cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Post 7.0x upgrade intermittend SSL traffic hangs when being decrypted

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
bbilut
L3 Networker
‎12-07-2015 10:56 AM
‎12-07-2015 10:56 AM

This is what they did for me.

 

2015-12-07 12_54_26-nadmmdfpa5050-1.png

2015-12-07 12_54_58-Program Manager.png

-Brad
Reply
Gertjan-HFG
L3 Networker
‎12-07-2015 10:59 AM
‎12-07-2015 10:59 AM

Thanks Guys, will try the DOS rule.

0 Likes
Reply
bgmncwj
L2 Linker
‎12-07-2015 11:02 AM
‎12-07-2015 11:02 AM

For reference here's the work-around I was provided:

 

set profiles dos-protection profiledos type aggregate flood tcp-syn enable yes syn-cookies activate-rate 0 alarm-rate 1000000 maximal-rate 1000000 block duration 100
set rulebase dos rules dosrule2 service service-https source 192.168.1.10 destination 1.1.1.2 action protect
set rulebase dos rules dosrule2 from zone L3-Trust
set rulebase dos rules dosrule2 to zone L3-Untrust
set rulebase dos rules dosrule2 protection aggregate profile profiledos

 

Everybody running into this problem should still open a case though to show how many people are being affected.

Reply
bbilut
L3 Networker
‎12-07-2015 11:18 AM
‎12-07-2015 11:18 AM

They had me create a reverse rule as well. I did mine based on zones rather than networks IP

 

trusted  ---> untrusted

untrusted ---> trusted

-Brad
Reply
tpatrick
L0 Member
‎12-15-2015 05:37 AM
‎12-15-2015 05:37 AM

Can anyone who has updated to 6.1.8 verify if the issue has been resolved by the update?  Support claims the issue is resolved in both 6.1.8 and 7.0.4 so hopefully if it's resolved in 6.1.8 we can assume it will also be resolved in the upcoming 7.0.4 release.  

 

We're wanting to roll out 7.0.4 shortly after the release but only if we can verify the issue is resolved.  

0 Likes
Reply
Gertjan-HFG
L3 Networker
‎12-21-2015 06:32 AM
‎12-21-2015 06:32 AM

Tried the workaround but it gives just very little improvement.

Palo Alto please release the 7.0.4 asap. Where in the week of 21 december!

0 Likes
Reply
snield
L0 Member
‎12-21-2015 02:44 PM
‎12-21-2015 02:44 PM

The Syn-Cookie-Workaround worked for me.  Before this commits were when I saw the biggest SSL traffic hangs.

Thanks

0 Likes
Reply
bbilut
L3 Networker
‎12-22-2015 08:38 AM
‎12-22-2015 08:38 AM

Upgrading to 7.0.4 right now.

-Brad
Reply
bgmncwj
L2 Linker
‎12-22-2015 09:12 AM
‎12-22-2015 09:12 AM

It looks like there were quite a few fixes to SSL decryption in this release. I'm hopeful this is actually the release where it's been fixed.

0 Likes
Reply
bbilut
L3 Networker
‎12-22-2015 09:18 AM
‎12-22-2015 09:18 AM

Let's hope. I have both of my 5050's upgraded, but we're 45K student school and everyone is out on break, so I don't have the load this week and next to verify if the fix is working.

-Brad
0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks