07-12-2018 08:01 AM
Attempting to decrypt inbound ssl traffic to our federation server. I have been unsuccessful and getting decrpyt error.
We have been decrpyting other public servers in the same manner with individual certs succesfully for the past couple years. I have confirmed the cert is correct and cyphers are PA supported.
Anyone have advice of what I could be missing or what to look for?
running OS 8.0.9
03-22-2019 02:09 AM
Finally we solved upgrading to 8.1.5.
10-12-2018 02:31 PM - edited 10-12-2018 02:32 PM
I am also seeing same here on PA 8.0.9
application is web browsing and web socket.
session end reason is decrypt error
how can i narrow it down ?
is firewall unable to decrypt ssl traffic and ending the session?
Also this traffic will not be seen in ssl decrypt exclude cache right?
10-13-2018 09:01 PM
You need to look at the detailed session logs on the firewall and see what stage it failed at. That will at least get you pointed in the right direction.
10-13-2018 10:06 PM
I have looked at session details at gui that does not show me stage field.
i look at cli only thing i can found close is
tracker stage l7proc ?
Is this the right field to check the stage?
10-18-2018 11:43 AM
I have looked at session details at gui that does not show me stage field.
i look at cli only thing i can found close is
tracker stage l7proc ?
Is this the right field to check the stage?
10-18-2018 11:57 PM
I've experiencing similar problems with ssl inbound decryption, session end reasons an decryption errors just after upgrading to 8.0.6:
https://live.paloaltonetworks.com/t5/General-Topics/SSL-decryption-inbound-issue/m-p/209561
Look at 8.1.3 addressed issue PAN-97208
You may try to upgrade to 8.1.3 or 8.1.4 and check if it's related.
10-19-2018 06:57 AM
The GUI is not capable of showing the stage at this time. If the traffic was able to make it to l7proc it kind of sounds like you're only seeing a decrypt-error because the firewall isn't seeing enough traffic to properly categorize the application. If you do a lookup of the effected IP address are they add networks or something of the like?
The most common error when dealing with decrypt-error is honestly 'proxy decrypt failure' which is easy enough to troubleshoot. Failing at the l7proc stage is kind of odd.
10-19-2018 07:05 AM
PAN-97208 is specific to vwire configurations when using active/active HA; that's a very uncommon scenario to run into, as it's a rather unusual deployment.
At this point in time I would still hold off on recommending anyone install 8.1.* unless they have properly vetted the version within their environment. This could be done by reviewing the documentation for all known issues and the issues that have already been addressed; or better the ability to run it in a lab environment that closely mimics your production environment. While the number of issues decreases with every maintenance release, the ability to run it in production without issues still depends on a number of criteria which isn't really safe to assume any one deployment fits into unless specific questions are asked. If you feel like you are running into PAN-97208 (which again fits into a very small number of deployments), it was addressed in 8.0.12.
If you want to most stable platform for your production environment and lack access to a proper lab environment, I would still highly recommend you stay with 8.0.* for the time being.
10-21-2018 10:46 PM
Sorry, I meant 97082.
03-22-2019 06:55 AM
I forgot I had this post open, we resolved when we upgraded too. We also resolved a few smtp decrpytion issues to that we were recieveing errors. Thanks for reporting!
03-22-2019 08:38 AM
Thanks for updating.
Does this mean that with new PAN OS you do not get any more decrypt error?
The websites which were not working earlier is PA able to decrypt them now ?
or
PA is sending those websites to the SSL exclude cache?
Please confirm
03-25-2019 01:00 AM
Well, we have solved the problem with the upgrade. Now, decryption is working as expected.
I think SSL exclude cache only applies for ssl-forward-proxy mode, which is not my case.
03-25-2019 06:57 AM
Thanks for updating on this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
