troubleshooting SSL decryption

L4 Transporter

troubleshooting SSL decryption

We've been using SSL decryption for a while now.

While for most websites this is not an issue, once in a while a user complains that a certain HTTPS website doesn't load at all. The browser just keeps loading indefinitely.

We can't find a reason in the logs: traffic is allowed, not blocked, and the decrypted flag is checked in the log detail.

For now our workaround is to add those websites to an encryption exception list (address group). But that list is starting to grow to 30+ addresses.

Two problems with this approach:

- the list is hard to maintain

- no SSL decryption, so no full App-ID visibility for those

How can I troubleshoot this? How can I determine the real reason the sites don't load?

L5 Sessionator

Re: troubleshooting SSL decryption

Hi,

Reasons for a decryption failure should be:

- client certificate used

- non-RFC application

- unsupported crypto setting

From the CLI you can use a command like:

show system setting ssl-decrypt exclude-cache

Be careful not to try to decrypt too many things, according to the law.

Hope this helps

v.

L5 Sessionator

Re: troubleshooting SSL decryption

I am not sure what software version you are on, but there was a fix that went in 4.1.9:

Bug 43507: Due to a buffering issue, firewalls configured with SSL forward proxy decryption caused performance issues for clients when downloading a large number of files (16k+) from web servers over HTTPS.

If you are on 4.1.8 I would recommend upgrading.

Thanks

Numan

L4 Transporter

Re: troubleshooting SSL decryption

We're on 5.0.8, so that's probably another issue. Thanks anyway.

L4 Transporter

Re: troubleshooting SSL decryption

Thanks, I didn't know that command.

At least we can now confirm whether there's a problem with a certain website.

Currently I see all of them timing out for reason CERT_UNSUPPORTED. Is there any setting where I can say: if that's the reason, don't decrypt and continue?

L7 Applicator

Re: troubleshooting SSL decryption

Hello Sir,

Yes, you can change the settings under the decryption profile assigned to the decryption policy, and I disabled (unchecked) the option "Block sessions with unsupported cipher suites".

[Image attachment: SSL-Decryption.JPG.jpg]

Thanks

L4 Transporter

Re: troubleshooting SSL decryption

Great info, I'll try that.

L1 Bithead

Re: troubleshooting SSL decryption

Hello Guys,

What is the best way to troubleshoot SSL interception?

Here I have an exception with:

Issuer: RapidSSL RSA CA 2018

Status: untrusted

OK, great, but I don't understand why the certificate is untrusted. I am trying to find some information in the logs but I don't find anything relevant. The relevant CA is trusted.

Are there some commands to troubleshoot that? Maybe the only way is in the packet capture.

Thanks.

Best regards
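The failure causes listed earlier in the thread (client certificate, non-RFC application, unsupported crypto) and the "issuer untrusted" question in this last post can be cross-checked from an admin workstation before a site goes onto the exception list: perform one TLS handshake per host with a trust bundle of your choosing and sort the outcome into a reason bucket. The script below is an added example, not code from any post in this thread and not a PAN-OS tool; the bucket names, the sample OpenSSL error strings and the hostnames in the usage line are this example's own constructions, and the script uses only Python's standard `ssl` and `socket` modules.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

# Reason buckets. These labels are this example's own; they mirror the causes
# named in the thread but are NOT the firewall's exclude-cache reason codes.
CLIENT_CERT = "client-certificate-required"
UNTRUSTED_CHAIN = "untrusted-or-incomplete-chain"
UNSUPPORTED_CRYPTO = "unsupported-cipher-or-protocol"
NOT_TLS = "non-tls-response"
HANDSHAKE_OK = "handshake-ok"
UNCLASSIFIED = "unclassified"


def classify_tls_error(message: str) -> str:
    """Map the text of an ssl.SSLError (OpenSSL wording) to a reason bucket.

    Caveat: with TLS 1.2 a server that insists on a client certificate usually
    answers a certificate-less client with the same handshake_failure alert it
    sends for a cipher mismatch, so that alert lands in UNSUPPORTED_CRYPTO and
    needs confirming in a packet capture (look for a CertificateRequest).
    """
    m = message.lower()
    if "certificate required" in m:                      # TLS 1.3 alert
        return CLIENT_CERT
    if "certificate verify failed" in m or "unknown ca" in m or "self signed" in m:
        return UNTRUSTED_CHAIN
    if ("handshake failure" in m or "no shared cipher" in m
            or "protocol version" in m or "unsupported protocol" in m):
        return UNSUPPORTED_CRYPTO
    if "wrong version number" in m or "unknown protocol" in m:
        return NOT_TLS                                   # non-RFC / plaintext reply
    return UNCLASSIFIED


@dataclass
class ProbeResult:
    host: str
    category: str
    detail: str = ""
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    issuer_cn: Optional[str] = None


def issuer_common_name(cert: dict) -> Optional[str]:
    """Pull the issuer CN out of the dict returned by SSLSocket.getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def probe_tls(host: str, port: int = 443, timeout: float = 5.0,
              cafile: Optional[str] = None) -> ProbeResult:
    """Do one TLS handshake from this machine and classify the outcome.

    cafile lets you use the same trust bundle the firewall trusts. A server
    that omits its intermediate certificate typically shows up here as
    UNTRUSTED_CHAIN with 'unable to get local issuer certificate', even though
    the issuing CA itself is trusted.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return ProbeResult(host, HANDSHAKE_OK, "", tls.version(),
                                   tls.cipher()[0], issuer_common_name(cert))
    except ssl.SSLError as exc:      # must come first: SSLError subclasses OSError
        return ProbeResult(host, classify_tls_error(str(exc)), str(exc))
    except OSError as exc:           # refused, timed out, DNS failure, ...
        return ProbeResult(host, NOT_TLS, f"connection failed: {exc}")


def group_by_category(results: List[ProbeResult]) -> Dict[str, List[str]]:
    """Group hosts by reason, so exception-list entries with one cause stand out."""
    groups: Dict[str, List[str]] = {}
    for r in results:
        groups.setdefault(r.category, []).append(r.host)
    return groups


if __name__ == "__main__":
    import sys
    # Usage: python tls_probe.py host1.example host2.example ...
    # (feed it the hostnames from the decryption exception address group)
    results = [probe_tls(h) for h in sys.argv[1:]]
    for r in results:
        print(f"{r.host:40} {r.category:32} {r.detail or r.cipher}")
    print(group_by_category(results))
```

Run it against the hosts currently in the exception address group and compare the buckets with what `show system setting ssl-decrypt exclude-cache` reports for the same servers: hosts that land in `untrusted-or-incomplete-chain` are candidates for a missing intermediate on the server side rather than a firewall trust problem, while `client-certificate-required` hosts genuinely cannot be forward-proxied and belong on the exception list.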
