Palo Alto Networks Knowledgebase: Web browsing fails with error: SSL_ERROR_RX_RECORD_TOO_LONG

Web browsing fails with error: SSL_ERROR_RX_RECORD_TOO_LONG

Created On 02/07/19 23:59 PM - Last Updated 02/07/19 23:59 PM
URL Filtering

This article shows how to fix the problem of web browsing that fails with an error code SSL_ERROR_RX_RECORD_TOO_LONG. We'll use an example of


Screen Shot 2016-11-05 at 5.17.41 PM.png


Errror code: "SSL_ERROR_RX_RECORD_TOO_LONG" means the web server is sending non-secure (HTTP) data where secure (HTTPS) data is expected by the web browser.




Security policy on the firewall:  (refers to URL filtering profile facebook test)


Screen Shot 2016-11-05 at 6.41.45 PM.png



URL Filtering profile on firewall: (social-networking category has action of continue)


 Screen Shot 2016-11-05 at 6.34.07 PM.png


With an action of continue on the URL category, the firewall will send a redirect message to the client to prompt users to click Continue to proceed to the web page, as follows:


Screen Shot 2016-11-05 at 6.03.42 PM.png


This Continue redirect message sent by the firewall is an HTTP response:


Screen Shot 2016-11-05 at 6.07.39 PM.png


 Note: This redirect message shows the URL category and the security policy rule matched by this traffic.



When browsing to, the browser makes a request for, as below:


Screen Shot 2016-11-05 at 5.53.34 PM.png

In this case, the firewall sending an HTTP redirect message for continue is treated as an invalid response by the browser and it shows an error, SSL_ERROR_RX_RECORD_TOO_LONG.


Screen Shot 2016-11-05 at 6.17.25 PM.png



Either of the two solutions offered can overcome this issue:


  • Enable outbound SSL decryption on the firewall. For more information on how to enable SSL decryption on firewall, please click here



  • Run the following command on the firewall. This will allow the SSL handshake to complete before sending an HTTP response page to the client. For more information about this command, please click here.

# set deviceconfig setting ssl-decrypt url-proxy yes


  • Print
  • Copy Link

Choose Language