06-01-2017 07:22 AM - edited 06-01-2017 07:26 AM
I have a high number of sessions, for various webservers and clients, being closed due to decrypt-error. I've attempted to follow the tips from this document, but I'm still not clear on root cause:
Need help identifying why sessions are ending with message "decrypt-error"
Here are a few of the messages I'm seeing the debug logs:
2017-05-30 13:43:19.466 -0400 Error: pan_ssl3_client_process_handshake(pan_ssl_client.c:871): pan_ssl3_client_get_server_hello() failed
2017-05-30 13:43:19.466 -0400 Error: pan_ssl_proxy_handle_rt_hs(pan_ssl_proxy.c:236): pan_ssl3_process_handshake_message() failed -6
2017-05-30 13:43:19.466 -0400 Error: pan_ssl_proxy_parse_data(pan_ssl_proxy.c:550): pan_ssl_parse_record() failed
-------
2017-05-30 13:43:19.467 -0400 Warning: pan_aho_fpga_lookup(pan_aho.c:2438): too many matches in buffer
2017-05-30 13:43:19.467 -0400 Warning: pan_aho_fpga_lookup(pan_aho.c:2438): too many matches in buffer
-------------------
2017-05-30 13:43:19.462 -0400 Warning: pan_ssl3_server_get_client_hello(pan_ssl_server.c:1127): extra message at the end 2
06-01-2017 11:03 AM
06-01-2017 01:11 PM
Hi - by high number I mean it is happening frequently, but not all the time. So, it's not a general decryption issue but I'm having a hard time isolating it to any specific client or webserver behind the PA.
I observed traffic logs for 1 client connecting to the same web server behind the PA 5020 and not all sessions end with the decrypt-error. Some end normally.
Hardware is a 5020 running 7.1.10
I was thinking that if I have more info on the errors in the debug log, that'll help me narrow my search.
06-01-2017 02:31 PM - edited 06-01-2017 02:32 PM
Hello Amy,
Assuming this is for SSL forward proxy and not for inbound inspection.
Please collect these informations.
> show session all filter ssl-decrypt yes count yes
> show session all filter state discard
If you know any specific machine (source IP from the logs) please collect below mentioned information for get the actual reason for failure.
1. Enable packet-diag (ctd, ssl, proxy).
2. Enable packet capture on firewall (recv, firewall, drop) with a specific filter ( i.e source IP and destination set to 0.0.0.0).
3. take global counter o/p 5 times with a 5 seconds interval.
> show counter global filter packet-filter yes delta yes
You may also check these 2 options.
a. Double check the min TLS version on the firewall
b. Disable Extended Master Secret on client
Thanks
06-05-2017 10:22 AM
Hi Hulk - I should've specified this is for inbounc encryption.
What's the best way to check for the min tls version supported?
Thanks.
06-05-2017 11:26 AM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
