Decrypt error (soap)

Hi,

We realised that we are receiving decrypt errors when accessing O365 from inside to outside. We are decrypting these sessions, but we don't know why the sessions end with "decrypt-error".

(screenshot: error.JPG)

Any idea?

4 replies
@BigPalo,

It's likely because of Certificate Pinning, which the firewall can't actually transparently decrypt. If you view the associated session directly on the firewall it'll have a tad bit more information that may be helpful, such as if you are running into a proxy decrypt failure. 

Yes, we are decrypting this kind of session. This is the detailed log view. Where can I get more info about the root cause of this error?

I thought that we could be hitting this link:

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Identify-Root-Cause-for-SSL-Decrypti...

(screenshot: Captura1.JPG)

@BigPalo,

The first line of the 'General' box will be the session id number. Through the CLI running 'show session id session_id_number' would give you a bit more information about what exactly caused the issue in the 'tracker stage firewall' section. You could be hitting a variety of issues with this, but the most common is due to an unsupported SSL protocol. You can verify this by viewing the global counters and seeing if it increments as you see these logs. 


@BigPalo

What is a little strange, actually, is that the firewall already sees the application soap, which implies that decryption already happened. In addition, the sessions are already quite big, in my opinion. If a decryption error happens, the sessions are normally smaller.

In addition to what @BPry wrote, I would also do a packet capture and check whether there is already data or whether you see TLS handshake errors.
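The two replies above amount to a triage procedure: group decrypt-error sessions by destination and App-ID, use the byte count to tell a handshake-stage failure (pinning, unsupported protocol) from a session where decryption was already working, then pull the session with 'show session id' and the SSL global counters. The script below is an added example that is not from the original thread or from Palo Alto Networks; it assumes a simplified CSV traffic log export whose column names mirror the PAN-OS traffic log fields (the rows are constructed), a made-up size threshold, and a global-counter filter syntax written from memory that should be checked against your PAN-OS version.

```python
"""Triage of PAN-OS traffic log exports for sessions ending in decrypt-error."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export. Assumption: the column names mirror PAN-OS
# traffic log field names, but these rows are made up for this example and
# a real export carries many more columns.
SAMPLE_LOG = """session_id,app,dst,dport,bytes,session_end_reason
10001,soap,203.0.113.10,443,186540,decrypt-error
10002,soap,203.0.113.10,443,172211,decrypt-error
10003,ssl,203.0.113.55,443,1234,decrypt-error
10004,web-browsing,198.51.100.7,443,54321,tcp-fin
10005,soap,203.0.113.10,443,150000,tcp-fin
10006,ssl,203.0.113.55,443,980,decrypt-error
"""

# Constructed threshold separating handshake-stage failures, which leave only a
# few KB on the wire, from sessions that carried application data first.
LARGE_SESSION_BYTES = 100_000


def parse_traffic_log(text):
    """Parse the CSV export into dicts, converting the numeric fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["session_id"] = int(row["session_id"])
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def summarize_decrypt_errors(rows, large_bytes=LARGE_SESSION_BYTES):
    """Group decrypt-error sessions by (destination, app) and count how many of
    them had already moved real data before the session was torn down."""
    summary = defaultdict(lambda: {"count": 0, "large": 0, "bytes": 0, "sessions": []})
    for row in rows:
        if row["session_end_reason"] != "decrypt-error":
            continue
        entry = summary[(row["dst"], row["app"])]
        entry["count"] += 1
        entry["bytes"] += row["bytes"]
        entry["sessions"].append(row["session_id"])
        if row["bytes"] >= large_bytes:
            entry["large"] += 1
    return dict(summary)


def classify(entry, app):
    """Apply the thread's reasoning: an App-ID beyond 'ssl' plus large sessions
    means decryption was working when the error hit; 'ssl' with tiny sessions
    points at a handshake-stage failure (pinning, unsupported protocol)."""
    if app != "ssl" and entry["large"] == entry["count"]:
        return "post-handshake: decryption succeeded first, capture the session and look for TLS alerts"
    if app == "ssl" and entry["large"] == 0:
        return "handshake-stage: check 'show session id' tracker stage and ssl global counters"
    return "mixed: inspect individual sessions"


def cli_checks(session_id):
    """Commands the replies point at for one session. Assumption: the global
    counter filter syntax is from memory; verify it on your PAN-OS version."""
    return [
        f"show session id {session_id}",
        "show counter global filter delta yes category ssl severity drop",
    ]


def triage(text, large_bytes=LARGE_SESSION_BYTES):
    """Return one finding per (dst, app) pair with a verdict and next steps."""
    findings = []
    rows = parse_traffic_log(text)
    for (dst, app), entry in summarize_decrypt_errors(rows, large_bytes).items():
        findings.append({
            "dst": dst,
            "app": app,
            "count": entry["count"],
            "verdict": classify(entry, app),
            "next": cli_checks(entry["sessions"][0]),
        })
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding['dst']:15} {finding['app']:13} {finding['count']:3}  {finding['verdict']}")
        for cmd in finding["next"]:
            print("    ", cmd)
```

On the constructed data the soap sessions to 203.0.113.10 come out as "post-handshake" (App-ID already identified, hundreds of KB transferred), which matches the observation in this thread, while the small ssl sessions to 203.0.113.55 are the classic handshake-stage profile worth checking against the global counters.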
