Post 7.0x upgrade intermittend SSL traffic hangs when being decrypted

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Post 7.0x upgrade intermittend SSL traffic hangs when being decrypted

L1 Bithead

Hi

 

We have noticed this with two customers and on our own PA's , all of these are PA3020's in a HA a/s setup 

SSL decrypted outbound traffic hangs intermittently for a few minutes and then it starts to pass through again.

 

This happens both with 7.0.1 and 7.0.2 

 

anyone seen this issue as well ?

kinda hard to work with support on this since it's intermittent 

 

regards

Gudmundur

59 REPLIES 59

Tried the workaround but it gives just very little improvement.

Palo Alto please release the 7.0.4 asap. Where in the week of 21 december!

The Syn-Cookie-Workaround worked for me.  Before this commits were when I saw the biggest SSL traffic hangs.

Thanks

Upgrading to 7.0.4 right now.

-Brad

It looks like there were quite a few fixes to SSL decryption in this release. I'm hopeful this is actually the release where it's been fixed.

Let's hope. I have both of my 5050's upgraded, but we're 45K student school and everyone is out on break, so I don't have the load this week and next to verify if the fix is working.

-Brad

How'd it go? Any glaring issues? I'm looking to upgrade tonight

Sorry, I was already gone for the day when I saw your message. I haven't seen any new problems, and I have not seen the SSL freeze, but like I said in an earlier post our load is really low right now.

-Brad

L3 Networker

Hi,

 

Upgraded yesterday from 7.0.3 to 7.0.4 (3 firewalls), no issues so far. SSL freeze seemes to be fixed.

And also the annoying bug  that some Microsoft sites failed to load randomly.

 

This is the first time that i am satisfied with the 7.0.x release.

It looks finally "production ready"

 

Yeah I have the same experience. I upgraded one set of 3050s last night and so far things look good. I noticed they increased the FPTCP buffer from 32768 to 131072... quite the jump! I monitor this value every 5 seconds and I've yet to see the buffer go under 129000, whereas before it would hit 0 quite often (and thus cause the decryption outage). I'll continue to keep an eye on it and will report here if things go south again.

So far no issues in a week. I'd say this bug is squashed finally.

Here also, no issues after a week.

I agree bug squashed!

Hi Guys,

 

We are planning on upgrading to 7.0.4 in a couple of days, has anyone upgraded yet and if so was your decryption issues resolved.

 

Thanks

Sol.

I upgraded on Sunday afternoon and so far so good.

@sokonta  (Says the 4 or so other people before you saying they haven't seen the bug they previously saw in 7.0.3 with SSL enabled.)

Thank you guys 7.0.4 it is then..

  • 18444 Views
  • 59 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!