After enabling SSL Decryption and adding ‘No-Decrypt’ rules, all traffic is still showing as decrypted in the logs.
Decryption certificate is being presented for the site(s) in question rather than the original source certificate.
Running test decryption-policy-match application ssl shows the correct no-decrypt rule is matched.
If the site was accessed after creating the SSL-Decryption rule, but before the No-decrypt rule was configured, this issue is likely to happen.
This is a result of the certificate being found in the SSL-Decryption cache.
Clear this cache use the following command: debug dataplane reset ssl-decrypt certificate-cache