Packet dropped with message 'proxy decrypt failure' in session ... - Knowledge Base - Palo Alto Networks

Packet dropped with message 'proxy decrypt failure' in session detail

Created On 09/26/18 13:49 PM - Last Modified 08/16/24 09:22 AM


Symptom


When SSL decryption is enabled, packets to a particular website get dropped with the message 'proxy decrypt failure' in the session detail. This article explains one of the probable causes and how to fix it.

Packets are dropped for a particular website. Checking show session all filter source <src-ip> and the associated show session <id> shows that the packet is discarded, with the tracker stage firewall reported as 'proxy decrypt failure', as below:

[Image: session_deny.JPG]

Running global counters shows an 'unsupported SSL protocol' message:

[Image: Counter deny logs]

If the webserver and client can only negotiate a cipher suite that is unsupported, the connection will be dropped because it cannot be decrypted.



Environment


  • Any Firewall


Resolution


Workaround
  • Create a no-decrypt rule for that destination
     (or)
  • Choose a cipher suite that is supported on the firewall
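
To choose between the two workarounds, it helps to know which cipher suite the server actually selected. The Python code below is an added example, not Palo Alto Networks code: it parses a captured ServerHello record and checks the selected suite against an allowlist. FIREWALL_SUPPORTED, the function names and the sample record are assumptions, and the allowlist values are placeholders to be replaced from the Compatibility Matrix.

```python
import struct

# Assumption: placeholder allowlist of IANA cipher-suite code points. Replace it
# with the suites the Compatibility Matrix lists for your PAN-OS release.
FIREWALL_SUPPORTED = {0xC02F, 0xC030, 0x009C, 0x009D}

def parse_server_hello(record: bytes):
    """Return (tls_version, cipher_suite) the server selected in a ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS handshake record carrying a ServerHello")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) < hs_len:
        raise ValueError("ServerHello is fragmented or truncated")
    try:
        version = struct.unpack_from("!H", hello, 0)[0]   # legacy_version
        off = 35 + hello[34]                              # skip random + session_id
        suite = struct.unpack_from("!H", hello, off)[0]
        off += 3                                          # suite + compression method
        if off + 2 <= len(hello):                         # extensions are optional
            end = min(off + 2 + struct.unpack_from("!H", hello, off)[0], len(hello))
            off += 2
            while off + 4 <= end:
                etype, elen = struct.unpack_from("!HH", hello, off)
                off += 4
                if etype == 0x002B and elen == 2:         # supported_versions (TLS 1.3)
                    version = struct.unpack_from("!H", hello, off)[0]
                off += elen
    except (struct.error, IndexError):
        raise ValueError("malformed ServerHello") from None
    return version, suite

def can_decrypt(record: bytes, supported=FIREWALL_SUPPORTED) -> bool:
    """True if the suite the server picked is one the proxy is assumed to support."""
    return parse_server_hello(record)[1] in supported

def sample_record(suite: int, extensions: bytes = b"") -> bytes:
    """Constructed ServerHello (zero random, empty session id) for offline use."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00" + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for s in (0xC02F, 0xCCA8):   # constructed samples, second one is off the allowlist
        rec = sample_record(s)
        print(hex(s), "decrypt" if can_decrypt(rec) else "no-decrypt rule or change cipher")
```

The ServerHello is sent in cleartext, including in TLS 1.3, so the record can be taken from a packet capture on the client side of the firewall.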


Additional Information


To learn more about supported cipher suites, see the Palo Alto Networks Compatibility Matrix.


