https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226306#M65153 <P>Yes, we are doing decrypt for this kind of sessions. This is the log view detailed. Where can i get more info about the root cause for this error???</P><P>&nbsp;</P><P>I thought that we could be hitting this link:</P><P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Identify-Root-Cause-for-SSL-Decryption-Failure-Issues/ta-p/59445" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Identify-Root-Cause-for-SSL-Decryption-Failure-Issues/ta-p/59445</A></P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Captura1.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16197iCECF8B0DF0AF8898/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Captura1.JPG" alt="Captura1.JPG" /></span></P> Tue, 07 Aug 2018 15:42:12 GMT BigPalo 2018-08-07T15:42:12Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226278#M65148 <P>Hi,</P><P>&nbsp;</P><P>We realised that we are receiving decrypt errors accessing to O365 from inside to outside. We are doing decrypt in sessions. But we dont know why the sessions are finished with "decrypt-error".</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="error.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16191i6F91338F4A0CB63D/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="error.JPG" alt="error.JPG" /></span></P><P>&nbsp;</P><P>Any idea?</P> Tue, 07 Aug 2018 12:54:51 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226278#M65148 BigPalo 2018-08-07T12:54:51Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226303#M65152 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a>,</P><P>It's likely because of Certificate Pinning, which the firewall can't actually transparently decrypt. If you view the associated session directly on the firewall it'll have a tad bit more information that may be helpful, such as if you are running into a proxy decrypt failure.&nbsp;</P> Tue, 07 Aug 2018 15:37:29 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226303#M65152 BPry 2018-08-07T15:37:29Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226306#M65153 <P>Yes, we are doing decrypt for this kind of sessions. This is the log view detailed. Where can i get more info about the root cause for this error???</P><P>&nbsp;</P><P>I thought that we could be hitting this link:</P><P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Identify-Root-Cause-for-SSL-Decryption-Failure-Issues/ta-p/59445" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Identify-Root-Cause-for-SSL-Decryption-Failure-Issues/ta-p/59445</A></P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Captura1.JPG" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16197iCECF8B0DF0AF8898/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Captura1.JPG" alt="Captura1.JPG" /></span></P> Tue, 07 Aug 2018 15:42:12 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226306#M65153 BigPalo 2018-08-07T15:42:12Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226308#M65155 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a>,</P><P>The first line of the 'General' box will be the session id number. Through the CLI running 'show session id&nbsp;<EM>session_id_number</EM>' would give you a bit more information about what exactly caused the issue in the 'tracker stage firewall' section. You could be hitting a variety of issues with this, but the most common is due to an unsupported SSL protocol. You can verify this by viewing the global counters and seeing if it increments as you see these logs.&nbsp;</P><P>&nbsp;</P> Tue, 07 Aug 2018 15:48:47 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226308#M65155 BPry 2018-08-07T15:48:47Z https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226363#M65167 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85066">@BigPalo</a></P><P>A little strange actually is that the firewalls already sees the application soap which implies that the decryption already happened. In addition the sessions are too big already in my opinion. If a decryption error happens the sessions normally are smaller.</P><P>In addition to what <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;wrote I would also do a packet capture and check if there is already data or if you see TLS handshake errors.</P> Tue, 07 Aug 2018 20:26:07 GMT https://live.paloaltonetworks.com/t5/general-topics/decrypt-error-soap/m-p/226363#M65167 Remo 2018-08-07T20:26:07Z