02-14-2014 02:13 AM
We've been using SSL decryption for a while now.
While for most websites this is not an issue, once in a while a user complains that a certain HTTPS website doesn't load at all. The browser just keeps loading indefinitely.
We can't find a reason in the logs, traffic is allowed, not blocked, decrypted flag is checked in the log detail.
For now our workaround is to add those websites to an encryption exception list (address group). But that list is starting to grow to 30+ addresses.
Two problems with this approach:
- the list is hard to maintain
- no SSL decryption, so no full App-ID visibility for those
How can I troubleshoot this? How can I determine the real reason the sites don't load?
02-14-2014 05:56 AM
Hi,
Reasons for decryption failure should be:
- Client cert used
- Non RFC app
- unsupported crypto setting
From cli you can use command like:
show system setting ssl-decrypt exclude-cache
Careful not to decrypt too many things, according to the law.
Hope this helps
v.
02-14-2014 09:24 AM
I am not sure what software version you are on but there was a fix that went in 4.1.9
Bug 43507: Due to a buffering issue, firewalls configured with SSL forward proxy decryption caused performance issues for clients when downloading a large number of files (16k+) from web servers over HTTPS.
If you are on 4.1.8 I would recommend upgrading.
Thanks
Numan
02-16-2014 11:16 PM
We're on 5.0.8, so that's probably another issue. Thanks anyway.
02-16-2014 11:21 PM
Thanks, I didn't know that command.
At least we can now confirm if there's a problem with a certain website.
Currently I see all timing out for reason CERT_UNSUPPORTED. Is there any setting where I can say: if that's the reason, don't decrypt and continue?
02-16-2014 11:56 PM
Hello Sir,
Yes, you can change the settings under the decryption profile assigned to the decryption policy; I disabled (unchecked) the option "Block sessions with unsupported cipher suites".
Thanks
02-17-2014 12:02 AM
Great info, I'll try that
03-20-2019 07:44 AM
Hello Guys,
What is the best way to troubleshoot SSL interception?
Here I have an exception with:
Issuer: RapidSSL RSA CA 2018
Status: untrusted
OK, great, but I don't understand why the certificate is untrusted. I am trying to find some information in the logs but I don't find anything relevant. The relevant CA is trusted.
Are there some commands to troubleshoot that? Maybe the only way is the packet capture.
Thanks.
Best regards