11-07-2024 08:07 AM
Brief summary: we have a pair of 3420s that were on 10.2.8-h3 for several months with no issues. Suddenly one day we had issues with what seems to be OOM, which was never fully confirmed by TAC, but they recommended upgrading to 10.2.10-hx (we chose 7 as it included the fix and other fixes, as it's incremental). This seems to have fixed the OOM issue, but now we have issues with decryption, and it seems traffic is not decrypted properly, which causes "ERR_CONNECTION_RESET" or the webpages simply don't load. The strange part is that it seems it was fine for several hours after the upgrade, then we began to see the problem later. TAC suggested going to 10.2.11-h4, which includes both OOM and decryption fixes, but this does not seem to work either, as we experienced the same thing: it worked for several hours but then decryption fails/doesn't work properly.
I'm currently baffled that TAC again came to the conclusion that the only other fix is to upgrade to an 11.x version, which is a major upgrade, and I find this completely unacceptable. The strange part of all of this is that we have dozens of other firewalls, including other PA3420s that are on 10.2.8-h4 and not experiencing any issues.
I have 2 questions:
1. Would it be advisable to downgrade from 10.2.11-h4 to, let's say, 10.2.8-h13 (which seems to be the latest), because it seems anything higher than 10.2.8 has these decryption issues?
2. Anyone on here on a higher version than 10.2.8 that has decryption enabled and not having any issues?
11-07-2024 05:14 PM
Personally I would move forward with the downgrade to 10.2.8-h13 since you have issues running any maintenance release above that and I wouldn't personally perform a major version jump when you're already encountering issues, that's just a recipe for harder troubleshooting. See if that fixes your decryption issue.
11-07-2024 11:55 PM
Is the issue happening only w/ Chrome and Edge, but not with Firefox? If so, it might be related to Kyber. Try disabling Kyber on the affected browser.
11-13-2024 09:18 AM
So we actually downgraded to 10.2.9-h9 per a long conversation with TAC, and it was fine for a few hours, and as soon as we got a large influx of people logging in (in the morning) we began to see the error. Yes, this is the Kyber error, but it seems none of the versions that have the fix truly have the fix.