Attempting to decrypt inbound ssl traffic to our federation server. I have been unsuccessful and getting decrpyt error.
We have been decrpyting other public servers in the same manner with individual certs succesfully for the past couple years. I have confirmed the cert is correct and cyphers are PA supported.
Anyone have advice of what I could be missing or what to look for?
running OS 8.0.9
I've experiencing similar problems with ssl inbound decryption, session end reasons an decryption errors just after upgrading to 8.0.6:
Look at 8.1.3 addressed issue PAN-97208
You may try to upgrade to 8.1.3 or 8.1.4 and check if it's related.
The GUI is not capable of showing the stage at this time. If the traffic was able to make it to l7proc it kind of sounds like you're only seeing a decrypt-error because the firewall isn't seeing enough traffic to properly categorize the application. If you do a lookup of the effected IP address are they add networks or something of the like?
The most common error when dealing with decrypt-error is honestly 'proxy decrypt failure' which is easy enough to troubleshoot. Failing at the l7proc stage is kind of odd.
PAN-97208 is specific to vwire configurations when using active/active HA; that's a very uncommon scenario to run into, as it's a rather unusual deployment.
At this point in time I would still hold off on recommending anyone install 8.1.* unless they have properly vetted the version within their environment. This could be done by reviewing the documentation for all known issues and the issues that have already been addressed; or better the ability to run it in a lab environment that closely mimics your production environment. While the number of issues decreases with every maintenance release, the ability to run it in production without issues still depends on a number of criteria which isn't really safe to assume any one deployment fits into unless specific questions are asked. If you feel like you are running into PAN-97208 (which again fits into a very small number of deployments), it was addressed in 8.0.12.
If you want to most stable platform for your production environment and lack access to a proper lab environment, I would still highly recommend you stay with 8.0.* for the time being.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!