ssl decryption enabled and proxy_wait_pkt_drop


SSL decryption is enabled on the PA.

sh running resource monitor is also normal.

When I run the below command I see:

show counter global filter delta yes category proxy

Global counters:
Elapsed time since last sampling: 124.323 seconds

name                      value  rate  severity  category  aspect   description
--------------------------------------------------------------------------------
proxy_process               104     0  info      proxy     pktproc  Number of flows go through proxy
proxy_wait_pkt_drop          24     0  drop      proxy     pktproc  The number of packets get dropped because of waiting status in ssl proxy
proxy_sessions               33     0  info      proxy     pktproc  Current number of proxy sessions
proxy_sessions_forward       33     0  info      proxy     pktproc  Current number of SSL-Forward decrypted sessions
proxy_broker_policy_skip     69     0  info      proxy     pktproc  Sessions not processed by forwarding profile by policy
--------------------------------------------------------------------------------
Total counters shown: 5
--------------------------------------------------------------------------------


I read that if the proxy wait pkt drop counter is incrementing then it is a resource issue on the PA?

So which counter should I worry about?

Value or rate?

MP

Accepted Solutions

@MP18,

On a 220 it's quite possible that you are running into some sort of resource contention depending on how much traffic you are actively attempting to decrypt. When working on a 220 you'll be looking at the following limitations. 

SSL Decryption

Max SSL inbound certificates             25
SSL certificate cache (forward proxy)    128
Max concurrent decryption sessions       6,400

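The following is an added example, not part of the original thread and not Palo Alto Networks code: it parses the counter output pasted in the question, derives a per-second figure for each non-zero drop counter from its value and the elapsed sampling time, and compares `proxy_sessions` with the 6,400 concurrent decryption session limit quoted in the answer. The function names are hypothetical, and it assumes that `value` is the delta over the sampling window and that `proxy_sessions` holds the live session count, as its description says.

```python
import re

# Constructed sample: the counter output pasted in the question above.
SAMPLE = """\
Global counters:
Elapsed time since last sampling: 124.323 seconds

name value rate severity category aspect description
--------------------------------------------------------------------------------
proxy_process 104 0 info proxy pktproc Number of flows go through proxy
proxy_wait_pkt_drop 24 0 drop proxy pktproc The number of packets get dropped because of waiting status in ssl proxy
proxy_sessions 33 0 info proxy pktproc Current number of proxy sessions
proxy_sessions_forward 33 0 info proxy pktproc Current number of SSL-Forward decrypted sessions
proxy_broker_policy_skip 69 0 info proxy pktproc Sessions not processed by forwarding profile by policy
--------------------------------------------------------------------------------
Total counters shown: 5
"""

MAX_DECRYPT_SESSIONS = 6400  # PA-220 limit quoted in the answer above
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
ELAPSED = re.compile(r"Elapsed time since last sampling:\s*([\d.]+)\s*seconds")

def parse_counters(text):
    """Return (elapsed_seconds, {name: row dict}) from 'show counter global' output."""
    m = ELAPSED.search(text)
    elapsed = float(m.group(1)) if m else None
    counters = {}
    for line in text.splitlines():
        r = ROW.match(line.strip())  # header and separator lines do not match
        if r:
            name, value, rate, severity, category, aspect, desc = r.groups()
            counters[name] = {"value": int(value), "rate": int(rate), "severity": severity,
                              "per_sec": int(value) / elapsed if elapsed else None}
    return elapsed, counters

def report(text, session_limit=MAX_DECRYPT_SESSIONS):
    elapsed, counters = parse_counters(text)
    drops = {n: c for n, c in counters.items() if c["severity"] == "drop" and c["value"] > 0}
    sessions = counters.get("proxy_sessions", {}).get("value", 0)  # assumed live count
    return {"elapsed": elapsed, "drops": drops, "session_utilization": sessions / session_limit}

if __name__ == "__main__":
    r = report(SAMPLE)
    for name, c in r["drops"].items():
        print(f"{name}: {c['value']} in {r['elapsed']:.0f}s = {c['per_sec']:.2f}/s (displayed rate {c['rate']})")
    print(f"decrypt sessions in use: {r['session_utilization']:.2%} of {MAX_DECRYPT_SESSIONS}")
```

Running the same parse over successive samples shows whether the drop counter keeps incrementing while session utilization stays well under the platform limit.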


All Replies

@MP18,

What platform are you running; you may be running into platform limitations on the number of sessions you can actively decrypt at any one given time. 


I have a PA 220 running 8.1.3.

MP

Many thanks for answering the question.

MP