- it also affects Android's chrome browser, which is also based on WebKit, just like mobile Safari. Would be interesting to find out whether it also applies to desktop Safari. ... View more

MY PAN support case number: 00146841 ... View more

Interesting. Thanks Mikand. Let's see what PAN support has to say about this. ... View more

Thanks. Will do and post the case number here. ... View more

I guess it's time to open a case with PAN support. ... View more

Hi Mikand, thanks for the detailed instructions. Actually, I already did all of that except for the tcpdumps. The decryption policy is definitely ok (else it wouldn't decrypt the non-iPhone sessions). We also have a decryption profile that specifically blocks unsupported versions/ciphers and if ressource is unavailable. This means these sessions are supposed to blocked, but they are not. They are just not being decrypted. What bugs me the most is that there is simply no information on the box about what's going on. At least not obvious. The traffic log is not helpful at all, since all it tells me is whether a session was decrypted or not. It doesn't tell me why. There is nothing in the system logs either. The exclude-cache is empty. I love PAN, but in this area they need to improve. A lot. I am going to ask the customer to send me the server's certificate so I can check whether it uses Diffie Hellman. That's about the only thing left I can think of as a culprit. ... View more

Hi Nadir, thanks for the help. In fact, when I tried mobile Firefox the session was decrypted just fine. Using Google Chrome (Android) or mobile Safari (iPhone) the session would not get decrypted. Looks like an issue with Webkit based browsers. HOWEVER: There is nothing related in the certificate list you get when issuing the ' show system setting ssl-decrypt exclude-cache ' command. The webserver's certificate does not show up in that list. What I also don't understand: If there is a problem with ciphers, why can I connect to the webserver using iPhone/Android just fine? The browser seems to be encrypting the session without a problem. It's the firewall that does not decrypt. ... View more

How can I see that on the firewall? Where are incompatibilities being logged? Will try... ... View more

Thanks. Just for clarification: Isn't certificate revocation checking decoupled from decryption? Meaning, even if I bypass Google from decryption, wouldn't the certificate checks still jump in? Or are these settings only used in tandem with decryption? ... View more

Hello Nadir, we are running 5.0.4. And I am seeing the same error messages in sslmgr.log that are described in the other discussion you linked to. So it's safe to assume we are hitting this bug as well. I will try to turn off OCSP checks. If I understand the bug correctly, it's only happening after turning on OCSP. What do you think? Thanks Sascha ... View more

As I said earlier, regarding to my system logs, there are no issues with retrieving the CRL lists. There is no timeout, and Google is the only destination that's affected. The "timeout" in the error message is indeed strange, but sometimes we get no error message at all. Thanks! ... View more

Thanks, but it's not a problem of being blocked by firewall policy. It's a problem with the PAN checking Google's certificates. See this: As I wrote above, it must have something to do with checking CRL/OCSP in Device -> Service -> Session -> Decryption Certificate Revocation Settings. If we disable the checks, it works fine. ... View more