P>In our case we simply failed to passive HA device and I think rebooted the previously active 5060.&nbsp; But the end fix was upgrading out of the bug.</P> Mon, 27 Nov 2017 22:21:05 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188862#M57257 Brandon_Wertz 2017-11-27T22:21:05Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188875#M57265 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70049">@Radmin_85</a> wrote:<BR /><P>Any other suggestions? it was working until&nbsp; 4 days ago</P><HR /></BLOCKQUOTE><P>&nbsp;</P><P>I looked through my old cases...Just for clarity the bugs were in 7.1.6 and 7.1.10:</P><P>&nbsp;</P><P>7.1.10 - Bug - PAN‐75337<BR />7.1.6&nbsp; &nbsp;- Bug - PAN-76535</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>*Edit* --&nbsp; (I'd still suggest a case with TAC)&nbsp;</P><P>&nbsp;</P><P>I'll bet you're hitting <SPAN>Bug - PAN-76535.&nbsp; The summary of my case on 7.1.6 is below:</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>"<SPAN>&nbsp;Session end-reason "decrypt-cert-validation". Client browser receives "ERR_SSL_VERSION_OR_CIPHER_MISMATCH".&nbsp;</SPAN><BR /><BR /><SPAN>Reboot fixes the issue."</SPAN></P> Mon, 27 Nov 2017 22:29:15 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-error/m-p/188875#M57265 Brandon_Wertz 2017-11-27T22:29:15Z