SSL decryption & not working VPN

L3 Networker

Hi guys,

We witnessed a very strange phenomenon this morning.

First we received a call that our VPN gateway was not accepting any VPN connections.

At the same time we received calls that certain websites were not accessible. These websites had in common that they were SSL encrypted.
We have 2 PA-500 firewalls with a HA configuration.
SSL decryption is enabled for certain networks (workstations). SSL decryption uses a different certificate than our VPN gateway.

Both certificates are valid.
As soon as we turned off SSL decryption, the VPN gateway started to accept connections.

When we turned SSL decryption back on we noticed that some websites were decrypted while others were not.

The sites that were not decrypted should have been decrypted. They were not in the "Do-not-Decrypt" list.

To be certain the firewall was doing the job right, I deleted the certificate cache on my browser. I also visited sites that were SSL encrypted which I had not visited before.
We are a bit puzzled what happened here. Currently we have SSL decryption turned off but would like to have it on again.

The PA-500 is a few software versions behind. Currently on version 7.1.2.

I have tried to find anything related in the release notes of the newer versions that might indicate a problem with our current version. I was not able to find this.

Any ideas what might be going on?

Remko
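A small check for the "some sites decrypted, others not" symptom described above (an added example, not code from the thread or from Palo Alto Networks): it classifies each site's certificate by whether its issuer is the firewall's forward-trust CA, which is what a re-signed (decrypted) session presents to the client. The CA name and the sample certificates are constructed assumptions.

```python
import socket
import ssl

# Assumed CN of the firewall's forward-trust CA (hypothetical; use your own).
FORWARD_TRUST_CN = "Example-PA-Forward-Trust"

def issuer_cn(cert):
    """Return the issuer commonName from a cert in ssl.getpeercert() dict form."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def classify(cert, forward_trust_cn=FORWARD_TRUST_CN):
    """'decrypted' if the leaf was re-signed by the forward-trust CA, else 'passthrough'."""
    return "decrypted" if issuer_cn(cert) == forward_trust_cn else "passthrough"

def check_live(host, port=443, forward_trust_cn=FORWARD_TRUST_CN, timeout=5):
    """Connect and classify the cert actually presented (needs network; not run offline)."""
    # The forward-trust CA must be in the local trust store or verification fails here.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return host, classify(tls.getpeercert(), forward_trust_cn)

# Constructed sample certificates in the shape ssl.getpeercert() returns.
SAMPLE_CERTS = {
    "intranet-site.example": {
        "subject": ((("commonName", "intranet-site.example"),),),
        "issuer": ((("organizationName", "Example Corp"),),
                   (("commonName", FORWARD_TRUST_CN),)),
    },
    "public-site.example": {
        "subject": ((("commonName", "public-site.example"),),),
        "issuer": ((("organizationName", "Some Public CA"),),
                   (("commonName", "Some Public CA R3"),)),
    },
}

def audit(certs=SAMPLE_CERTS, forward_trust_cn=FORWARD_TRUST_CN):
    """Report each host as decrypted or passthrough so unexpected gaps stand out."""
    return {host: classify(cert, forward_trust_cn) for host, cert in certs.items()}

if __name__ == "__main__":
    for host, state in audit().items():
        print(f"{host}: {state}")
```

A host that is in scope for decryption but reports "passthrough" (and is not on the do-not-decrypt list) is the condition the thread describes and is worth capturing in the tech support file.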


5 REPLIES

L4 Transporter

Per the description, it sounds like a buffer depletion. I just checked the release notes and there are a couple of fixes on that, but I'd recommend you collect a tech support and open a TAC case to get the right diagnostic.

regards,

Gerardo.

@Indorama_Ventures it does sound like buffer depletion, for which multiple fixes were made in later releases. I would recommend upgrading; 7.1.2 was very early in the 7.1 lifecycle and therefore has quite a few bugs that weren't patched until later versions.

Thanks both for your answers. We will plan a maintenance window to update both firewalls to their latest version.
Any recommendations to which version? I noticed that version 8.0.0 has been released recently.

Would it be wise to stick with 7.1.8 for now?

Remko

I think yes, 7.1.8 is the one we also decided to go for now, but to be fair you never know which release will work well for your environment.

@Indorama_Ventures personally I would not run 8.0 in a production environment at all; but that's just me. Stick with 7.1.8 and you shouldn't run into any issues.
