SSL Decryption in PAN 4.1 fails - Firefox warns "ssl_error_rx_unexpected_new_session_ticket"

L3 Networker

Since upgrading to Palo Alto Networks 4.1 we often have warnings in several Firefox and Thunderbird clients.

Then we get the error message "ssl_error_rx_unexpected_new_session_ticket".

This example is from Thunderbird:

Warnung_2012-09-17_14-36-49.jpg

Additionally, the behaviour of the firewall of leaving some SSL communication undecrypted - for instance: on the first click https://www.anyside.de/index.html will be decrypted, the second click on https://www.anyside.de/anydoc.html will not - is a bit disturbing.

Kind regards

Manfred

L6 Presenter

Hi,

Can you try deleting the SSL decryption certificates on the Palo Alto and re-importing/regenerating them again to see if it makes any difference? My guess is that the SSL decryption certs might have got corrupted during the software upgrade.

Hi sdurga,

First I tried to disable device->setup->Server CRL/OCSP Settings.

mi1-pan1 - Mozilla Firefox_2012-09-19_16-03-41.jpg

This works a bit. Now the SSL-encrypted websites are mostly decrypted continuously.

With some rare exceptions: if we get an error message like this one

Seiten-Ladefehler - Mozilla Firefox_2012-09-19_15-55-19.jpg

I get an undecrypted website next if I click "Nochmals versuchen" ("Try again").

Next I will try your suggestion.

greets

Manfred

I have reimported the certificate.

Unfortunately the problem is still going on. The SSL warning is not as usual as in the beginning, but it reappears frequently.

Guessing a performance problem with our hardware (PA 2050 from 2010), what can we do?

greets

Manfred

L3 Networker

We can see another strange behaviour by the firewall, which points in the same direction:

Especially when using the Firefox browser, the third or fifth reload of an SSL-encrypted website will be left undecrypted by the firewall. You simply have to click "reload" several times on any SSL website.

Very strange behaviour by a security device.

Manfred

Your device is obviously malfunctioning for some reason.

Did you file this as a bug report, and what did the support tell you?

A similar event regarding 2000-boxes and SSL was in spring 2010 (3.0/3.1.something), where the SSL engine failed in the mgmtplane, which gave all sorts of funny results (because the MITM cert is created on the fly by the mgmtplane and then cached in the dataplane, if I'm not mistaken). That bug was fixed a few weeks later after being reported (and debugged).

Till now, we didn't open a support request. But I will do so this morning.

Thanks

Manfred
