PAN-OS 7.0.2 SSL Decryption certificate untrust issues (No problem on 7.0.1)

L4 Transporter

Hmm, no..

I managed to reproduce this issue on my PA-200 running 7.0.2 as well.
But I do not have IPv6 at home. So this issue is NOT related to IPv6 it seems.

But I do get a certificate error on "fbcdn-profile-a.akamaihd.net".

/Jo Christian

L3 Networker

Mmmh, interesting, I am in Europe too.

In my screenshot there is the actual IP from the serving host.

@ITCMPHC do you have the opportunity to put that address and the domain name from my link in your PC's hosts file?

And then check the link?

L2 Linker

@Gertjan-HFG

Digging deeper, I found that I had a test decrypt policy applied to me with the "Block sessions with untrusted issuers" unchecked. If I recall correctly, I had made this policy to test against a very similar bug in 6.x. Removing that policy from my traffic now results in the same Untrusted error that you get. I tried importing both the Baltimore root cert and the Verizon intermediate manually, but it still results in the same error. Sorry for the confusion on this one. I'll open a ticket with support as well.

L3 Networker

@ITCMPHC OK thx for your update.

L1 Bithead

I am having the same issues and have opened a case.  Waiting for TAC to lab up.

L1 Bithead

I had this same issue on my 5050 units and had to roll back to 7.0.1 to fix.  This issue affected multiple sites including www.paloaltonetworks.com.

L3 Networker

Any updates from the TAC cases?

L1 Bithead

Long call with TAC. No resolution besides rolling back to 7.0.1. Scheduling a maintenance window to roll back. Maybe 7.0.2 will join its 7.0.0 cousin.

L4 Transporter

Hi,


Seems like TAC is struggling to find the problem here and also reproduce it.
Can those of you that have opened up cases on this share the case numbers? That way we can make sure that support knows that this problem is common for many users.

My case number is 00371068

/Jo Christian

L1 Bithead

Case 00372222


@Sully wrote:

Long call with TAC. No resolution besides rolling back to 7.0.1. Scheduling a maintenance window to roll back. Maybe 7.0.2 will join its 7.0.0 cousin.
