09-17-2012 05:54 AM
Since upgrading to Palo Alto Networks 4.1 we often have warnings in several Firefox and Thunderbird clients.
Then we get the error message "ssl_error_rx_unexpected_new_session_ticket".
This example is from Thunderbird:
Additionally, the firewall's behaviour of leaving some SSL communication undecrypted - for instance, on the first click https://www.anyside.de/index.html will be decrypted, on the second click https://www.anyside.de/anydoc.html will not - is a bit disturbing.
Regards,
Manfred
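The Firefox/Thunderbird error quoted above maps to a rule in RFC 5077 section 3.3: a server must not send a NewSessionTicket handshake message unless its ServerHello carried the (empty) SessionTicket extension, and NSS reports a ticket arriving outside that state as an unexpected message. As an added example, not part of this thread or of Palo Alto Networks' software, the Python below walks the server-to-client handshake records of a capture and flags exactly that mismatch; it assumes TLS 1.2 records with no handshake message split across records, and every byte string in it is a constructed sample.

```python
import struct

# TLS constants: record type and handshake types (RFC 5246), extension id (RFC 5077)
HANDSHAKE, SERVER_HELLO, NEW_SESSION_TICKET, EXT_SESSION_TICKET = 22, 2, 4, 0x0023

def handshake_messages(records: bytes):
    """Yield (handshake_type, body) for each message in a run of TLS records; no fragmentation."""
    pos = 0
    while pos + 5 <= len(records):
        ctype, _version, rlen = struct.unpack("!BHH", records[pos:pos + 5])
        frag, pos = records[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        off = 0
        while ctype == HANDSHAKE and off + 4 <= len(frag):
            hlen = int.from_bytes(frag[off + 1:off + 4], "big")
            yield frag[off], frag[off + 4:off + 4 + hlen]
            off += 4 + hlen

def server_hello_has_ticket_ext(hello: bytes) -> bool:
    """Walk a ServerHello body and report whether the SessionTicket extension (0x0023) is present."""
    off = 2 + 32 + 1 + hello[34] + 2 + 1   # version, random, session_id, cipher_suite, compression
    if off + 2 > len(hello):
        return False                       # no extensions block at all
    end, off = off + 2 + struct.unpack("!H", hello[off:off + 2])[0], off + 2
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[off:off + 4])
        if etype == EXT_SESSION_TICKET:
            return True
        off += 4 + elen
    return False

def diagnose(server_records: bytes) -> str:
    """Flag the RFC 5077 violation behind ssl_error_rx_unexpected_new_session_ticket."""
    msgs = list(handshake_messages(server_records))
    echoed = any(t == SERVER_HELLO and server_hello_has_ticket_ext(b) for t, b in msgs)
    ticket_sent = any(t == NEW_SESSION_TICKET for t, _ in msgs)
    if ticket_sent and not echoed:
        return "unexpected NewSessionTicket: ServerHello carried no SessionTicket extension"
    return "ok"

# Constructed sample handshakes (not captured traffic); make_record/sample_server_hello are local helpers.
def make_record(htype: int, body: bytes) -> bytes:
    """One TLS 1.2 record carrying a single handshake message."""
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 3, 3]) + struct.pack("!H", len(hs)) + hs

def sample_server_hello(echo_ticket_ext: bool) -> bytes:
    ext = b"\x00\x04\x00\x23\x00\x00" if echo_ticket_ext else b""
    return make_record(SERVER_HELLO, b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00" + ext)

SERVER_TICKET = make_record(NEW_SESSION_TICKET, bytes(6))  # lifetime hint 0, empty ticket
```

Feed `diagnose` the concatenated server-to-client records of one handshake; a ticket following a ServerHello that never announced the extension is the condition the client complains about.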
09-17-2012 10:07 AM
Hi,
Can you try deleting the SSL decryption certificates on the Palo Alto and re-importing/regenerating them again, and see if it makes any difference? My guess is that the SSL decryption certs might have got corrupted during the software upgrade.
09-19-2012 07:12 AM
Hi sdurga,
First I tried to disable Device -> Setup -> Server CRL/OCSP Settings.
This works a bit. Now the SSL-encrypted websites are mostly continuously decrypted,
with some rare exceptions: if we get an error message like this here
I get an undecrypted website next if I click "Nochmals versuchen" (Try again).
Next I will try your suggestion.
Greets,
Manfred
09-20-2012 03:29 AM
I have reimported the certificate.
Unfortunately the problem is still going on. The SSL warning is not as frequent as in the beginning, but it reappears regularly.
Guessing at a performance problem with our hardware (PA 2050 from 2010): what can we do?
Greets,
Manfred
09-24-2012 02:11 AM
We can see another strange behaviour by the firewall, which points in the same direction:
Especially when using the Firefox browser, the third or fifth reload of an SSL-encrypted website will be left undecrypted by the firewall. You simply have to click "reload" several times on any SSL website.
Very strange behaviour for a security device.
Manfred
09-24-2012 02:22 AM
Your device is obviously malfunctioning for some reason.
Did you file this as a bug report, and what did support tell you?
A similar event regarding 2000-boxes and SSL was in spring 2010 (3.0/3.1.something), where the SSL engine failed in the mgmtplane, which gave all sorts of funny results (because the MITM cert is created on the fly by the mgmtplane and then cached in the dataplane, if I'm not mistaken). That bug was fixed a few weeks later after being reported (and debugged).
09-24-2012 03:00 AM
Until now we didn't open a support request, but I will do so this morning.
Thanks
Manfred