TLS 1.3 Downgrade Detected error - PAN-OS 9.0.9

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

TLS 1.3 Downgrade Detected error - PAN-OS 9.0.9

L1 Bithead

Hello Everyone,

I am running PAN-OS 9.0.9 on my PA-3020. When enabling SSL forward proxy and try to access google.com, I get the tls13_downgradedetected error on chrome. I get the same problem even when using other browsers but different error description. 

 

When I first applied the SSL forward proxy configuration, I was running PAN-OS 8.1.3. So I followed the instructions mentioned in previous posts to upgrade to 8.1.4. So, I upgraded to version PAN-OS 9.0.9 thinking that it should have this issue resolved as well. But the problem is still there.

 

Can someone help me figure out how to overcome this issue? Is it an issue with the PAN-OS version I am running? or some configuration that I need to apply? 

1 accepted solution

Accepted Solutions

L4 Transporter

Hi


Please take the action recommended below if you have enabled SSL decryption forward proxy. This is required for users to access Gmail and other websites and applications using web browsers that implement strict TLS 1.3 compliance. We have been informed that Google Chrome is planning to implement strict TLS 1.3 compliance in their upcoming version 73. The stable build of Google Chrome version 73 may be available in mid-March 2019, and if your users use a pre-stable build of Google Chrome, they will experience the issue outlined below earlier.

 

Action Required: Upgrade to a supported PAN-OS release version
PAN-OS 8.1.4 or above 8.1.x Preferred Version

 

Impact:
Without upgrading to one of the above maintenance releases, users may no longer be able to access Gmail and other websites and applications that utilize TLS 1.3 when SSL forward proxy decryption is in use. As a result, your users will receive the following web browser error: ‘ERR_TLS13_DOWNGRADE_DETECTED’.

 

By upgrading PAN-OS to one of the above maintenance releases, your users will be able to continue to access Gmail and other TLS 1.3 enabled websites and applications when using browsers that exhibit this behavior.

 

Thank you,

Mohd Yasin

 

Changelog:

01/22 - Updated to reflect the availability of maintenance releases

01/23 - Updated to reflect new Chrome release version

View solution in original post

4 REPLIES 4

L4 Transporter

Hi


Please take the action recommended below if you have enabled SSL decryption forward proxy. This is required for users to access Gmail and other websites and applications using web browsers that implement strict TLS 1.3 compliance. We have been informed that Google Chrome is planning to implement strict TLS 1.3 compliance in their upcoming version 73. The stable build of Google Chrome version 73 may be available in mid-March 2019, and if your users use a pre-stable build of Google Chrome, they will experience the issue outlined below earlier.

 

Action Required: Upgrade to a supported PAN-OS release version
PAN-OS 8.1.4 or above 8.1.x Preferred Version

 

Impact:
Without upgrading to one of the above maintenance releases, users may no longer be able to access Gmail and other websites and applications that utilize TLS 1.3 when SSL forward proxy decryption is in use. As a result, your users will receive the following web browser error: ‘ERR_TLS13_DOWNGRADE_DETECTED’.

 

By upgrading PAN-OS to one of the above maintenance releases, your users will be able to continue to access Gmail and other TLS 1.3 enabled websites and applications when using browsers that exhibit this behavior.

 

Thank you,

Mohd Yasin

 

Changelog:

01/22 - Updated to reflect the availability of maintenance releases

01/23 - Updated to reflect new Chrome release version

Thank you Mohammed. I have already upgraded to PAN-OS 9.0.9 but still facing the same issue.

Just wanted to update this post to mention that the upgrade did solve the problem. I was just running through a different type of problem after the upgrade. 

Could you brief of your running problem

  • 1 accepted solution
  • 5955 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!