TLS 1.3 Downgrade Detected error - PAN-OS 9.0.9

L1 Bithead

Hello Everyone,

I am running PAN-OS 9.0.9 on my PA-3020. When I enable SSL forward proxy and try to access google.com, I get the tls13_downgradedetected error in Chrome. I get the same problem with other browsers, but with a different error description.

When I first applied the SSL forward proxy configuration, I was running PAN-OS 8.1.3. So I followed the instructions mentioned in previous posts to upgrade to 8.1.4. So, I upgraded to version PAN-OS 9.0.9, thinking that it should have this issue resolved as well. But the problem is still there.

Can someone help me figure out how to overcome this issue? Is it an issue with the PAN-OS version I am running, or some configuration that I need to apply?


Accepted Solutions
L3 Networker

Hi


Please take the action recommended below if you have enabled SSL decryption forward proxy. This is required for users to access Gmail and other websites and applications using web browsers that implement strict TLS 1.3 compliance. We have been informed that Google Chrome is planning to implement strict TLS 1.3 compliance in their upcoming version 73. The stable build of Google Chrome version 73 may be available in mid-March 2019, and if your users use a pre-stable build of Google Chrome, they will experience the issue outlined below earlier.

Action Required: Upgrade to a supported PAN-OS release version
PAN-OS 8.1.4 or above 8.1.x Preferred Version

Impact:
Without upgrading to one of the above maintenance releases, users may no longer be able to access Gmail and other websites and applications that utilize TLS 1.3 when SSL forward proxy decryption is in use. As a result, your users will receive the following web browser error: ‘ERR_TLS13_DOWNGRADE_DETECTED’.

By upgrading PAN-OS to one of the above maintenance releases, your users will be able to continue to access Gmail and other TLS 1.3 enabled websites and applications when using browsers that exhibit this behavior.

Thank you,

Mohd Yasin

Changelog:

01/22 - Updated to reflect the availability of maintenance releases

01/23 - Updated to reflect new Chrome release version
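
The browser error discussed in this thread corresponds to the downgrade check in RFC 8446 section 4.1.3: a client that offered TLS 1.3 must abort if the ServerHello negotiates an older version while its random ends in the `DOWNGRD` marker. The Python below is an added example, not code from the original posts or from Palo Alto Networks; it applies that check to a raw ServerHello handshake message, for instance one exported from a capture taken on the client side of the decrypting firewall. The helper names and the sample messages are constructed for illustration.

```python
import struct

# RFC 8446 section 4.1.3: a TLS 1.3-capable server that negotiates an older
# version overwrites the last 8 bytes of ServerHello.random with one of these.
SENTINEL_TLS12 = b"DOWNGRD\x01"   # negotiated TLS 1.2
SENTINEL_TLS11 = b"DOWNGRD\x00"   # negotiated TLS 1.1 or below

def parse_server_hello(hs: bytes):
    """Return (negotiated_version, random) from a ServerHello handshake message."""
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", body[:2])[0]      # legacy_version
    random = body[2:34]
    pos = 35 + body[34] + 3   # skip session id, cipher suite, compression
    if pos + 2 <= len(body):  # extensions are optional before TLS 1.3
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            if ext_type == 0x002B and ext_len == 2:  # supported_versions
                version = struct.unpack("!H", body[pos + 4:pos + 6])[0]
            pos += 4 + ext_len
    return version, random

def downgrade_detected(hs: bytes, client_offered_tls13: bool = True) -> bool:
    """True when a strict TLS 1.3 client must abort on this ServerHello."""
    version, random = parse_server_hello(hs)
    if not client_offered_tls13 or version >= 0x0304:
        return False
    return random[24:] in (SENTINEL_TLS12, SENTINEL_TLS11)

# Constructed sample messages (not taken from a real capture).
def build_hello(random: bytes, extensions: bytes = b"") -> bytes:
    body = b"\x03\x03" + random + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return b"\x02" + len(body).to_bytes(3, "big") + body

MARKED = build_hello(bytes(24) + SENTINEL_TLS12)   # TLS 1.2 with marker
CLEAN = build_hello(bytes(range(32)))              # TLS 1.2, no marker
TLS13 = build_hello(bytes(range(32)), b"\x00\x2b\x00\x02\x03\x04")

if __name__ == "__main__":
    for name, hs in (("MARKED", MARKED), ("CLEAN", CLEAN), ("TLS13", TLS13)):
        print(name, downgrade_detected(hs))
```
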



All Replies
L1 Bithead

Thank you Mohammed. I have already upgraded to PAN-OS 9.0.9 but am still facing the same issue.

L1 Bithead

Just wanted to update this post to mention that the upgrade did solve the problem. I was just running into a different type of problem after the upgrade.

L3 Networker

Could you briefly describe the problem you are running into?
