troubleshooting SSL decryption


L4 Transporter

We've been using SSL decryption for a while now.

While for most websites this is not an issue, once in a while a user complains that a certain https website doesn't load at all. The browser just keeps loading indefinitely.

We can't find a reason in the logs, traffic is allowed, not blocked, decrypted flag is checked in the log detail.

For now our workaround is to add those websites to an encryption exception list (address group). But that list is starting to grow to 30+ addresses.

Two problems with this approach:

- the list is hard to maintain

- no SSL decryption, so no full App-ID visibility for those

How can I troubleshoot this, how can I determine the real reason the sites don't load?


7 Replies

L5 Sessionator

Hi,

Reasons for decryption failure should be:

- Client cert used

- Non RFC app

- unsupported crypto setting

From cli you can use command like:

show system setting ssl-decrypt exclude-cache

Be careful not to try to decrypt too many things, according to the law.

Hope this helps

v.

L5 Sessionator

I am not sure what software version you are on but there was a fix that went in 4.1.9

Bug 43507: Due to a buffering issue, firewalls configured with SSL forward proxy decryption caused performance issues for clients when downloading a large number of files (16k+) from web servers over HTTPS.

If you are on 4.1.8 I would recommend upgrading.

Thanks

Numan

We're on 5.0.8, so that's probably another issue. Thanks anyway.

Thanks, didn't know that command.

At least we now can confirm if there's a problem with certain website.

Currently I see all of them timing out for reason CERT_UNSUPPORTED. Is there any setting where I can say: if that's the reason, don't decrypt and continue?

Hello Sir,

Yes, you can change the settings under the decryption profile assigned to the decryption policy; I disabled (unchecked) the option "Block sessions with unsupported cipher suites".

[attachment: SSL-Decryption.JPG]

Thanks
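To check the three causes v. listed (client certificate, non-RFC application, unsupported crypto) and the untrusted-issuer case from the client side before touching the decryption profile, here is an added example that is not from this thread or from Palo Alto Networks. It completes a TLS handshake with the site and reports the negotiated suite, the issuer and whether the chain verifies; note that verification is against the probing machine's trust store, not the firewall's, and the `supported_ciphers` set is an assumed input you fill from your own profile.

```python
import socket
import ssl


def probe(host, port=443, timeout=5.0):
    """Handshake with host:port and record what a decrypting proxy has to cope
    with: negotiated protocol and cipher, the issuer, and whether the chain
    verifies against this machine's trust store (not the firewall's)."""
    result = {"host": host, "cipher": None, "trusted": False, "error": None}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                result.update(protocol=tls.version(), cipher=tls.cipher()[0],
                              issuer=issuer.get("commonName"), trusted=True)
    except ssl.SSLCertVerificationError as exc:
        # Handshake completed but the chain did not verify (unknown issuer,
        # expired, hostname mismatch); the reason is in verify_message
        result["error"] = "untrusted certificate: " + exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Handshake or connection failed outright: server demanded a client
        # certificate, no cipher in common, non-TLS service, timeout
        result["error"] = "handshake failed: " + str(exc)
    return result


def diagnose(result, supported_ciphers=None):
    """Summarise a probe result as one line. supported_ciphers is an optional
    set of cipher names your decryption profile can handle (assumed input, not
    the product's list); a negotiated suite outside it is flagged."""
    if result["error"]:
        return result["error"]
    if supported_ciphers is not None and result["cipher"] not in supported_ciphers:
        return "unsupported cipher: " + result["cipher"]
    return "decryptable: %s %s, issuer %s" % (
        result["protocol"], result["cipher"], result["issuer"])


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, "->", diagnose(probe(host)))
```

Run it with the hostnames from your exception list; a site that reports "handshake failed" or a suite outside your profile is a decryption-profile problem, while "untrusted certificate" points at the CA chain.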

Great info, I'll try that

Hello Guys,

What is the best way to troubleshoot SSL interception?

Here I have an exception with:

Issuer: RapidSSL RSA CA 2018

Status: untrusted

OK, great, but I don't understand why the certificate is untrusted. I am trying to find some information in logs but I don't find anything relevant. The relevant CA is trusted.

Are there any commands to troubleshoot that? Maybe the only way is a packet capture.

Thanks.

Best regards
