05-15-2017 12:11 PM
I apologize if this is a dumb question, as I know that some sites will have decryption issues, but is it normal to have a lot of traffic log entries with decrypt-error as the session end reason?
None of our users are complaining that they can't get to something/anything, but I'm seeing a lot of entries with this session end reason. Was going to open a support case, but thought I'd ask here first to see if perhaps I'm mistaking normal behaviour for an issue.
Thanks in advance for your thoughts.
05-16-2017 06:20 AM
Hi,
Stupid question, but have you configured some decryption rule?
This error refers to:
- No HSM available is configured
- No resources available for decryption
- Unsupported cipher suite ...
If no user complains, it's maybe because you allowed undecrypted traffic due to error?
Globally, decryption with PA500 ... is not a good idea 😉
Hope this helps
V.
05-16-2017 06:28 AM
What version of PAN-OS?
05-16-2017 12:39 PM - edited 05-16-2017 12:45 PM
Here is an article on how to dig deeper into the decryption error messages.
For example, the decrypt-error session end can also mean that the firewall does not have enough resources to decrypt.
05-16-2017 01:25 PM
Thank you all for your replies. We are currently running OS 8.0.2. We had recently upgraded to 8.0.1, but had to upgrade again last week for a memory leak that appears to be ongoing.
Regarding decryption, we have a decryption policy that applies to most of our staff through AD group membership as well as a no-decrypt policy for select sites we have determined do not decrypt correctly. I am not certain if our policy is set to allow access on error. I will have to look further into that.
I'm not sure if the reason could be lack of resources. I know that the PA500 is on the low end of the model list. I occasionally see the dataplane CPU usage get rather high, but generally it's not too bad.