Hi Mikand, thanks for the detailed instructions. Actually, I already did all of that except for the tcpdumps. The decryption policy is definitely ok (else it wouldn't decrypt the non-iPhone sessions). We also have a decryption profile that specifically blocks unsupported versions/ciphers and if ressource is unavailable. This means these sessions are supposed to blocked, but they are not. They are just not being decrypted. What bugs me the most is that there is simply no information on the box about what's going on. At least not obvious. The traffic log is not helpful at all, since all it tells me is whether a session was decrypted or not. It doesn't tell me why. There is nothing in the system logs either. The exclude-cache is empty. I love PAN, but in this area they need to improve. A lot. I am going to ask the customer to send me the server's certificate so I can check whether it uses Diffie Hellman. That's about the only thing left I can think of as a culprit.
... View more