SSL Decryption bug in PAN-OS 9.1.14


L2 Linker

I recently upgraded from PAN-OS 9.1.13-h3 to 9.1.14, then SSL decryption stopped working. In the traffic monitor there wasn't any decryption error, but when I excluded a PC the internet worked,

and it seems other people are also having the same issue (Reddit), but it's not in the known issue list until now,

so I had to revert to the previous version and it's working fine now.

Accepted Solutions

L2 Linker

It looks like a workaround has been published, or am I wrong?

PAN-194395
The firewall drops all decrypted outbound (SSL Forward Proxy) HTTP/2 traffic after you upgrade to PAN-OS 9.1.14. Dropping this traffic prevents users from loading HTTP/2 web pages and accessing websites that use HTTP/2.
Workaround: On the SSL Forward Proxy tab in the Decryption profile attached to the Decryption Policy rule that controls the HTTP/2 traffic, select Strip ALPN. When you Strip ALPN, the firewall negotiates HTTP/1.1 instead of HTTP/2.

It seems to be working in my environment.

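An added example (not from the thread or from Palo Alto Networks): a check for whether a captured TLS ClientHello still offers `h2`, for confirming the Strip ALPN workaround from a packet capture taken on the server side of the firewall. It assumes the option removes the `h2` offer from the ClientHello the firewall sends; the function names and the sample bytes are constructed here.

```python
import struct

ALPN_EXT = 16  # application_layer_protocol_negotiation (RFC 7301)

# Assumption (not stated in the thread): with Strip ALPN on, the ClientHello
# leaving the firewall carries no "h2" offer, so HTTP/1.1 is negotiated.
def alpn_protocols(record: bytes) -> list:
    """Return the ALPN names offered in one TLS record holding a ClientHello."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a handshake record carrying a ClientHello")
        pos = 5 + 4 + 2 + 32                     # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                   # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                   # compression_methods
        if pos >= len(record):
            return []                            # ClientHello without extensions
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == ALPN_EXT:
                names, p = [], pos + 2           # skip the 2-byte list length
                while p < pos + ext_len:
                    n = record[p]
                    names.append(record[p + 1:p + 1 + n].decode("ascii"))
                    p += 1 + n
                return names
            pos += ext_len
        return []
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def build_client_hello(protocols) -> bytes:
    """Constructed sample input: a minimal ClientHello, built only for this demo."""
    exts = struct.pack("!HH", 0x0017, 0)         # extended_master_secret (empty)
    if protocols:
        plist = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
        exts += struct.pack("!HH", ALPN_EXT, len(plist) + 2)
        exts += struct.pack("!H", len(plist)) + plist
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for label, offered in (("ALPN intact", ["h2", "http/1.1"]), ("ALPN stripped", [])):
        names = alpn_protocols(build_client_hello(offered))
        print(f"{label}: offers {names or 'no ALPN'}; h2 offered: {'h2' in names}")
```

To use it on real traffic, pass the raw bytes of the first TLS record of a connection, extracted from the capture, to `alpn_protocols`.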

22 REPLIES

L5 Sessionator

I don't know if this is your exact issue, but it seems as if we are tracking something internally. PAN-194219, the software packet buffers are depleting erroneously during HTTP/2 inspection only post 9.1.14 upgrade, and subsequently not decrypting.  

I am now following the issue and will post updates / workarounds. 

Help the community! Add tags & mark solutions please.

Ok thank you, will not update until the issue is resolved

L0 Member

Same here. Rolling back now... I wonder why there is not any statement by PA. Or is there one and I didn't find it?

L5 Sessionator

The issue is escalated to the senior support queue; they've successfully recreated it in a lab and are now identifying the root cause.
