02-03-2017 01:50 AM - edited 02-03-2017 04:31 AM
After upgrading my lab to PAN-OS 8.0, the forward decryption failed when using Firefox and Chrome.
IE 11 and Edge still work.
For example, when I go to www.google.com,
Chrome displays: www.google.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Firefox: Advanced info: SSL_ERROR_NO_CYPHER_OVERLAP
In the PA logs: Session end Reason = decrypt-error.
PA continues the tradition to break decryption on new major releases 😉
Does anyone else have the same issue?
02-03-2017 08:58 AM
What version were you running in your lab prior to moving to 8.0? It sounds like the same problem I had when I moved from 7.0.x to 7.1.x, where in 7.1 they changed the default behavior in app-id and I had to make sure my outbound rules were changed from "application-default" to "any".
02-03-2017 09:48 AM
Before 8.0 it was running 7.1.7, and decrypting fine.
The decryption security rule was already set at "any".
But thanks for the suggestion.
02-03-2017 10:57 AM
PanOS-8.0 is going to have a large number of issues. I remember upgrading to one of the beta versions a couple months back and it broke everything on the box. It continued to go through a reboot cycle until I was finally able to catch it correctly to jump into maint mode. It wasn't the simple you have 5 seconds to type "maint"; it would jump past that 9/10 times and just restart the cycle all over again. 😞
It seemed to break because there was some config on there from 7.1 and it did not accept anything. I had to go and factory reset a 200 to have no configuration whatsoever before putting 8.0 on it.
- Peter
02-05-2017 06:28 AM - edited 02-20-2017 11:24 AM
It finally works now, but it's still strange.
What did I do:
It's all VM, so I reverted the snapshot to the previous (working) 7.1.7 snapshot.
For panos-8 you need to modify your VM "hardware": increase mem to 6.5 Gb, and the disk size needs to be 60 GB.
But the last time I only increased the memory, so this time I also increased the disk from 40 to 60GB.
After the disk size increase I upgraded to 8.0 again.
Then I started the vm100 and that was it for that day; I did not test it or use it.
Today (1 day later) I wanted to examine the decryption issue further, but it started working immediately.
02-20-2017 02:45 AM
Hi,
I have the same issue and it's affecting all google domains on Chrome and Firefox, but the weird thing is it's working fine on Internet Explorer!
Do I need to downgrade to resolve this?
Regards,
Sharief
02-20-2017 06:43 AM
If the VM that you are using (if using a VM) meets requirements, then yes you will likely need to revert to get things working again. I've seen that sometimes the upgrade itself causes an issue and simply reinstalling 8.0 gets things working again. Seeing as 8.0 is a brand new major software version I would advise that most people stick with 7.1.* as 8.0 is not yet a recommended release.
02-20-2017 11:19 AM
First: Open a case with TAC.
I did some more research after my issue.
Immediately after installing or rebooting a panos 8.0 firewall this issue is present.
The issue disappeared by just waiting x hours without changing anything.
Yet I don't know what the minimum time for x is.
In my test I waited approx 12 hours.
02-20-2017 11:21 AM
On some new models PANOS 8 is the only version available.
03-08-2017 04:47 AM
Try using a different browser.
Had the same issue here in LAB. FF returned an error while IE ran just fine. See screenshots.
I assume both browsers try to establish a different SSL connection.
03-08-2017 06:29 AM
Change nothing on the PA, let it run for a number of hours, and suddenly it works.
After a reboot of the PA, it's the same story again.
03-22-2017 10:44 AM
PAN-OS 8.0.1: issue still exists.
03-26-2017 05:39 AM
I can confirm I installed 8.1 on 3 units, all of them had the same issue, No Chrome (google sites) working. Spent a few hours trying different rules and fixes, nothing worked. Then I read the post about waiting X hours, so I waited until the next morning and everything works again, great. Hopefully it does not return after a reboot and the cycle starts again, X hours for things to work again.