PA-500 SSL decryption decrypt-error session end

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA-500 SSL decryption decrypt-error session end

L0 Member

I apologize of this is a dumb question as I know that some sites will have decyrption issues, but is it normal to have a lot of traffic log entries with decrypt-error as the session end reason?

 

None of our users are complaining that they can't get to something/anything, but I'm seeing a lot of entries with this session end reason. Was going to open a support case, but thought I'd ask hear first to see if perhaps I'm mistaking normal behaviour for an issue.

 

Thanks in advance for your thoughts.

4 REPLIES 4

L5 Sessionator

hi,

 

Stupid question but have you configure some decryption rule ??

This error refer:

  - no HSM availbale is configured

  - No ressources available for decryption

  - unsupported cypher suite ...

If no user complin it's maybe because you allowed undecrypted traffic du to error ???

 

Globally, decryption with PA500 ... is not a good idea 😉

 

Hope help

 

V.

L6 Presenter

What version of PAN-OS?

L3 Networker

Here an article how to dig deeper in the decryption error messages.

For example , The decrypt-error session end can also mean that the firewall has not enough resources to decrypt.

 

https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-New-session-end-reasons/ta-p/732...

 

 

 

L0 Member

Thank you all for your replies. We are currently running OS 8.0.2. We had recently upgraded to 8.0.1, but had to upgrade again last week for a memory leak that appears to be ongoing.

 

Regarding decryption, we have a decryption policy that applies to most of our staff through AD group membership as well as a no-decrypt policy for select sites we have determined do not decrypt correctly. I am not certain if our policy is set to allow access on error. I will have to look further in to that.

 

I'm not sure if the reason could be lack of resources. I know that the PA500 is on the low end of the model list. I occassionally see the dataplane cpu usage get rather high, but generally it's not too bad.

  • 3804 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!