PA-820 random Decryption Error


L1 Bithead

Since a few months we have been getting more and more random outbound decryption errors. When the user waits a moment, the website opens correctly. The browser error messages are "err_connection_reset" or "net::err_cert_authority_invalid". In the decryption error log I see errors like "certificate verify failed", "malloc failure", "General TLS protocol error". At the moment I have installed version 10.2.10-h4 on our PA-820 (HA). Did anyone have the same problems? I have opened a ticket and at the moment I am waiting for further actions.

4 REPLIES

Cyber Elite

Identify the site where decryption is failing.

Go to SSLLabs and run a test.

Does the website include the intermediate certificate, or is it an extra download?

If the website is not sending the intermediate, then Linux-based machines (including the Palo firewall) don't download it.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

This isn't a problem with the sites (like a missing intermediate certificate). I open a site and I get the error message. When I close the site and open it a little bit later again, the site loads correctly (or when I leave the site and refresh it a little bit later). I think it's a decryption performance problem, but we can't see it in the firewall.

Cyber Elite

One of your errors was "certificate verify failed".

Does it make any difference if you temporarily (just for testing) uncheck "Block sessions with unknown certificate status" and "Block sessions on certificate status check timeout" under Decryption Profile?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I have tested it. It didn't make any difference.
