session_end_reason eq decrypt-error - 8.0.9

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

session_end_reason eq decrypt-error - 8.0.9

L3 Networker

Attempting to decrypt inbound ssl traffic to our federation server. I have been unsuccessful and getting decrpyt error.

 

We have been decrpyting other public servers in the same manner with individual certs succesfully for the past couple years. I have confirmed the cert is correct and cyphers are PA supported.

 

Anyone have advice of what I could be missing or what to look for?

 

running OS 8.0.9

1 accepted solution

Accepted Solutions

14 REPLIES 14

Cyber Elite
Cyber Elite

@clewis1,

If you take a packet capture on the firewall is the firewall sending the full certificate chain or only the server certificate to the client? If you need to chain the certificates you can find infomraiton on how to do so HERE

I am also seeing same here on PA 8.0.9

 

application is web browsing and web socket.

session end reason is decrypt error

 

how can i narrow it down ?

 

is firewall unable to decrypt ssl traffic and ending the session?

 

Also this traffic will not be seen in ssl decrypt exclude cache right?

MP

Help the community: Like helpful comments and mark solutions.

@MP18,

You need to look at the detailed session logs on the firewall and see what stage it failed at. That will at least get you pointed in the right direction. 

I have looked at session details at gui that does not show me stage field.

i look at cli only thing i can found close is 

 

tracker stage l7proc ?

 

Is this the right field to check the stage?

MP

Help the community: Like helpful comments and mark solutions.

I have looked at session details at gui that does not show me stage field.

i look at cli only thing i can found close is 

 

tracker stage l7proc ?

 

Is this the right field to check the stage?

MP

Help the community: Like helpful comments and mark solutions.

L2 Linker

I've experiencing similar problems with ssl inbound decryption, session end reasons an decryption errors just after upgrading to 8.0.6:

https://live.paloaltonetworks.com/t5/General-Topics/SSL-decryption-inbound-issue/m-p/209561

 

Look at 8.1.3 addressed issue PAN-97208

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os-release-notes/pan-os-8-1-addressed-i...

 

You may try to upgrade to 8.1.3 or 8.1.4 and check if it's related.

@MP18,

The GUI is not capable of showing the stage at this time. If the traffic was able to make it to l7proc it kind of sounds like you're only seeing a decrypt-error because the firewall isn't seeing enough traffic to properly categorize the application. If you do a lookup of the effected IP address are they add networks or something of the like? 

The most common error when dealing with decrypt-error is honestly 'proxy decrypt failure' which is easy enough to troubleshoot. Failing at the l7proc stage is kind of odd. 

@ACortes,

PAN-97208 is specific to vwire configurations when using active/active HA; that's a very uncommon scenario to run into, as it's a rather unusual deployment. 

 

At this point in time I would still hold off on recommending anyone install 8.1.* unless they have properly vetted the version within their environment. This could be done by reviewing the documentation for all known issues and the issues that have already been addressed; or better the ability to run it in a lab environment that closely mimics your production environment. While the number of issues decreases with every maintenance release, the ability to run it in production without issues still depends on a number of criteria which isn't really safe to assume any one deployment fits into unless specific questions are asked. If you feel like you are running into PAN-97208 (which again fits into a very small number of deployments), it was addressed in 8.0.12. 
If you want to most stable platform for your production environment and lack access to a proper lab environment, I would still highly recommend you stay with 8.0.* for the time being. 

Sorry, I meant 97082.

Finally we solved upgrading to 8.1.5.

I forgot I had this post open, we resolved when we upgraded too. We also resolved a few smtp decrpytion issues to that we were recieveing errors.  Thanks for reporting!

Thanks for updating.

Does this mean that with new PAN OS you do not get any more decrypt error?

The websites which were not working earlier is PA able to decrypt them now ?

 

or

 

PA is sending those websites to the SSL exclude cache?

 

Please confirm

MP

Help the community: Like helpful comments and mark solutions.

Well, we have solved the problem with the upgrade. Now, decryption is working as expected.

I think SSL exclude cache only applies for ssl-forward-proxy mode, which is not my case.

Thanks for updating on this.

MP

Help the community: Like helpful comments and mark solutions.
  • 1 accepted solution
  • 20604 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!