PAN-OS 8.0 Decryption Issue with Firefox and Chrome


L3 Networker

After upgrading my lab to PAN-OS 8.0, the forward decryption failed when using Firefox and Chrome.

IE 11 and Edge still work.

 

For example, when I go to www.google.com,

 

Chrome displays: www.google.com uses an unsupported protocol.
                               ERR_SSL_VERSION_OR_CIPHER_MISMATCH

 

Firefox:  Advanced info: SSL_ERROR_NO_CYPHER_OVERLAP

 

In the PA logs:  Session end Reason = decrypt-error.

 

PA continues the tradition to break decryption on new major releases ;)

Does anyone else have the same issue?

28 REPLIES

Try using different browser.

Had same issue here in LAB. FF returned an error while IE ran just fine. See screenshots.

I assume both browsers try to establish a different SSL connection.

 

 


Without changing anything on the PA, I let it run for a number of hours and suddenly it works.

After a reboot of the PA, it is the same story again.

L3 Networker

PAN-OS 8.0.1: the issue still exists.

L0 Member

I can confirm I installed 8.1 on 3 units, all of them had the same issue, No Chrome (google sites) working. Spent a few hours trying different rules and fixes, nothing worked. Then I read the post about waiting X hours, so I waited until the next morning and everything works again, great.  Hopefully it does not return after a reboot and the cycle starts again, X hours for things to work again.

 

L2 Linker

Hi

 

Any news on this? Have been seeing strange behaviour very similar to this with Android 7.1 / Google / PAN 8.0.1. 

 

Thanks 

David, we had the same issue after upgrading from 7.1.8 to 8.0.1 and after 24 hours it had resolved itself. Our TAC gave us a command that may help:

 

debug dataplane reset ssl-decrypt certificate-cache

 

I've asked them the question as to whether this issue resurfaces after a reboot.

 

We also have issues with most of the Google apps, including Play Store, the Wiki and Instagram app, and decryption. I have a feeling most will have to bypass decryption at the OS level...

Thanks for this. 

 

Yes - have been chasing why Android phone (Nexus running Android 7.1.1)  when initially connected notifies me of no internet. Think this is now a connectivity check via SSL, if I place a decryption exception I can get past this hurdle so guessing something is pinned in Android. 

 

Also Google play no good, activity feed on Google Now/Assistant no good. Monitoring -> Logs -> Traffic I see session end as "Policy-Deny" on the decrypted traffic - category identified is search engines. 
Do not decrypt - search engines & content delivery networks and everything seems a great deal better. 

 

I'll keep at it. This is all on PAN 8.0.1 with SSL decryption enabled.

++ Update, very interesting: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html Looks like Android 7.1.1 has tightened up and possibly MITM is no longer possible.

+++ https://serializethoughts.com/2016/09/10/905/

 

L1 Bithead

Hello,

We have that problem on 8.0.1, but we do not use the VM series but a PA3020. Did you find a workaround?

We also have a 3020, the only workaround we have at the moment is the command I posted earlier (untested) or wait 24 hours and it started working.

 

In terms of Google, et al and their apps not working with decryption, this is currently with our TAC (including the links above from David) and a remote session due this morning...
