Office 365 SOAP error : Session End Reason decrypt-error

Reply
Highlighted
L2 Linker

Office 365 SOAP error : Session End Reason decrypt-error

I am having issues with SSL decryption for office365 . In specific this is related to Azure API and SOAP protocol . 

Traffic to azure cloud via soap to the following URL "roaming.officeapps.live.com/rs/RoamingSoapService.svc" is keep getting "decrypt-error" . 

Trying to bypass and adding the site to the  exclude list , and/or adding it to a url profile that bypass decryption does not seems to work as decryption still occure . 

 

** Decryption is a must as i need to control to which offcice365 domain we allow access, for which we use  cusom app as demonstrated in this KB : https://live.paloaltonetworks.com/t5/Management-Articles/FAQ-Office-365-Access-Control/ta-p/94949 ** 

 

11.jpg12.jpg

 

Have anyone sucssfuly managed SSL decryption with office 365 SOAP Azure API ? 

 

L7 Applicator

Re: Office 365 SOAP error : Session End Reason decrypt-error

@bpeeri,

Is this only on this app-id or do you see the same error elsewhere. From your screenshots it looks like you could be running 8.0.*. Are you potentially running into the following bug fixed in the 8.0.3 release? 

 

Fixed an issue on PA-3000 Series firewalls where SSL sessions failed due to memory depletion in the proxy memory pool; Traffic logs displayed the reason decrypt-error .

L2 Linker

Re: Office 365 SOAP error : Session End Reason decrypt-error

Hi. This issue has been with 8.0.2 running on VM500 and VM700 . Can you let me know what is the bug (or issue ID) on 8.0.2 ? , as i looked in the release notes for 8.0.3 but didn't see any item that seems to be the root cause of my issue .
L7 Applicator

Re: Office 365 SOAP error : Session End Reason decrypt-error

Not the bug I was thinking it could be; is this all SOAP sessions or just the Office 365 sessions that are giving you the decrypt-error log? 

L2 Linker

Re: Office 365 SOAP error : Session End Reason decrypt-error

The issue persist only with soap . 

 

I was able to identify that this is related to a very specific connection to office 365 . 

https://support.office.com/en-us/article/Network-requests-in-Office-365-ProPlus-and-Mobile-eb73fcd1-...

 

Required:Roaming Services.

Office client only | Logged on user

ea-roaming.officeapps.live.com

sea-roaming.officeapps.live.com

neu-roaming.officeapps.live.com

weu-roaming.officeapps.live.com

wus-roaming.officeapps.live.com

eus2-roaming.officeapps.live.com

scus-roaming.officeapps.live.com

ncus-roaming.officeapps.live.com

cus-roaming.officeapps.live.com

No

13.75.42.223/32
13.67.53.38/32
13.69.159.30/32
40.74.50.25/32
104.40.28.30/32
137.116.77.120/32
40.84.149.239/32
65.52.210.135/32
40.122.129.128/32

TCP 80 & 443

 

I am also working with support for this issue however at the moment they cannot figure out why there is a decryption error. 

At the moment i have bypassed ssl decryption for the following FQDN objects above. 

 

Althought this resolve the issue i do want to unwrap the payload. 

 

 

Addtionlay i was able to locate this document from microsoft . 

When SSL decryption is on and the soap connection get broken some office application just crush on startup . 

The following reg changes resolve that however the soap decryption issue on the firewall remains. 

 

https://support.microsoft.com/en-us/help/4012623/office-applications-crash-when-you-open-an-irm-docu...

 

I think PAN need to do better work to document and create a full and holistic guide for office 365 deployments.

Current guides are short and does not include A to Z instruction or all the details. 

 

 

L7 Applicator

Re: Office 365 SOAP error : Session End Reason decrypt-error

@bpeeri,

The issue with O365 deployment guides of any type on NGFW from any company is how often they would need to be updated. You have Microsoft constantly making changes, Palo constantly updating things, and multiple different versions of Office software being used to function outside of O365 that you would need to cover. Not trying to make excuses for it really, but the amount of time that keeping any documentation up-to-date is insane, that's why I just linked an article that was from the 3.0 era a few days ago for another issue. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!