topic Re: SSL proxy allocation error in General Topics https://live.paloaltonetworks.com/t5/general-topics/ssl-proxy-allocation-error/m-p/230214#M66184 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70284">@SThatipelly</a>,</P><P>The 5020 has a relatively small Max concurrent decryption sessions limit of 15,872 in comparison to the rest of the platform limits. One way to get around this would be to take a look at what exactly you are decrypting and seeing if you can potentially leave out some traffic that you don't really care about.&nbsp;</P><P>Otherwise if you have that nailed down to simply what you require to actually be decrypted; then your solution would really be as you already stated, move it to a proxy or upgrade the hardware. Keeping in mind that the *200 series (5200/3200) are vastly better spec'd and the 5220 would bring you all the way up to 400,000 Max concurrent decryption sessions sessions.&nbsp;</P> Mon, 10 Sep 2018 17:58:27 GMT BPry 2018-09-10T17:58:27Z SSL proxy allocation error https://live.paloaltonetworks.com/t5/general-topics/ssl-proxy-allocation-error/m-p/230206#M66182 <P>I had ssl decryption in place on PA_5020 and it seems like during peak times, my internal data traffic is reaching max ssl decryption session limit and those beyond the limit are shown as decrypt error and are sent un-decrypted. Is there any solution for this besides hardware upgrade, offload ssl decrypt to proxy?</P><P>&nbsp;</P><P>Thanks.</P> Mon, 10 Sep 2018 17:23:21 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-proxy-allocation-error/m-p/230206#M66182 SThatipelly 2018-09-10T17:23:21Z Re: SSL proxy allocation error https://live.paloaltonetworks.com/t5/general-topics/ssl-proxy-allocation-error/m-p/230214#M66184 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70284">@SThatipelly</a>,</P><P>The 5020 has a relatively small Max concurrent decryption sessions limit of 15,872 in comparison to the rest of the platform limits. One way to get around this would be to take a look at what exactly you are decrypting and seeing if you can potentially leave out some traffic that you don't really care about.&nbsp;</P><P>Otherwise if you have that nailed down to simply what you require to actually be decrypted; then your solution would really be as you already stated, move it to a proxy or upgrade the hardware. Keeping in mind that the *200 series (5200/3200) are vastly better spec'd and the 5220 would bring you all the way up to 400,000 Max concurrent decryption sessions sessions.&nbsp;</P> Mon, 10 Sep 2018 17:58:27 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-proxy-allocation-error/m-p/230214#M66184 BPry 2018-09-10T17:58:27Z