06-03-2010 06:27 AM
We've had a few instances where we are on websites (the one I have witnessed is simply cnn.com), and while I am browsing I'll suddenly get a certificate error, well after the page is loaded, that is generated by the PA-500 unit. I did not see this on the eval unit, which was running 3.1.1; our purchased unit is running 3.1.2. Has anybody else seen anything like this? I had a call from a staff member a few minutes ago that it happened to them while on virginiapreps.rivals.com.
Thanks for any tips.
06-03-2010 01:14 PM
Hello Kevin,
The Palo Alto device will not randomly insert a certificate error while the user is browsing.
However, if the Palo Alto device is configured for SSL decryption and the user goes to an SSL site, you will get a certificate error. In this scenario you would need to import the SSL decrypt certificate from the Palo Alto device into the user's browser.
Thanks,
Stephen
06-04-2010 06:24 AM
I have no SSL Decryption Policies set. Is there somewhere else I need to disable this from?
09-16-2010 02:04 AM
We also have problems with SSL sites since 3.1.2.
Some sites, like gmail.com, with SSL encryption won't load after login.
We also have no SSL decryption policy.
In a packet trace I can see that the client sends packets to the Google server farm and doesn't get any answer. After a while I can see TCP resets sent from the Palo Alto MAC address.
In the traffic logs I see the packets passing to the outside but never the server response.
We have two implementations: one for the company employees and one for guests.
We have a PA-2050 acting as an L3 Internet router with IPS functionality.
Behind the PA-2050 there is one Cisco ASA5040 with a PAT configured for our employees.
In parallel we have implemented two additional ports of the PA-2050 for firewalling/routing/PAT where the guests are placed within a separate LAN infrastructure.
In the production LAN we don't see any problems with SSL sites.
The problems are only located in the guest environment.
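The symptom in the post above (ClientHello sent, nothing comes back, then a TCP reset from the gateway side) is easy to miss in a large capture. The script below, added here as an example and not taken from the thread or from Palo Alto Networks, walks a list of packet records and flags TLS flows where a ClientHello was never answered by a ServerHello before a RST arrived, or never answered at all. The packet records, MAC addresses and IP addresses are constructed for the example; with a real capture you would fill the same fields from a pcap parser. Note that in an L3 deployment like the one described, every inbound frame carries the firewall's MAC anyway, so the MAC alone is not the tell; the missing ServerHello is.

```python
"""Triage constructed packet records for TLS flows that stall after the
ClientHello and are then torn down by a RST (example code, not from the thread)."""

from dataclasses import dataclass
from typing import Optional

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type
SERVER_HELLO = 0x02


@dataclass
class Packet:
    ts: float        # seconds since capture start
    src_mac: str
    src: str         # "ip:port"
    dst: str         # "ip:port"
    flags: str       # subset of "SAFRP" (SYN/ACK/FIN/RST/PSH)
    payload: bytes = b""


@dataclass
class FlowState:
    client_hello_ts: Optional[float] = None
    server_hello_ts: Optional[float] = None
    rst: Optional[Packet] = None


def tls_handshake_type(payload: bytes) -> Optional[int]:
    """Return the handshake message type if the payload starts a TLS handshake record."""
    if len(payload) >= 6 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03:
        return payload[5]
    return None


def port_of(endpoint: str) -> int:
    return int(endpoint.rsplit(":", 1)[1])


def analyze(packets, server_port=443):
    """Group packets into client->server flows and report stalled TLS handshakes."""
    flows = {}
    for p in sorted(packets, key=lambda x: x.ts):
        if port_of(p.dst) == server_port:
            key, to_server = (p.src, p.dst), True
        elif port_of(p.src) == server_port:
            key, to_server = (p.dst, p.src), False
        else:
            continue  # not a flow on the port we care about
        st = flows.setdefault(key, FlowState())
        htype = tls_handshake_type(p.payload)
        if to_server and htype == CLIENT_HELLO and st.client_hello_ts is None:
            st.client_hello_ts = p.ts
        if not to_server and htype == SERVER_HELLO and st.server_hello_ts is None:
            st.server_hello_ts = p.ts
        if "R" in p.flags and st.rst is None:
            st.rst = p

    findings = []
    for (client, server), st in flows.items():
        if st.client_hello_ts is None or st.server_hello_ts is not None:
            continue  # no ClientHello seen, or the handshake progressed normally
        finding = {"client": client, "server": server}
        if st.rst is not None:
            finding.update(
                status="rst_before_server_hello",
                rst_from_server_side=port_of(st.rst.src) == server_port,
                rst_src_mac=st.rst.src_mac,
                rst_delay_s=round(st.rst.ts - st.client_hello_ts, 3),
            )
        else:
            finding.update(status="no_server_response")
        findings.append(finding)
    return findings


# Constructed sample trace (documentation IP range, made-up MACs).
FW_MAC = "00:1b:17:aa:bb:cc"   # gateway/firewall MAC, constructed
PC_MAC = "00:50:56:11:22:33"   # client MAC, constructed
# Minimal handshake record prefixes: type 0x16, version 3.1, length, message type.
CH = bytes([0x16, 0x03, 0x01, 0x00, 0x2a, CLIENT_HELLO]) + b"\x00" * 42
SH = bytes([0x16, 0x03, 0x01, 0x00, 0x2a, SERVER_HELLO]) + b"\x00" * 42

SAMPLE = [
    # flow A: healthy handshake, must not be flagged
    Packet(0.000, PC_MAC, "10.10.1.5:50001", "203.0.113.10:443", "S"),
    Packet(0.020, FW_MAC, "203.0.113.10:443", "10.10.1.5:50001", "SA"),
    Packet(0.021, PC_MAC, "10.10.1.5:50001", "203.0.113.10:443", "A"),
    Packet(0.022, PC_MAC, "10.10.1.5:50001", "203.0.113.10:443", "PA", CH),
    Packet(0.045, FW_MAC, "203.0.113.10:443", "10.10.1.5:50001", "PA", SH),
    # flow B: ClientHello retransmitted three times, then a RST from the gateway side
    Packet(1.000, PC_MAC, "10.10.1.5:50002", "203.0.113.20:443", "S"),
    Packet(1.020, FW_MAC, "203.0.113.20:443", "10.10.1.5:50002", "SA"),
    Packet(1.021, PC_MAC, "10.10.1.5:50002", "203.0.113.20:443", "A"),
    Packet(1.022, PC_MAC, "10.10.1.5:50002", "203.0.113.20:443", "PA", CH),
    Packet(1.322, PC_MAC, "10.10.1.5:50002", "203.0.113.20:443", "PA", CH),
    Packet(1.922, PC_MAC, "10.10.1.5:50002", "203.0.113.20:443", "PA", CH),
    Packet(5.050, FW_MAC, "203.0.113.20:443", "10.10.1.5:50002", "R"),
    # flow C: ClientHello sent, nothing ever comes back
    Packet(2.000, PC_MAC, "10.10.1.5:50003", "203.0.113.30:443", "S"),
    Packet(2.020, FW_MAC, "203.0.113.30:443", "10.10.1.5:50003", "SA"),
    Packet(2.021, PC_MAC, "10.10.1.5:50003", "203.0.113.30:443", "A"),
    Packet(2.022, PC_MAC, "10.10.1.5:50003", "203.0.113.30:443", "PA", CH),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```

Run it on a trace taken from the guest segment and from the employee segment and compare: if only the guest flows show "rst_before_server_hello" with the reset sourced from the gateway side, the device between the client and the Internet is the one tearing the session down, which narrows the search before opening a support case.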
09-17-2010 12:12 PM
You MAY be running into a known issue. Can you issue the following command from the CLI:
>debug dataplane reset ssl-decrypt certificate-cache
Then try to go to any SSL sites that you were having problems with before. If you are now able to access the site then you are probably encountering an issue with our SSL certificate cache that is addressed in software version 3.1.5.
If not, then please call into support so that we can take a closer look at this issue.
thanks,
Stephen