session_end_reason eq decrypt-error - 8.0.9

Reply
Highlighted
L2 Linker

session_end_reason eq decrypt-error - 8.0.9

Attempting to decrypt inbound ssl traffic to our federation server. I have been unsuccessful and getting decrpyt error.

 

We have been decrpyting other public servers in the same manner with individual certs succesfully for the past couple years. I have confirmed the cert is correct and cyphers are PA supported.

 

Anyone have advice of what I could be missing or what to look for?

 

running OS 8.0.9


Accepted Solutions
Highlighted
L2 Linker

Re: session_end_reason eq decrypt-error - 8.0.9

Finally we solved upgrading to 8.1.5.

View solution in original post

Tags (3)

All Replies
Highlighted
Cyber Elite

Re: session_end_reason eq decrypt-error - 8.0.9

@clewis1,

If you take a packet capture on the firewall is the firewall sending the full certificate chain or only the server certificate to the client? If you need to chain the certificates you can find infomraiton on how to do so HERE

Highlighted
Cyber Elite

Re: session_end_reason eq decrypt-error - 8.0.9

I am also seeing same here on PA 8.0.9

 

application is web browsing and web socket.

session end reason is decrypt error

 

how can i narrow it down ?

 

is firewall unable to decrypt ssl traffic and ending the session?

 

Also this traffic will not be seen in ssl decrypt exclude cache right?

MP
Highlighted
Cyber Elite

Re: session_end_reason eq decrypt-error - 8.0.9

@MP18,

You need to look at the detailed session logs on the firewall and see what stage it failed at. That will at least get you pointed in the right direction. 

Highlighted
Cyber Elite

Re: session_end_reason eq decrypt-error - 8.0.9

I have looked at session details at gui that does not show me stage field.

i look at cli only thing i can found close is 

 

tracker stage l7proc ?

 

Is this the right field to check the stage?

MP
Highlighted
Cyber Elite

Re: session_end_reason eq decrypt-error - 8.0.9

I have looked at session details at gui that does not show me stage field.

i look at cli only thing i can found close is 

 

tracker stage l7proc ?

 

Is this the right field to check the stage?

MP
Highlighted
L2 Linker

Re: session_end_reason eq decrypt-error - 8.0.9

I've experiencing similar problems with ssl inbound decryption, session end reasons an decryption errors just after upgrading to 8.0.6:

https://live.paloaltonetworks.com/t5/General-Topics/SSL-decryption-inbound-issue/m-p/209561

 

Look at 8.1.3 addressed issue PAN-97208

https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os-release-notes/pan-os-8-1-addressed-i...

 

You may try to upgrade to 8.1.3 or 8.1.4 and check if it's related.

Highlighted
Cyber Elite

Re: session_end_reason eq decrypt-error - 8.0.9

@MP18,

The GUI is not capable of showing the stage at this time. If the traffic was able to make it to l7proc it kind of sounds like you're only seeing a decrypt-error because the firewall isn't seeing enough traffic to properly categorize the application. If you do a lookup of the effected IP address are they add networks or something of the like? 

The most common error when dealing with decrypt-error is honestly 'proxy decrypt failure' which is easy enough to troubleshoot. Failing at the l7proc stage is kind of odd. 

Highlighted
Cyber Elite

Re: session_end_reason eq decrypt-error - 8.0.9

@ACortes,

PAN-97208 is specific to vwire configurations when using active/active HA; that's a very uncommon scenario to run into, as it's a rather unusual deployment. 

 

At this point in time I would still hold off on recommending anyone install 8.1.* unless they have properly vetted the version within their environment. This could be done by reviewing the documentation for all known issues and the issues that have already been addressed; or better the ability to run it in a lab environment that closely mimics your production environment. While the number of issues decreases with every maintenance release, the ability to run it in production without issues still depends on a number of criteria which isn't really safe to assume any one deployment fits into unless specific questions are asked. If you feel like you are running into PAN-97208 (which again fits into a very small number of deployments), it was addressed in 8.0.12. 
If you want to most stable platform for your production environment and lack access to a proper lab environment, I would still highly recommend you stay with 8.0.* for the time being. 

Highlighted
L2 Linker

Re: session_end_reason eq decrypt-error - 8.0.9

Sorry, I meant 97082.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!