ssl decryption enabled and proxy_wait_pkt_drop

SSL decryption is enabled on PA.

sh running resource monitor is also normal.

When I run the below command I see:

 

show counter global filter delta yes category proxy

Global counters:
Elapsed time since last sampling: 124.323 seconds

name                      value  rate  severity  category  aspect   description
--------------------------------------------------------------------------------
proxy_process               104     0  info      proxy     pktproc  Number of flows go through proxy
proxy_wait_pkt_drop          24     0  drop      proxy     pktproc  The number of packets get dropped because of waiting status in ssl proxy
proxy_sessions               33     0  info      proxy     pktproc  Current number of proxy sessions
proxy_sessions_forward       33     0  info      proxy     pktproc  Current number of SSL-Forward decrypted sessions
proxy_broker_policy_skip     69     0  info      proxy     pktproc  Sessions not processed by forwarding profile by policy
--------------------------------------------------------------------------------
Total counters shown: 5
--------------------------------------------------------------------------------

 

I read that if the proxy wait pkt drop counter is incrementing, then it is a resource issue on the PA?

So which counter should I worry about?

Value or rate?

MP


@MP18,

What platform are you running? You may be running into platform limitations on the number of sessions you can actively decrypt at any one given time.

I have a PA 220 running 8.1.3.

MP


@MP18,

On a 220 it's quite possible that you are running into some sort of resource contention depending on how much traffic you are actively attempting to decrypt. When working on a 220 you'll be looking at the following limitations. 

 

SSL Decryption

Max SSL inbound certificates: 25
SSL certificate cache (forward proxy): 128
Max concurrent decryption sessions: 6,400

 

 

Many thanks for answering the question.

MP
