'proxy decrypt failure' in session detail even though no ssl decryption

The CLI shows:

Session 33880958

c2s flow:
source: 10.29.32.146 [_DMZ]
dst: 65.55.163.76
proto: 6
sport: 59760 dport: 443
state: INIT type: FLOW
src user: unknown
dst user: unknown

s2c flow:
source: 65.55.163.76 [_EXT]
dst: 198.160.191.5
proto: 6
sport: 443 dport: 32999
state: INIT type: FLOW
src user: unknown
dst user: unknown
qos node: ae1.3741, qos member N/A Qid 0

DP : 1
index(local): : 326526
start time : Thu Nov 8 08:56:49 2018
timeout : 90 sec
total byte count(c2s) : 263
total byte count(s2c) : 128
layer7 packet count(c2s) : 3
layer7 packet count(s2c) : 2
vsys : vsys1
application : ssl
rule : interzone-default
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
address/port translation : source
nat-rule :x.x.x
layer7 processing : enabled
URL filtering enabled : True
URL category : computer-and-internet-info
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ae1.3741
egress interface : ethernet1/13.4001
session QoS rule : N/A (class 4)
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny

A rule is in place to allow any application on TCP port 443.

MP

4 Replies


This is because that session was denied for some reason in your security policy.

Session 33880958
...
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny

This article talks about the setup to ensure that a deny page is displayed (instead of a generic connection error). Your firewall has likely enabled that config, but was unable to display the page to the client. It could be as simple as the client not trusting the cert, which would make sense if you haven't set up decryption for your userbase.
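As an added example (not from this thread or from Palo Alto Networks), a small Python parser for the `show session id` output posted above: it flattens the fields and reads the tracker-stage/end-reason pair the way this answer does. The sample text is constructed from the values in the post, and the extra hint on `rule : interzone-default` assumes that name's predefined default-deny meaning in PAN-OS.

```python
import re

# Constructed sample: the 'show session id' output posted in the thread, trimmed to the fields this triage reads.
SAMPLE = """Session 33880958

c2s flow:
source: 10.29.32.146 [_DMZ]
dst: 65.55.163.76
sport: 59760 dport: 443

index(local): : 326526
application : ssl
rule : interzone-default
tracker stage firewall : proxy decrypt failure
end-reason : policy-deny
"""

# Flow-block lines carry one or two 'name: value' pairs ("sport: 59760 dport: 443").
PAIR = re.compile(r"(\w[\w ]*?):\s*(.+?)(?=\s+\w[\w ]*?:|$)")


def parse_session(text: str) -> dict[str, str]:
    """Flatten session detail into a dict; flow fields get a 'c2s.'/'s2c.' prefix."""
    fields: dict[str, str] = {}
    prefix = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            prefix = ""  # a blank line closes a flow block
        elif line.startswith("Session "):
            fields["session"] = line.split()[1]
        elif line.endswith(" flow:"):
            prefix = line.split()[0] + "."
        elif prefix:
            fields.update((prefix + k, v) for k, v in PAIR.findall(line))
        else:
            key, _, val = line.partition(":")
            fields[key.strip()] = val.lstrip(": ").strip()  # 'index(local): : N' has a stray colon
    return fields


def triage(fields: dict[str, str]) -> tuple[str, str]:
    """Read the tracker-stage/end-reason pair the way the accepted answer does."""
    tracker = fields.get("tracker stage firewall", "")
    reason = fields.get("end-reason", "")
    if tracker == "proxy decrypt failure" and reason == "policy-deny":
        note = ("denied by security policy; the firewall tried to serve its deny page over TLS "
                "and the client never completed that handshake (e.g. untrusted cert), which is not a decryption failure")
        if fields.get("rule") == "interzone-default":
            note += "; it hit the implicit interzone-default rule, so no explicit allow rule matched"
        return "policy-deny", note
    return reason or "unknown", tracker or "no tracker stage recorded"
```

Paste a full `show session id` dump into `SAMPLE` (or read it from a file) to see which rule the session actually matched before chasing decryption settings.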

Seems it was denying on port 80 and some destination IPs.

Allowed port 80 and those destination IPs, and it was good then.

Strange that the CLI gives the error

tracker stage firewall : proxy decrypt failure

even though traffic was not decrypted?

Any thoughts on that?

MP


The session you pasted before was on port 443, so the port 80 allowance wouldn't have helped this session:

Session 33880958

        c2s flow:
                source: 10.29.32.146 [_DMZ]
                dst: 65.55.163.76
                proto: 6
                sport: 59760 dport: 443

If I had to hazard a guess, it was probably the destination blocks that were in place. But since you do have a next-gen firewall, if you are seeing TLS (SSL) traffic on port 80, the firewall will still know it's TLS and will try to display the block page if it's denied.


On the GUI it is showing as:

type: deny
action: reset both
application: ssl
session end reason: policy deny

MP
