PAN-OS 8.0 Decryption Issue with Firefox and Chrome

L3 Networker

After upgrading my lab to PAN-OS 8.0, the forward decryption failed when using Firefox and Chrome.

IE 11 and Edge still work.

 

For example, when I go to www.google.com,

 

Chrome displays: www.google.com uses an unsupported protocol.
                               ERR_SSL_VERSION_OR_CIPHER_MISMATCH

 

Firefox:  Advanced info: SSL_ERROR_NO_CYPHER_OVERLAP

 

In the PA logs:  Session end Reason = decrypt-error.

 

PA continues the tradition of breaking decryption on new major releases ;)

Does anyone else have the same issue?

L3 Networker

What version were you running in your lab prior to moving to 8.0? It sounds like the same problem I had when I moved from 7.0.x to 7.1.x, where in 7.1 they changed the default behavior in App-ID and I had to make sure my outbound rules were changed from "application-default" to "any".

-Brad
Cyber Elite

I'm planning on upgrading my lab this weekend and can look at it then; I'm not sure how many people even have 8.0 on their lab environments yet.

L3 Networker

Before 8.0 it was running 7.1.7, and decrypting fine.

The decryption security rule was already set to "any".

But thanks for the suggestion.

L2 Linker

PAN-OS 8.0 is going to have a large number of issues. I remember upgrading to one of the beta versions a couple of months back and it broke everything on the box. It continued to go through a reboot cycle until I was finally able to catch it correctly to jump into maint mode. It wasn't the simple "you have 5 seconds to type 'maint'"; it would jump past that 9/10 times and just restart the cycle all over again. :(

It seemed to break because there was some config on there from 7.1 and it did not accept anything. I had to go and factory reset a 200 to have no configuration whatsoever before putting 8.0 on it.

 

 

- Peter

 

 

L3 Networker

It finally works now, but it's still strange.

 

What did I do:

It's all VM, so I reverted the snapshot to the previous (working) 7.1.7 snapshot.

For PAN-OS 8 you need to modify your VM "hardware": increase the memory to 6.5 GB, and the disk size needs to be 60 GB.

But the last time I only increased the memory, so this time I also increased the disk from 40 to 60 GB.

After the disk size increase I upgraded to 8.0 again.

Then I started the VM-100 and that was it for that day; I did not test it or use it.

Today (1 day later) I wanted to examine the decryption issue further, but it started working immediately.

L4 Transporter

Hi,

 

I have the same issue and it's affecting all Google domains on Chrome and Firefox, but the weird thing is it's working fine on Internet Explorer!

 

Do I need to downgrade to resolve this?

 

Regards,

Sharief

Cyber Elite

If the VM that you are using (if using a VM) meets requirements, then yes you will likely need to revert to get things working again. I've seen that sometimes the upgrade itself causes an issue and simply reinstalling 8.0 gets things working again. Seeing as 8.0 is a brand new major software version I would advise that most people stick with 7.1.* as 8.0 is not yet a recommended release. 

L3 Networker

First: Open a case with TAC

 

I did some more research after my issue. 

Immediately after installing or rebooting a PAN-OS 8.0 firewall this issue is present.

The issue disappeared by just waiting x hours without changing anything.

Yet I don't know what the minimum time for x is.

In my test I waited approx. 12 hours.

 

 

L3 Networker

On some new models PAN-OS 8 is the only version available.
